added radius config files

freeradius/config/modules/mschap

@@ -0,0 +1,87 @@
+# -*- text -*-
+#
+#  $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
+
+# Microsoft CHAP authentication
+#
+#  This module supports MS-CHAP and MS-CHAPv2 authentication.
+#  It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+	#
+	#  If you are using /etc/smbpasswd, see the 'passwd'
+	#  module for an example of how to use /etc/smbpasswd
+
+	# if use_mppe is not set to no mschap will
+	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+	#
+	use_mppe = yes
+
+	# if mppe is enabled require_encryption makes
+	# encryption moderate
+	#
+	require_encryption = yes
+
+	# require_strong always requires 128 bit key
+	# encryption
+	#
+	require_strong = yes
+
+	# Windows sends us a username in the form of
+	# DOMAIN\user, but sends the challenge response
+	# based on only the user portion.  This hack
+	# corrects for that incorrect behavior.
+	#
+#	with_ntdomain_hack = no
+
+	# The module can perform authentication itself, OR
+	# use a Windows Domain Controller.  This configuration
+	# directive tells the module to call the ntlm_auth
+	# program, which will do the authentication, and return
+	# the NT-Key.  Note that you MUST have "winbindd" and
+	# "nmbd" running on the local machine for ntlm_auth
+	# to work.  See the ntlm_auth program documentation
+	# for details.
+	#
+	# If ntlm_auth is configured below, then the mschap
+	# module will call ntlm_auth for every MS-CHAP
+	# authentication request.  If there is a cleartext
+	# or NT hashed password available, you can set
+	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+	# and the mschap module will do the authentication itself,
+	# without calling ntlm_auth.
+	#
+	# Be VERY careful when editing the following line!
+	#
+	# You can also try setting the user name as:
+	#
+	#	... --username=%{mschap:User-Name} ...
+	#
+	# In that case, the mschap module will look at the User-Name
+	# attribute, and do prefix/suffix checks in order to obtain
+	# the "best" user name for the request.
+	#
+#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+
+	# The default is to wait 10 seconds for ntlm_auth to
+	# complete.  This is a long time, and if it's taking that
+	# long then you likely have other problems in your domain.
+	# The length of time can be decreased with the following
+	# option, which can save clients waiting if your ntlm_auth
+	# usually finishes quicker. Range 1 to 10 seconds.
+	#
+#	ntlm_auth_timeout = 10
+
+	# For Apple Server, when running on the same machine as
+	# Open Directory.  It has no effect on other systems.
+	#
+#	use_open_directory = yes
+
+	# On failure, set (or not) the MS-CHAP error code saying
+	# "retries allowed".
+#	allow_retry = yes
+
+	# An optional retry message.
+#	retry_msg = "Re-enter (or reset) the password"
+}

freeradius/config/radiusd.conf

@@ -0,0 +1,865 @@
+# -*- text -*-
+##
+## radiusd.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	$Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $
+##
+
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.
+#
+#	Run the server in debugging mode, and READ the output.
+#
+#		$ radiusd -X
+#
+#	We cannot emphasize this point strongly enough.  The vast
+#	majority of problems can be solved by carefully reading the
+#	debugging output, which includes warnings about common issues,
+#	and suggestions for how they may be fixed.
+#
+#	There may be a lot of output, but look carefully for words like:
+#	"warning", "error", "reject", or "failure".  The messages there
+#	will usually be enough to guide you to a solution.
+#
+#	If you are going to ask a question on the mailing list, then
+#	explain what you are trying to do, and include the output from
+#	debugging mode (radiusd -X).  Failure to do so means that all
+#	of the responses to your question will be people telling you
+#	to "post the output of radiusd -X".
+
+######################################################################
+#
+#  	The location of other config files and logfiles are declared
+#  	in this file.
+#
+#  	Also general configuration for modules can be done in this
+#  	file, it is exported through the API to modules that ask for
+#  	it.
+#
+#	See "man radiusd.conf" for documentation on the format of this
+#	file.  Note that the individual configuration items are NOT
+#	documented in that "man" page.  They are only documented here,
+#	in the comments.
+#
+#	As of 2.0.0, FreeRADIUS supports a simple processing language
+#	in the "authorize", "authenticate", "accounting", etc. sections.
+#	See "man unlang" for details.
+#
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = ${logdir}/radacct
+
+#
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+#   This should be automatically set at configuration time.
+#
+#   If the server builds and installs, but fails at execution time
+#   with an 'undefined symbol' error, then you can use the libdir
+#   directive to work around the problem.
+#
+#   The cause is usually that a library has been installed on your
+#   system in a place where the dynamic linker CANNOT find it.  When
+#   executing as root (or another user), your personal environment MAY
+#   be set up to allow the dynamic linker to find the library.  When
+#   executing as a daemon, FreeRADIUS MAY NOT have the same
+#   personalized configuration.
+#
+#   To work around the problem, find out which library contains that symbol,
+#   and add the directory containing that library to the end of 'libdir',
+#   with a colon separating the directory names.  NO spaces are allowed.
+#
+#   e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+#   You can also try setting the LD_LIBRARY_PATH environment variable
+#   in a script which starts the server.
+#
+#   If that does not work, then you can re-configure and re-build the
+#   server to NOT use shared libraries, via:
+#
+#	./configure --disable-shared
+#	make
+#	make install
+#
+libdir = /usr/lib/freeradius
+
+#  pidfile: Where to place the PID of the RADIUS server.
+#
+#  The server may be signalled while it's running by using this
+#  file.
+#
+#  This file is written when ONLY running in daemon mode.
+#
+#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+#  chroot: directory where the server does "chroot".
+#
+#  The chroot is done very early in the process of starting the server.
+#  After the chroot has been performed it switches to the "user" listed
+#  below (which MUST be specified).  If "group" is specified, it switchs
+#  to that group, too.  Any other groups listed for the specified "user"
+#  in "/etc/group" are also added as part of this process.
+#
+#  The current working directory (chdir / cd) is left *outside* of the
+#  chroot until all of the modules have been initialized.  This allows
+#  the "raddb" directory to be left outside of the chroot.  Once the
+#  modules have been initialized, it does a "chdir" to ${logdir}.  This
+#  means that it should be impossible to break out of the chroot.
+#
+#  If you are worried about security issues related to this use of chdir,
+#  then simply ensure that the "raddb" directory is inside of the chroot,
+#  end be sure to do "cd raddb" BEFORE starting the server.
+#
+#  If the server is statically linked, then the only files that have
+#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
+#  "cd raddb" as discussed above, then the "raddb" directory has to be
+#  inside of the chroot directory, too.
+#
+#chroot = /path/to/chroot/directory
+
+# user/group: The name (or #number) of the user/group to run radiusd as.
+#
+#   If these are commented out, the server will run as the user/group
+#   that started it.  In order to change to a different user/group, you
+#   MUST be root ( or have root privleges ) to start the server.
+#
+#   We STRONGLY recommend that you run the server with as few permissions
+#   as possible.  That is, if you're not using shadow passwords, the
+#   user and group items below should be set to radius'.
+#
+#  NOTE that some kernels refuse to setgid(group) when the value of
+#  (unsigned)group is above 60000; don't use group nobody on these systems!
+#
+#  On systems with shadow passwords, you might have to set 'group = shadow'
+#  for the server to be able to read the shadow password file.  If you can
+#  authenticate users while in debug mode, but not in daemon mode, it may be
+#  that the debugging mode server is running as a user that can read the
+#  shadow info, and the user listed below can not.
+#
+#  The server will also try to use "initgroups" to read /etc/groups.
+#  It will join all groups where "user" is a member.  This can allow
+#  for some finer-grained access controls.
+#
+user = freerad
+group = freerad
+
+#  panic_action: Command to execute if the server dies unexpectedly.
+#
+#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+#  The panic action is a command which will be executed if the server
+#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+#  SIGABRT or SIGFPE.
+#
+#  This can be used to start an interactive debugging session so
+#  that information regarding the current state of the server can
+#  be acquired.
+#
+#  The following string substitutions are available:
+#  - %e   The currently executing program e.g. /sbin/radiusd
+#  - %p   The PID of the currently executing program e.g. 12345
+#
+#  Standard ${} substitutions are also allowed.
+#
+#  An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+#  Again, don't use that on a production system.
+#
+#  An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
+#
+#  That command can be used on a production system.
+#
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+#
+#  Requests which take more time than this to process may be killed, and
+#  a REJECT message is returned.
+#
+#  WARNING: If you notice that requests take a long time to be handled,
+#  then this MAY INDICATE a bug in the server, in one of the modules
+#  used to handle a request, OR in your local configuration.
+#
+#  This problem is most often seen when using an SQL database.  If it takes
+#  more than a second or two to receive an answer from the SQL database,
+#  then it probably means that you haven't indexed the database.  See your
+#  SQL server documentation for more information.
+#
+#  Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+#  a reply which was sent to the NAS.
+#
+#  The RADIUS request is normally cached internally for a short period
+#  of time, after the reply is sent to the NAS.  The reply packet may be
+#  lost in the network, and the NAS will not see it.  The NAS will then
+#  re-send the request, and the server will respond quickly with the
+#  cached reply.
+#
+#  If this value is set too low, then duplicate requests from the NAS
+#  MAY NOT be detected, and will instead be handled as seperate requests.
+#
+#  If this value is set too high, then the server will cache too many
+#  requests, and some new requests may get blocked.  (See 'max_requests'.)
+#
+#  Useful range of values: 2 to 10
+#
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+#  track of.  This should be 256 multiplied by the number of clients.
+#  e.g. With 4 clients, this number should be 1024.
+#
+#  If this number is too low, then when the server becomes busy,
+#  it will not respond to any new requests, until the 'cleanup_delay'
+#  time has passed, and it has removed the old requests.
+#
+#  If this number is set too high, then the server will use a bit more
+#  memory for no real benefit.
+#
+#  If you aren't sure what it should be set to, it's better to set it
+#  too high than too low.  Setting it to 1000 per client is probably
+#  the highest it should be.
+#
+#  Useful range of values: 256 to infinity
+#
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+#  replies out from that address. This directive is most useful for
+#  hosts with multiple IP addresses on one interface.
+#
+#  If you want the server to listen on additional addresses, or on
+#  additionnal ports, you can use multiple "listen" sections.
+#
+#  Each section make the server listen for only one type of packet,
+#  therefore authentication and accounting have to be configured in
+#  different sections.
+#
+#  The server ignore all "listen" section if you are using '-i' and '-p'
+#  on the command line.
+#
+listen {
+	#  Type of packets to listen for.
+	#  Allowed values are:
+	#	auth	listen for authentication packets
+	#	acct	listen for accounting packets
+	#	proxy   IP to use for sending proxied packets
+	#	detail  Read from the detail file.  For examples, see
+	#               raddb/sites-available/copy-acct-to-home-server
+	#	status  listen for Status-Server packets.  For examples,
+	#		see raddb/sites-available/status
+	#	coa     listen for CoA-Request and Disconnect-Request
+	#		packets.  For examples, see the file
+	#		raddb/sites-available/coa
+	#
+	type = auth
+
+	#  Note: "type = proxy" lets you control the source IP used for
+	#        proxying packets, with some limitations:
+	#
+	#    * A proxy listener CANNOT be used in a virtual server section.
+	#    * You should probably set "port = 0".
+	#    * Any "clients" configuration will be ignored.
+	#
+	#  See also proxy.conf, and the "src_ipaddr" configuration entry
+	#  in the sample "home_server" section.  When you specify the
+	#  source IP address for packets sent to a home server, the
+	#  proxy listeners are automatically created.
+
+	#  IP address on which to listen.
+	#  Allowed values are:
+	#	dotted quad (1.2.3.4)
+	#       hostname    (radius.example.com)
+	#       wildcard    (*)
+	ipaddr = *
+
+	#  OR, you can use an IPv6 address, but not both
+	#  at the same time.
+#	ipv6addr = ::	# any.  ::1 == localhost
+
+	#  Port on which to listen.
+	#  Allowed values are:
+	#	integer port number (1812)
+	#	0 means "use /etc/services for the proper port"
+	port = 0
+
+	#  Some systems support binding to an interface, in addition
+	#  to the IP address.  This feature isn't strictly necessary,
+	#  but for sites with many IP addresses on one interface,
+	#  it's useful to say "listen on all addresses for eth0".
+	#
+	#  If your system does not support this feature, you will
+	#  get an error if you try to use it.
+	#
+#	interface = eth0
+
+	#  Per-socket lists of clients.  This is a very useful feature.
+	#
+	#  The name here is a reference to a section elsewhere in
+	#  radiusd.conf, or clients.conf.  Having the name as
+	#  a reference allows multiple sockets to use the same
+	#  set of clients.
+	#
+	#  If this configuration is used, then the global list of clients
+	#  is IGNORED for this "listen" section.  Take care configuring
+	#  this feature, to ensure you don't accidentally disable a
+	#  client you need.
+	#
+	#  See clients.conf for the configuration of "per_socket_clients".
+	#
+#	clients = per_socket_clients
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+	ipaddr = *
+#	ipv6addr = ::
+	port = 0
+	type = acct
+#	interface = eth0
+#	clients = per_socket_clients
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+#  The default is 'off' because it would be overall better for the net
+#  if people had to knowingly turn this feature on, since enabling it
+#  means that each client request will result in AT LEAST one lookup
+#  request to the nameserver.   Enabling hostname_lookups will also
+#  mean that your server may stop randomly for 30 seconds from time
+#  to time, if the DNS requests take too long.
+#
+#  Turning hostname lookups off also means that the server won't block
+#  for 30 seconds, if it sees an IP address which has no name associated
+#  with it.
+#
+#  allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+#  if you're debugging a problem with the server.
+#
+#  allowed values: {no, yes}
+#
+allow_core_dumps = no
+
+#  Regular expressions
+#
+#  These items are set at configure time.  If they're set to "yes",
+#  then setting them to "no" turns off regular expression support.
+#
+#  If they're set to "no" at configure time, then setting them to "yes"
+#  WILL NOT WORK.  It will give you an error.
+#
+regular_expressions	= yes
+extended_expressions	= yes
+
+#
+#  Logging section.  The various "log_*" configuration items
+#  will eventually be moved here.
+#
+log {
+	#
+	#  Destination for log messages.  This can be one of:
+	#
+	#	files - log to "file", as defined below.
+	#	syslog - to syslog (see also the "syslog_facility", below.
+	#	stdout - standard output
+	#	stderr - standard error.
+	#
+	#  The command-line option "-X" over-rides this option, and forces
+	#  logging to go to stdout.
+	#
+	destination = files
+
+	#
+	#  The logging messages for the server are appended to the
+	#  tail of this file if destination == "files"
+	#
+	#  If the server is running in debugging mode, this file is
+	#  NOT used.
+	#
+	file = ${logdir}/radius.log
+
+	#
+	#  If this configuration parameter is set, then log messages for
+	#  a *request* go to this file, rather than to radius.log.
+	#
+	#  i.e. This is a log file per request, once the server has accepted
+	#  the request as being from a valid client.  Messages that are
+	#  not associated with a request still go to radius.log.
+	#
+	#  Not all log messages in the server core have been updated to use
+	#  this new internal API.  As a result, some messages will still
+	#  go to radius.log.  Please submit patches to fix this behavior.
+	#
+	#  The file name is expanded dynamically.  You should ONLY user
+	#  server-side attributes for the filename (e.g. things you control).
+	#  Using this feature MAY also slow down the server substantially,
+	#  especially if you do thinks like SQL calls as part of the
+	#  expansion of the filename.
+	#
+	#  The name of the log file should use attributes that don't change
+	#  over the lifetime of a request, such as User-Name,
+	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
+	#  messages will be distributed over multiple files.
+	#
+	#  Logging can be enabled for an individual request by a special
+	#  dynamic expansion macro:  %{debug: 1}, where the debug level
+	#  for this request is set to '1' (or 2, 3, etc.).  e.g.
+	#
+	#	...
+	#	update control {
+	#	       Tmp-String-0 = "%{debug:1}"
+	#	}
+	#	...
+	#
+	#  The attribute that the value is assigned to is unimportant,
+	#  and should be a "throw-away" attribute with no side effects.
+	#
+	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
+
+	#
+	#  Which syslog facility to use, if ${destination} == "syslog"
+	#
+	#  The exact values permitted here are OS-dependent.  You probably
+	#  don't want to change this.
+	#
+	syslog_facility = daemon
+
+	#  Log the full User-Name attribute, as it was found in the request.
+	#
+	# allowed values: {no, yes}
+	#
+	stripped_names = no
+
+	#  Log authentication requests to the log file.
+	#
+	#  allowed values: {no, yes}
+	#
+	auth = no
+
+	#  Log passwords with the authentication requests.
+	#  auth_badpass  - logs password if it's rejected
+	#  auth_goodpass - logs password if it's correct
+	#
+	#  allowed values: {no, yes}
+	#
+	auth_badpass = no
+	auth_goodpass = no
+
+	#  Log additional text at the end of the "Login OK" messages.
+	#  for these to work, the "auth" and "auth_goopass" or "auth_badpass"
+	#  configurations above have to be set to "yes".
+	#
+	#  The strings below are dynamically expanded, which means that
+	#  you can put anything you want in them.  However, note that
+	#  this expansion can be slow, and can negatively impact server
+	#  performance.
+	#
+#	msg_goodpass = ""
+#	msg_badpass = ""
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+#
+#  There may be multiple methods of attacking on the server.  This
+#  section holds the configuration items which minimize the impact
+#  of those attacks
+#
+security {
+	#
+	#  max_attributes: The maximum number of attributes
+	#  permitted in a RADIUS packet.  Packets which have MORE
+	#  than this number of attributes in them will be dropped.
+	#
+	#  If this number is set too low, then no RADIUS packets
+	#  will be accepted.
+	#
+	#  If this number is set too high, then an attacker may be
+	#  able to send a small number of packets which will cause
+	#  the server to use all available memory on the machine.
+	#
+	#  Setting this number to 0 means "allow any number of attributes"
+	max_attributes = 200
+
+	#
+	#  reject_delay: When sending an Access-Reject, it can be
+	#  delayed for a few seconds.  This may help slow down a DoS
+	#  attack.  It also helps to slow down people trying to brute-force
+	#  crack a users password.
+	#
+	#  Setting this number to 0 means "send rejects immediately"
+	#
+	#  If this number is set higher than 'cleanup_delay', then the
+	#  rejects will be sent at 'cleanup_delay' time, when the request
+	#  is deleted from the internal cache of requests.
+	#
+	#  Useful ranges: 1 to 5
+	reject_delay = 1
+
+	#
+	#  status_server: Whether or not the server will respond
+	#  to Status-Server requests.
+	#
+	#  When sent a Status-Server message, the server responds with
+	#  an Access-Accept or Accounting-Response packet.
+	#
+	#  This is mainly useful for administrators who want to "ping"
+	#  the server, without adding test users, or creating fake
+	#  accounting packets.
+	#
+	#  It's also useful when a NAS marks a RADIUS server "dead".
+	#  The NAS can periodically "ping" the server with a Status-Server
+	#  packet.  If the server responds, it must be alive, and the
+	#  NAS can start using it for real requests.
+	#
+	#  See also raddb/sites-available/status
+	#
+	status_server = yes
+
+	#
+	#  allow_vulnerable_openssl: Allow the server to start with
+	#  versions of OpenSSL known to have critical vulnerabilities.
+	#
+	#  This check is based on the version number reported by libssl
+	#  and may not reflect patches applied to libssl by
+	#  distribution maintainers.
+	#
+	allow_vulnerable_openssl = no
+}
+
+# PROXY CONFIGURATION
+#
+#  proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+#  The server has proxying turned on by default.  If your system is NOT
+#  set up to proxy requests to another server, then you can turn proxying
+#  off here.  This will save a small amount of resources on the server.
+#
+#  If you have proxying turned off, and your configuration files say
+#  to proxy a request, then an error message will be logged.
+#
+#  To disable proxying, change the "yes" to "no", and comment the
+#  $INCLUDE line.
+#
+#  allowed values: {no, yes}
+#
+proxy_requests  = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+#  Client configuration is defined in "clients.conf".
+#
+
+#  The 'clients.conf' file contains all of the information from the old
+#  'clients' and 'naslist' configuration files.  We recommend that you
+#  do NOT use 'client's or 'naslist', although they are still
+#  supported.
+#
+#  Anything listed in 'clients.conf' will take precedence over the
+#  information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+#  The thread pool is a long-lived group of threads which
+#  take turns (round-robin) handling any incoming requests.
+#
+#  You probably want to have a few spare threads around,
+#  so that high-load situations can be handled immediately.  If you
+#  don't have any spare threads, then the request handling will
+#  be delayed while a new thread is created, and added to the pool.
+#
+#  You probably don't want too many spare threads around,
+#  otherwise they'll be sitting there taking up resources, and
+#  not doing anything productive.
+#
+#  The numbers given below should be adequate for most situations.
+#
+thread pool {
+	#  Number of servers to start initially --- should be a reasonable
+	#  ballpark figure.
+	start_servers = 5
+
+	#  Limit on the total number of servers running.
+	#
+	#  If this limit is ever reached, clients will be LOCKED OUT, so it
+	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
+	#  keep a runaway server from taking the system with it as it spirals
+	#  down...
+	#
+	#  You may find that the server is regularly reaching the
+	#  'max_servers' number of threads, and that increasing
+	#  'max_servers' doesn't seem to make much difference.
+	#
+	#  If this is the case, then the problem is MOST LIKELY that
+	#  your back-end databases are taking too long to respond, and
+	#  are preventing the server from responding in a timely manner.
+	#
+	#  The solution is NOT do keep increasing the 'max_servers'
+	#  value, but instead to fix the underlying cause of the
+	#  problem: slow database, or 'hostname_lookups=yes'.
+	#
+	#  For more information, see 'max_request_time', above.
+	#
+	max_servers = 32
+
+	#  Server-pool size regulation.  Rather than making you guess
+	#  how many servers you need, FreeRADIUS dynamically adapts to
+	#  the load it sees, that is, it tries to maintain enough
+	#  servers to handle the current load, plus a few spare
+	#  servers to handle transient load spikes.
+	#
+	#  It does this by periodically checking how many servers are
+	#  waiting for a request.  If there are fewer than
+	#  min_spare_servers, it creates a new spare.  If there are
+	#  more than max_spare_servers, some of the spares die off.
+	#  The default values are probably OK for most sites.
+	#
+	min_spare_servers = 3
+	max_spare_servers = 10
+
+	#  When the server receives a packet, it places it onto an
+	#  internal queue, where the worker threads (configured above)
+	#  pick it up for processing.  The maximum size of that queue
+	#  is given here.
+	#
+	#  When the queue is full, any new packets will be silently
+	#  discarded.
+	#
+	#  The most common cause of the queue being full is that the
+	#  server is dependent on a slow database, and it has received
+	#  a large "spike" of traffic.  When that happens, there is
+	#  very little you can do other than make sure the server
+	#  receives less traffic, or make sure that the database can
+	#  handle the load.
+	#
+#	max_queue_size = 65536
+
+	#  There may be memory leaks or resource allocation problems with
+	#  the server.  If so, set this value to 300 or so, so that the
+	#  resources will be cleaned up periodically.
+	#
+	#  This should only be necessary if there are serious bugs in the
+	#  server which have not yet been fixed.
+	#
+	#  '0' is a special value meaning 'infinity', or 'the servers never
+	#  exit'
+	max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+#
+#  The names and configuration of each module is located in this section.
+#
+#  After the modules are defined here, they may be referred to by name,
+#  in other sections of this configuration file.
+#
+modules {
+	#
+	#  Each module has a configuration as follows:
+	#
+	#	name [ instance ] {
+	#		config_item = value
+	#		...
+	#	}
+	#
+	#  The 'name' is used to load the 'rlm_name' library
+	#  which implements the functionality of the module.
+	#
+	#  The 'instance' is optional.  To have two different instances
+	#  of a module, it first must be referred to by 'name'.
+	#  The different copies of the module are then created by
+	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+	#
+	#  The instance names can then be used in later configuration
+	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
+	#  for an example.
+	#
+
+	#
+	#  As of 2.0.5, most of the module configurations are in a
+	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
+	#  are loaded.  The modules are initialized ONLY if they are
+	#  referenced in a processing section, such as authorize,
+	#  authenticate, accounting, pre/post-proxy, etc.
+	#
+	$INCLUDE ${confdir}/modules/
+
+	#  Extensible Authentication Protocol
+	#
+	#  For all EAP related authentications.
+	#  Now in another file, because it is very large.
+	#
+	$INCLUDE eap.conf
+
+	#  Include another file that has the SQL-related configuration.
+	#  This is another file only because it tends to be big.
+	#
+#	$INCLUDE sql.conf
+
+	#
+	#  This module is an SQL enabled version of the counter module.
+	#
+	#  Rather than maintaining seperate (GDBM) databases of
+	#  accounting info for each counter, this module uses the data
+	#  stored in the raddacct table by the sql modules. This
+	#  module NEVER does any database INSERTs or UPDATEs.  It is
+	#  totally dependent on the SQL module to process Accounting
+	#  packets.
+	#
+#	$INCLUDE sql/mysql/counter.conf
+
+	#
+	#  IP addresses managed in an SQL table.
+	#
+#	$INCLUDE sqlippool.conf
+}
+
+# Instantiation
+#
+#  This section orders the loading of the modules.  Modules
+#  listed here will get loaded BEFORE the later sections like
+#  authorize, authenticate, etc. get examined.
+#
+#  This section is not strictly needed.  When a section like
+#  authorize refers to a module, it's automatically loaded and
+#  initialized.  However, some modules may not be listed in any
+#  of the following sections, so they can be listed here.
+#
+#  Also, listing modules here ensures that you have control over
+#  the order in which they are initalized.  If one module needs
+#  something defined by another module, you can list them in order
+#  here, and ensure that the configuration will be OK.
+#
+instantiate {
+	#
+	#  Allows the execution of external scripts.
+	#  The entire command line (and output) must fit into 253 bytes.
+	#
+	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
+	exec
+
+	#
+	#  The expression module doesn't do authorization,
+	#  authentication, or accounting.  It only does dynamic
+	#  translation, of the form:
+	#
+	#	Session-Timeout = `%{expr:2 + 3}`
+	#
+	#  This module needs to be instantiated, but CANNOT be
+	#  listed in any other section.  See 'doc/rlm_expr' for
+	#  more information.
+	#
+	#  rlm_expr is also responsible for registering many
+	#  other xlat functions such as md5, sha1 and lc.
+	#
+	#  We do not recommend removing it's listing here.
+	expr
+
+	#
+	# We add the counter module here so that it registers
+	# the check-name attribute before any module which sets
+	# it
+#	daily
+	expiration
+	logintime
+
+	# subsections here can be thought of as "virtual" modules.
+	#
+	# e.g. If you have two redundant SQL servers, and you want to
+	# use them in the authorize and accounting sections, you could
+	# place a "redundant" block in each section, containing the
+	# exact same text.  Or, you could uncomment the following
+	# lines, and list "redundant_sql" in the authorize and
+	# accounting sections.
+	#
+	#redundant redundant_sql {
+	#	sql1
+	#	sql2
+	#}
+}
+
+######################################################################
+#
+#	Policies that can be applied in multiple places are listed
+#	globally.  That way, they can be defined once, and referred
+#	to multiple times.
+#
+######################################################################
+$INCLUDE policy.conf
+
+######################################################################
+#
+#	Load virtual servers.
+#
+#	This next $INCLUDE line loads files in the directory that
+#	match the regular expression: /[a-zA-Z0-9_.]+/
+#
+#	It allows you to define new virtual servers simply by placing
+#	a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+#	All of the other configuration sections like "authorize {}",
+#	"authenticate {}", "accounting {}", have been moved to the
+#	the file:
+#
+#		raddb/sites-available/default
+#
+#	This is the "default" virtual server that has the same
+#	configuration as in version 1.0.x and 1.1.x.  The default
+#	installation enables this virtual server.  You should
+#	edit it to create policies for your local site.
+#
+#	For more documentation on virtual servers, see:
+#
+#		raddb/sites-available/README
+#
+######################################################################

