--- a/raddb/mods-config/files/authorize +++ b/raddb/mods-config/files/authorize @@ -1,162 +1,10 @@ -# -# Configuration file for the rlm_files module. -# Please see rlm_files(5) manpage for more information. -# -# This file contains authentication security and configuration -# information for each user. Accounting requests are NOT processed -# through this file. Instead, see 'accounting', in this directory. -# -# The first field is the user's name and can be up to -# 253 characters in length. This is followed (on the same line) with -# the list of authentication requirements for that user. This can -# include password, comm server name, comm server port number, protocol -# type (perhaps set by the "hints" file), and huntgroup name (set by -# the "huntgroups" file). -# -# If you are not sure why a particular reply is being sent by the -# server, then run the server in debugging mode (radiusd -X), and -# you will see which entries in this file are matched. -# -# When an authentication request is received from the comm server, -# these values are tested. Only the first match is used unless the -# "Fall-Through" variable is set to "Yes". -# -# A special user named "DEFAULT" matches on all usernames. -# You can have several DEFAULT entries. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# Indented (with the tab character) lines following the first -# line indicate the configuration values to be passed back to -# the comm server to allow the initiation of a user session. -# This can include things like the PPP configuration values -# or the host to log the user onto. -# -# You can include another `users' file with `$INCLUDE users.other' - -# -# For a list of RADIUS attributes, and links to their definitions, -# see: http://www.freeradius.org/rfc/attributes.html -# -# Entries below this point are examples included in the server for -# educational purposes. They may be deleted from the deployed -# configuration without impacting the operation of the server. -# - -# -# Deny access for a specific user. Note that this entry MUST -# be before any other 'Auth-Type' attribute which results in the user -# being authenticated. -# -# Note that there is NO 'Fall-Through' attribute, so the user will not -# be given any additional resources. -# -#lameuser Auth-Type := Reject -# Reply-Message = "Your account has been disabled." -# -# Deny access for a group of users. -# -# Note that there is NO 'Fall-Through' attribute, so the user will not -# be given any additional resources. -# -#DEFAULT Group == "disabled", Auth-Type := Reject -# Reply-Message = "Your account has been disabled." -# +openwrt Cleartext-Password := "openwrt" + Reply-Message := "Hello, %{User-Name}" -# -# This is a complete entry for "steve". Note that there is no Fall-Through -# entry so that no DEFAULT entry will be used, and the user will NOT -# get any attributes in addition to the ones listed here. -# -#steve Cleartext-Password := "testing" -# Service-Type = Framed-User, -# Framed-Protocol = PPP, -# Framed-IP-Address = 172.16.3.33, -# Framed-IP-Netmask = 255.255.255.0, -# Framed-Routing = Broadcast-Listen, -# Framed-Filter-Id = "std.ppp", -# Framed-MTU = 1500, -# Framed-Compression = Van-Jacobsen-TCP-IP -# -# The canonical testing user which is in most of the -# examples. -# -#bob Cleartext-Password := "hello" -# Reply-Message := "Hello, %{User-Name}" -# - -# -# This is an entry for a user with a space in their name. -# Note the double quotes surrounding the name. If you have -# users with spaces in their names, you must also change -# the "filter_username" policy to allow spaces. -# -# See raddb/policy.d/filter, filter_username {} section. -# -#"John Doe" Cleartext-Password := "hello" -# Reply-Message = "Hello, %{User-Name}" - -# -# Dial user back and telnet to the default host for that port -# -#Deg Cleartext-Password := "ge55ged" -# Service-Type = Callback-Login-User, -# Login-IP-Host = 0.0.0.0, -# Callback-Number = "9,5551212", -# Login-Service = Telnet, -# Login-TCP-Port = Telnet - -# -# Another complete entry. After the user "dialbk" has logged in, the -# connection will be broken and the user will be dialed back after which -# he will get a connection to the host "timeshare1". -# -#dialbk Cleartext-Password := "callme" -# Service-Type = Callback-Login-User, -# Login-IP-Host = timeshare1, -# Login-Service = PortMaster, -# Callback-Number = "9,1-800-555-1212" - -# -# user "swilson" will only get a static IP number if he logs in with -# a framed protocol on a terminal server in Alphen (see the huntgroups file). -# -# Note that by setting "Fall-Through", other attributes will be added from -# the following DEFAULT entries -# -#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" -# Framed-IP-Address = 192.0.2.65, -# Fall-Through = Yes - -# -# If the user logs in as 'username.shell', then authenticate them -# using the default method, give them shell access, and stop processing -# the rest of the file. -# -#DEFAULT Suffix == ".shell" -# Service-Type = Login-User, -# Login-Service = Telnet, -# Login-IP-Host = your.shell.machine - - -# -# The rest of this file contains the several DEFAULT entries. -# DEFAULT entries match with all login names. -# Note that DEFAULT entries can also Fall-Through (see first entry). -# A name-value pair from a DEFAULT entry will _NEVER_ override -# an already existing name-value pair. -# - -# Sample defaults for all framed connections. -# -#DEFAULT Service-Type == Framed-User -# Framed-IP-Address = 255.255.255.254, -# Framed-MTU = 576, -# Service-Type = Framed-User, -# Fall-Through = Yes +user1 Cleartext-Password := "password" + Reply-Message := "Hello, %{User-Name}" # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. @@ -181,26 +29,4 @@ DEFAULT Hint == "CSLIP" DEFAULT Hint == "SLIP" Framed-Protocol = SLIP -# -# Last default: rlogin to our main server. -# -#DEFAULT -# Service-Type = Login-User, -# Login-Service = Rlogin, -# Login-IP-Host = shellbox.ispdomain.com - -# # -# # Last default: shell on the local terminal server. -# # -# DEFAULT -# Service-Type = Administrative-User - - -# On no match, the user is denied access. - - -######################################################### -# You should add test accounts to the TOP of this file! # -# See the example user "bob" above. # -######################################################### --- a/raddb/clients.conf +++ b/raddb/clients.conf @@ -1,217 +1,12 @@ -# -*- text -*- -## -## clients.conf -- client configuration directives -## -## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $ - -####################################################################### -# -# Define RADIUS clients (usually a NAS, Access Point, etc.). - -# -# Defines a RADIUS client. -# -# '127.0.0.1' is another name for 'localhost'. It is enabled by default, -# to allow testing of the server after an initial installation. If you -# are not going to be permitting RADIUS queries from localhost, we suggest -# that you delete, or comment out, this entry. -# -# - -# -# Each client has a "short name" that is used to distinguish it from -# other clients. -# -# In version 1.x, the string after the word "client" was the IP -# address of the client. In 2.0, the IP address is configured via -# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x -# format is still accepted. -# client localhost { - # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for - # a client. - # - # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR - # notation '/' to specify ranges. - # - # ipaddr will accept domain names e.g. example.org resolving - # them via DNS. - # - # If both A and AAAA records are found, A records will be - # used in preference to AAAA. ipaddr = 127.0.0.1 - - # Same as ipaddr but allows v4 addresses only. Requires A - # record for domain names. -# ipv4addr = * # any. 127.0.0.1 == localhost - - # Same as ipaddr but allows v6 addresses only. Requires AAAA - # record for domain names. -# ipv6addr = :: # any. ::1 == localhost - - # - # A note on DNS: We STRONGLY recommend using IP addresses - # rather than host names. Using host names means that the - # server will do DNS lookups when it starts, making it - # dependent on DNS. i.e. If anything goes wrong with DNS, - # the server won't start! - # - # The server also looks up the IP address from DNS once, and - # only once, when it starts. If the DNS record is later - # updated, the server WILL NOT see that update. - # - - # - # The transport protocol. - # - # If unspecified, defaults to "udp", which is the traditional - # RADIUS transport. It may also be "tcp", in which case the - # server will accept connections from this client ONLY over TCP. - # proto = * - - # - # The shared secret use to "encrypt" and "sign" packets between - # the NAS and FreeRADIUS. You MUST change this secret from the - # default, otherwise it's not a secret any more! - # - # The secret can be any string, up to 8k characters in length. - # - # Control codes can be entered vi octal encoding, - # e.g. "\101\102" == "AB" - # Quotation marks can be entered by escaping them, - # e.g. "foo\"bar" - # - # A note on security: The security of the RADIUS protocol - # depends COMPLETELY on this secret! We recommend using a - # shared secret that is composed of: - # - # upper case letters - # lower case letters - # numbers - # - # And is at LEAST 8 characters long, preferably 16 characters in - # length. The