repos/docker-radius
6
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases 2 Activity

deps: update freeradius to 3.0.26

Browse Source
This commit is contained in:
Luke Tainton (ltainton)
2023-11-26 22:37:19 +00:00
parent 63014f2400
commit 561665a534
6 changed files with 1108 additions and 445 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
.github/workflows/build.yml vendored
View File

@@ -1,18 +1,25 @@
name: Build Docker Image
on:
push:
branches: master
branches: [master]
jobs:
build:
name: Push to GHCR
name: GitHub Container Registry
runs-on: ubuntu-latest
needs: release
steps:
- uses: actions/checkout@v2
- name: Login
run: echo ${{ secrets.GHCR_PAT }} | docker login ghcr.io -u dchidell --password-stdin
- name: Build
run: docker build . --file Dockerfile --tag ghcr.io/dchidell/radius-web:latest
- name: Push
- uses: actions/checkout@v4
- name: Set outputs
id: vars
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Check outputs
run: echo ${{ steps.vars.outputs.sha_short }}
- name: Login to GitHub Container Registry
run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
- name: Build image for GitHub Package Registry
run: docker build . --file Dockerfile --tag ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }} --tag ghcr.io/luketainton/docker-radius:latest
- name: Push image to GitHub Package Registry
run: |
docker push ghcr.io/dchidell/radius-web:latest
docker push ghcr.io/luketainton/docker-radius:latest
docker push ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }}

8
Dockerfile
View File

@@ -1,11 +1,11 @@
FROM alpine:3.14 as build
LABEL maintainer="David Chidell (dchidell@cisco.com)"
FROM alpine:3.18 as build
LABEL maintainer="Luke Tainton <luke@tainton.uk>"
FROM build as webproc
ENV WEBPROCVERSION 0.4.0
ENV WEBPROCURL https://github.com/jpillora/webproc/releases/download/v$WEBPROCVERSION/webproc_"$WEBPROCVERSION"_linux_amd64.gz
RUN apk add --no-cache curl
RUN curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc
RUN curl -sL $WEBPROCURL | gzip -d - > /usr/local/bin/webproc
RUN chmod +x /usr/local/bin/webproc
FROM build as radius
@@ -16,4 +16,4 @@ ADD users /etc/raddb/users
ADD radiusd.conf /etc/raddb/radiusd.conf
RUN chmod -R o-w /etc/raddb/
ENTRYPOINT ["webproc","-o","restart","-c","/etc/raddb/users","-c", "/etc/raddb/clients.conf", "-c", "/etc/raddb/radiusd.conf","--","radiusd","-f","-l","stdout"]
EXPOSE 1812/udp 8080
EXPOSE 1812/udp 8080/tcp

4
README.md
View File

@@ -1,2 +1,2 @@
# docker-radius-web
A web based version of my radius container.
# docker-radius
FreeRADIUS container with web-based config file manager.