freeradius/config/tmp/freeradius/acct_users

@@ -0,0 +1,23 @@
+#
+#	$Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
+#
+#	This is like the 'users' file, but it is processed only for
+#	accounting packets.
+#
+
+#  Select between different accounting methods based for example on the
+#  Realm, the Huntgroup-Name or any combinaison of the attribute/value
+#  pairs contained in an accounting packet.
+#
+#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
+#
+#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
+#
+#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
+#
+#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
+
+#  Replace the User-Name with the Stripped-User-Name, if it exists.
+#
+#DEFAULT
+#	User-Name := "%{Stripped-User-Name:-%{User-Name}}"

freeradius/config/tmp/freeradius/attrs

@@ -0,0 +1,129 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
+#
+#	This file contains security and configuration information
+#	for each realm. The first field is the realm name and
+#	can be up to 253 characters in length. This is followed (on
+#	the next line) with the list of filter rules to be used to
+#	decide what attributes and/or values we allow proxy servers
+#	to pass to the NAS for this realm.
+#
+#	When a proxy-reply packet is received from a home server,
+#	these attributes and values are tested. Only the first match
+#	is used unless the "Fall-Through" variable is set to "Yes".
+#	In that case the rules defined in the DEFAULT case are
+#	processed as well.
+#
+#	A special realm named "DEFAULT" matches on all realm names.
+#	You can have only one DEFAULT entry. All entries are processed
+#	in the order they appear in this file. The first entry that
+#	matches the login-request will stop processing unless you use
+#	the Fall-Through variable.
+#
+#	Indented (with the tab character) lines following the first
+#	line indicate the filter rules.
+#
+#	You can include another `attrs' file with `$INCLUDE attrs.other'
+#
+
+#
+# This is a complete entry for realm "fisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+#     o  Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
+#     o  PPP sessions ( no SLIP, CSLIP, etc. )
+#     o  dynamic ip assignment ( can't assign a static ip )
+#     o  an idle timeout value set to 600 seconds (10 min) or less
+#     o  a max session time set to 28800 seconds (8 hours) or less
+#
+#fisp
+#	Service-Type == Framed-User,
+#	Framed-Protocol == PPP,
+#	Framed-IP-Address == 255.255.255.254,
+#	Idle-Timeout <= 600,
+#	Session-Timeout <= 28800
+
+#
+# This is a complete entry for realm "tisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+#       o Only Login-User Service-Type ( no framed/ppp sessions )
+#       o Telnet sessions only ( no rlogin, tcp-clear )
+#       o Login hosts of either 192.168.1.1 or 192.168.1.2
+#
+#tisp
+#	Service-Type == Login-User,
+#	Login-Service == Telnet,
+#	Login-TCP-Port == 23,
+#	Login-IP-Host == 192.168.1.1,
+#	Login-IP-Host == 192.168.1.2
+
+#
+# The following example can be used for a home server which is only
+# allowed to supply a Reply-Message, a Session-Timeout attribute of
+# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
+# Acct-Interim-Interval attribute between 300 and 3600.
+# All other attributes sent back will be filtered out.
+#
+#strictrealm
+#	Reply-Message =* ANY,
+#	Session-Timeout <= 86400,
+#	Idle-Timeout <= 600,
+#	Acct-Interim-Interval >= 300,
+#	Acct-Interim-Interval <= 3600
+
+#
+# This is a complete entry for realm "spamrealm". Fall-Through is used,
+# so that the DEFAULT filter rules are used in addition to these.
+#
+# These rules allow:
+#       o Force the application of Filter-ID attribute to be returned
+#         in the proxy reply, whether the proxy sent it or not.
+#       o The standard DEFAULT rules as defined below
+#
+#spamrealm
+#	Framed-Filter-Id := "nosmtp.in",
+#	Fall-Through = Yes
+
+#
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names. (except if the realm previously
+# matched an entry with no Fall-Through)
+#
+
+DEFAULT
+	Service-Type == Framed-User,
+	Service-Type == Login-User,
+	Login-Service == Telnet,
+	Login-Service == Rlogin,
+	Login-Service == TCP-Clear,
+	Login-TCP-Port <= 65536,
+	Framed-IP-Address == 255.255.255.254,
+	Framed-IP-Netmask == 255.255.255.255,
+	Framed-Protocol == PPP,
+	Framed-Protocol == SLIP,
+	Framed-Compression == Van-Jacobson-TCP-IP,
+	Framed-MTU >= 576,
+	Framed-Filter-ID =* ANY,
+	Reply-Message =* ANY,
+	Proxy-State =* ANY,
+	EAP-Message =* ANY,
+	Message-Authenticator =* ANY,
+	MS-MPPE-Recv-Key =* ANY,
+	MS-MPPE-Send-Key =* ANY,
+	MS-CHAP-MPPE-Keys =* ANY,
+	State =* ANY,
+	Session-Timeout <= 28800,
+	Idle-Timeout <= 600,
+        Calling-Station-Id =* ANY,
+        Operator-Name =* ANY,
+	Port-Limit <= 2