secret MUST be random, and should not be words, - # phrase, or anything else that is recognisable. - # - # The default secret below is only for testing, and should - # not be used in any real environment. - # secret = testing123 - - # - # Old-style clients do not send a Message-Authenticator - # in an Access-Request. RFC 5080 suggests that all clients - # SHOULD include it in an Access-Request. The configuration - # item below allows the server to require it. If a client - # is required to include a Message-Authenticator and it does - # not, then the packet will be silently discarded. - # - # allowed values: yes, no require_message_authenticator = no - - # - # The short name is used as an alias for the fully qualified - # domain name, or the IP address. - # - # It is accepted for compatibility with 1.x, but it is no - # longer necessary in >= 2.0 - # -# shortname = localhost - - # - # the following three fields are optional, but may be used by - # checkrad.pl for simultaneous use checks - # - - # - # The nas_type tells 'checkrad.pl' which NAS-specific method to - # use to query the NAS for simultaneous use. - # - # Permitted NAS types are: - # - # cisco - # computone - # livingston - # juniper - # max40xx - # multitech - # netserver - # pathras - # patton - # portslave - # tc - # usrhiper - # other # for all other types - - # - nas_type = other # localhost isn't usually a NAS... - - # - # The following two configurations are for future use. - # The 'naspasswd' file is currently used to store the NAS - # login name and password, which is used by checkrad.pl - # when querying the NAS for simultaneous use. - # -# login = !root -# password = someadminpas - - # - # As of 2.0, clients can also be tied to a virtual server. - # This is done by setting the "virtual_server" configuration - # item, as in the example below. - # -# virtual_server = home1 - - # - # A pointer to the "home_server_pool" OR a "home_server" - # section that contains the CoA configuration for this - # client. For an example of a coa home server or pool, - # see raddb/sites-available/originate-coa -# coa_server = coa - - # - # Response window for proxied packets. If non-zero, - # then the lower of (home, client) response_window - # will be used. - # - # i.e. it can be used to lower the response_window - # packets from one client to a home server. It cannot - # be used to raise the response_window. - # -# response_window = 10.0 - - # - # Connection limiting for clients using "proto = tcp". - # - # This section is ignored for clients sending UDP traffic - # + nas_type = other limit { - # - # Limit the number of simultaneous TCP connections from a client - # - # The default is 16. - # Setting this to 0 means "no limit" max_connections = 16 - - # The per-socket "max_requests" option does not exist. - - # - # The lifetime, in seconds, of a TCP connection. After - # this lifetime, the connection will be closed. - # - # Setting this to 0 means "forever". lifetime = 0 - - # - # The idle timeout, in seconds, of a TCP connection. - # If no packets have been received over the connection for - # this time, the connection will be closed. - # - # Setting this to 0 means "no timeout". - # - # We STRONGLY RECOMMEND that you set an idle timeout. - # idle_timeout = 30 } } @@ -222,47 +17,15 @@ client localhost_ipv6 { secret = testing123 } -# All IPv6 Site-local clients -#client sitelocal_ipv6 { -# ipv6addr = fe80::/16 -# secret = testing123 -#} - -#client example.org { -# ipaddr = radius.example.org -# secret = testing123 -#} +client openwrt-network1 { + ipaddr = 192.168.0.0/16 + secret = testing123 +} + +client openwrt-network2 { + ipaddr = 10.0.0.0/8 + secret = testing123 +} -# -# You can now specify one secret for a network of clients. -# When a client request comes in, the BEST match is chosen. -# i.e. The entry from the smallest possible network. -# -#client private-network-1 { -# ipaddr = 192.0.2.0/24 -# secret = testing123-1 -#} -#client private-network-2 { -# ipaddr = 198.51.100.0/24 -# secret = testing123-2 -#} -####################################################################### -# -# Per-socket client lists. The configuration entries are exactly -# the same as above, but they are nested inside of a section. -# -# You can have as many per-socket client lists as you have "listen" -# sections, or you can re-use a list among multiple "listen" sections. -# -# Un-comment this section, and edit a "listen" section to add: -# "clients = per_socket_clients". That IP address/port combination -# will then accept ONLY the clients listed in this section. -# -#clients per_socket_clients { -# client socket_client { -# ipaddr = 192.0.2.4 -# secret = testing123 -# } -#}