289
clients.conf
View File

@@ -3,3 +3,292 @@ client ALL-DEVICES {
nastype = cisco
ipaddr = 0.0.0.0/0
}
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 60f9f4bf8a32804182e4516ac69ac510d25215d1 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
# client localhost {
# # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
# # a client.
# #
# # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
# # notation '/<mask>' to specify ranges.
# #
# # ipaddr will accept domain names e.g. example.org resolving
# # them via DNS.
# #
# # If both A and AAAA records are found, A records will be
# # used in preference to AAAA.
# ipaddr = 127.0.0.1
# # Same as ipaddr but allows v4 addresses only. Requires A
# # record for domain names.
# # ipv4addr = * # any. 127.0.0.1 == localhost
# # Same as ipaddr but allows v6 addresses only. Requires AAAA
# # record for domain names.
# # ipv6addr = :: # any. ::1 == localhost
# #
# # A note on DNS: We STRONGLY recommend using IP addresses
# # rather than host names. Using host names means that the
# # server will do DNS lookups when it starts, making it
# # dependent on DNS. i.e. If anything goes wrong with DNS,
# # the server won't start!
# #
# # The server also looks up the IP address from DNS once, and
# # only once, when it starts. If the DNS record is later
# # updated, the server WILL NOT see that update.
# #
# #
# # The transport protocol.
# #
# # If unspecified, defaults to "udp", which is the traditional
# # RADIUS transport. It may also be "tcp", in which case the
# # server will accept connections from this client ONLY over TCP.
# #
# proto = *
# #
# # The shared secret use to "encrypt" and "sign" packets between
# # the NAS and FreeRADIUS. You MUST change this secret from the
# # default, otherwise it's not a secret any more!
# #
# # The secret can be any string, up to 8k characters in length.
# #
# # Control codes can be entered vi octal encoding,
# # e.g. "\101\102" == "AB"
# # Quotation marks can be entered by escaping them,
# # e.g. "foo\"bar"
# #
# # A note on security: The security of the RADIUS protocol
# # depends COMPLETELY on this secret! We recommend using a
# # shared secret that is composed of:
# #
# # upper case letters
# # lower case letters
# # numbers
# #
# # And is at LEAST 8 characters long, preferably 16 characters in
# # length. The secret MUST be random, and should not be words,
# # phrase, or anything else that is recognisable.
# #
# # The default secret below is only for testing, and should
# # not be used in any real environment.
# #
# secret = testing123
# #
# # Old-style clients do not send a Message-Authenticator
# # in an Access-Request. RFC 5080 suggests that all clients
# # SHOULD include it in an Access-Request. The configuration
# # item below allows the server to require it. If a client
# # is required to include a Message-Authenticator and it does
# # not, then the packet will be silently discarded.
# #
# # allowed values: yes, no
# require_message_authenticator = no
# #
# # The short name is used as an alias for the fully qualified
# # domain name, or the IP address.
# #
# # It is accepted for compatibility with 1.x, but it is no
# # longer necessary in >= 2.0
# #
# # shortname = localhost
# #
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous use checks
# #
# #
# # The nas_type tells 'checkrad.pl' which NAS-specific method to
# # use to query the NAS for simultaneous use.
# #
# # Permitted NAS types are:
# #
# # cisco
# # computone
# # livingston
# # juniper
# # max40xx
# # multitech
# # netserver
# # pathras
# # patton
# # portslave
# # tc
# # usrhiper
# # other # for all other types
# #
# nas_type = other # localhost isn't usually a NAS...
# #
# # The following two configurations are for future use.
# # The 'naspasswd' file is currently used to store the NAS
# # login name and password, which is used by checkrad.pl
# # when querying the NAS for simultaneous use.
# #
# # login = !root
# # password = someadminpas
# #
# # As of 2.0, clients can also be tied to a virtual server.
# # This is done by setting the "virtual_server" configuration
# # item, as in the example below.
# #
# # virtual_server = home1
# #
# # A pointer to the "home_server_pool" OR a "home_server"
# # section that contains the CoA configuration for this
# # client. For an example of a coa home server or pool,
# # see raddb/sites-available/originate-coa
# # coa_server = coa
# #
# # Response window for proxied packets. If non-zero,
# # then the lower of (home, client) response_window
# # will be used.
# #
# # i.e. it can be used to lower the response_window
# # packets from one client to a home server. It cannot
# # be used to raise the response_window.
# #
# # response_window = 10.0
# #
# # Connection limiting for clients using "proto = tcp".
# #
# # This section is ignored for clients sending UDP traffic
# #
# limit {
# #
# # Limit the number of simultaneous TCP connections from a client
# #
# # The default is 16.
# # Setting this to 0 means "no limit"
# max_connections = 16
# # The per-socket "max_requests" option does not exist.
# #
# # The lifetime, in seconds, of a TCP connection. After
# # this lifetime, the connection will be closed.
# #
# # Setting this to 0 means "forever".
# lifetime = 0
# #
# # The idle timeout, in seconds, of a TCP connection.
# # If no packets have been received over the connection for
# # this time, the connection will be closed.
# #
# # Setting this to 0 means "no timeout".
# #
# # We STRONGLY RECOMMEND that you set an idle timeout.
# #
# idle_timeout = 30
# }
# }
# IPv6 Client
# client localhost_ipv6 {
# ipv6addr = ::1
# secret = testing123
# }
# All IPv6 Site-local clients
#client sitelocal_ipv6 {
# ipv6addr = fe80::/16
# secret = testing123
#}
#client example.org {
# ipaddr = radius.example.org
# secret = testing123
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client private-network-1 {
# ipaddr = 192.0.2.0/24
# secret = testing123-1
#}
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
# There are additional considerations when using clients from SQL.
#
# A client can be link to a virtual server via modules such as SQL.
# This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients are added
# to the global list for that virtual server.
#
# If there is a listener, and the first listener does not have a
# "clients=..." configuration item, SQL clients are added to the
# global list.
#
# If there is a listener, and the first one does have a "clients=..."
# configuration item, SQL clients are added to that list. The client
# { ...} ` configured in that list are also added for that listener.
#
# The only issue is if you have multiple listeners in a virtual
# server, each with a different client list, then the SQL clients are
# added only to the first listener.
#
#clients per_socket_clients {
# client socket_client {
# ipaddr = 192.0.2.4
# secret = testing123
# }
#}