freeradius/config/tmp/freeradius/attrs.access_challenge

@@ -0,0 +1,19 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
+#
+#	This configuration file is used to remove almost all of the
+#	attributes From an Access-Challenge message.  The RFC's say
+#	that an Access-Challenge packet can contain only a few
+#	attributes.  We enforce that here.
+#
+DEFAULT
+	EAP-Message =* ANY,
+	State =* ANY,
+	Message-Authenticator =* ANY,
+	Reply-Message =* ANY,
+	Proxy-State =* ANY,
+	Session-Timeout =* ANY,
+	Idle-Timeout =* ANY

freeradius/config/tmp/freeradius/attrs.access_reject

@@ -0,0 +1,17 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
+#
+#	This configuration file is used to remove almost all of the attributes
+#	From an Access-Reject message.  The RFC's say that an Access-Reject
+#	packet can contain only a few attributes.  We enforce that here.
+#
+DEFAULT
+	EAP-Message =* ANY,
+	State =* ANY,
+	Message-Authenticator =* ANY,
+	Reply-Message =* ANY,
+	MS-CHAP-Error =* ANY,
+	Proxy-State =* ANY

freeradius/config/tmp/freeradius/attrs.accounting_response

@@ -0,0 +1,15 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
+#
+#	This configuration file is used to remove almost all of the attributes
+#	From an Accounting-Response message.  The RFC's say that an
+#	Accounting-Response packet can contain only a few attributes.
+#	We enforce that here.
+#
+DEFAULT
+	Vendor-Specific =* ANY,
+	Message-Authenticator =* ANY,
+	Proxy-State =* ANY

freeradius/config/tmp/freeradius/attrs.pre-proxy

@@ -0,0 +1,62 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
+#
+#	This file contains security and configuration information
+#	for each realm. It can be used be an rlm_attr_filter module
+#	instance to filter attributes before sending packets to the
+#	home server of a realm.
+#
+#	When a packet is sent to a home server, these attributes
+#	and values are tested. Only the first match is used unless
+#	the "Fall-Through" variable is set to "Yes". In that case
+#	the rules defined in the DEFAULT case are processed as well.
+#
+#	A special realm named "DEFAULT" matches on all realm names.
+#	You can have only one DEFAULT entry. All entries are processed
+#	in the order they appear in this file. The first entry that
+#	matches the login-request will stop processing unless you use
+#	the Fall-Through variable.
+#
+#	The first line indicates the realm to which the rules apply.
+#	Indented (with the tab character) lines following the first
+#	line indicate the filter rules.
+#
+
+# This is a complete entry for 'nochap' realm. It allows to send very
+# basic attributes to the home server. Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used. Only the listed attributes
+# will be sent in the packet, all other attributes will be filtered out.
+#
+#nochap
+#	User-Name =* ANY,
+#	User-Password =* ANY,
+#	NAS-Ip-Address =* ANY,
+#	NAS-Identifier =* ANY
+
+# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
+# if its value is different from 'Ethernet'. Then the default rules are
+# applied.
+#
+#brokenas
+#	NAS-Port-Type == Ethernet
+#	Fall-Through = Yes
+
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names.
+
+DEFAULT
+	User-Name =* ANY,
+	User-Password =* ANY,
+	CHAP-Password =* ANY,
+	CHAP-Challenge =* ANY,
+	MS-CHAP-Challenge =* ANY,
+	MS-CHAP-Response =* ANY,
+	EAP-Message =* ANY,
+	Message-Authenticator =* ANY,
+	State =* ANY,
+	NAS-IP-Address =* ANY,
+	NAS-Identifier =* ANY,
+	Proxy-State =* ANY

freeradius/config/tmp/freeradius/clients.conf

@@ -0,0 +1,241 @@
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+##  $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
+
+#######################################################################
+#
+#  Define RADIUS clients (usually a NAS, Access Point, etc.).
+
+#
+#  Defines a RADIUS client.
+#
+#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
+#  to allow testing of the server after an initial installation.  If you
+#  are not going to be permitting RADIUS queries from localhost, we suggest
+#  that you delete, or comment out, this entry.
+#
+#
+
+#
+#  Each client has a "short name" that is used to distinguish it from
+#  other clients.
+#
+#  In version 1.x, the string after the word "client" was the IP
+#  address of the client.  In 2.0, the IP address is configured via
+#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
+#  format is still accepted.
+#
+client localhost {
+  #  Allowed values are:
+  # dotted quad (1.2.3.4)
+  #       hostname    (radius.example.com)
+  ipaddr = 127.0.0.1
+
+  #  OR, you can use an IPv6 address, but not both
+  #  at the same time.
+# ipv6addr = :: # any.  ::1 == localhost
+
+  #
+  #  A note on DNS:  We STRONGLY recommend using IP addresses
+  #  rather than host names.  Using host names means that the
+  #  server will do DNS lookups when it starts, making it
+  #  dependent on DNS.  i.e. If anything goes wrong with DNS,
+  #  the server won't start!
+  #
+  #  The server also looks up the IP address from DNS once, and
+  #  only once, when it starts.  If the DNS record is later
+  #  updated, the server WILL NOT see that update.
+  #
+
+  #  One client definition can be applied to an entire network.
+  #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
+  #  "netmask = 8"
+  #
+  #  If not specified, the default netmask is 32 (i.e. /32)
+  #
+  #  We do NOT recommend using anything other than 32.  There
+  #  are usually other, better ways to achieve the same goal.
+  #  Using netmasks of other than 32 can cause security issues.
+  #
+  #  You can specify overlapping networks (127/8 and 127.0/16)
+  #  In that case, the smallest possible network will be used
+  #  as the "best match" for the client.
+  #
+  #  Clients can also be defined dynamically at run time, based
+  #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
+  #  etc.
+  #  See raddb/sites-available/dynamic-clients for details.
+  #
+
+# netmask = 32
+
+  #
+  #  The shared secret use to "encrypt" and "sign" packets between
+  #  the NAS and FreeRADIUS.  You MUST change this secret from the
+  #  default, otherwise it's not a secret any more!
+  #
+  #  The secret can be any string, up to 8k characters in length.
+  #
+  #  Control codes can be entered vi octal encoding,
+  # e.g. "\101\102" == "AB"
+  #  Quotation marks can be entered by escaping them,
+  # e.g. "foo\"bar"
+  #
+  #  A note on security:  The security of the RADIUS protocol
+  #  depends COMPLETELY on this secret!  We recommend using a
+  #  shared secret that is composed of:
+  #
+  # upper case letters
+  # lower case letters
+  # numbers
+  #
+  #  And is at LEAST 8 characters long, preferably 16 characters in
+  #  length.  The secret MUST be random, and should not be words,
+  #  phrase, or anything else that is recognizable.
+  #
+  #  The default secret below is only for testing, and should
+  #  not be used in any real environment.
+  #
+  secret    = toor42
+
+  #
+  #  Old-style clients do not send a Message-Authenticator
+  #  in an Access-Request.  RFC 5080 suggests that all clients
+  #  SHOULD include it in an Access-Request.  The configuration
+  #  item below allows the server to require it.  If a client
+  #  is required to include a Message-Authenticator and it does
+  #  not, then the packet will be silently discarded.
+  #
+  #  allowed values: yes, no
+  require_message_authenticator = no
+
+  #
+  #  The short name is used as an alias for the fully qualified
+  #  domain name, or the IP address.
+  #
+  #  It is accepted for compatibility with 1.x, but it is no
+  #  longer necessary in 2.0
+  #
+# shortname = localhost
+
+  #
+  # the following three fields are optional, but may be used by
+  # checkrad.pl for simultaneous use checks
+  #
+
+  #
+  # The nastype tells 'checkrad.pl' which NAS-specific method to
+  #  use to query the NAS for simultaneous use.
+  #
+  #  Permitted NAS types are:
+  #
+  # cisco
+  # computone
+  # livingston
+  # juniper
+  # max40xx
+  # multitech
+  # netserver
+  # pathras
+  # patton
+  # portslave
+  # tc
+  # usrhiper
+  # other   # for all other types
+
+  #
+  nastype     = other # localhost isn't usually a NAS...
+
+  #
+  #  The following two configurations are for future use.
+  #  The 'naspasswd' file is currently used to store the NAS
+  #  login name and password, which is used by checkrad.pl
+  #  when querying the NAS for simultaneous use.
+  #
+# login       = !root
+# password    = someadminpas
+
+  #
+  #  As of 2.0, clients can also be tied to a virtual server.
+  #  This is done by setting the "virtual_server" configuration
+  #  item, as in the example below.
+  #
+# virtual_server = home1
+
+  #
+  #  A pointer to the "home_server_pool" OR a "home_server"
+  #  section that contains the CoA configuration for this
+  #  client.  For an example of a coa home server or pool,
+  #  see raddb/sites-available/originate-coa
+# coa_server = coa
+}
+
+# IPv6 Client
+#client ::1 {
+# secret    = testing123
+# shortname = localhost
+#}
+#
+# All IPv6 Site-local clients
+#client fe80::/16 {
+# secret    = testing123
+# shortname = localhost
+#}
+
+#client some.host.org {
+# secret    = testing123
+# shortname = localhost
+#}
+
+#
+#  You can now specify one secret for a network of clients.
+#  When a client request comes in, the BEST match is chosen.
+#  i.e. The entry from the smallest possible network.
+#
+#client 192.168.0.0/24 {
+# secret    = testing123-1
+# shortname = private-network-1
+#}
+#
+#client 192.168.0.0/16 {
+# secret    = testing123-2
+# shortname = private-network-2
+#}
+
+
+#client 10.10.10.10 {
+# # secret and password are mapped through the "secrets" file.
+# secret      = testing123
+# shortname   = liv1
+#       # the following three fields are optional, but may be used by
+#       # checkrad.pl for simultaneous usage checks
+# nastype     = livingston
+# login       = !root
+# password    = someadminpas
+#}
+
+#######################################################################
+#
+#  Per-socket client lists.  The configuration entries are exactly
+#  the same as above, but they are nested inside of a section.
+#
+#  You can have as many per-socket client lists as you have "listen"
+#  sections, or you can re-use a list among multiple "listen" sections.
+#
+#  Un-comment this section, and edit a "listen" section to add:
+#  "clients = per_socket_clients".  That IP address/port combination
+#  will then accept ONLY the clients listed in this section.
+#
+#clients per_socket_clients {
+# client 192.168.3.4 {
+#   secret = testing123
+#        }
+#}
+
+client router {
+  ipaddr = 0.0.0.0
+  netmask = 0
+  secret = toor42
+}

freeradius/config/tmp/freeradius/dictionary

@@ -0,0 +1,32 @@
+#
+#	This is the master dictionary file, which references the
+#	pre-defined dictionary files included with the server.
+#
+#	Any new/changed attributes MUST be placed in this file, as
+#	the pre-defined dictionaries SHOULD NOT be edited.
+#
+#	$Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
+#
+
+#
+#	The filename given here should be an absolute path. 
+#
+$INCLUDE	/usr/share/freeradius/dictionary
+
+#
+#	Place additional attributes or $INCLUDEs here.  They will
+#	over-ride the definitions in the pre-defined dictionaries.
+#
+#	See the 'man' page for 'dictionary' for information on
+#	the format of the dictionary files.
+
+#
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them here.  The numbers you pick should be between
+#	3000 and 4000.
+#
+
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer

freeradius/config/tmp/freeradius/eap.conf

@@ -0,0 +1,688 @@
+# -*- text -*-
+##
+##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
+##
+##  $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
+
+#######################################################################
+#
+#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
+#  is smart enough to figure this out on its own.  The most
+#  common side effect of setting 'Auth-Type := EAP' is that the
+#  users then cannot use ANY other authentication method.
+#
+#  EAP types NOT listed here may be supported via the "eap2" module.
+#  See experimental.conf for documentation.
+#
+  eap {
+    #  Invoke the default supported EAP type when
+    #  EAP-Identity response is received.
+    #
+    #  The incoming EAP messages DO NOT specify which EAP
+    #  type they will be using, so it MUST be set here.
+    #
+    #  For now, only one default EAP type may be used at a time.
+    #
+    #  If the EAP-Type attribute is set by another module,
+    #  then that EAP type takes precedence over the
+    #  default type configured here.
+    #
+    default_eap_type = peap
+
+    #  A list is maintained to correlate EAP-Response
+    #  packets with EAP-Request packets.  After a
+    #  configurable length of time, entries in the list
+    #  expire, and are deleted.
+    #
+    timer_expire     = 60
+
+    #  There are many EAP types, but the server has support
+    #  for only a limited subset.  If the server receives
+    #  a request for an EAP type it does not support, then
+    #  it normally rejects the request.  By setting this
+    #  configuration to "yes", you can tell the server to
+    #  instead keep processing the request.  Another module
+    #  MUST then be configured to proxy the request to
+    #  another RADIUS server which supports that EAP type.
+    #
+    #  If another module is NOT configured to handle the
+    #  request, then the request will still end up being
+    #  rejected.
+    ignore_unknown_eap_types = no
+
+    # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
+    # a User-Name attribute in an Access-Accept, it copies one
+    # more byte than it should.
+    #
+    # We can work around it by configurably adding an extra
+    # zero byte.
+    cisco_accounting_username_bug = no
+
+    #
+    #  Help prevent DoS attacks by limiting the number of
+    #  sessions that the server is tracking.  For simplicity,
+    #  this is taken from the "max_requests" directive in
+    #  radiusd.conf.
+    max_sessions = ${max_requests}
+
+    # Supported EAP-types
+
+    #
+    #  We do NOT recommend using EAP-MD5 authentication
+    #  for wireless connections.  It is insecure, and does
+    #  not provide for dynamic WEP keys.
+    #
+    md5 {
+    }
+
+    # Cisco LEAP
+    #
+    #  We do not recommend using LEAP in new deployments.  See:
+    #  http://www.securiteam.com/tools/5TP012ACKE.html
+    #
+    #  Cisco LEAP uses the MS-CHAP algorithm (but not
+    #  the MS-CHAP attributes) to perform it's authentication.
+    #
+    #  As a result, LEAP *requires* access to the plain-text
+    #  User-Password, or the NT-Password attributes.
+    #  'System' authentication is impossible with LEAP.
+    #
+    leap {
+    }
+
+    #  Generic Token Card.
+    #
+    #  Currently, this is only permitted inside of EAP-TTLS,
+    #  or EAP-PEAP.  The module "challenges" the user with
+    #  text, and the response from the user is taken to be
+    #  the User-Password.
+    #
+    #  Proxying the tunneled EAP-GTC session is a bad idea,
+    #  the users password will go over the wire in plain-text,
+    #  for anyone to see.
+    #
+    gtc {
+      #  The default challenge, which many clients
+      #  ignore..
+      #challenge = "Password: "
+
+      #  The plain-text response which comes back
+      #  is put into a User-Password attribute,
+      #  and passed to another module for
+      #  authentication.  This allows the EAP-GTC
+      #  response to be checked against plain-text,
+      #  or crypt'd passwords.
+      #
+      #  If you say "Local" instead of "PAP", then
+      #  the module will look for a User-Password
+      #  configured for the request, and do the
+      #  authentication itself.
+      #
+      auth_type = PAP
+    }
+
+    ## EAP-TLS
+    #
+    #  See raddb/certs/README for additional comments
+    #  on certificates.
+    #
+    #  If OpenSSL was not found at the time the server was
+    #  built, the "tls", "ttls", and "peap" sections will
+    #  be ignored.
+    #
+    #  Otherwise, when the server first starts in debugging
+    #  mode, test certificates will be created.  See the
+    #  "make_cert_command" below for details, and the README
+    #  file in raddb/certs
+    #
+    #  These test certificates SHOULD NOT be used in a normal
+    #  deployment.  They are created only to make it easier
+    #  to install the server, and to perform some simple
+    #  tests with EAP-TLS, TTLS, or PEAP.
+    #
+    #  See also:
+    #
+    #  http://www.dslreports.com/forum/remark,9286052~mode=flat
+    #
+    #  Note that you should NOT use a globally known CA here!
+    #  e.g. using a Verisign cert as a "known CA" means that
+    #  ANYONE who has a certificate signed by them can
+    #  authenticate via EAP-TLS!  This is likely not what you want.
+    tls {
+      #
+      #  These is used to simplify later configurations.
+      #
+      certdir = ${confdir}/certs
+      cadir = ${confdir}/certs
+
+      private_key_password = whatever
+      private_key_file = ${certdir}/server.key
+
+      #  If Private key & Certificate are located in
+      #  the same file, then private_key_file &
+      #  certificate_file must contain the same file
+      #  name.
+      #
+      #  If CA_file (below) is not used, then the
+      #  certificate_file below MUST include not
+      #  only the server certificate, but ALSO all
+      #  of the CA certificates used to sign the
+      #  server certificate.
+      certificate_file = ${certdir}/server.pem
+
+      #  Trusted Root CA list
+      #
+      #  ALL of the CA's in this list will be trusted
+      #  to issue client certificates for authentication.
+      #
+      #  In general, you should use self-signed
+      #  certificates for 802.1x (EAP) authentication.
+      #  In that case, this CA file should contain
+      #  *one* CA certificate.
+      #
+      #  This parameter is used only for EAP-TLS,
+      #  when you issue client certificates.  If you do
+      #  not use client certificates, and you do not want
+      #  to permit EAP-TLS authentication, then delete
+      #  this configuration item.
+      CA_file = ${cadir}/ca.pem
+
+      #
+      #  For DH cipher suites to work, you have to
+      #  run OpenSSL to create the DH file first:
+      #
+      #   openssl dhparam -out certs/dh 1024
+      #
+      dh_file = ${certdir}/dh
+      random_file = /dev/urandom
+
+
+      #
+      #  This can never exceed the size of a RADIUS
+      #  packet (4096 bytes), and is preferably half
+      #  that, to accomodate other attributes in
+      #  RADIUS packet.  On most APs the MAX packet
+      #  length is configured between 1500 - 1600
+      #  In these cases, fragment size should be
+      #  1024 or less.
+      #
+    # fragment_size = 1024
+
+      #  include_length is a flag which is
+      #  by default set to yes If set to
+      #  yes, Total Length of the message is
+      #  included in EVERY packet we send.
+      #  If set to no, Total Length of the
+      #  message is included ONLY in the
+      #  First packet of a fragment series.
+      #
+    # include_length = yes
+
+      #  Check the Certificate Revocation List
+      #
+      #  1) Copy CA certificates and CRLs to same directory.
+      #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+      #    'c_rehash' is OpenSSL's command.
+      #  3) uncomment the line below.
+      #  5) Restart radiusd
+    # check_crl = yes
+      CA_path = ${cadir}
+
+           #
+           #  If check_cert_issuer is set, the value will
+           #  be checked against the DN of the issuer in
+           #  the client certificate.  If the values do not
+           #  match, the cerficate verification will fail,
+           #  rejecting the user.
+           #
+           #  In 2.1.10 and later, this check can be done
+           #  more generally by checking the value of the
+           #  TLS-Client-Cert-Issuer attribute.  This check
+           #  can be done via any mechanism you choose.
+           #
+    #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+           #
+           #  If check_cert_cn is set, the value will
+           #  be xlat'ed and checked against the CN
+           #  in the client certificate.  If the values
+           #  do not match, the certificate verification
+           #  will fail rejecting the user.
+           #
+           #  This check is done only if the previous
+           #  "check_cert_issuer" is not set, or if
+           #  the check succeeds.
+           #
+           #  In 2.1.10 and later, this check can be done
+           #  more generally by checking the value of the
+           #  TLS-Client-Cert-CN attribute.  This check
+           #  can be done via any mechanism you choose.
+           #
+    # check_cert_cn = %{User-Name}
+    #
+      # Set this option to specify the allowed
+      # TLS cipher suites.  The format is listed
+      # in "man 1 ciphers".
+      cipher_list = "DEFAULT"
+
+      #
+      # As part of checking a client certificate, the EAP-TLS
+      # sets some attributes such as TLS-Client-Cert-CN. This
+      # virtual server has access to these attributes, and can
+      # be used to accept or reject the request.
+      #
+    # virtual_server = check-eap-tls
+
+      # This command creates the initial "snake oil"
+      # certificates when the server is run as root,
+      # and via "radiusd -X".
+      #
+      # As of 2.1.11, it *also* checks the server
+      # certificate for validity, including expiration.
+      # This means that radiusd will refuse to start
+      # when the certificate has expired.  The alternative
+      # is to have the 802.1X clients refuse to connect
+      # when they discover the certificate has expired.
+      #
+      # Debugging client issues is hard, so it's better
+      # for the server to print out an error message,
+      # and refuse to start.
+      #
+      make_cert_command = "${certdir}/bootstrap"
+
+      #
+      #  Elliptical cryptography configuration
+      #
+      #  Only for OpenSSL >= 0.9.8.f
+      #
+      ecdh_curve = "prime256v1"
+
+      #
+      #  Session resumption / fast reauthentication
+      #  cache.
+      #
+      #  The cache contains the following information:
+      #
+      #  session Id - unique identifier, managed by SSL
+      #  User-Name  - from the Access-Accept
+      #  Stripped-User-Name - from the Access-Request
+      #  Cached-Session-Policy - from the Access-Accept
+      #
+      #  The "Cached-Session-Policy" is the name of a
+      #  policy which should be applied to the cached
+      #  session.  This policy can be used to assign
+      #  VLANs, IP addresses, etc.  It serves as a useful
+      #  way to re-apply the policy from the original
+      #  Access-Accept to the subsequent Access-Accept
+      #  for the cached session.
+      #
+      #  On session resumption, these attributes are
+      #  copied from the cache, and placed into the
+      #  reply list.
+      #
+      #  You probably also want "use_tunneled_reply = yes"
+      #  when using fast session resumption.
+      #
+      cache {
+            #
+            #  Enable it.  The default is "no".
+            #  Deleting the entire "cache" subsection
+            #  Also disables caching.
+            #
+            #  You can disallow resumption for a
+            #  particular user by adding the following
+            #  attribute to the control item list:
+            #
+            #   Allow-Session-Resumption = No
+            #
+            #  If "enable = no" below, you CANNOT
+            #  enable resumption for just one user
+            #  by setting the above attribute to "yes".
+            #
+            enable = no
+
+            #
+            #  Lifetime of the cached entries, in hours.
+            #  The sessions will be deleted after this
+            #  time.
+            #
+            lifetime = 24 # hours
+
+            #
+            #  The maximum number of entries in the
+            #  cache.  Set to "0" for "infinite".
+            #
+            #  This could be set to the number of users
+            #  who are logged in... which can be a LOT.
+            #
+            max_entries = 255
+      }
+
+      #
+      #  As of version 2.1.10, client certificates can be
+      #  validated via an external command.  This allows
+      #  dynamic CRLs or OCSP to be used.
+      #
+      #  This configuration is commented out in the
+      #  default configuration.  Uncomment it, and configure
+      #  the correct paths below to enable it.
+      #
+      verify {
+        #  A temporary directory where the client
+        #  certificates are stored.  This directory
+        #  MUST be owned by the UID of the server,
+        #  and MUST not be accessible by any other
+        #  users.  When the server starts, it will do
+        #  "chmod go-rwx" on the directory, for
+        #  security reasons.  The directory MUST
+        #  exist when the server starts.
+        #
+        #  You should also delete all of the files
+        #  in the directory when the server starts.
+    #         tmpdir = /tmp/radiusd
+
+        #  The command used to verify the client cert.
+        #  We recommend using the OpenSSL command-line
+        #  tool.
+        #
+        #  The ${..CA_path} text is a reference to
+        #  the CA_path variable defined above.
+        #
+        #  The %{TLS-Client-Cert-Filename} is the name
+        #  of the temporary file containing the cert
+        #  in PEM format.  This file is automatically
+        #  deleted by the server when the command
+        #  returns.
+    #       client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+      }
+
+      #
+      #  OCSP Configuration
+      #  Certificates can be verified against an OCSP
+      #  Responder. This makes it possible to immediately
+      #  revoke certificates without the distribution of
+      #  new Certificate Revokation Lists (CRLs).
+      #
+      ocsp {
+            #
+            #  Enable it.  The default is "no".
+            #  Deleting the entire "ocsp" subsection
+            #  Also disables ocsp checking
+            #
+            enable = no
+
+            #
+            #  The OCSP Responder URL can be automatically
+            #  extracted from the certificate in question.
+            #  To override the OCSP Responder URL set
+            #  "override_cert_url = yes". 
+            #
+            override_cert_url = yes
+
+            #
+            #  If the OCSP Responder address is not
+            #  extracted from the certificate, the
+            #  URL can be defined here.
+
+            #
+            #  Limitation: Currently the HTTP
+            #  Request is not sending the "Host: "
+            #  information to the web-server.  This
+            #  can be a problem if the OCSP
+            #  Responder is running as a vhost.
+            #
+            url = "http://127.0.0.1/ocsp/"
+
+            #
+            # If the OCSP Responder can not cope with nonce
+            # in the request, then it can be disabled here.
+            #
+            # For security reasons, disabling this option
+            # is not recommended as nonce protects against
+            # replay attacks.
+            #
+            # Note that Microsoft AD Certificate Services OCSP
+            # Responder does not enable nonce by default. It is
+            # more secure to enable nonce on the responder than
+            # to disable it in the query here.
+            # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+            #
+            # use_nonce = yes
+
+            #
+            # Number of seconds before giving up waiting
+            # for OCSP response. 0 uses system default.
+            #
+            # timeout = 0
+
+            #
+            # Normally an error in querying the OCSP
+            # responder (no response from server, server did
+            # not understand the request, etc) will result in
+            # a validation failure.
+            #
+            # To treat these errors as 'soft' failures and
+            # still accept the certificate, enable this
+            # option.
+            # 
+            # Warning: this may enable clients with revoked
+            # certificates to connect if the OCSP responder
+            # is not available. Use with caution.
+            #
+            # softfail = no
+      }
+    }
+
+    #  The TTLS module implements the EAP-TTLS protocol,
+    #  which can be described as EAP inside of Diameter,
+    #  inside of TLS, inside of EAP, inside of RADIUS...
+    #
+    #  Surprisingly, it works quite well.
+    #
+    #  The TTLS module needs the TLS module to be installed
+    #  and configured, in order to use the TLS tunnel
+    #  inside of the EAP packet.  You will still need to
+    #  configure the TLS module, even if you do not want
+    #  to deploy EAP-TLS in your network.  Users will not
+    #  be able to request EAP-TLS, as it requires them to
+    #  have a client certificate.  EAP-TTLS does not
+    #  require a client certificate.
+    #
+    #  You can make TTLS require a client cert by setting
+    #
+    # EAP-TLS-Require-Client-Cert = Yes
+    #
+    #  in the control items for a request.
+    #
+    ttls {
+      #  The tunneled EAP session needs a default
+      #  EAP type which is separate from the one for
+      #  the non-tunneled EAP module.  Inside of the
+      #  TTLS tunnel, we recommend using EAP-MD5.
+      #  If the request does not contain an EAP
+      #  conversation, then this configuration entry
+      #  is ignored.
+      default_eap_type = md5
+
+      #  The tunneled authentication request does
+      #  not usually contain useful attributes
+      #  like 'Calling-Station-Id', etc.  These
+      #  attributes are outside of the tunnel,
+      #  and normally unavailable to the tunneled
+      #  authentication request.
+      #
+      #  By setting this configuration entry to
+      #  'yes', any attribute which NOT in the
+      #  tunneled authentication request, but
+      #  which IS available outside of the tunnel,
+      #  is copied to the tunneled request.
+      #
+      # allowed values: {no, yes}
+      copy_request_to_tunnel = no
+
+      #  The reply attributes sent to the NAS are
+      #  usually based on the name of the user
+      #  'outside' of the tunnel (usually
+      #  'anonymous').  If you want to send the
+      #  reply attributes based on the user name
+      #  inside of the tunnel, then set this
+      #  configuration entry to 'yes', and the reply
+      #  to the NAS will be taken from the reply to
+      #  the tunneled request.
+      #
+      # allowed values: {no, yes}
+      use_tunneled_reply = no
+
+      #
+      #  The inner tunneled request can be sent
+      #  through a virtual server constructed
+      #  specifically for this purpose.
+      #
+      #  If this entry is commented out, the inner
+      #  tunneled request will be sent through
+      #  the virtual server that processed the
+      #  outer requests.
+      #
+      virtual_server = "inner-tunnel"
+
+      #  This has the same meaning as the
+      #  same field in the "tls" module, above.
+      #  The default value here is "yes".
+    # include_length = yes
+    }
+
+    ##################################################
+    #
+    #  !!!!! WARNINGS for Windows compatibility  !!!!!
+    #
+    ##################################################
+    #
+    #  If you see the server send an Access-Challenge,
+    #  and the client never sends another Access-Request,
+    #  then
+    #
+    #   STOP!
+    #
+    #  The server certificate has to have special OID's
+    #  in it, or else the Microsoft clients will silently
+    #  fail.  See the "scripts/xpextensions" file for
+    #  details, and the following page:
+    #
+    # http://support.microsoft.com/kb/814394/en-us
+    #
+    #  For additional Windows XP SP2 issues, see:
+    #
+    # http://support.microsoft.com/kb/885453/en-us
+    #
+    #
+    #  If is still doesn't work, and you're using Samba,
+    #  you may be encountering a Samba bug.  See:
+    #
+    # https://bugzilla.samba.org/show_bug.cgi?id=6563
+    #
+    #  Note that we do not necessarily agree with their
+    #  explanation... but the fix does appear to work.
+    #
+    ##################################################
+
+    #
+    #  The tunneled EAP session needs a default EAP type
+    #  which is separate from the one for the non-tunneled
+    #  EAP module.  Inside of the TLS/PEAP tunnel, we
+    #  recommend using EAP-MS-CHAPv2.
+    #
+    #  The PEAP module needs the TLS module to be installed
+    #  and configured, in order to use the TLS tunnel
+    #  inside of the EAP packet.  You will still need to
+    #  configure the TLS module, even if you do not want
+    #  to deploy EAP-TLS in your network.  Users will not
+    #  be able to request EAP-TLS, as it requires them to
+    #  have a client certificate.  EAP-PEAP does not
+    #  require a client certificate.
+    #
+    #
+    #  You can make PEAP require a client cert by setting
+    #
+    # EAP-TLS-Require-Client-Cert = Yes
+    #
+    #  in the control items for a request.
+    #
+    peap {
+      #  The tunneled EAP session needs a default
+      #  EAP type which is separate from the one for
+      #  the non-tunneled EAP module.  Inside of the
+      #  PEAP tunnel, we recommend using MS-CHAPv2,
+      #  as that is the default type supported by
+      #  Windows clients.
+      default_eap_type = mschapv2
+
+      #  the PEAP module also has these configuration
+      #  items, which are the same as for TTLS.
+      copy_request_to_tunnel = no
+      use_tunneled_reply = no
+
+      #  When the tunneled session is proxied, the
+      #  home server may not understand EAP-MSCHAP-V2.
+      #  Set this entry to "no" to proxy the tunneled
+      #  EAP-MSCHAP-V2 as normal MSCHAPv2.
+    # proxy_tunneled_request_as_eap = yes
+
+      #
+      #  The inner tunneled request can be sent
+      #  through a virtual server constructed
+      #  specifically for this purpose.
+      #
+      #  If this entry is commented out, the inner
+      #  tunneled request will be sent through
+      #  the virtual server that processed the
+      #  outer requests.
+      #
+      virtual_server = "inner-tunnel"
+
+      # This option enables support for MS-SoH
+      # see doc/SoH.txt for more info.
+      # It is disabled by default.
+      #
+#     soh = yes
+
+      #
+      # The SoH reply will be turned into a request which
+      # can be sent to a specific virtual server:
+      #
+#     soh_virtual_server = "soh-server"
+    }
+
+    #
+    #  This takes no configuration.
+    #
+    #  Note that it is the EAP MS-CHAPv2 sub-module, not
+    #  the main 'mschap' module.
+    #
+    #  Note also that in order for this sub-module to work,
+    #  the main 'mschap' module MUST ALSO be configured.
+    #
+    #  This module is the *Microsoft* implementation of MS-CHAPv2
+    #  in EAP.  There is another (incompatible) implementation
+    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+    #  currently support.
+    #
+    mschapv2 {
+      #  Prior to version 2.1.11, the module never
+      #  sent the MS-CHAP-Error message to the
+      #  client.  This worked, but it had issues
+      #  when the cached password was wrong.  The
+      #  server *should* send "E=691 R=0" to the
+      #  client, which tells it to prompt the user
+      #  for a new password.
+      #
+      #  The default is to behave as in 2.1.10 and
+      #  earlier, which is known to work.  If you
+      #  set "send_error = yes", then the error
+      #  message will be sent back to the client.
+      #  This *may* help some clients work better,
+      #  but *may* also cause other clients to stop
+      #  working.
+      #
+#     send_error = no
+    }
+  }

