diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a1f211e..cc1de58 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,18 +1,25 @@
 name: Build Docker Image
 on:
 push:
- branches: master
+ branches: [master]
 jobs:
 build:
- name: Push to GHCR
+ name: GitHub Container Registry
 runs-on: ubuntu-latest
+ needs: release
 steps:
- - uses: actions/checkout@v2
- - name: Login
- run: echo ${{ secrets.GHCR_PAT }} | docker login ghcr.io -u dchidell --password-stdin
- - name: Build
- run: docker build . --file Dockerfile --tag ghcr.io/dchidell/radius-web:latest
- - name: Push
- run: |
- docker push ghcr.io/dchidell/radius-web:latest
\ No newline at end of file
+ - uses: actions/checkout@v4
+ - name: Set outputs
+ id: vars
+ run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+ - name: Check outputs
+ run: echo ${{ steps.vars.outputs.sha_short }}
+ - name: Login to GitHub Container Registry
+ run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
+ - name: Build image for GitHub Package Registry
+ run: docker build . --file Dockerfile --tag ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }} --tag ghcr.io/luketainton/docker-radius:latest
+ - name: Push image to GitHub Package Registry
+ run: |
+ docker push ghcr.io/luketainton/docker-radius:latest
+ docker push ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }}
diff --git a/Dockerfile b/Dockerfile
index 4be59be..0fc1aa8 100644
--- a/Dockerfile
+++ b/Dockerfile
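Review bot: `needs: release` on the `build` job names a job that does not exist — this hunk replaces the whole workflow and `build` is the only job in it — so GitHub will refuse to run the workflow (`Job 'build' depends on unknown job 'release'`) and no image is built or pushed; either delete the line or add the `release` job it expects. The login step also pipes a long-lived personal access token (`GHCR_ACCESS_TOKEN`) through a shell `echo` into `docker login`; for pushing to this repository's own GHCR namespace the ephemeral `${{ secrets.GITHUB_TOKEN }}` is enough if the job declares `permissions: { contents: read, packages: write }`, and `docker/login-action` does the stdin plumbing without the secret passing through a shell command line. Since this job has registry write access, pinning `actions/checkout@v4` to a full commit SHA instead of a movable tag would also close off a tag-retarget supply-chain path.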
@@ -1,11 +1,11 @@
-FROM alpine:3.14 as build
-LABEL maintainer="David Chidell (dchidell@cisco.com)"
+FROM alpine:3.18 as build
+LABEL maintainer="Luke Tainton "
 FROM build as webproc
 ENV WEBPROCVERSION 0.4.0
 ENV WEBPROCURL https://github.com/jpillora/webproc/releases/download/v$WEBPROCVERSION/webproc_"$WEBPROCVERSION"_linux_amd64.gz
 RUN apk add --no-cache curl
-RUN curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc
+RUN curl -sL $WEBPROCURL | gzip -d - > /usr/local/bin/webproc
 RUN chmod +x /usr/local/bin/webproc
 FROM build as radius
@@ -16,4 +16,4 @@ ADD users /etc/raddb/users
 ADD radiusd.conf /etc/raddb/radiusd.conf
 RUN chmod -R o-w /etc/raddb/
 ENTRYPOINT ["webproc","-o","restart","-c","/etc/raddb/users","-c", "/etc/raddb/clients.conf", "-c", "/etc/raddb/radiusd.conf","--","radiusd","-f","-l","stdout"]
-EXPOSE 1812/udp 8080
+EXPOSE 1812/udp 8080/tcp
diff --git a/README.md b/README.md
index f7365c0..2385fb5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# docker-radius-web
- A web based version of my radius container.
+# docker-radius
+FreeRADIUS container with web-based config file manager.
diff --git a/clients.conf b/clients.conf
index 7cee1f6..0cde29c 100644
--- a/clients.conf
+++ b/clients.conf
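Review bot: The fixed `RUN curl -sL $WEBPROCURL | gzip -d - > /usr/local/bin/webproc` line now really downloads the binary, but it installs an executable fetched from a GitHub release with no integrity check, so a replaced or tampered release asset would silently become the container's entrypoint; pin the expected digest and fail the build on mismatch, e.g. `RUN curl -fsSL "$WEBPROCURL" -o /tmp/webproc.gz && echo "<sha256 from the release page>  /tmp/webproc.gz" | sha256sum -c - && gzip -dc /tmp/webproc.gz > /usr/local/bin/webproc`. Separately, the unchanged ENTRYPOINT hands `radiusd.conf` — along with `clients.conf` and `users`, which hold shared secrets and credentials — to webproc's editor on port 8080 with no authentication visible in this file; since `radiusd.conf` can set things like `ENV { LD_PRELOAD = … }`, `checkrad` or `libdir`, anyone who can reach 8080 can get code execution in the container on the next restart. That should be stated in the README next to the port, and whatever authentication webproc supports (I have not verified its flags here) enabled before this is run anywhere 8080 is reachable.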
@@ -3,3 +3,292 @@ client ALL-DEVICES { nastype = cisco ipaddr = 0.0.0.0/0 } + +# -*- text -*- +## +## clients.conf -- client configuration directives +## +## $Id: 60f9f4bf8a32804182e4516ac69ac510d25215d1 $ + +####################################################################### +# +# Define RADIUS clients (usually a NAS, Access Point, etc.). + +# +# Defines a RADIUS client. +# +# '127.0.0.1' is another name for 'localhost'. It is enabled by default, +# to allow testing of the server after an initial installation. If you +# are not going to be permitting RADIUS queries from localhost, we suggest +# that you delete, or comment out, this entry. +# +# + +# +# Each client has a "short name" that is used to distinguish it from +# other clients. +# +# In version 1.x, the string after the word "client" was the IP +# address of the client. In 2.0, the IP address is configured via +# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x +# format is still accepted. +# +# client localhost { +# # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for +# # a client. +# # +# # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR +# # notation '/' to specify ranges. +# # +# # ipaddr will accept domain names e.g. example.org resolving +# # them via DNS. +# # +# # If both A and AAAA records are found, A records will be +# # used in preference to AAAA. +# ipaddr = 127.0.0.1 + +# # Same as ipaddr but allows v4 addresses only. Requires A +# # record for domain names. +# # ipv4addr = * # any. 127.0.0.1 == localhost + +# # Same as ipaddr but allows v6 addresses only. Requires AAAA +# # record for domain names. +# # ipv6addr = :: # any. ::1 == localhost + +# # +# # A note on DNS: We STRONGLY recommend using IP addresses +# # rather than host names. Using host names means that the +# # server will do DNS lookups when it starts, making it +# # dependent on DNS. i.e. If anything goes wrong with DNS, +# # the server won't start! 
+# # +# # The server also looks up the IP address from DNS once, and +# # only once, when it starts. If the DNS record is later +# # updated, the server WILL NOT see that update. +# # + +# # +# # The transport protocol. +# # +# # If unspecified, defaults to "udp", which is the traditional +# # RADIUS transport. It may also be "tcp", in which case the +# # server will accept connections from this client ONLY over TCP. +# # +# proto = * + +# # +# # The shared secret use to "encrypt" and "sign" packets between +# # the NAS and FreeRADIUS. You MUST change this secret from the +# # default, otherwise it's not a secret any more! +# # +# # The secret can be any string, up to 8k characters in length. +# # +# # Control codes can be entered vi octal encoding, +# # e.g. "\101\102" == "AB" +# # Quotation marks can be entered by escaping them, +# # e.g. "foo\"bar" +# # +# # A note on security: The security of the RADIUS protocol +# # depends COMPLETELY on this secret! We recommend using a +# # shared secret that is composed of: +# # +# # upper case letters +# # lower case letters +# # numbers +# # +# # And is at LEAST 8 characters long, preferably 16 characters in +# # length. The secret MUST be random, and should not be words, +# # phrase, or anything else that is recognisable. +# # +# # The default secret below is only for testing, and should +# # not be used in any real environment. +# # +# secret = testing123 + +# # +# # Old-style clients do not send a Message-Authenticator +# # in an Access-Request. RFC 5080 suggests that all clients +# # SHOULD include it in an Access-Request. The configuration +# # item below allows the server to require it. If a client +# # is required to include a Message-Authenticator and it does +# # not, then the packet will be silently discarded. +# # +# # allowed values: yes, no +# require_message_authenticator = no + +# # +# # The short name is used as an alias for the fully qualified +# # domain name, or the IP address. 
+# # +# # It is accepted for compatibility with 1.x, but it is no +# # longer necessary in >= 2.0 +# # +# # shortname = localhost + +# # +# # the following three fields are optional, but may be used by +# # checkrad.pl for simultaneous use checks +# # + +# # +# # The nas_type tells 'checkrad.pl' which NAS-specific method to +# # use to query the NAS for simultaneous use. +# # +# # Permitted NAS types are: +# # +# # cisco +# # computone +# # livingston +# # juniper +# # max40xx +# # multitech +# # netserver +# # pathras +# # patton +# # portslave +# # tc +# # usrhiper +# # other # for all other types + +# # +# nas_type = other # localhost isn't usually a NAS... + +# # +# # The following two configurations are for future use. +# # The 'naspasswd' file is currently used to store the NAS +# # login name and password, which is used by checkrad.pl +# # when querying the NAS for simultaneous use. +# # +# # login = !root +# # password = someadminpas + +# # +# # As of 2.0, clients can also be tied to a virtual server. +# # This is done by setting the "virtual_server" configuration +# # item, as in the example below. +# # +# # virtual_server = home1 + +# # +# # A pointer to the "home_server_pool" OR a "home_server" +# # section that contains the CoA configuration for this +# # client. For an example of a coa home server or pool, +# # see raddb/sites-available/originate-coa +# # coa_server = coa + +# # +# # Response window for proxied packets. If non-zero, +# # then the lower of (home, client) response_window +# # will be used. +# # +# # i.e. it can be used to lower the response_window +# # packets from one client to a home server. It cannot +# # be used to raise the response_window. +# # +# # response_window = 10.0 + +# # +# # Connection limiting for clients using "proto = tcp". +# # +# # This section is ignored for clients sending UDP traffic +# # +# limit { +# # +# # Limit the number of simultaneous TCP connections from a client +# # +# # The default is 16. 
+# # Setting this to 0 means "no limit" +# max_connections = 16 + +# # The per-socket "max_requests" option does not exist. + +# # +# # The lifetime, in seconds, of a TCP connection. After +# # this lifetime, the connection will be closed. +# # +# # Setting this to 0 means "forever". +# lifetime = 0 + +# # +# # The idle timeout, in seconds, of a TCP connection. +# # If no packets have been received over the connection for +# # this time, the connection will be closed. +# # +# # Setting this to 0 means "no timeout". +# # +# # We STRONGLY RECOMMEND that you set an idle timeout. +# # +# idle_timeout = 30 +# } +# } + +# IPv6 Client +# client localhost_ipv6 { +# ipv6addr = ::1 +# secret = testing123 +# } + +# All IPv6 Site-local clients +#client sitelocal_ipv6 { +# ipv6addr = fe80::/16 +# secret = testing123 +#} + +#client example.org { +# ipaddr = radius.example.org +# secret = testing123 +#} + +# +# You can now specify one secret for a network of clients. +# When a client request comes in, the BEST match is chosen. +# i.e. The entry from the smallest possible network. +# +#client private-network-1 { +# ipaddr = 192.0.2.0/24 +# secret = testing123-1 +#} + +#client private-network-2 { +# ipaddr = 198.51.100.0/24 +# secret = testing123-2 +#} + +####################################################################### +# +# Per-socket client lists. The configuration entries are exactly +# the same as above, but they are nested inside of a section. +# +# You can have as many per-socket client lists as you have "listen" +# sections, or you can re-use a list among multiple "listen" sections. +# +# Un-comment this section, and edit a "listen" section to add: +# "clients = per_socket_clients". That IP address/port combination +# will then accept ONLY the clients listed in this section. +# +# There are additional considerations when using clients from SQL. +# +# A client can be link to a virtual server via modules such as SQL. 
+# This link is done via the following process: +# +# If there is no listener in a virtual server, SQL clients are added +# to the global list for that virtual server. +# +# If there is a listener, and the first listener does not have a +# "clients=..." configuration item, SQL clients are added to the +# global list. +# +# If there is a listener, and the first one does have a "clients=..." +# configuration item, SQL clients are added to that list. The client +# { ...} ` configured in that list are also added for that listener. +# +# The only issue is if you have multiple listeners in a virtual +# server, each with a different client list, then the SQL clients are +# added only to the first listener. +# +#clients per_socket_clients { +# client socket_client { +# ipaddr = 192.0.2.4 +# secret = testing123 +# } +#} diff --git a/radiusd.conf b/radiusd.conf index 8f27f9b..ca43ea3 100644 --- a/radiusd.conf +++ b/radiusd.conf 
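Review bot: Every added line here is upstream `#` commentary, while the live `client ALL-DEVICES { … ipaddr = 0.0.0.0/0 }` block in the hunk's context still accepts requests from any source address under one shared secret and does not set `require_message_authenticator = yes`, which the pasted text itself recommends (RFC 5080); with a catch-all client that is the setting that makes the server discard Access-Requests not authenticated with the secret instead of processing and answering them, so add `require_message_authenticator = yes` inside `ALL-DEVICES` and, where the NAS population is known, narrow `ipaddr` to those networks. The live block also uses the key `nastype` whereas the reference text uses `nas_type`; I have not checked whether 3.0.26 still accepts the old spelling, so confirm with `radiusd -XC`. The `secret =` for `ALL-DEVICES` is on lines 1–2 of the file, above this hunk, and is not visible here.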
@@ -1,54 +1,84 @@ # -*- text -*- ## -## radiusd.conf -- FreeRADIUS server configuration file - 3.0.17 +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.26 ## -## http://www.freeradius.org/ -## $Id: 59e59f3ac443e75663333a5b7732664b67c5567d $ +## http://www.freeradius.org/ +## $Id: 154b50d6106130b3e3729d2679539c259855e381 $ ## ###################################################################### # -# Read "man radiusd" before editing this file. See the section -# titled DEBUGGING. It outlines a method where you can quickly -# obtain the configuration you want, without running into -# trouble. +# The format of this (and other) configuration file is +# documented in "man unlang". There are also READMEs in many +# subdirectories: # -# Run the server in debugging mode, and READ the output. +# raddb/README.rst +# How to upgrade from v2. # -# $ radiusd -X +# raddb/mods-available/README.rst +# How to use mods-available / mods-enabled. +# All of the modules are in individual files, +# along with configuration items and full documentation. # -# We cannot emphasize this point strongly enough. The vast -# majority of problems can be solved by carefully reading the -# debugging output, which includes warnings about common issues, -# and suggestions for how they may be fixed. +# raddb/sites-available/README +# virtual servers, "listen" sections, clients, etc. +# The "sites-available" directory contains many +# worked examples of common configurations. # -# There may be a lot of output, but look carefully for words like: -# "warning", "error", "reject", or "failure". The messages there -# will usually be enough to guide you to a solution. +# raddb/certs/README.md +# How to create certificates for EAP or RadSec. +# +# Every configuration item in the server is documented +# extensively in the comments in the example configuration +# files. +# +# Before editing this (or any other) configuration file, PLEASE +# read "man radiusd". See the section titled DEBUGGING. 
It +# outlines a method where you can quickly create the +# configuration you want, with minimal effort. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# More documentation on "radiusd -X" is available on the wiki: +# https://wiki.freeradius.org/radiusd-X +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". +# +# Guidelines for posting to the mailing list are on the wiki: +# https://wiki.freeradius.org/list-help +# +# Please read those guidelines before posting to the list. +# +# Further documentation is available in the "doc" directory +# of the server distribution, or on the wiki at: +# https://wiki.freeradius.org/ +# +# New users to RADIUS should read the Technical Guide. That guide +# explains how RADIUS works, how FreeRADIUS works, and what each +# part of a RADIUS system does. It is not just "configure FreeRADIUS"! +# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf +# +# More documentation on dictionaries, modules, unlang, etc. is also +# available on the Network RADIUS web site: +# https://networkradius.com/freeradius-documentation/ # -# If you are going to ask a question on the mailing list, then -# explain what you are trying to do, and include the output from -# debugging mode (radiusd -X). 
Failure to do so means that all -# of the responses to your question will be people telling you -# to "post the output of radiusd -X". ###################################################################### -# -# The location of other config files and logfiles are declared -# in this file. -# -# Also general configuration for modules can be done in this -# file, it is exported through the API to modules that ask for -# it. -# -# See "man radiusd.conf" for documentation on the format of this -# file. Note that the individual configuration items are NOT -# documented in that "man" page. They are only documented here, -# in the comments. -# -# The "unlang" policy language can be used to create complex -# if / else policies. See "man unlang" for details. -# prefix = /usr exec_prefix = ${prefix} @@ -68,10 +98,10 @@ confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs -run_dir = ${localstatedir}/run/${name} +run_dir = /run/${name} -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd +cachedir = ${localstatedir}/cache/radiusd # # libdir: Where to find the rlm_* modules. 
@@ -101,33 +131,30 @@ db_dir = ${raddbdir} # If that does not work, then you can re-configure and re-build the # server to NOT use shared libraries, via: # -# ./configure --disable-shared -# make -# make install +# ./configure --disable-shared +# make +# make install # libdir = /usr/lib/freeradius -# pidfile: Where to place the PID of the RADIUS server. -# -# The server may be signalled while it's running by using this -# file. -# -# This file is written when ONLY running in daemon mode. -# -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` -# -pidfile = ${run_dir}/${name}.pid - # # correct_escapes: use correct backslash escaping # +# This setting is for compatibility with 3.0.4 and earlier. If +# you're running a copy of the configuration from 3.0.4, you can +# change this setting to "no" in order to run a new binary using the +# old configuration files. +# +# If you've created the configuration after 2014, this should be set +# to "true", and you can ignore it. +# # Prior to version 3.0.5, the handling of backslashes was a little # awkward, i.e. "wrong". In some cases, to get one backslash into # a regex, you had to put 4 in the config files. # -# Version 3.0.5 fixes that. However, for backwards compatibility, +# Version 3.0.5 fixed that. However, for backwards compatibility, # the new method of escaping is DISABLED BY DEFAULT. This means -# that upgrading to 3.0.5 won't break your configuration. +# that upgrading from a 3.0.4 or below won't break your configuration. # # If you don't have double backslashes (i.e. \\) in your configuration, # this won't matter to you. If you do have them, fix that to use only @@ -135,7 +162,7 @@ pidfile = ${run_dir}/${name}.pid # # You can check for this by doing: # -# $ grep '\\\\' $(find raddb -type f -print) +# $ grep '\\\\' $(find raddb -type f -print) # correct_escapes = true 
@@ -208,7 +235,7 @@ max_request_time = 30 # If this value is set too high, then the server will cache too many # requests, and some new requests may get blocked. (See 'max_requests'.) # -# Useful range of values: 2 to 10 +# Useful range of values: 2 to 30 # cleanup_delay = 5 
@@ -249,90 +276,211 @@ max_requests = 16384 # hostname_lookups = no +# +# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when +# the server sends an Access-Challenge, and then client does not +# respond to it. The goal is to allow administrators to log +# something when the client does not respond. +# +# See sites-available/default, "Post-Auth-Type Client-Lost" for more +# information. +# +#postauth_client_lost = no + # # Logging section. The various "log_*" configuration items # will eventually be moved here. # log { - # - # Destination for log messages. This can be one of: - # - # files - log to "file", as defined below. - # syslog - to syslog (see also the "syslog_facility", below. - # stdout - standard output - # stderr - standard error. - # - # The command-line option "-X" over-rides this option, and forces - # logging to go to stdout. - # - destination = stdout + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = files - # - # Highlight important messages sent to stderr and stdout. - # - # Option will be ignored (disabled) if output if TERM is not - # an xterm or output is not to a TTY. - # - colourise = yes + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # + colourise = yes - # - # The logging messages for the server are appended to the - # tail of this file if destination == "files" - # - # If the server is running in debugging mode, this file is - # NOT used. 
- # - file = ${logdir}/radius.log + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log - # - # Which syslog facility to use, if ${destination} == "syslog" - # - # The exact values permitted here are OS-dependent. You probably - # don't want to change this. - # - syslog_facility = daemon + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon - # Log the full User-Name attribute, as it was found in the request. - # - # allowed values: {no, yes} - # - stripped_names = no + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no - # Log authentication requests to the log file. - # - # allowed values: {no, yes} - # - auth = yes + # Log all (accept and reject) authentication results to the log file. + # + # This is the same as setting "auth_accept = yes" and + # "auth_reject = yes" + # + # allowed values: {no, yes} + # + auth = no - # Log passwords with the authentication requests. - # auth_badpass - logs password if it's rejected - # auth_goodpass - logs password if it's correct - # - # allowed values: {no, yes} - # - auth_badpass = yes - auth_goodpass = yes + # Log Access-Accept results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_accept = no - # Log additional text at the end of the "Login OK" messages. - # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" - # configurations above have to be set to "yes". - # - # The strings below are dynamically expanded, which means that - # you can put anything you want in them. 
However, note that - # this expansion can be slow, and can negatively impact server - # performance. - # -# msg_goodpass = "" -# msg_badpass = "" + # Log Access-Reject results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_reject = no - # The message when the user exceeds the Simultaneous-Use limit. - # - msg_denied = "You are already logged in - access denied" + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = no + auth_goodpass = no + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +# msg_goodpass = "" +# msg_badpass = "" + + # The message when the user exceeds the Simultaneous-Use limit. + # + msg_denied = "You are already logged in - access denied" + + # Suppress "secret" attributes when printing them in debug mode. + # + # Secrets are NOT tracked across xlat expansions. If your + # configuration puts secrets into other strings, they will + # still get printed. + # + # Setting this to "yes" means that the server prints + # + # <<< secret >>> + # + # instead of the value, for attriburtes which contain secret + # information. e.g. User-Name, Tunnel-Password, etc. + # + # This configuration is disabled by default. It is extremely + # important for administrators to be able to debug user logins + # by seeing what is actually being sent. + # +# suppress_secrets = no } # The program to execute to do concurrency checks. 
checkrad = ${sbindir}/checkrad +# +# ENVIRONMENT VARIABLES +# +# You can reference environment variables using an expansion like +# `$ENV{PATH}`. However it is sometimes useful to be able to also set +# environment variables. This section lets you do that. +# +# The main purpose of this section is to allow administrators to keep +# RADIUS-specific configuration in the RADIUS configuration files. +# For example, if you need to set an environment variable which is +# used by a module. You could put that variable into a shell script, +# but that's awkward. Instead, just list it here. +# +# Note that these environment variables are set AFTER the +# configuration file is loaded. So you cannot set FOO here, and +# expect to reference it via `$ENV{FOO}` in another configuration file. +# You should instead just use a normal configuration variable for +# that. +# +ENV { + # + # Set environment varable `FOO` to value '/bar/baz'. + # + # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append + # values. + # +# FOO = '/bar/baz' + + # + # Delete environment variable `BAR`. + # +# BAR + + # + # `LD_PRELOAD` is special. It is normally set before the + # application runs, and is interpreted by the dynamic linker. + # Which means you cannot set it inside of an application, and + # expect it to load libraries. + # + # Since this functionality is useful, we extend it here. + # + # You can set + # + # LD_PRELOAD = /path/to/library.so + # + # and the server will load the named libraries. Multiple + # libraries can be loaded by specificing multiple individual + # `LD_PRELOAD` entries. + # + # +# LD_PRELOAD = /path/to/library1.so +# LD_PRELOAD = /path/to/library2.so +} + +# +# TEMPLATES +# +# Template files hold common definitions that can be used in other +# server sections. When a template is referenced, the configuration +# items within the referenced template are copied to the referencing +# section. 
+# +# Using templates reduces repetition of common configuration items, +# which in turn makes the server configuration easier to maintain. +# +# See templates.conf for examples of using templates, and the +# referencing syntax. +# + +# $INCLUDE templates.conf + + # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This 
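Review bot: The `log { }` block goes from `auth = yes` to `auth = no` with `auth_accept`/`auth_reject` left commented out, so the server stops recording Access-Accept and Access-Reject outcomes entirely and there is no longer a per-login audit trail for detection or incident response; the useful part of the change — `auth_badpass = no` and `auth_goodpass = no` to keep passwords out of the log — does not depend on it, so keep `auth = yes` next to those two `= no` lines (or set `auth_accept = yes` and `auth_reject = yes`). `destination = files` also deserves a comment: the image's ENTRYPOINT runs `radiusd -f -l stdout`, which as far as I can tell takes precedence over this setting, so it only matters if the server is started some other way and a reader would otherwise expect `${logdir}/radius.log` to be written. Since `radiusd.conf` is one of the files the web editor on port 8080 can rewrite, the newly documented `ENV { LD_PRELOAD = … }` mechanism is reachable from that UI and is worth noting wherever the image's exposure of 8080 is described.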
@@ -340,136 +488,135 @@ checkrad = ${sbindir}/checkrad # of those attacks # security { - # chroot: directory where the server does "chroot". - # - # The chroot is done very early in the process of starting - # the server. After the chroot has been performed it - # switches to the "user" listed below (which MUST be - # specified). If "group" is specified, it switches to that - # group, too. Any other groups listed for the specified - # "user" in "/etc/group" are also added as part of this - # process. - # - # The current working directory (chdir / cd) is left - # *outside* of the chroot until all of the modules have been - # initialized. This allows the "raddb" directory to be left - # outside of the chroot. Once the modules have been - # initialized, it does a "chdir" to ${logdir}. This means - # that it should be impossible to break out of the chroot. - # - # If you are worried about security issues related to this - # use of chdir, then simply ensure that the "raddb" directory - # is inside of the chroot, end be sure to do "cd raddb" - # BEFORE starting the server. - # - # If the server is statically linked, then the only files - # that have to exist in the chroot are ${run_dir} and - # ${logdir}. If you do the "cd raddb" as discussed above, - # then the "raddb" directory has to be inside of the chroot - # directory, too. - # -# chroot = /path/to/chroot/directory + # chroot: directory where the server does "chroot". + # + # The chroot is done very early in the process of starting + # the server. After the chroot has been performed it + # switches to the "user" listed below (which MUST be + # specified). If "group" is specified, it switches to that + # group, too. Any other groups listed for the specified + # "user" in "/etc/group" are also added as part of this + # process. + # + # The current working directory (chdir / cd) is left + # *outside* of the chroot until all of the modules have been + # initialized. 
This allows the "raddb" directory to be left + # outside of the chroot. Once the modules have been + # initialized, it does a "chdir" to ${logdir}. This means + # that it should be impossible to break out of the chroot. + # + # If you are worried about security issues related to this + # use of chdir, then simply ensure that the "raddb" directory + # is inside of the chroot, end be sure to do "cd raddb" + # BEFORE starting the server. + # + # If the server is statically linked, then the only files + # that have to exist in the chroot are ${run_dir} and + # ${logdir}. If you do the "cd raddb" as discussed above, + # then the "raddb" directory has to be inside of the chroot + # directory, too. + # +# chroot = /path/to/chroot/directory - # user/group: The name (or #number) of the user/group to run radiusd as. - # - # If these are commented out, the server will run as the - # user/group that started it. In order to change to a - # different user/group, you MUST be root ( or have root - # privileges ) to start the server. - # - # We STRONGLY recommend that you run the server with as few - # permissions as possible. That is, if you're not using - # shadow passwords, the user and group items below should be - # set to radius'. - # - # NOTE that some kernels refuse to setgid(group) when the - # value of (unsigned)group is above 60000; don't use group - # "nobody" on these systems! - # - # On systems with shadow passwords, you might have to set - # 'group = shadow' for the server to be able to read the - # shadow password file. If you can authenticate users while - # in debug mode, but not in daemon mode, it may be that the - # debugging mode server is running as a user that can read - # the shadow info, and the user listed below can not. - # - # The server will also try to use "initgroups" to read - # /etc/groups. It will join all groups where "user" is a - # member. This can allow for some finer-grained access - # controls. 
- # - user = radius - group = radius + # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # + user = radius + group = radius - # Core dumps are a bad thing. This should only be set to - # 'yes' if you're debugging a problem with the server. - # - # allowed values: {no, yes} - # - allow_core_dumps = no + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # + allow_core_dumps = no - # - # max_attributes: The maximum number of attributes - # permitted in a RADIUS packet. Packets which have MORE - # than this number of attributes in them will be dropped. - # - # If this number is set too low, then no RADIUS packets - # will be accepted. 
- # - # If this number is set too high, then an attacker may be - # able to send a small number of packets which will cause - # the server to use all available memory on the machine. - # - # Setting this number to 0 means "allow any number of attributes" - max_attributes = 200 + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 - # - # reject_delay: When sending an Access-Reject, it can be - # delayed for a few seconds. This may help slow down a DoS - # attack. It also helps to slow down people trying to brute-force - # crack a users password. - # - # Setting this number to 0 means "send rejects immediately" - # - # If this number is set higher than 'cleanup_delay', then the - # rejects will be sent at 'cleanup_delay' time, when the request - # is deleted from the internal cache of requests. - # - # As of Version 3.0.5, "reject_delay" has sub-second resolution. - # e.g. "reject_delay = 1.4" seconds is possible. - # - # Useful ranges: 1 to 5 - reject_delay = 1 + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # This number can be a decimal, e.g. 
3.4 + # + # Useful ranges: 1 to 5 + reject_delay = 1 - # - # status_server: Whether or not the server will respond - # to Status-Server requests. - # - # When sent a Status-Server message, the server responds with - # an Access-Accept or Accounting-Response packet. - # - # This is mainly useful for administrators who want to "ping" - # the server, without adding test users, or creating fake - # accounting packets. - # - # It's also useful when a NAS marks a RADIUS server "dead". - # The NAS can periodically "ping" the server with a Status-Server - # packet. If the server responds, it must be alive, and the - # NAS can start using it for real requests. - # - # See also raddb/sites-available/status - # - status_server = yes + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + # See also raddb/sites-available/status + # + status_server = yes - # - # allow_vulnerable_openssl: Allow the server to start with - # versions of OpenSSL known to have critical vulnerabilities. - # - # This check is based on the version number reported by libssl - # and may not reflect patches applied to libssl by - # distribution maintainers. - # - allow_vulnerable_openssl = 'CVE-2016-6309' + # + # allow_vulnerable_openssl: Allow the server to start with + # versions of OpenSSL known to have critical vulnerabilities. 
+ # + # This check is based on the version number reported by libssl + # and may not reflect patches applied to libssl by + # distribution maintainers. + # + allow_vulnerable_openssl = no } # PROXY CONFIGURATION 
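Review bot: `user = radius` / `group = radius` are the only privilege drop this security block performs, and the accompanying comment is explicit that the switch only happens when radiusd is started as root and only if that account exists; nothing in this hunk creates the account (the image build is outside the hunk), so the deployment should confirm the FreeRADIUS package provides the `radius` user in the container rather than assume it. I would record that dependency next to the two lines, e.g. `# NOTE: the container image must provide the "radius" account (verify with 'id radius' in the built image); without it the user/group switch below cannot happen.` The comment also notes the server runs `initgroups` and joins every group listed for that user, so keep `radius` out of privileged groups such as `shadow` unless the container actually authenticates against /etc/shadow. Replacing the pinned `allow_vulnerable_openssl = 'CVE-2016-6309'` exception with `no` is the right default and should be kept as is.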
@@ -525,93 +672,93 @@ $INCLUDE clients.conf # The numbers given below should be adequate for most situations. # thread pool { - # Number of servers to start initially --- should be a reasonable - # ballpark figure. - start_servers = 5 + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 - # Limit on the total number of servers running. - # - # If this limit is ever reached, clients will be LOCKED OUT, so it - # should NOT BE SET TOO LOW. It is intended mainly as a brake to - # keep a runaway server from taking the system with it as it spirals - # down... - # - # You may find that the server is regularly reaching the - # 'max_servers' number of threads, and that increasing - # 'max_servers' doesn't seem to make much difference. - # - # If this is the case, then the problem is MOST LIKELY that - # your back-end databases are taking too long to respond, and - # are preventing the server from responding in a timely manner. - # - # The solution is NOT do keep increasing the 'max_servers' - # value, but instead to fix the underlying cause of the - # problem: slow database, or 'hostname_lookups=yes'. - # - # For more information, see 'max_request_time', above. - # - max_servers = 32 + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. 
+ # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 - # Server-pool size regulation. Rather than making you guess - # how many servers you need, FreeRADIUS dynamically adapts to - # the load it sees, that is, it tries to maintain enough - # servers to handle the current load, plus a few spare - # servers to handle transient load spikes. - # - # It does this by periodically checking how many servers are - # waiting for a request. If there are fewer than - # min_spare_servers, it creates a new spare. If there are - # more than max_spare_servers, some of the spares die off. - # The default values are probably OK for most sites. - # - min_spare_servers = 3 - max_spare_servers = 10 + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 - # When the server receives a packet, it places it onto an - # internal queue, where the worker threads (configured above) - # pick it up for processing. The maximum size of that queue - # is given here. - # - # When the queue is full, any new packets will be silently - # discarded. - # - # The most common cause of the queue being full is that the - # server is dependent on a slow database, and it has received - # a large "spike" of traffic. 
When that happens, there is - # very little you can do other than make sure the server - # receives less traffic, or make sure that the database can - # handle the load. - # -# max_queue_size = 65536 + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 - # Clean up old threads periodically. For no reason other than - # it might be useful. - # - # '0' is a special value meaning 'infinity', or 'the servers never - # exit' - max_requests_per_server = 0 + # Clean up old threads periodically. For no reason other than + # it might be useful. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 - # Automatically limit the number of accounting requests. - # This configuration item tracks how many requests per second - # the server can handle. It does this by tracking the - # packets/s received by the server for processing, and - # comparing that to the packets/s handled by the child - # threads. - # + # Automatically limit the number of accounting requests. + # This configuration item tracks how many requests per second + # the server can handle. It does this by tracking the + # packets/s received by the server for processing, and + # comparing that to the packets/s handled by the child + # threads. 
+ # - # If the received PPS is larger than the processed PPS, *and* - # the queue is more than half full, then new accounting - # requests are probabilistically discarded. This lowers the - # number of packets that the server needs to process. Over - # time, the server will "catch up" with the traffic. - # - # Throwing away accounting packets is usually safe and low - # impact. The NAS will retransmit them in a few seconds, or - # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 - # to see how accounting packets should be retransmitted. Using - # any other method is likely to cause network meltdowns. - # - auto_limit_acct = no + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # + auto_limit_acct = no } ###################################################################### 
@@ -630,47 +777,62 @@ thread pool { # in other sections of this configuration file. # modules { - # - # Each module has a configuration as follows: - # - # name [ instance ] { - # config_item = value - # ... - # } - # - # The 'name' is used to load the 'rlm_name' library - # which implements the functionality of the module. - # - # The 'instance' is optional. To have two different instances - # of a module, it first must be referred to by 'name'. - # The different copies of the module are then created by - # inventing two 'instance' names, e.g. 'instance1' and 'instance2' - # - # The instance names can then be used in later configuration - # INSTEAD of the original 'name'. See the 'radutmp' configuration - # for an example. - # + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # - # - # As of 3.0, modules are in mods-enabled/. Files matching - # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are - # initialized ONLY if they are referenced in a processing - # section, such as authorize, authenticate, accounting, - # pre/post-proxy, etc. - # - $INCLUDE mods-enabled/ + # + # Some modules have ordering issues. e.g. "sqlippool" uses + # the configuration from "sql". In that case, the "sql" + # module must be read off of disk before the "sqlippool". + # However, the directory inclusion below just reads the + # directory from start to finish. 
Which means that the + # modules are read off of disk randomly. + # + # You can list individual modules *before* the directory + # inclusion. Those modules will be loaded first. Then, when + # the directory is read, those modules will be skipped and + # not read twice. + # +# $INCLUDE mods-enabled/sql + + # + # All modules are in ther mods-enabled/ directory. Files + # matching the regex /[a-zA-Z0-9_.]+/ are read. The + # modules are initialized ONLY if they are referenced in a + # processing section, such as authorize, authenticate, + # accounting, pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ } # Instantiation # -# This section orders the loading of the modules. Modules -# listed here will get loaded BEFORE the later sections like -# authorize, authenticate, etc. get examined. +# This section sets the instantiation order of the modules. listed +# here will get started up BEFORE the sections like authorize, +# authenticate, etc. get examined. # -# This section is not strictly needed. When a section like -# authorize refers to a module, it's automatically loaded and -# initialized. However, some modules may not be listed in any -# of the following sections, so they can be listed here. +# This section is not strictly needed. When a section like authorize +# refers to a module, the module is automatically loaded and +# initialized. However, some modules may not be listed in any of the +# processing sections, so they should be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initialized. If one module needs 
@@ -683,55 +845,55 @@ modules { # don't need to list modules here. # instantiate { - # - # We list the counter module here so that it registers - # the check_name attribute before any module which sets - # it -# daily + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily - # subsections here can be thought of as "virtual" modules. - # - # e.g. If you have two redundant SQL servers, and you want to - # use them in the authorize and accounting sections, you could - # place a "redundant" block in each section, containing the - # exact same text. Or, you could uncomment the following - # lines, and list "redundant_sql" in the authorize and - # accounting sections. - # - # The "virtual" module defined here can also be used with - # dynamic expansions, under a few conditions: - # - # * The section is "redundant", or "load-balance", or - # "redundant-load-balance" - # * The section contains modules ONLY, and no sub-sections - # * all modules in the section are using the same rlm_ - # driver, e.g. They are all sql, or all ldap, etc. - # - # When those conditions are satisfied, the server will - # automatically register a dynamic expansion, using the - # name of the "virtual" module. In the example below, - # it will be "redundant_sql". You can then use this expansion - # just like any other: - # - # update reply { - # Filter-Id := "%{redundant_sql: ... }" - # } - # - # In this example, the expansion is done via module "sql1", - # and if that expansion fails, using module "sql2". - # - # For best results, configure the "pool" subsection of the - # module so that "retry_delay" is non-zero. That will allow - # the redundant block to quickly ignore all "down" SQL - # databases. If instead we have "retry_delay = 0", then - # every time the redundant block is used, the server will try - # to open a connection to every "down" database, causing - # problems. 
- # - #redundant redundant_sql { - # sql1 - # sql2 - #} + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + # The "virtual" module defined here can also be used with + # dynamic expansions, under a few conditions: + # + # * The section is "redundant", or "load-balance", or + # "redundant-load-balance" + # * The section contains modules ONLY, and no sub-sections + # * all modules in the section are using the same rlm_ + # driver, e.g. They are all sql, or all ldap, etc. + # + # When those conditions are satisfied, the server will + # automatically register a dynamic expansion, using the + # name of the "virtual" module. In the example below, + # it will be "redundant_sql". You can then use this expansion + # just like any other: + # + # update reply { + # Filter-Id := "%{redundant_sql: ... }" + # } + # + # In this example, the expansion is done via module "sql1", + # and if that expansion fails, using module "sql2". + # + # For best results, configure the "pool" subsection of the + # module so that "retry_delay" is non-zero. That will allow + # the redundant block to quickly ignore all "down" SQL + # databases. If instead we have "retry_delay = 0", then + # every time the redundant block is used, the server will try + # to open a connection to every "down" database, causing + # problems. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} } ###################################################################### 
@@ -749,36 +911,36 @@ instantiate { # ###################################################################### policy { - $INCLUDE policy.d/ + $INCLUDE policy.d/ } ###################################################################### # -# Load virtual servers. +# Load virtual servers. # -# This next $INCLUDE line loads files in the directory that -# match the regular expression: /[a-zA-Z0-9_.]+/ +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ # -# It allows you to define new virtual servers simply by placing -# a file into the raddb/sites-enabled/ directory. +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. # $INCLUDE sites-enabled/ ###################################################################### # -# All of the other configuration sections like "authorize {}", -# "authenticate {}", "accounting {}", have been moved to the -# the file: +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: # -# raddb/sites-available/default +# raddb/sites-available/default # -# This is the "default" virtual server that has the same -# configuration as in version 1.0.x and 1.1.x. The default -# installation enables this virtual server. You should -# edit it to create policies for your local site. +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. # -# For more documentation on virtual servers, see: +# For more documentation on virtual servers, see: # -# raddb/sites-available/README +# raddb/sites-available/README # ###################################################################### \ No newline at end of file diff --git a/users b/users index 7d17378..b5401ed 100644 --- a/users +++ b/users 
@@ -1,2 +1,207 @@ - cisco Cleartext-Password := "cisco" +# +# +# Configuration file for the rlm_files module. +# Please see rlm_files(5) manpage for more information. +# +# This file contains authentication security and configuration +# information for each user. Accounting requests are NOT processed +# through this file. Instead, see 'accounting', in this directory. +# +# The first field is the user's name and can be up to +# 253 characters in length. This is followed (on the same line) with +# the list of authentication requirements for that user. This can +# include password, comm server name, comm server port number, protocol +# type (perhaps set by the "hints" file), and huntgroup name (set by +# the "huntgroups" file). +# +# If you are not sure why a particular reply is being sent by the +# server, then run the server in debugging mode (radiusd -X), and +# you will see which entries in this file are matched. +# +# When an authentication request is received from the comm server, +# these values are tested. Only the first match is used unless the +# "Fall-Through" variable is set to "Yes". +# +# A special user named "DEFAULT" matches on all usernames. +# You can have several DEFAULT entries. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the configuration values to be passed back to +# the comm server to allow the initiation of a user session. +# This can include things like the PPP configuration values +# or the host to log the user onto. +# +# You can include another `users' file with `$INCLUDE users.other' + +# +# For a list of RADIUS attributes, and links to their definitions, +# see: http://www.freeradius.org/rfc/attributes.html +# +# Entries below this point are examples included in the server for +# educational purposes. 
They may be deleted from the deployed +# configuration without impacting the operation of the server. +# + +# +# Deny access for a specific user. Note that this entry MUST +# be before any other 'Auth-Type' attribute which results in the user +# being authenticated. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#lameuser Auth-Type := Reject +# Reply-Message = "Your account has been disabled." + +# +# Deny access for a group of users. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#DEFAULT Group == "disabled", Auth-Type := Reject +# Reply-Message = "Your account has been disabled." +# + +# +# This is a complete entry for "steve". Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used, and the user will NOT +# get any attributes in addition to the ones listed here. +# +#steve Cleartext-Password := "testing" +# Service-Type = Framed-User, +# Framed-Protocol = PPP, +# Framed-IP-Address = 172.16.3.33, +# Framed-IP-Netmask = 255.255.255.0, +# Framed-Routing = Broadcast-Listen, +# Framed-Filter-Id = "std.ppp", +# Framed-MTU = 1500, +# Framed-Compression = Van-Jacobsen-TCP-IP + +# +# The canonical testing user which is in most of the +# examples. +# +#bob Cleartext-Password := "hello" +# Reply-Message := "Hello, %{User-Name}" +# + +# +# This is an entry for a user with a space in their name. +# Note the double quotes surrounding the name. If you have +# users with spaces in their names, you must also change +# the "filter_username" policy to allow spaces. +# +# See raddb/policy.d/filter, filter_username {} section. 
+# +#"John Doe" Cleartext-Password := "hello" +# Reply-Message = "Hello, %{User-Name}" + +# +# Dial user back and telnet to the default host for that port +# +#Deg Cleartext-Password := "ge55ged" +# Service-Type = Callback-Login-User, +# Login-IP-Host = 0.0.0.0, +# Callback-Number = "9,5551212", +# Login-Service = Telnet, +# Login-TCP-Port = Telnet + +# +# Another complete entry. After the user "dialbk" has logged in, the +# connection will be broken and the user will be dialed back after which +# he will get a connection to the host "timeshare1". +# +#dialbk Cleartext-Password := "callme" +# Service-Type = Callback-Login-User, +# Login-IP-Host = timeshare1, +# Login-Service = PortMaster, +# Callback-Number = "9,1-800-555-1212" + +# +# user "swilson" will only get a static IP number if he logs in with +# a framed protocol on a terminal server in Alphen (see the huntgroups file). +# +# Note that by setting "Fall-Through", other attributes will be added from +# the following DEFAULT entries +# +#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" +# Framed-IP-Address = 192.0.2.65, +# Fall-Through = Yes + +# +# If the user logs in as 'username.shell', then authenticate them +# using the default method, give them shell access, and stop processing +# the rest of the file. +# +#DEFAULT Suffix == ".shell" +# Service-Type = Login-User, +# Login-Service = Telnet, +# Login-IP-Host = your.shell.machine + + +# +# The rest of this file contains the several DEFAULT entries. +# DEFAULT entries match with all login names. +# Note that DEFAULT entries can also Fall-Through (see first entry). +# A name-value pair from a DEFAULT entry will _NEVER_ override +# an already existing name-value pair. +# + +# Sample defaults for all framed connections. +# +#DEFAULT Service-Type == Framed-User +# Framed-IP-Address = 255.255.255.254, +# Framed-MTU = 576, +# Service-Type = Framed-User, +# Fall-Through = Yes + +# +# Default for PPP: dynamic IP address, PPP mode, VJ-compression. 
+# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected +# by the terminal server in which case there may not be a "P" suffix. +# The terminal server sends "Framed-Protocol = PPP" for auto PPP. +# +DEFAULT Framed-Protocol == PPP + Framed-Protocol = PPP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. +# +DEFAULT Hint == "CSLIP" + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for SLIP: dynamic IP address, SLIP mode. +# +DEFAULT Hint == "SLIP" + Framed-Protocol = SLIP + +# +# Last default: rlogin to our main server. +# +#DEFAULT +# Service-Type = Login-User, +# Login-Service = Rlogin, +# Login-IP-Host = shellbox.ispdomain.com + +# # +# # Last default: shell on the local terminal server. +# # +# DEFAULT +# Service-Type = Administrative-User + + +# On no match, the user is denied access. + + +######################################################### +# You should add test accounts to the TOP of this file! # +# See the example user "bob" above. # +#########################################################
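Review bot: With the `cisco`/`cisco` entry removed, the new users file contains no account at all — every example user is commented out and the three active `DEFAULT` entries (`Framed-Protocol == PPP`, `Hint == "CSLIP"`, `Hint == "SLIP"`) only add reply attributes, with no `Auth-Type`, so as far as the visible entries show the image rejects every Access-Request out of the box (the file's own closing line, `# On no match, the user is denied access.`, says the same). That is the safe default, but it should be stated in the README and in this file's banner so operators know they must add entries at the top, as the banner already asks. The banner should also warn that `Cleartext-Password` stores the secret unencrypted on disk and point to the pre-hashed forms FreeRADIUS accepts in this file (e.g. `Crypt-Password`, `SSHA-Password`, or `NT-Password` where MS-CHAP is required), e.g. `# Prefer a hashed password attribute over Cleartext-Password; this file is readable by anyone who can read /etc/raddb.` Removing the hard-coded default credential is the right change; do not reintroduce a sample account with a known password.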