280
radiusd.conf
View File

@@ -1,17 +1,41 @@
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.17
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.26
##
## http://www.freeradius.org/
## $Id: 59e59f3ac443e75663333a5b7732664b67c5567d $
## $Id: 154b50d6106130b3e3729d2679539c259855e381 $
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
# The format of this (and other) configuration file is
# documented in "man unlang". There are also READMEs in many
# subdirectories:
#
# raddb/README.rst
# How to upgrade from v2.
#
# raddb/mods-available/README.rst
# How to use mods-available / mods-enabled.
# All of the modules are in individual files,
# along with configuration items and full documentation.
#
# raddb/sites-available/README
# virtual servers, "listen" sections, clients, etc.
# The "sites-available" directory contains many
# worked examples of common configurations.
#
# raddb/certs/README.md
# How to create certificates for EAP or RadSec.
#
# Every configuration item in the server is documented
# extensively in the comments in the example configuration
# files.
#
# Before editing this (or any other) configuration file, PLEASE
# read "man radiusd". See the section titled DEBUGGING. It
# outlines a method where you can quickly create the
# configuration you want, with minimal effort.
#
# Run the server in debugging mode, and READ the output.
#
@@ -26,29 +50,35 @@
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# More documentation on "radiusd -X" is available on the wiki:
# https://wiki.freeradius.org/radiusd-X
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
#
# Guidelines for posting to the mailing list are on the wiki:
# https://wiki.freeradius.org/list-help
#
# Please read those guidelines before posting to the list.
#
# Further documentation is available in the "doc" directory
# of the server distribution, or on the wiki at:
# https://wiki.freeradius.org/
#
# New users to RADIUS should read the Technical Guide. That guide
# explains how RADIUS works, how FreeRADIUS works, and what each
# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
# More documentation on dictionaries, modules, unlang, etc. is also
# available on the Network RADIUS web site:
# https://networkradius.com/freeradius-documentation/
#
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# The "unlang" policy language can be used to create complex
# if / else policies. See "man unlang" for details.
#
prefix = /usr
exec_prefix = ${prefix}
@@ -68,10 +98,10 @@ confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
run_dir = /run/${name}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
db_dir = ${localstatedir}/lib/radiusd
cachedir = ${localstatedir}/cache/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -107,27 +137,24 @@ db_dir = ${raddbdir}
#
libdir = /usr/lib/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#
# correct_escapes: use correct backslash escaping
#
# This setting is for compatibility with 3.0.4 and earlier. If
# you're running a copy of the configuration from 3.0.4, you can
# change this setting to "no" in order to run a new binary using the
# old configuration files.
#
# If you've created the configuration after 2014, this should be set
# to "true", and you can ignore it.
#
# Prior to version 3.0.5, the handling of backslashes was a little
# awkward, i.e. "wrong". In some cases, to get one backslash into
# a regex, you had to put 4 in the config files.
#
# Version 3.0.5 fixes that. However, for backwards compatibility,
# Version 3.0.5 fixed that. However, for backwards compatibility,
# the new method of escaping is DISABLED BY DEFAULT. This means
# that upgrading to 3.0.5 won't break your configuration.
# that upgrading from a 3.0.4 or below won't break your configuration.
#
# If you don't have double backslashes (i.e. \\) in your configuration,
# this won't matter to you. If you do have them, fix that to use only
@@ -208,7 +235,7 @@ max_request_time = 30
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
# Useful range of values: 2 to 30
#
cleanup_delay = 5
@@ -249,6 +276,17 @@ max_requests = 16384
#
hostname_lookups = no
#
# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
# the server sends an Access-Challenge, and then client does not
# respond to it. The goal is to allow administrators to log
# something when the client does not respond.
#
# See sites-available/default, "Post-Auth-Type Client-Lost" for more
# information.
#
#postauth_client_lost = no
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
@@ -265,7 +303,7 @@ log {
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = stdout
destination = files
#
# Highlight important messages sent to stderr and stdout.
@@ -298,11 +336,30 @@ log {
#
stripped_names = no
# Log authentication requests to the log file.
# Log all (accept and reject) authentication results to the log file.
#
# This is the same as setting "auth_accept = yes" and
# "auth_reject = yes"
#
# allowed values: {no, yes}
#
auth = yes
auth = no
# Log Access-Accept results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_accept = no
# Log Access-Reject results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_reject = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
@@ -310,8 +367,8 @@ log {
#
# allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = yes
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