freeradius/config/tmp/freeradius/experimental.conf

@@ -0,0 +1,450 @@
+#
+#  This file contains the configuration for experimental modules.
+#
+#  By default, it is NOT included in the build.
+#
+#  $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
+#
+
+	# Configuration for the Python module.
+	#
+	# Where radiusd is a Python module, radiusd.py, and the
+	# function 'authorize' is called.  Here is a dummy piece
+	# of code:
+	# 
+	#	def authorize(params):
+	#	    print params
+	#	    return (5, ('Reply-Message', 'banned'))
+	#
+	# The RADIUS value-pairs are passed as a tuple of tuple
+	# pairs as the first argument, e.g. (('attribute1',
+	# 'value1'), ('attribute2', 'value2'))
+	#
+	# The function return is a tuple with the first element
+	# being the return value of the function.
+	# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
+	# write the return values as Python symbols to avoid
+	# confusion.
+	#
+	# The remaining tuple members are the string form of
+	# value-pairs which are passed on to pairmake().
+	#
+	python {
+		mod_instantiate = radiusd_test
+		func_instantiate = instantiate
+
+		mod_authorize = radiusd_test
+		func_authorize = authorize
+
+		mod_accounting = radiusd_test
+		func_accounting = accounting
+
+		mod_pre_proxy = radiusd_test
+		func_pre_proxy = pre_proxy
+
+		mod_post_proxy = radiusd_test
+		func_post_proxy = post_proxy
+
+		mod_post_auth = radiusd_test
+		func_post_auth = post_auth
+
+		mod_recv_coa = radiusd_test
+		func_recv_coa = recv_coa
+
+		mod_send_coa = radiusd_test
+		func_send_coa = send_coa
+
+		mod_detach = radiusd_test
+		func_detach = detach
+	}
+
+	
+	# Configuration for the example module.  Uncommenting it will cause it
+	# to get loaded and initialized, but should have no real effect as long
+	# it is not referencened in one of the autz/auth/preacct/acct sections
+	example {
+		#  Boolean variable.
+		# allowed values: {no, yes}
+		boolean = yes
+
+		#  An integer, of any value.
+		integer = 16
+
+		#  A string.
+		string = "This is an example configuration string"
+
+		# An IP address, either in dotted quad (1.2.3.4) or hostname
+		# (example.com)
+		ipaddr = 127.0.0.1
+
+		# A subsection
+		mysubsection {
+			anotherinteger = 1000
+			# They nest
+			deeply nested {
+				string = "This is a different string"
+			}
+		}
+	}
+
+	#
+	#  To create a dbm users file, do:
+	#
+	#   cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
+	#
+	#  Then add 'dbm' in 'authorize' section.
+	#
+	#  Note that even if the file has a ".db" or ".dbm" extension,
+	#  you may have to specify it here without that extension.  This
+	#  is because the DBM libraries "helpfully" add a ".db" to the
+	#  filename, but don't check if it's already there.
+	#
+	dbm {
+		usersfile = ${confdir}/users_db
+	}
+
+	#
+	#  Perform NT-Domain authentication.  This only works
+	#  with PAP authentication.  That is, Authentication-Request
+	#  packets containing a User-Password attribute.
+	#
+	#  To use it, add 'smb' into the 'authenticate' section,
+	#  and then in another module (usually the 'users' file),
+	#  set 'Auth-Type := SMB'
+	#
+	#  WARNING: this module is not only experimental, it's also
+	#  a security threat. It's not recommended to use it until
+	#  it gets fixed.
+	#
+	smb {
+		server = ntdomain.server.example.com
+		backup = backup.server.example.com
+		domain = NTDOMAIN
+	}
+
+	# See doc/rlm_fastusers before using this
+	# module or changing these values.
+	#
+	fastusers {
+		usersfile = ${confdir}/users_fast
+		hashsize = 1000
+		compat = no
+		# Reload the hash every 600 seconds (10mins)
+		hash_reload = 600
+	}
+
+	# Caching module
+	#
+	# Should be added in the post-auth section (after all other modules)
+	# and in the authorize section (before any other modules)
+	#
+	# authorize {
+	#	caching {
+	#		ok = return
+	#	}
+	#	[... other modules ...]
+	# }
+	# post-auth {
+	#	[... other modules ...]
+	#	caching
+	# }
+	#
+	# The caching module will cache the Auth-Type and reply items
+	# and send them back on any subsequent requests for the same key
+	#
+	# Configuration:
+	#
+	# filename: The gdbm file to use for the cache database
+	#		(can be memory mapped for more speed)
+	#
+	# key: A string to xlat and use as a key. For instance,
+	#	"%{Acct-Unique-Session-Id}"
+	#
+	# post-auth: If we find a cached entry, set the post-auth to that value
+	#
+	# cache-ttl: The time to cache the entry. The same time format
+	#		as the counter module apply here.
+	#	  num[hdwm] where:
+	#  	h: hours, d: days, w: weeks, m: months
+	#  	If the letter is ommited days will be assumed.
+	#	e.g. 1d == one day
+	#
+	# cache-size: The gdbm cache size to request (default 1000)
+	#
+	# hit-ratio: If set to non-zero we print out statistical
+	#	information after so many cache requests
+	#
+	# cache-rejects: Do we also cache rejects, or not? (default 'yes')
+	#
+	caching {
+		filename = ${db_dir}/db.cache
+		cache-ttl = 1d
+		hit-ratio = 1000
+		key = "%{Acct-Unique-Session-Id}"
+		#post-auth = ""
+		# cache-size = 2000
+		# cache-rejects = yes
+	}
+
+
+	# Simple module for logging of Account packets to radiusd.log
+	# You need to declare it in the accounting section for it to work
+	acctlog {
+		acctlog_update = ""
+		acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+		acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+		acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
+		acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
+	}
+
+	# Another implementation of the EAP module.
+	#
+	#  This module requires the libeap.so file from the hostap
+	#  software (http://hostap.epitest.fi/hostapd/).  It has been
+	#  tested on the development version of hostapd (0.6.1) ONLY.
+	#
+	#  In order to use it, you MUST build a "libeap.so" in hostapd,
+	#  which is not done by default.
+	#
+	#  You MUST also edit the file: src/modules/rlm_eap2/Makefile
+	#  to point to the location of the hostap include files.
+	#
+	#  This module CANNOT be used in the same way as the current
+	#  FreeRADIUS "eap" module.  There is NO way to look inside of
+	#  a tunneled request.  There is NO way to proxy a tunneled
+	#  request.  There is NO way to even look at the user name inside
+	#  of the tunneled request.  There is NO way to control the
+	#  choice of EAP types inside of the tunnel.  You MUST force
+	#  the server to choose "eap2" for authentication, because this
+	#  module has no "authorize" section.
+	#
+	#  If you want to use this module for experimentation, please
+	#  post your comments to the freeradius-devel list:
+	#
+	#    http://lists.freeradius.org/mailman/listinfo/freeradius-devel
+	#
+	#  If you want to use this module in a production (i.e. real-world)
+	#  environment:
+	#
+	#	!!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
+	#
+	#  The module needs additional work to make it ready for
+	#  production use..  Please supply patches, or sponsor the
+	#  work by hiring a developer.  Do NOT ask when the work will
+	#  be done, because there is no plan to finish this module
+	#  unless there is demand for it.
+	#
+	eap2 {
+		#  EAP types are chosen in the order that they are
+		#  listed in this section.  There is no "default_eap_type"
+		#  as with rlm_eap.  Instead, the *first* EAP type is
+		#  used as the default type.
+		#
+		peap {
+		}
+
+		ttls {
+		}
+
+		#  This is the ONLY EAP type that has any configuration.
+		#  All other EAP types have no configuration.
+		#
+		tls {
+			ca_cert = ${confdir}/certs/ca.pem
+			server_cert = ${confdir}/certs/server.pem
+			private_key_file = ${confdir}/certs/server.pem
+			private_key_password = whatever
+		}
+
+		#
+		#  These next two methods do not supply keying material.
+		#
+		md5 {
+		}
+
+		mschapv2 {
+		}
+
+		fast { 
+			pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f 
+			eap_fast_a_id = xxxxxx 
+			eap_fast_a_id_info = my_server 
+			eap_fast_prov = 3
+			pac_key_lifetime = 604800 # 7 days
+			pac_key_refresh_tim = 86400
+		} 
+
+		#  LEAP is NOT supported by this module.
+		#  Use the "eap" module instead.
+
+		#  For other methods that MIGHT work, see the
+		#  configuration of hostap.  The methods are statically
+		#  linked in at compile time, and cannot be controlled
+		#  here.
+	}
+
+	#  Configuration for experimental EAP types.  The sub-sections
+	#  can be copied into eap.conf.
+	eap {
+		ikev2 {
+
+		# Server auth type 
+		# Allowed values are:
+		#  cert   - for certificate based server authentication,
+		#           other required settings for this type are
+		#	    'private_key_file' and 'certificate_file'
+		#  secret - for shared secret based server authentication, 
+		#           other required settings for this type is 'id'
+		# Default value of this option is 'secret'
+	#     server_authtype=cert
+
+		# Allowed default client auth types
+		# Allowed values are:
+		#   secret - for shared secret based client	authentication
+		#   cert   - for certificate based client authentication
+		#   both   - shared secret and certificate is allowed
+		#   none   - authentication will always fail
+		# Default value for this option is 'both'. This option could
+		#  be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+		#  option. 
+	#   default_authtype = both
+
+		# path to trusted CA certificate file
+		CA_file="/path/to/CA/cacert.pem"
+
+		# path to CRL file, if not set, then there will be no
+		#  checks against CRL
+	#   crl_file="/path/to/crl.pem"
+
+		# path to file with user settings 
+		#
+		#  Note that this file is read ONLY on module initialization!
+		#
+		# default ${confdir}/eap_ikev2_users
+	#   usersfile=${confdir}/eap_ikev2_users
+
+#
+#  Sample "eap_ikev2_users" file entry:
+#
+#username  EAP-IKEv2-IDType := KEY_ID,  EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username           - client user name from IKE-AUTH (IDr)  or CommonName
+##                      from x509 certificate
+## EAP-IKEv2-IDType   - ID Type - same as in expected IDType payload
+##	                allowable attributes for EAP-IKEv2-IDType:
+##	                IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+##			DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret   - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+##                      type. Allowed values are: secret,cert,both,none.
+##			For the meaning of this values, please see the
+##                      description of 'default_authtype'.
+##                      This attribute can overwrite 'default_authtype' value.
+
+
+
+		# path to  file with server private key
+		private_key_file="/path/to/srv-private-key.pem"
+
+		# password to private key file
+		private_key_password="passwd"
+
+		# path to file with server certificate
+		certificate_file="/path/to/srv-cert.pem"
+
+		# server identity string
+		id="deMaio"
+
+		# Server identity type. Allowed values are:
+		# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+		#  KEY_ID
+		# Default value is:	KEY_ID
+	#   id_type = KEY_ID
+
+
+		# MTU (default: 1398)
+	#   fragment_size = 1398
+    
+		# maximal allowed number of resends SA_INIT after receiving
+		# 'invalid KEY' notification (default 3)
+	#   DH_counter_max = 3
+
+		# option which is used to control whenever send CERT REQ
+		#  payload or not.
+		# Allowed values for this option are "yes" or "no".
+		#Default value is "no".
+	#   certreq = "yes"
+
+		# option which cotrols fast reconnect capability.
+		# Allowed valuse for this option are "yes" or "no".
+		# Default value is "yes".
+	#   enable_fast_reauth = "no"
+    
+		# option which is used to control performing of DH exchange
+		#  during fast rekeying protocol run.
+		# Allowed values for this option are "yes" or "no".
+		# Default value is "no"
+	#   fast_DH_exchange = "yes"
+
+		# Option which is used to set up expiration time of inactive
+		#  IKEv2 session.
+		# After selected period of time (in seconds), inactive
+		# session data will be deleted.
+		# Default value of this option is set to 900 seconds
+	#   fast_timer_expire = 900
+
+		# list of server proposals of available cryptographic
+		# suites
+		proposals {
+			# proposal number #1 
+			proposal {
+
+				# Supported transforms types: encryption,
+				# prf, integrity, dhgroup. For multiple
+				# transforms just simple repeat key (i.e.
+				# integity).
+
+				# encryption algorithm
+				# supported algorithms:
+				# null,3des,aes_128_cbc,aes_192_cbc,
+				# aes_256_cbc,idea
+	            		# blowfish:n, where n range from 8 to 448 bits,
+				#  step 8 bits
+				# cast:n, where n range from 40 to 128 bits,
+				#  step 8 bits 
+				encryption = 3des
+
+				# pseudo random function. Supported prf's:
+				# hmac_md5, hmac_sha1, hmac_tiger
+				prf = hmac_sha1
+
+				# integrity algorithm. Supported algorithms:
+				# hmac_md5_96, hmac_sha1_96,des_mac
+				integrity = hmac_sha1_96
+				integrity = hmac_md5_96
+
+				# Diffie-Hellman groups:
+				# modp768, modp1024, modp1536, modp2048, 
+				# modp3072, modp4096, modp6144, modp8192
+				dhgroup = modp2048 
+			}
+		
+			# proposal number #2 
+			proposal {
+				encryption = 3des
+				prf = hmac_md5
+				integrity = hmac_md5_96
+				dhgroup = modp1024
+			}	
+
+			# proposal number #3 
+			proposal {
+				encryption=3des
+				prf=hmac_md5
+				integrity=hmac_md5_96
+				dhgroup=modp2048
+			} 
+		}
+		}
+	}

freeradius/config/tmp/freeradius/hints

@@ -0,0 +1,77 @@
+# hints
+#
+#	The hints file.   This file is used to match
+#	a request, and then add attributes to it.  This
+#	process allows a user to login as "bob.ppp" (for example),
+#	and receive a PPP connection, even if the NAS doesn't
+#	ask for PPP.  The "hints" file is used to match the
+#	".ppp" portion of the username, and to add a set of
+#	"user requested PPP" attributes to the request.
+#
+#	Matching can take place with the the Prefix and Suffix
+#	attributes, just like in the "users" file.
+#	These attributes operate ONLY on the username, though.
+#
+#	Note that the attributes that are set for each
+#	entry are _NOT_ passed back to the terminal server.
+#	Instead they are added to the information that has
+#	been _SENT_ by the terminal server.
+#
+#	This extra information can be used in the users file to
+#	match on. Usually this is done in the DEFAULT entries,
+#	of which there can be more than one.
+#
+#	In addition a matching entry can transform a username
+#	for authentication purposes if the "Strip-User-Name"
+#	variable is set to Yes in an entry (default is Yes).
+#
+#	A special non-protocol name-value pair called "Hint"
+#	can be set to match on in the "users" file.
+#
+#	The following is how most ISPs want to set this up.
+#
+# Version:	$Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
+#
+
+
+DEFAULT	Suffix == ".ppp", Strip-User-Name = Yes
+	Hint = "PPP",
+	Service-Type = Framed-User,
+	Framed-Protocol = PPP
+
+DEFAULT	Suffix == ".slip", Strip-User-Name = Yes
+	Hint = "SLIP",
+	Service-Type = Framed-User,
+	Framed-Protocol = SLIP
+
+DEFAULT	Suffix == ".cslip", Strip-User-Name = Yes
+	Hint = "CSLIP",
+	Service-Type = Framed-User,
+	Framed-Protocol = SLIP,
+	Framed-Compression = Van-Jacobson-TCP-IP
+
+######################################################################
+#
+#	These entries are old, and commented out by default.
+#	They confuse too many people when "Peter" logs in, and the
+#	server thinks that the user "eter" is asking for PPP.
+#
+#DEFAULT	Prefix == "U", Strip-User-Name = No
+#	Hint = "UUCP"
+
+#DEFAULT	Prefix == "P", Strip-User-Name = Yes
+#	Hint = "PPP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = PPP
+
+#DEFAULT	Prefix == "S", Strip-User-Name = Yes
+#	Hint = "SLIP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = SLIP
+
+#DEFAULT	Prefix == "C", Strip-User-Name = Yes
+#	Hint = "CSLIP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = SLIP,
+#	Framed-Compression = Van-Jacobson-TCP-IP
+

