/etc/freeradius/experimental.conf is in freeradius 2.1.12+dfsg-1.2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id$
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
#
# NOTE(review): the module named by the mod_* keys is imported into the
# server and the func_* functions are called from inside radiusd (see the
# description above), so that Python code runs with the server's
# privileges and is handed the attributes of every request it is attached
# to. Treat the module file like a server binary: root-owned and not
# writable by the service user. Where the module is searched for
# (sys.path) is not shown in this file -- confirm against the rlm_python
# documentation.
#
# Each mod_*/func_* pair names the Python module and the function in it
# that is called for the corresponding processing section.
#
python {
# Called once when this instance is created.
mod_instantiate = radiusd_test
func_instantiate = instantiate
# authorize section (see the sample 'authorize' function above).
mod_authorize = radiusd_test
func_authorize = authorize
# accounting section.
mod_accounting = radiusd_test
func_accounting = accounting
# pre-proxy section.
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
# post-proxy section.
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
# post-auth section.
mod_post_auth = radiusd_test
func_post_auth = post_auth
# recv-coa and send-coa sections.
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
# Called when the instance is torn down.
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but it should have no real effect as
# long as it is not referenced in one of the autz/auth/preacct/acct sections.
# NOTE(review): 'example' only demonstrates the configuration syntax;
# nothing in this file references it, so none of these values is
# consulted while processing a request.
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
# NOTE(review): a hostname here is resolved by the server -- presumably
# when the configuration is read -- so a literal address avoids a DNS
# dependency at startup; confirm against the config parser before
# relying on a name.
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
# NOTE(review): users_db is generated from a users-format file (see the
# rlm_dbm_parser command above) and may therefore carry per-user
# credentials; keep it, and the directory it lives in, readable by the
# server user only. Because of the ".db" suffix behaviour described
# above, the file actually opened may be "${confdir}/users_db.db" --
# check which file exists after running rlm_dbm_parser.
dbm {
usersfile = ${confdir}/users_db
}
#
# Perform NT-Domain authentication. This only works
# with PAP authentication. That is, Authentication-Request
# packets containing a User-Password attribute.
#
# To use it, add 'smb' into the 'authenticate' section,
# and then in another module (usually the 'users' file),
# set 'Auth-Type := SMB'
#
# WARNING: this module is not only experimental, it's also
# a security threat. It's not recommended to use it until
# it gets fixed.
#
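# NOTE(review): the smb instance is left commented out so that the module
# is never instantiated by default. The warning above is the upstream
# authors' own: the module is flagged as a security threat and is not
# recommended for use until it is fixed. It also only handles PAP, i.e.
# requests carrying a User-Password attribute. Uncomment the block, then
# add 'smb' to 'authenticate' and set 'Auth-Type := SMB', only after
# reviewing the module's source for your deployment.
#smb {
#	server = ntdomain.server.example.com
#	backup = backup.server.example.com
#	domain = NTDOMAIN
#}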
# See doc/rlm_fastusers before using this
# module or changing these values.
#
# NOTE(review): users_fast is a users-format file; give it the same
# handling as the 'users' file, since it may contain per-user
# credentials (readable by the server user only). The hash_reload
# interval below means an edit -- including removing a user -- can take
# up to ten minutes to take effect.
fastusers {
usersfile = ${confdir}/users_fast
# Number of hash buckets; see doc/rlm_fastusers for sizing.
hashsize = 1000
# Compatibility mode; its exact meaning is in doc/rlm_fastusers, not here.
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
# Caching module
#
# Should be added in the post-auth section (after all other modules)
# and in the authorize section (before any other modules)
#
# authorize {
# caching {
# ok = return
# }
# [... other modules ...]
# }
# post-auth {
# [... other modules ...]
# caching
# }
#
# The caching module will cache the Auth-Type and reply items
# and send them back on any subsequent requests for the same key
#
# Configuration:
#
# filename: The gdbm file to use for the cache database
# (can be memory mapped for more speed)
#
# key: A string to xlat and use as a key. For instance,
# "%{Acct-Unique-Session-Id}"
#
# post-auth: If we find a cached entry, set the post-auth to that value
#
# cache-ttl: The time to cache the entry. The same time format
# as the counter module applies here:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is omitted, days are assumed.
# e.g. 1d == one day
#
# cache-size: The gdbm cache size to request (default 1000)
#
# hit-ratio: If set to non-zero we print out statistical
# information after so many cache requests
#
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
#
# NOTE(review): with 'ok = return' in authorize (see above), a cache hit
# supplies the Auth-Type and reply items instead of every later module
# for as long as the entry lives -- here one day. Anything changed for a
# user in the meantime (reply attributes, a reject, a disabled account)
# is only seen by a request with the same key once the entry expires,
# and rejects are cached as well unless cache-rejects is set to 'no'.
# The key must be unique per session: a key that collides across users
# would hand one user's cached reply to another. The gdbm file holds the
# cached reply items, so keep ${db_dir}/db.cache readable by the server
# user only.
caching {
filename = ${db_dir}/db.cache
# Entry lifetime; see the time-format description above.
cache-ttl = 1d
# Log statistics every 1000 cache requests (0 disables).
hit-ratio = 1000
key = "%{Acct-Unique-Session-Id}"
#post-auth = ""
# cache-size = 2000
# cache-rejects = yes
}
# Simple module for logging of Account packets to radiusd.log
# You need to declare it in the accounting section for it to work
# NOTE(review): each template is expanded per packet and written to
# radiusd.log. User-Name, Called/Calling-Station-Id and the other
# attributes come straight from the NAS, so do not assume a log line has
# a fixed shape when parsing it -- presumably any character the NAS puts
# in an attribute ends up in the line; confirm rlm_acctlog's escaping
# before feeding these lines to another tool.
acctlog {
# Interim-Update packets; empty here, presumably meaning nothing is
# logged for them -- confirm against the module.
acctlog_update = ""
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
}
# Another implementation of the EAP module.
#
# This module requires the libeap.so file from the hostap
# software (http://hostap.epitest.fi/hostapd/). It has been
# tested on the development version of hostapd (0.6.1) ONLY.
#
# In order to use it, you MUST build a "libeap.so" in hostapd,
# which is not done by default.
#
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
# to point to the location of the hostap include files.
#
# This module CANNOT be used in the same way as the current
# FreeRADIUS "eap" module. There is NO way to look inside of
# a tunneled request. There is NO way to proxy a tunneled
# request. There is NO way to even look at the user name inside
# of the tunneled request. There is NO way to control the
# choice of EAP types inside of the tunnel. You MUST force
# the server to choose "eap2" for authentication, because this
# module has no "authorize" section.
#
# If you want to use this module for experimentation, please
# post your comments to the freeradius-devel list:
#
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
#
# If you want to use this module in a production (i.e. real-world)
# environment:
#
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
#
# The module needs additional work to make it ready for
# production use. Please supply patches, or sponsor the
# work by hiring a developer. Do NOT ask when the work will
# be done, because there is no plan to finish this module
# unless there is demand for it.
#
# NOTE(review): two secrets sit in this block -- private_key_password and
# pac_opaque_encr_key -- and this file is installed world-readable
# (0644). Leave the placeholders here; put real values in a file that
# only the server user can read, or tighten this file's mode before
# editing it.
eap2 {
# EAP types are chosen in the order that they are
# listed in this section. There is no "default_eap_type"
# as with rlm_eap. Instead, the *first* EAP type is
# used as the default type.
#
# NOTE(review): because the first listed type is the default, the order
# of the sub-sections below is itself configuration; as written, PEAP
# is the default.
peap {
}
ttls {
}
# This is the ONLY EAP type that has any configuration.
# All other EAP types have no configuration.
#
tls {
ca_cert = ${confdir}/certs/ca.pem
server_cert = ${confdir}/certs/server.pem
# The key is read from the same PEM file as the certificate here.
private_key_file = ${confdir}/certs/server.pem
# Placeholder passphrase for that key file -- see the note above eap2.
private_key_password = whatever
}
#
# These next two methods do not supply keying material.
#
md5 {
}
mschapv2 {
}
fast {
# NOTE(review): this is the sequential example value 00..0f, not a key.
# The name suggests it encrypts the PAC-Opaque handed out to clients, so
# every server left with this value would share that key; generate a
# random 16-byte hex string per deployment.
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
# Authority ID presented to clients; placeholder.
eap_fast_a_id = xxxxxx
eap_fast_a_id_info = my_server
# Provisioning mode. The numeric values are presumably hostapd's (this
# module is built on its libeap) -- check there before changing.
eap_fast_prov = 3
pac_key_lifetime = 604800 # 7 days
# NOTE(review): the key name looks truncated ("tim"); check it against
# hostapd's option name before relying on it taking effect.
pac_key_refresh_tim = 86400
}
# LEAP is NOT supported by this module.
# Use the "eap" module instead.
# For other methods that MIGHT work, see the
# configuration of hostap. The methods are statically
# linked in at compile time, and cannot be controlled
# here.
}
# Configuration for experimental EAP types. The sub-sections
# can be copied into eap.conf.
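# NOTE(review): this file is installed world-readable (0644) and the
# block below carries private_key_password. Do not put a production
# passphrase here; keep it in a file that only the server user can read,
# or tighten this file's mode before editing it.
#
eap {
	ikev2 {
		# Server auth type
		# Allowed values are:
		# cert - for certificate based server authentication,
		# other required settings for this type are
		# 'private_key_file' and 'certificate_file'
		# secret - for shared secret based server authentication,
		# other required settings for this type is 'id'
		# Default value of this option is 'secret'
		#
		# NOTE(review): with the default, the server proves itself with
		# the shared secret only; set 'cert' if clients are expected to
		# verify a server certificate.
		# server_authtype=cert

		# Allowed default client auth types
		# Allowed values are:
		# secret - for shared secret based client authentication
		# cert - for certificate based client authentication
		# both - shared secret and certificate is allowed
		# none - authentication will always fail
		# Default value for this option is 'both'. This option can
		# be overridden per user in 'usersfile' with the
		# EAP-IKEv2-AuthType attribute.
		# default_authtype = both

		# path to trusted CA certificate file
		CA_file="/path/to/CA/cacert.pem"

		# path to CRL file, if not set, then there will be no
		# checks against CRL
		#
		# NOTE(review): without crl_file a revoked client certificate
		# is still accepted; set it whenever 'cert' client
		# authentication is in use.
		# crl_file="/path/to/crl.pem"

		# path to file with user settings
		#
		# Note that this file is read ONLY on module initialization!
		# Adding or removing a user therefore needs a server restart.
		#
		# NOTE(review): EAP-IKEv2-Secret values are stored in the clear
		# in this file; keep it readable by the server user only.
		#
		# default ${confdir}/eap_ikev2_users
		# usersfile=${confdir}/eap_ikev2_users
		#
		# Sample "eap_ikev2_users" file entry:
		#
		#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
		## where:
		## username - client user name from IKE-AUTH (IDr) or CommonName
		## from x509 certificate
		## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
		## allowable attributes for EAP-IKEv2-IDType:
		## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
		## DER_ASN1_GN KEY_ID
		## EAP-IKEv2-Secret - shared secret
		## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
		## type. Allowed values are: secret,cert,both,none.
		## For the meaning of these values, please see the
		## description of 'default_authtype'.
		## This attribute can override the 'default_authtype' value.

		# path to file with server private key
		private_key_file="/path/to/srv-private-key.pem"
		# password to private key file (placeholder -- see the note
		# above the eap block)
		private_key_password="passwd"
		# path to file with server certificate
		certificate_file="/path/to/srv-cert.pem"

		# server identity string (placeholder; set something that
		# identifies this server and matches what clients expect)
		id="deMaio"
		# Server identity type. Allowed values are:
		# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
		# KEY_ID
		# Default value is: KEY_ID
		# id_type = KEY_ID

		# MTU (default: 1398)
		# fragment_size = 1398

		# maximal allowed number of resends SA_INIT after receiving
		# 'invalid KEY' notification (default 3)
		# DH_counter_max = 3

		# option which is used to control whether to send the CERT REQ
		# payload or not.
		# Allowed values for this option are "yes" or "no".
		# Default value is "no".
		# certreq = "yes"

		# option which controls the fast reconnect capability.
		# Allowed values for this option are "yes" or "no".
		# Default value is "yes".
		# enable_fast_reauth = "no"

		# option which is used to control performing of DH exchange
		# during fast rekeying protocol run.
		# Allowed values for this option are "yes" or "no".
		# Default value is "no"
		# fast_DH_exchange = "yes"

		# Option which is used to set up expiration time of inactive
		# IKEv2 session.
		# After selected period of time (in seconds), inactive
		# session data will be deleted.
		# Default value of this option is set to 900 seconds
		# fast_timer_expire = 900

		# list of server proposals of available cryptographic
		# suites, listed in order of preference.
		#
		# NOTE(review): the "supported" lists below include null
		# encryption, des_mac, MD5-based PRF/integrity and the 768/1024
		# bit MODP groups. They are documented for completeness only;
		# the proposals here no longer offer any of them (the original
		# example offered hmac_md5 and modp1024), and they should not
		# be added back.
		proposals {
			# proposal number #1
			proposal {
				# Supported transform types: encryption,
				# prf, integrity, dhgroup. For multiple
				# transforms simply repeat the key (e.g.
				# integrity).
				# encryption algorithm
				# supported algorithms:
				# null,3des,aes_128_cbc,aes_192_cbc,
				# aes_256_cbc,idea
				# blowfish:n, where n range from 8 to 448 bits,
				# step 8 bits
				# cast:n, where n range from 40 to 128 bits,
				# step 8 bits
				encryption = aes_256_cbc
				# pseudo random function. Supported prf's:
				# hmac_md5, hmac_sha1, hmac_tiger
				prf = hmac_sha1
				# integrity algorithm. Supported algorithms:
				# hmac_md5_96, hmac_sha1_96,des_mac
				integrity = hmac_sha1_96
				# Diffie-Hellman groups:
				# modp768, modp1024, modp1536, modp2048,
				# modp3072, modp4096, modp6144, modp8192
				dhgroup = modp2048
			}
			# proposal number #2: AES-128 for clients without AES-256
			proposal {
				encryption = aes_128_cbc
				prf = hmac_sha1
				integrity = hmac_sha1_96
				dhgroup = modp2048
			}
			# proposal number #3: 3DES fallback for legacy clients only;
			# remove it once no client needs it.
			proposal {
				encryption = 3des
				prf = hmac_sha1
				integrity = hmac_sha1_96
				dhgroup = modp2048
			}
		}
	}
}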