@@ -328,11 +385,102 @@ log {
# The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
# Suppress "secret" attributes when printing them in debug mode.
#
# Secrets are NOT tracked across xlat expansions. If your
# configuration puts secrets into other strings, they will
# still get printed.
#
# Setting this to "yes" means that the server prints
#
# <<< secret >>>
#
# instead of the value, for attriburtes which contain secret
# information. e.g. User-Name, Tunnel-Password, etc.
#
# This configuration is disabled by default. It is extremely
# important for administrators to be able to debug user logins
# by seeing what is actually being sent.
#
# suppress_secrets = no
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
#
# ENVIRONMENT VARIABLES
#
# You can reference environment variables using an expansion like
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
# environment variables. This section lets you do that.
#
# The main purpose of this section is to allow administrators to keep
# RADIUS-specific configuration in the RADIUS configuration files.
# For example, if you need to set an environment variable which is
# used by a module. You could put that variable into a shell script,
# but that's awkward. Instead, just list it here.
#
# Note that these environment variables are set AFTER the
# configuration file is loaded. So you cannot set FOO here, and
# expect to reference it via `$ENV{FOO}` in another configuration file.
# You should instead just use a normal configuration variable for
# that.
#
ENV {
#
# Set environment varable `FOO` to value '/bar/baz'.
#
# NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
# values.
#
# FOO = '/bar/baz'
#
# Delete environment variable `BAR`.
#
# BAR
#
# `LD_PRELOAD` is special. It is normally set before the
# application runs, and is interpreted by the dynamic linker.
# Which means you cannot set it inside of an application, and
# expect it to load libraries.
#
# Since this functionality is useful, we extend it here.
#
# You can set
#
# LD_PRELOAD = /path/to/library.so
#
# and the server will load the named libraries. Multiple
# libraries can be loaded by specificing multiple individual
# `LD_PRELOAD` entries.
#
#
# LD_PRELOAD = /path/to/library1.so
# LD_PRELOAD = /path/to/library2.so
}
#
# TEMPLATES
#
# Template files hold common definitions that can be used in other
# server sections. When a template is referenced, the configuration
# items within the referenced template are copied to the referencing
# section.
#
# Using templates reduces repetition of common configuration items,
# which in turn makes the server configuration easier to maintain.
#
# See templates.conf for examples of using templates, and the
# referencing syntax.
#
# $INCLUDE templates.conf
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
@@ -435,8 +583,7 @@ security {
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# As of Version 3.0.5, "reject_delay" has sub-second resolution.
# e.g. "reject_delay = 1.4" seconds is possible.
# This number can be a decimal, e.g. 3.4
#
# Useful ranges: 1 to 5
reject_delay = 1
@@ -469,7 +616,7 @@ security {
# and may not reflect patches applied to libssl by
# distribution maintainers.
#
allow_vulnerable_openssl = 'CVE-2016-6309'
allow_vulnerable_openssl = no
}
# PROXY CONFIGURATION
@@ -652,25 +799,40 @@ modules {
#
#
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
# section, such as authorize, authenticate, accounting,
# pre/post-proxy, etc.
# Some modules have ordering issues. e.g. "sqlippool" uses
# the configuration from "sql". In that case, the "sql"
# module must be read off of disk before the "sqlippool".
# However, the directory inclusion below just reads the
# directory from start to finish. Which means that the
# modules are read off of disk randomly.
#
# You can list individual modules *before* the directory
# inclusion. Those modules will be loaded first. Then, when
# the directory is read, those modules will be skipped and
# not read twice.
#
# $INCLUDE mods-enabled/sql
#
# All modules are in ther mods-enabled/ directory. Files
# matching the regex /[a-zA-Z0-9_.]+/ are read. The
# modules are initialized ONLY if they are referenced in a
# processing section, such as authorize, authenticate,
# accounting, pre/post-proxy, etc.
#
$INCLUDE mods-enabled/
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
# This section sets the instantiation order of the modules. listed
# here will get started up BEFORE the sections like authorize,
# authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
# This section is not strictly needed. When a section like authorize
# refers to a module, the module is automatically loaded and
# initialized. However, some modules may not be listed in any of the
# processing sections, so they should be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs

207
users
View File

@@ -1,2 +1,207 @@
cisco Cleartext-Password := "cisco"
#
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name. If you have
# users with spaces in their names, you must also change
# the "filter_username" policy to allow spaces.
#
# See raddb/policy.d/filter, filter_username {} section.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.0.2.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################