freeradius/config/tmp/freeradius/huntgroups

@@ -0,0 +1,46 @@
+#
+# huntgroups	This file defines the `huntgroups' that you have. A
+#		huntgroup is defined by specifying the IP address of
+#		the NAS and possibly a port range. Port can be identified
+#		as just one port, or a range (from-to), and multiple ports
+#		or ranges of ports must be seperated by a comma. For
+#		example: 1,2,3-8
+#
+#		Matching is done while RADIUS scans the user file; if it
+#		includes the selection criterium "Huntgroup-Name == XXX"
+#		the huntgroup is looked up in this file to see if it
+#		matches. There can be multiple definitions of the same
+#		huntgroup; the first one that matches will be used.
+#
+#		This file can also be used to define restricted access
+#		to certain huntgroups. The second and following lines
+#		define the access restrictions (based on username and
+#		UNIX usergroup) for the huntgroup.
+#
+
+#
+# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
+# called Alphen that matches on all three terminal servers.
+#
+#alphen		NAS-IP-Address == 192.168.2.5
+#alphen		NAS-IP-Address == 192.168.2.6
+#alphen		NAS-IP-Address == 192.168.2.7
+
+#
+# The POP in Delft consists of only one terminal server.
+#
+#delft		NAS-IP-Address == 192.168.3.5
+
+#
+# Ports 0-7 on the first terminal server in Alphen are connected to
+# a huntgroup that is for business users only. Note that only one
+# of the username or groupname has to match to get access (OR/OR).
+#
+# Note that this huntgroup is a subset of the "alphen" huntgroup.
+#
+#business	NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
+#		User-Name = rogerl,
+#		User-Name = henks,
+#		Group = business,
+#		Group = staff
+

freeradius/config/tmp/freeradius/ldap.attrmap

@@ -0,0 +1,76 @@
+#
+# Mapping of RADIUS dictionary attributes to LDAP directory attributes
+# to be used by LDAP authentication and authorization module (rlm_ldap)
+#
+# Format:
+#   ItemType	RADIUS-Attribute-Name		ldapAttributeName  [operator]
+#
+# Where:
+#   ItemType              = checkItem or replyItem 
+#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
+#   ldapAttributeName     = attribute name in LDAP schema
+#   operator              = optional, and may not be present.
+#			    If not present, defaults to "==" for checkItems,
+#			    and "=" for replyItems.
+#			    If present, the operator here should be one
+#			    of the same operators as defined in the "users"3
+#			    file ("man users", or "man 5 users").
+#			    If an operator is present in the value of the
+#			    LDAP entry (i.e. ":=foo"), then it over-rides
+#			    both the default, and any operator given here.
+#
+# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
+# a LDAP attribute which can be used to store any RADIUS 
+# attribute/value-pair in LDAP directory.
+#
+# You should edit this file to suit it to your needs.
+#
+
+checkItem	$GENERIC$			radiusCheckItem
+replyItem	$GENERIC$			radiusReplyItem
+
+checkItem	Auth-Type			radiusAuthType
+checkItem	Simultaneous-Use		radiusSimultaneousUse
+checkItem	Called-Station-Id		radiusCalledStationId
+checkItem	Calling-Station-Id		radiusCallingStationId
+checkItem	LM-Password			lmPassword
+checkItem	NT-Password			ntPassword
+checkItem	LM-Password			sambaLmPassword
+checkItem	NT-Password			sambaNtPassword
+checkItem	LM-Password			dBCSPwd
+checkitem	Password-With-Header		userPassword
+checkItem	SMB-Account-CTRL-TEXT		acctFlags
+checkItem	Expiration			radiusExpiration
+checkItem	NAS-IP-Address			radiusNASIpAddress
+
+replyItem	Service-Type			radiusServiceType
+replyItem	Framed-Protocol			radiusFramedProtocol
+replyItem	Framed-IP-Address		radiusFramedIPAddress
+replyItem	Framed-IP-Netmask		radiusFramedIPNetmask
+replyItem	Framed-Route			radiusFramedRoute
+replyItem	Framed-Routing			radiusFramedRouting
+replyItem	Filter-Id			radiusFilterId
+replyItem	Framed-MTU			radiusFramedMTU
+replyItem	Framed-Compression		radiusFramedCompression
+replyItem	Login-IP-Host			radiusLoginIPHost
+replyItem	Login-Service			radiusLoginService
+replyItem	Login-TCP-Port			radiusLoginTCPPort
+replyItem	Callback-Number			radiusCallbackNumber
+replyItem	Callback-Id			radiusCallbackId
+replyItem	Framed-IPX-Network		radiusFramedIPXNetwork
+replyItem	Class				radiusClass
+replyItem	Session-Timeout			radiusSessionTimeout
+replyItem	Idle-Timeout			radiusIdleTimeout
+replyItem	Termination-Action		radiusTerminationAction
+replyItem	Login-LAT-Service		radiusLoginLATService
+replyItem	Login-LAT-Node			radiusLoginLATNode
+replyItem	Login-LAT-Group			radiusLoginLATGroup
+replyItem	Framed-AppleTalk-Link		radiusFramedAppleTalkLink
+replyItem	Framed-AppleTalk-Network	radiusFramedAppleTalkNetwork
+replyItem	Framed-AppleTalk-Zone		radiusFramedAppleTalkZone
+replyItem	Port-Limit			radiusPortLimit
+replyItem	Login-LAT-Port			radiusLoginLATPort
+replyItem	Reply-Message			radiusReplyMessage
+replyItem	Tunnel-Type			radiusTunnelType
+replyItem	Tunnel-Medium-Type		radiusTunnelMediumType
+replyItem	Tunnel-Private-Group-Id		radiusTunnelPrivateGroupId

freeradius/config/tmp/freeradius/modules/acct_unique

@@ -0,0 +1,17 @@
+# -*- text -*-
+#
+#  $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
+
+#
+#  Create a unique accounting session Id.  Many NASes re-use
+#  or repeat values for Acct-Session-Id, causing no end of
+#  confusion.
+#
+#  This module will add a (probably) unique session id 
+#  to an accounting packet based on the attributes listed
+#  below found in the packet.  See doc/rlm_acct_unique for
+#  more information.
+#
+acct_unique {
+	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
+}

freeradius/config/tmp/freeradius/modules/always

@@ -0,0 +1,31 @@
+# -*- text -*-
+#
+#  $Id: c28187f05d4f0416442203b016feb7e2b818716f $
+
+#
+# The "always" module is here for debugging purposes. Each
+# instance simply returns the same result, always, without
+# doing anything.
+always fail {
+	rcode = fail
+}
+always reject {
+	rcode = reject
+}
+always noop {
+	rcode = noop
+}
+always handled {
+	rcode = handled
+}
+always updated {
+	rcode = updated
+}
+always notfound {
+	rcode = notfound
+}
+always ok {
+	rcode = ok
+	simulcount = 0
+	mpp = no
+}

freeradius/config/tmp/freeradius/modules/attr_filter

@@ -0,0 +1,48 @@
+# -*- text -*-
+#
+#  $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
+
+#
+#  This file defines a number of instances of the "attr_filter" module.
+#
+
+# attr_filter - filters the attributes received in replies from
+# proxied servers, to make sure we send back to our RADIUS client
+# only allowed attributes.
+attr_filter attr_filter.post-proxy {
+	attrsfile = ${confdir}/attrs
+}
+
+# attr_filter - filters the attributes in the packets we send to
+# the RADIUS home servers.
+attr_filter attr_filter.pre-proxy {
+	attrsfile = ${confdir}/attrs.pre-proxy
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_reject {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.access_reject
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_challenge {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.access_challenge
+}
+
+
+#  Enforce RFC requirements on the contents of the
+#  Accounting-Response packets.  See the comments at the
+#  top of the file for more details.
+#
+attr_filter attr_filter.accounting_response {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.accounting_response
+}

freeradius/config/tmp/freeradius/modules/attr_rewrite

@@ -0,0 +1,46 @@
+# -*- text -*-
+#
+#  $Id: 8fb93224288061781980a156d541f5283abee1a0 $
+
+#  rewrite arbitrary packets.  Useful in accounting and authorization.
+#
+#  As of 2.0, much of the functionality of this module is in "unlang".
+#  You should probably investigate using that before trying to use
+#  the "attr_rewrite" module.
+#
+#
+#  The module can also use the Rewrite-Rule attribute. If it
+#  is set and matches the name of the module instance, then
+#  that module instance will be the only one which runs.
+#
+#  Also if new_attribute is set to yes then a new attribute
+#  will be created containing the value replacewith and it
+#  will be added to searchin (packet, reply, proxy,
+#  proxy_reply or config).
+#
+# searchfor,ignore_case and max_matches will be ignored in that case.
+#
+# Backreferences are supported.
+#	%{0} will contain the string the whole match
+#	%{1} to %{8} will contain the contents of the 1st to
+#	the 8th parentheses
+#
+# If max_matches is greater than one, the backreferences will
+# correspond to the first attributed that matched.
+
+#
+attr_rewrite sanecallerid {
+	attribute = Called-Station-Id
+	# may be "packet", "reply", "proxy", "proxy_reply" or "config"
+	searchin = packet
+	searchfor = "[+ ]"
+	replacewith = ""
+	ignore_case = no
+	new_attribute = no
+	max_matches = 10
+
+	## If set to yes then the replace string will be
+	## appended to the original string
+	append = no
+}
+

freeradius/config/tmp/freeradius/modules/cache

@@ -0,0 +1,77 @@
+# -*- text -*-
+#
+#  $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
+
+#
+#	A module to cache attributes.  The idea is that you can look
+#	up information in a database, and then cache it.  Repeated
+#	requests for the same information will then have the cached
+#	values added to the request.
+#
+#	The module can cache a fixed set of attributes per key.
+#	It can be listed in "authorize", "post-auth", "pre-proxy"
+#	and "post-proxy".
+#
+#	If you want different things cached for authorize and post-auth,
+#	you will need to define two instances of the "cache" module.
+#
+#	The module returns "ok" if it found a cache entry.
+#	The module returns "updated" if it added a new cache entry.
+#	The module returns "noop" if it did nothing.
+#
+cache {
+	#  The key used to index the cache.  It is dynamically expanded
+	#  at run time.
+	key = "%{User-Name}"
+
+	#  The TTL of cache entries, in seconds.  Entries older than this
+	#  will be expired.
+	#
+	#  You can set the TTL per cache entry, but adding a control
+	#  variable "Cache-TTL".  The value there will over-ride this one.
+	#  Setting a Cache-TTL of 0 means "delete this entry".
+	#
+	#  This value should be between 10 and 86400.
+	ttl = 10
+
+	#  A timestamp used to flush the cache, via
+	#
+	#	radmin -e "set module config cache epoch 123456789"
+	#
+	#  Where last value is a 32-bit Unix timestamp.  Cache entries
+	#  older than this are expired, and new entries added.
+	#
+	#  You should ALWAYS leave it as "epoch = 0" here.
+	epoch = 0
+	
+	#  The module can also operate in status-only mode where it will
+	#  not add new cache entries, or merge existing ones.
+	#
+	#  To enable set the control variable "Cache-Status-Only" to "yes"
+	#  The module will return "ok" if it found a cache entry.
+	#  The module will return "notfound" if it failed to find a cache entry,
+	#  or the entry had expired.
+	#
+	#  Note: expired entries will still be removed.
+
+	#  If yes the following attributes will be added to the request list:
+	#  	* Cache-Entry-Hits - The number of times this entry has been
+	#			     retrieved.
+	add-stats = no
+
+	#  The list of attributes to cache for a particular key.
+	#  Each key gets the same set of cached attributes.
+	#  The attributes are dynamically expanded at run time.
+	#
+	#  You can specify which list the attribute goes into by
+	#  prefixing the attribute name with the list.  This allows
+	#  you to update multiple lists with one configuration.
+	#
+	#  If no list is specified the request list will be updated.
+	update {
+		# list:Attr-Name
+		reply:Reply-Message += "I'm the cached reply from %t"
+
+		control:Class := 0x010203
+	}
+}

freeradius/config/tmp/freeradius/modules/chap

@@ -0,0 +1,11 @@
+# -*- text -*-
+#
+#  $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
+
+# CHAP module
+#
+#  To authenticate requests containing a CHAP-Password attribute.
+#
+chap {
+	# no configuration
+}

freeradius/config/tmp/freeradius/modules/checkval

@@ -0,0 +1,44 @@
+# -*- text -*-
+#
+#  $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
+
+#  A simple value checking module
+#
+#  As of 2.0, much of the functionality of this module is in "unlang".
+#  You should probably investigate using that before trying to use
+#  the "checkval" module.
+#
+#  It can be used to check if an attribute value in the request
+#  matches a (possibly multi valued) attribute in the check
+#  items This can be used for example for caller-id
+#  authentication.  For the module to run, both the request
+#  attribute and the check items attribute must exist
+#
+#  i.e.
+#  A user has an ldap entry with 2 radiusCallingStationId
+#  attributes with values "12345678" and "12345679".  If we
+#  enable rlm_checkval, then any request which contains a
+#  Calling-Station-Id with one of those two values will be
+#  accepted.  Requests with other values for
+#  Calling-Station-Id will be rejected.
+#
+#  Regular expressions in the check attribute value are allowed
+#  as long as the operator is '=~'
+#
+checkval {
+	# The attribute to look for in the request
+	item-name = Calling-Station-Id
+
+	# The attribute to look for in check items. Can be multi valued
+	check-name = Calling-Station-Id
+
+	# The data type. Can be
+	# string,integer,ipaddr,date,abinary,octets
+	data-type = string
+
+	# If set to yes and we dont find the item-name attribute in the
+	# request then we send back a reject
+	# DEFAULT is no
+	#notfound-reject = no
+}
+	

freeradius/config/tmp/freeradius/modules/counter

@@ -0,0 +1,82 @@
+# -*- text -*-
+#
+#  $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
+
+#  counter module:
+#  This module takes an attribute (count-attribute).
+#  It also takes a key, and creates a counter for each unique
+#  key.  The count is incremented when accounting packets are
+#  received by the server.  The value of the increment depends
+#  on the attribute type.
+#  If the attribute is Acct-Session-Time or of an integer type we add
+#  the value of the attribute. If it is anything else we increase the
+#  counter by one.
+#
+#  The 'reset' parameter defines when the counters are all reset to
+#  zero.  It can be hourly, daily, weekly, monthly or never.
+#
+#  hourly: Reset on 00:00 of every hour
+#  daily: Reset on 00:00:00 every day
+#  weekly: Reset on 00:00:00 on sunday
+#  monthly: Reset on 00:00:00 of the first day of each month
+#
+#  It can also be user defined. It should be of the form:
+#  num[hdwm] where:
+#  h: hours, d: days, w: weeks, m: months
+#  If the letter is ommited days will be assumed. In example:
+#  reset = 10h (reset every 10 hours)
+#  reset = 12  (reset every 12 days)
+#
+#
+#  The check-name attribute defines an attribute which will be
+#  registered by the counter module and can be used to set the
+#  maximum allowed value for the counter after which the user
+#  is rejected.
+#  Something like:
+#
+#  DEFAULT Max-Daily-Session := 36000
+#          Fall-Through = 1
+#
+#  You should add the counter module in the instantiate
+#  section so that it registers check-name before the files
+#  module reads the users file.
+#
+#  If check-name is set and the user is to be rejected then we
+#  send back a Reply-Message and we log a Failure-Message in
+#  the radius.log
+#
+#  If the count attribute is Acct-Session-Time then on each
+#  login we send back the remaining online time as a
+#  Session-Timeout attribute ELSE and if the reply-name is
+#  set, we send back that attribute.  The reply-name attribute
+#  MUST be of an integer type.
+#
+#  The counter-name can also be used instead of using the check-name
+#  like below:
+#
+#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
+#      Reply-Message = "You've used up more than one hour today"
+#
+#  The allowed-servicetype attribute can be used to only take
+#  into account specific sessions. For example if a user first
+#  logs in through a login menu and then selects ppp there will
+#  be two sessions. One for Login-User and one for Framed-User
+#  service type. We only need to take into account the second one.
+#
+#  The module should be added in the instantiate, authorize and
+#  accounting sections.  Make sure that in the authorize
+#  section it comes after any module which sets the
+#  'check-name' attribute.
+#
+counter daily {
+	filename = ${db_dir}/db.daily
+	key = User-Name
+	count-attribute = Acct-Session-Time
+	reset = daily
+	counter-name = Daily-Session-Time
+	check-name = Max-Daily-Session
+	reply-name = Session-Timeout
+	allowed-servicetype = Framed-User
+	cache-size = 5000
+}
+

freeradius/config/tmp/freeradius/modules/cui

@@ -0,0 +1,25 @@
+# -*- text -*-
+#
+#  $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
+
+#
+#  Write Chargeable-User-Identity to the database.
+#
+#  Schema	raddb/sql/mysql/cui.sql
+#  Queries	raddb/sql/mysql/cui.conf
+#
+sql cui {
+	database = "mysql"
+	driver = "rlm_sql_${database}"
+	server = "localhost"
+	login = "db_login_name"
+	password = "db_password"
+	radius_db = "db_name"
+#	sqltrace = yes
+#	sqltracefile = ${logdir}/cuitrace.sql
+	num_sql_socks = 5
+	connect_failure_retry_delay = 60
+	cui_table = "cui"
+	sql_user_name = "%{User-Name}"
+#$INCLUDE sql/${database}/cui.conf
+}

freeradius/config/tmp/freeradius/modules/detail

@@ -0,0 +1,93 @@
+# -*- text -*-
+#
+#  $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
+
+# Write a detailed log of all accounting records received.
+#
+detail {
+	#  Note that we do NOT use NAS-IP-Address here, as
+	#  that attribute MAY BE from the originating NAS, and
+	#  NOT from the proxy which actually sent us the
+	#  request.
+	#
+	#  The following line creates a new detail file for
+	#  every radius client (by IP address or hostname).
+	#  In addition, a new detail file is created every
+	#  day, so that the detail file doesn't have to go
+	#  through a 'log rotation'
+	#
+	#  If your detail files are large, you may also want
+	#  to add a ':%H' (see doc/variables.txt) to the end
+	#  of it, to create a new detail file every hour, e.g.:
+	#
+	#   ..../detail-%Y%m%d:%H
+	#
+	#  This will create a new detail file for every hour.
+	#
+	#  If you are reading detail files via the "listen" section
+	#  (e.g. as in raddb/sites-available/robust-proxy-accounting),
+	#  you MUST use a unique directory for each combination of a
+	#  detail file writer, and reader.  That is, there can only
+	#  be ONE "listen" section reading detail files from a
+	#  particular directory.
+	#
+	detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
+
+	#
+	#  If you are using radrelay, delete the above line for "detailfile",
+	#  and use this one instead:
+	#
+#	detailfile = ${radacctdir}/detail
+
+	#
+	#  The Unix-style permissions on the 'detail' file.
+	#
+	#  The detail file often contains secret or private
+	#  information about users.  So by keeping the file
+	#  permissions restrictive, we can prevent unwanted
+	#  people from seeing that information.
+	detailperm = 0600
+
+	# The Unix group of the log file.
+	#
+	# The user that the server runs as must be in the specified
+	# system group otherwise this will fail to work.
+	#
+#	group = freerad
+
+	#
+	#  Every entry in the detail file has a header which
+	#  is a timestamp.  By default, we use the ctime
+	#  format (see "man ctime" for details).
+	#
+	#  The header can be customized by editing this
+	#  string.  See "doc/variables.txt" for a description
+	#  of what can be put here.
+	#
+	header = "%t"
+
+	#
+	#  Uncomment this line if the detail file reader will be
+	#  reading this detail file.
+	#
+#	locking = yes
+
+	#
+	#  Log the Packet src/dst IP/port.  This is disabled by
+	#  default, as that information isn't used by many people.
+	#
+#	log_packet_header = yes
+
+	#
+	# Certain attributes such as User-Password may be
+	# "sensitive", so they should not be printed in the
+	# detail file.  This section lists the attributes
+	# that should be suppressed.
+	#
+	# The attributes should be listed one to a line.
+	#
+	#suppress {
+		# User-Password
+	#}
+
+}

freeradius/config/tmp/freeradius/modules/detail.example.com

@@ -0,0 +1,27 @@
+# -*- text -*-
+#
+#  Detail file writer, used in the following examples:
+#
+#	raddb/sites-available/robust-proxy-accounting
+#	raddb/sites-available/decoupled-accounting
+#
+#  Note that this module can write detail files that are read by
+#  only ONE "listen" section.  If you use BOTH of the examples
+#  above, you will need to define TWO "detail" modules.
+#
+#  e.g. detail1.example.com && detail2.example.com
+#
+#
+#  We write *multiple* detail files here.  They will be processed by
+#  the detail "listen" section in the order that they were created.
+#  The directory containing these files should NOT be used for any
+#  other purposes.  i.e. It should have NO other files in it.
+#
+#  Writing multiple detail enables the server to process the pieces
+#  in smaller chunks.  This helps in certain catastrophic corner cases.
+#
+#  $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
+#
+detail detail.example.com {
+	detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
+}

freeradius/config/tmp/freeradius/modules/detail.log

@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+#  $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
+
+#
+#  More examples of doing detail logs.
+
+#
+#  Many people want to log authentication requests.
+#  Rather than modifying the server core to print out more
+#  messages, we can use a different instance of the 'detail'
+#  module, to log the authentication requests to a file.
+#
+#  You will also need to un-comment the 'auth_log' line
+#  in the 'authorize' section, below.
+#
+detail auth_log {
+	detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
+
+	#
+	#  This MUST be 0600, otherwise anyone can read
+	#  the users passwords!
+	detailperm = 0600
+
+	# You may also strip out passwords completely
+	suppress {
+		User-Password
+	}
+}
+
+#
+#  This module logs authentication reply packets sent
+#  to a NAS.  Both Access-Accept and Access-Reject packets
+#  are logged.
+#
+#  You will also need to un-comment the 'reply_log' line
+#  in the 'post-auth' section, below.
+#
+detail reply_log {
+	detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
+
+	detailperm = 0600
+}
+
+#
+#  This module logs packets proxied to a home server.
+#
+#  You will also need to un-comment the 'pre_proxy_log' line
+#  in the 'pre-proxy' section, below.
+#
+detail pre_proxy_log {
+	detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
+
+	#
+	#  This MUST be 0600, otherwise anyone can read
+	#  the users passwords!
+	detailperm = 0600
+
+	# You may also strip out passwords completely
+	#suppress {
+		# User-Password
+	#}
+}
+
+#
+#  This module logs response packets from a home server.
+#
+#  You will also need to un-comment the 'post_proxy_log' line
+#  in the 'post-proxy' section, below.
+#
+detail post_proxy_log {
+	detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
+
+	detailperm = 0600
+}

freeradius/config/tmp/freeradius/modules/dhcp_sqlippool

@@ -0,0 +1,33 @@
+##  Configuration for DHCP to use SQL IP Pools.
+##
+##  See sqlippool.conf for common configuration explanation
+##
+##  $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
+
+sqlippool dhcp_sqlippool {
+	sql-instance-name = "sql"
+
+	ippool_table = "radippool"
+
+	lease-duration = 7200
+
+	# Client's MAC address is mapped to Calling-Station-Id in policy.conf
+	pool-key = "%{Calling-Station-Id}"
+
+	# For now, it only works with MySQL. 
+	# This line is commented by default to enable clean startup when you
+	# don't have freeradius-mysql installed. Uncomment this line if you 
+	# use this module.
+	#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
+ 
+	sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+	sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+	sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+
+	sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+	sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+}

freeradius/config/tmp/freeradius/modules/digest

@@ -0,0 +1,13 @@
+# -*- text -*-
+#
+#  $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
+
+#
+#  The 'digest' module currently has no configuration.
+#
+#  "Digest" authentication against a Cisco SIP server.
+#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
+#  on performing digest authentication for Cisco SIP servers.
+#
+digest {
+}

freeradius/config/tmp/freeradius/modules/dynamic_clients

@@ -0,0 +1,32 @@
+# -*- text -*-
+#
+#  $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
+
+# This module loads RADIUS clients as needed, rather than when the server
+# starts.
+#
+#  There are no configuration entries for this module.  Instead, it
+#  relies on the "client" configuration.  You must:
+#
+#	1) link raddb/sites-enabled/dyanmic_clients to
+#	   raddb/sites-available/dyanmic_clients
+#
+#	2) Define a client network/mask (see top of the above file)
+#
+#	3) uncomment the "directory" entry in that client definition
+#
+#	4) list "dynamic_clients" in the "authorize" section of the
+#	   "dynamic_clients' virtual server.  The default example already
+#	   does this.
+#
+#	5) put files into the above directory, one per IP.
+#	   e.g. file "192.168.1.1" should contain a normal client definition
+#	   for a client with IP address 192.168.1.1.
+#
+#  For more documentation, see the file:
+#
+#	raddb/sites-available/dynamic-clients 
+#
+dynamic_clients {
+
+}

freeradius/config/tmp/freeradius/modules/echo

@@ -0,0 +1,123 @@
+# -*- text -*-
+#
+#  $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
+
+#
+#  This is a more general example of the execute module.
+#
+#  This one is called "echo".
+#
+#  Attribute-Name = `%{echo:/path/to/program args}`
+#
+#  If you wish to execute an external program in more than
+#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
+#  is probably best to define a different instance of the
+#  'exec' module for every section.	
+#
+#  The return value of the program run determines the result
+#  of the exec instance call as follows:
+#  (See doc/configurable_failover for details)
+#
+#  < 0 : fail      the module failed
+#  = 0 : ok        the module succeeded
+#  = 1 : reject    the module rejected the user
+#  = 2 : fail      the module failed
+#  = 3 : ok        the module succeeded
+#  = 4 : handled   the module has done everything to handle the request
+#  = 5 : invalid   the user's configuration entry was invalid
+#  = 6 : userlock  the user was locked out
+#  = 7 : notfound  the user was not found
+#  = 8 : noop      the module did nothing
+#  = 9 : updated   the module updated information in the request
+#  > 9 : fail      the module failed
+#
+exec echo {
+	#
+	#  Wait for the program to finish.
+	#
+	#  If we do NOT wait, then the program is "fire and
+	#  forget", and any output attributes from it are ignored.
+	#
+	#  If we are looking for the program to output
+	#  attributes, and want to add those attributes to the
+	#  request, then we MUST wait for the program to
+	#  finish, and therefore set 'wait=yes'
+	#
+	# allowed values: {no, yes}
+	wait = yes
+
+	#
+	#  The name of the program to execute, and it's
+	#  arguments.  Dynamic translation is done on this
+	#  field, so things like the following example will
+	#  work.
+	#
+	program = "/bin/echo %{User-Name}"
+
+	#
+	#  The attributes which are placed into the
+	#  environment variables for the program.
+	#
+	#  Allowed values are:
+	#
+	#	request		attributes from the request
+	#	config		attributes from the configuration items list
+	#	reply		attributes from the reply
+	#	proxy-request	attributes from the proxy request
+	#	proxy-reply	attributes from the proxy reply
+	#
+	#  Note that some attributes may not exist at some
+	#  stages.  e.g. There may be no proxy-reply
+	#  attributes if this module is used in the
+	#  'authorize' section.
+	#
+	input_pairs = request
+
+	#
+	#  Where to place the output attributes (if any) from
+	#  the executed program.  The values allowed, and the
+	#  restrictions as to availability, are the same as
+	#  for the input_pairs.
+	#
+	output_pairs = reply
+
+	#
+	#  When to execute the program.  If the packet
+	#  type does NOT match what's listed here, then
+	#  the module does NOT execute the program.
+	#
+	#  For a list of allowed packet types, see
+	#  the 'dictionary' file, and look for VALUEs
+	#  of the Packet-Type attribute.
+	#
+	#  By default, the module executes on ANY packet.
+	#  Un-comment out the following line to tell the
+	#  module to execute only if an Access-Accept is
+	#  being sent to the NAS.
+	#
+	#packet_type = Access-Accept
+
+	#
+	#  Should we escape the environment variables?
+	#  
+	#  If this is set, all the RADIUS attributes
+	#  are capitalised and dashes replaced with
+	#  underscores. Also, RADIUS values are surrounded
+	#  with double-quotes.
+	#
+	#  That is to say: User-Name=BobUser => USER_NAME="BobUser"
+	shell_escape = yes
+
+
+	#
+	#  How long should we wait for the program to finish?
+	#
+	#  Default is 10 seconds, which should be plenty for nearly
+	#  anything. Range is 1 to 30 seconds. You are strongly
+	#  encouraged to NOT increase this value. Decreasing can
+	#  be used to cause authentication to fail sooner when you
+	#  know it's going to fail anyway due to the time taken,
+	#  thereby saving resources.
+	#
+	#timeout = 10
+}

freeradius/config/tmp/freeradius/modules/etc_group

@@ -0,0 +1,28 @@
+# -*- text -*-
+#
+#  $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
+
+#  "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
+#  attribute for every group that the user is member of.
+#
+#  You will have to define the Etc-Group-Name in the 'dictionary' file
+#  as a 'string' type.
+#
+#  The Group and Group-Name attributes are automatically created by
+#  the Unix module, and do checking against /etc/group automatically.
+#  This means that you CANNOT use Group or Group-Name to do any other
+#  kind of grouping in the server.  You MUST define a new group
+#  attribute.
+#
+#  i.e. this module should NOT be used as-is, but should be edited to
+#  point to a different group file.
+#
+passwd etc_group {
+	filename = /etc/group
+	format = "=Etc-Group-Name:::*,User-Name"
+	hashsize = 50
+	ignorenislike = yes
+	allowmultiplekeys = yes
+	delimiter = ":"
+}
+

freeradius/config/tmp/freeradius/modules/exec

@@ -0,0 +1,30 @@
+# -*- text -*-
+#
+#  $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
+
+#
+#  Execute external programs
+#
+#  This module is useful only for 'xlat'.  To use it,
+#  put 'exec' into the 'instantiate' section.  You can then
+#  do dynamic translation of attributes like:
+#
+#  Attribute-Name = `%{exec:/path/to/program args}`
+#
+#  The value of the attribute will be replaced with the output
+#  of the program which is executed.  Due to RADIUS protocol
+#  limitations, any output over 253 bytes will be ignored.
+#
+#  The RADIUS attributes from the user request will be placed
+#  into environment variables of the executed program, as
+#  described in "man unlang" and in doc/variables.txt
+#
+#  See also "echo" for more sample configuration.
+#
+exec {
+	wait = no
+	input_pairs = request
+	shell_escape = yes
+	output = none
+	timeout = 10
+}

freeradius/config/tmp/freeradius/modules/expiration

@@ -0,0 +1,19 @@
+# -*- text -*-
+#
+#  $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
+
+#
+# The expiration module. This handles the Expiration attribute
+# It should be included in the *end* of the authorize section
+# in order to handle user Expiration. It should also be included
+# in the instantiate section in order to register the Expiration
+# compare function
+#
+expiration {
+	#
+	# The Reply-Message which will be sent back in case the
+	# account has expired. Dynamic substitution is supported
+	#
+	reply-message = "Password Has Expired\r\n" 
+	#reply-message = "Your account has expired, %{User-Name}\r\n"
+}

freeradius/config/tmp/freeradius/modules/expr

@@ -0,0 +1,20 @@
+# -*- text -*-
+#
+#  $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
+
+#
+#  The 'expression' module currently has no configuration.
+#
+#  This module is useful only for 'xlat'.  To use it,
+#  put 'expr' into the 'instantiate' section.  You can then
+#  do dynamic translation of attributes like:
+#
+#  Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
+#
+#  The value of the attribute will be replaced with the output
+#  of the program which is executed.  Due to RADIUS protocol
+#  limitations, any output over 253 bytes will be ignored.
+#
+#  The module also registers a few paircompare functions
+expr {
+}

freeradius/config/tmp/freeradius/modules/files

@@ -0,0 +1,46 @@
+# -*- text -*-
+#
+#  $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
+
+# Livingston-style 'users' file
+#
+files {
+	# The default key attribute to use for matches.  The content
+	# of this attribute is used to match the "name" of the
+	# entry.
+	#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
+
+	usersfile = ${confdir}/users
+	acctusersfile = ${confdir}/acct_users
+	preproxy_usersfile = ${confdir}/preproxy_users
+
+	#  If you want to use the old Cistron 'users' file
+	#  with FreeRADIUS, you should change the next line
+	#  to 'compat = cistron'.  You can the copy your 'users'
+	#  file from Cistron.
+	compat = no
+}
+
+#  An example which defines a second instance of the "files" module.
+#  This instance is named "second_files".  In order for it to be used
+#  in a virtual server, it needs to be listed as "second_files"
+#  inside of the "authorize" section (or other section).  If you just
+#  list "files", that will refer to the configuration defined above.
+#
+
+#  The two names here mean:
+#	"files" - this is a configuration for the "rlm_files" module
+#	"second_files" - this is a named configuration, which isn't
+#			the default configuration.
+files second_files {
+	#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
+
+	#  The names here don't matter.  They just need to be different
+	#  from the names for the "files" configuration above.  If they
+	#  are the same, then this configuration will end up being the
+	#  same as the one above.
+	usersfile = ${confdir}/second_users
+	acctusersfile = ${confdir}/second_acct_users
+	preproxy_usersfile = ${confdir}/second_preproxy_users
+}
+

freeradius/config/tmp/freeradius/modules/inner-eap

@@ -0,0 +1,161 @@
+# -*- text -*-
+#
+#  $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
+
+#
+#  Sample configuration for an EAP module that occurs *inside*
+#  of a tunneled method.  It is used to limit the EAP types that
+#  can occur inside of the inner tunnel.
+#
+#  See also raddb/sites-available/inner-tunnel
+#
+#  To use this module, edit raddb/sites-available/inner-tunnel, and
+#  replace the references to "eap" with "inner-eap".
+#
+#  See raddb/eap.conf for full documentation on the meaning of the
+#  configuration entries here.
+#
+eap inner-eap {
+	# This is the best choice for PEAP.
+	default_eap_type = mschapv2
+	timer_expire     = 60
+
+	#  This should be the same as the outer eap "max sessions"
+	max_sessions = 2048
+
+	# Supported EAP-types
+	md5 {
+	}
+
+	gtc {
+		#  The default challenge, which many clients
+		#  ignore..
+		#challenge = "Password: "
+
+		auth_type = PAP
+	}
+
+	mschapv2 {
+	}
+
+	# No TTLS or PEAP configuration should be listed here.
+
+	## EAP-TLS
+	#
+	#  You SHOULD use different certificates than are used
+	#  for the outer EAP configuration!
+	#
+	#  Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
+	#
+	tls {
+		#
+		#  These is used to simplify later configurations.
+		#
+		certdir = ${confdir}/certs
+		cadir = ${confdir}/certs
+
+		private_key_password = whatever
+		private_key_file = ${certdir}/server.pem
+
+		#  If Private key & Certificate are located in
+		#  the same file, then private_key_file &
+		#  certificate_file must contain the same file
+		#  name.
+		#
+		#  If CA_file (below) is not used, then the
+		#  certificate_file below MUST include not
+		#  only the server certificate, but ALSO all
+		#  of the CA certificates used to sign the
+		#  server certificate.
+		certificate_file = ${certdir}/server.pem
+
+		#  Trusted Root CA list
+		#
+		#  ALL of the CA's in this list will be trusted
+		#  to issue client certificates for authentication.
+		#
+		#  In general, you should use self-signed
+		#  certificates for 802.1x (EAP) authentication.
+		#  In that case, this CA file should contain
+		#  *one* CA certificate.
+		#
+		#  This parameter is used only for EAP-TLS,
+		#  when you issue client certificates.  If you do
+		#  not use client certificates, and you do not want
+		#  to permit EAP-TLS authentication, then delete
+		#  this configuration item.
+		CA_file = ${cadir}/ca.pem
+
+		#
+		#  For DH cipher suites to work, you have to
+		#  run OpenSSL to create the DH file first:
+		#
+		#  	openssl dhparam -out certs/dh 1024
+		#
+		dh_file = ${certdir}/dh
+		random_file = ${certdir}/random
+
+		#
+		#  This can never exceed the size of a RADIUS
+		#  packet (4096 bytes), and is preferably half
+		#  that, to accomodate other attributes in
+		#  RADIUS packet.  On most APs the MAX packet
+		#  length is configured between 1500 - 1600
+		#  In these cases, fragment size should be
+		#  1024 or less.
+		#
+	#	fragment_size = 1024
+
+		#  include_length is a flag which is
+		#  by default set to yes If set to
+		#  yes, Total Length of the message is
+		#  included in EVERY packet we send.
+		#  If set to no, Total Length of the
+		#  message is included ONLY in the
+		#  First packet of a fragment series.
+		#
+	#	include_length = yes
+
+		#  Check the Certificate Revocation List
+		#
+		#  1) Copy CA certificates and CRLs to same directory.
+		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+		#    'c_rehash' is OpenSSL's command.
+		#  3) uncomment the line below.
+		#  5) Restart radiusd
+	#	check_crl = yes
+	#	CA_path = /path/to/directory/with/ca_certs/and/crls/
+
+	       #
+	       #  If check_cert_issuer is set, the value will
+	       #  be checked against the DN of the issuer in
+	       #  the client certificate.  If the values do not
+	       #  match, the cerficate verification will fail,
+	       #  rejecting the user.
+	       #
+	#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+	       #
+	       #  If check_cert_cn is set, the value will
+	       #  be xlat'ed and checked against the CN
+	       #  in the client certificate.  If the values
+	       #  do not match, the certificate verification
+	       #  will fail rejecting the user.
+	       #
+	       #  This check is done only if the previous
+	       #  "check_cert_issuer" is not set, or if
+	       #  the check succeeds.
+	       #
+	#	check_cert_cn = %{User-Name}
+	#
+		# Set this option to specify the allowed
+		# TLS cipher suites.  The format is listed
+		# in "man 1 ciphers".
+		cipher_list = "DEFAULT"
+
+		#
+		#  The session resumption / fast reauthentication
+		#  cache CANNOT be used for inner sessions.
+		#
+	}
+}

freeradius/config/tmp/freeradius/modules/ippool

@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+#  $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
+
+#  Do server side ip pool management. Should be added in
+#  post-auth and accounting sections.
+#
+#  The module also requires the existance of the Pool-Name
+#  attribute. That way the administrator can add the Pool-Name
+#  attribute in the user profiles and use different pools for
+#  different users. The Pool-Name attribute is a *check* item
+#  not a reply item.
+#
+#  The Pool-Name should be set to the ippool module instance
+#  name or to DEFAULT to match any module.
+
+#
+# Example:
+# radiusd.conf: ippool students { [...] }
+#		ippool teachers { [...] }
+# users file  : DEFAULT Group == students, Pool-Name := "students"
+#		DEFAULT Group == teachers, Pool-Name := "teachers"
+#		DEFAULT	Group == other, Pool-Name := "DEFAULT"
+#
+# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
+# ********* THEN ERASE THE DB FILES                     *********
+#
+ippool main_pool {
+
+	#  range-start,range-stop:
+	#	The start and end ip addresses for this pool.
+	range-start = 192.168.1.1
+	range-stop = 192.168.3.254
+
+	#  netmask:
+	#	The network mask used for this pool.
+	netmask = 255.255.255.0
+
+	#  cache-size:
+	#	The gdbm cache size for the db files. Should
+	#	be equal to the number of ip's available in
+	#	the ip pool
+	cache-size = 800
+
+	# session-db:
+	#	The main db file used to allocate addresses.
+	session-db = ${db_dir}/db.ippool
+
+	# ip-index:
+	#	Helper db index file used in multilink
+	ip-index = ${db_dir}/db.ipindex
+
+	# override:
+	#	If set, the Framed-IP-Address already in the
+	#	reply (if any) will be discarded, and replaced
+	#	with a Framed-IP-Address assigned here.
+	override = no
+
+	# maximum-timeout:
+	#	Specifies the maximum time in seconds that an
+	#	entry may be active.  If set to zero, means
+	#	"no timeout".  The default value is 0
+	maximum-timeout = 0
+
+	# key:
+	#	The key to use for the session database (which
+	#	holds the allocated ip's) normally it should
+	#	just be the nas ip/port (which is the default).
+	#
+	#	If your NAS sends the same value of NAS-Port
+	#	all requests, the key should be based on some
+	#	other attribute that is in ALL requests, AND
+	#	is unique to each machine needing an IP address.
+	#key = "%{NAS-IP-Address} %{NAS-Port}"
+}

freeradius/config/tmp/freeradius/modules/krb5

@@ -0,0 +1,11 @@
+# -*- text -*-
+#
+#  $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
+
+#
+#  Kerberos.  See doc/rlm_krb5 for minimal docs.
+#
+krb5 {
+	keytab = /path/to/keytab
+	service_principal = name_of_principle
+}

freeradius/config/tmp/freeradius/modules/ldap

@@ -0,0 +1,197 @@
+# -*- text -*-
+#
+#  $Id: d13892634e4a8458c942ce170f59f98521dce500 $
+
+# Lightweight Directory Access Protocol (LDAP)
+#
+#  This module definition allows you to use LDAP for
+#  authorization and authentication.
+#
+#  See raddb/sites-available/default for reference to the
+#  ldap module in the authorize and authenticate sections.
+#
+#  However, LDAP can be used for authentication ONLY when the
+#  Access-Request packet contains a clear-text User-Password
+#  attribute.  LDAP authentication will NOT work for any other
+#  authentication method.
+#
+#  This means that LDAP servers don't understand EAP.  If you
+#  force "Auth-Type = LDAP", and then send the server a
+#  request containing EAP authentication, then authentication
+#  WILL NOT WORK.
+#
+#  The solution is to use the default configuration, which does
+#  work.
+#
+#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
+#  really can't emphasize this enough.
+#	
+ldap {
+	#
+	#  Note that this needs to match the name in the LDAP
+	#  server certificate, if you're using ldaps.
+	server = "ldap.your.domain"
+	#identity = "cn=admin,o=My Org,c=UA"
+	#password = mypass
+	basedn = "o=My Org,c=UA"
+	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+	#base_filter = "(objectclass=radiusprofile)"
+
+	#  How many connections to keep open to the LDAP server.
+	#  This saves time over opening a new LDAP socket for
+	#  every authentication request.
+	ldap_connections_number = 5
+
+	#  How many times the connection can be used before
+	#  being re-established. This is useful for things
+	#  like load balancers, which may exhibit sticky
+	#  behaviour without it. (0) is unlimited.
+	max_uses = 0
+
+	#  Port to connect on, defaults to 389. Setting this to
+	#  636 will enable LDAPS if start_tls (see below) is not
+	#  able to be used.
+	#port = 389
+
+	# seconds to wait for LDAP query to finish. default: 20
+	timeout = 4
+
+	#  seconds LDAP server has to process the query (server-side
+	#  time limit). default: 20
+	#
+	#  LDAP_OPT_TIMELIMIT is set to this value.
+	timelimit = 3
+
+	#
+	#  seconds to wait for response of the server. (network
+	#   failures) default: 10
+	#
+	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+	net_timeout = 1
+
+	#
+	#  This subsection configures the tls related items
+	#  that control how FreeRADIUS connects to an LDAP
+	#  server.  It contains all of the "tls_*" configuration
+	#  entries used in older versions of FreeRADIUS.  Those
+	#  configuration entries can still be used, but we recommend
+	#  using these.
+	#
+	tls {
+		# Set this to 'yes' to use TLS encrypted connections
+		# to the LDAP database by using the StartTLS extended
+		# operation.
+		#			
+		# The StartTLS operation is supposed to be
+		# used with normal ldap connections instead of
+		# using ldaps (port 636) connections
+		start_tls = no
+
+		# cacertfile	= /path/to/cacert.pem
+		# cacertdir		= /path/to/ca/dir/
+		# certfile		= /path/to/radius.crt
+		# keyfile		= /path/to/radius.key
+		# randfile		= /path/to/rnd
+
+		#  Certificate Verification requirements.  Can be:
+		#    "never" (don't even bother trying)
+		#    "allow" (try, but don't fail if the cerificate
+		#		can't be verified)
+		#    "demand" (fail if the certificate doesn't verify.)
+		#
+		#	The default is "allow"
+		# require_cert	= "demand"
+	}
+
+	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
+	# profile_attribute = "radiusProfileDn"
+	# access_attr = "dialupAccess"
+
+	# Mapping of RADIUS dictionary attributes to LDAP
+	# directory attributes.
+	dictionary_mapping = ${confdir}/ldap.attrmap
+
+	#  Set password_attribute = nspmPassword to get the
+	#  user's password from a Novell eDirectory
+	#  backend. This will work ONLY IF FreeRADIUS has been
+	#  built with the --with-edir configure option.
+	#
+	#  See also the following links:
+	#
+	#  http://www.novell.com/coolsolutions/appnote/16745.html
+	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
+	#
+	#  Novell may require TLS encrypted sessions before returning
+	#  the user's password.
+	#
+	# password_attribute = userPassword
+
+	#  Un-comment the following to disable Novell
+	#  eDirectory account policy check and intruder
+	#  detection. This will work *only if* FreeRADIUS is
+	#  configured to build with --with-edir option.
+	#
+	edir_account_policy_check = no
+
+	#
+	#  Group membership checking.  Disabled by default.
+	#
+	# groupname_attribute = cn
+	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
+	# groupmembership_attribute = radiusGroupName
+
+	# compare_check_items = yes
+	# do_xlat = yes
+	# access_attr_used_for_allow = yes
+
+	#
+	#  The following two configuration items are for Active Directory
+	#  compatibility.  If you see the helpful "operations error"
+	#  being returned to the LDAP module, uncomment the next
+	#  two lines.
+	#
+	# chase_referrals = yes
+	# rebind = yes
+
+	#
+	#  By default, if the packet contains a User-Password,
+	#  and no other module is configured to handle the
+	#  authentication, the LDAP module sets itself to do
+	#  LDAP bind for authentication.
+	#
+	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
+	#
+	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
+	#
+	#  You can disable this behavior by setting the following
+	#  configuration entry to "no".
+	#
+	#  allowed values: {no, yes}
+	# set_auth_type = yes
+
+	#  ldap_debug: debug flag for LDAP SDK
+	#  (see OpenLDAP documentation).  Set this to enable
+	#  huge amounts of LDAP debugging on the screen.
+	#  You should only use this if you are an LDAP expert.
+	#
+	#	default: 0x0000 (no debugging messages)
+	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+	#ldap_debug = 0x0028 
+
+	#
+	#  Keepalive configuration.  This MAY NOT be supported by your
+	#  LDAP library.  If these configuration entries appear in the
+	#  output of "radiusd -X", then they are supported.  Otherwise,
+	#  they are unsupported, and changing them will do nothing.
+	#
+	keepalive {
+		# LDAP_OPT_X_KEEPALIVE_IDLE
+		idle = 60
+
+		# LDAP_OPT_X_KEEPALIVE_PROBES
+		probes = 3
+
+		# LDAP_OPT_X_KEEPALIVE_INTERVAL
+		interval = 3
+	}
+}

freeradius/config/tmp/freeradius/modules/linelog

@@ -0,0 +1,105 @@
+# -*- text -*-
+#
+#  $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
+
+#
+#  The "linelog" module will log one line of text to a file.
+#  Both the filename and the line of text are dynamically expanded.
+#
+#  We STRONGLY suggest that you do not use data from the
+#  packet as part of the filename.
+#
+linelog {
+	#
+	#  The file where the logs will go.
+	#
+	#  If the filename is "syslog", then the log messages will
+	#  go to syslog.
+	filename = ${logdir}/linelog
+
+	#
+	#  The Unix-style permissions on the log file.
+	#
+	#  Depending on format string, the log file may contain secret or
+	#  private information about users.  Keep the file permissions as
+	#  restrictive as possible.
+	permissions = 0600
+
+	#
+	# The Unix group of the log file.
+	#
+	# The user that freeradius runs as must be in the specified
+	# group, otherwise it will not be possible to set the group.
+	#
+	# group = freerad
+
+	#
+	# If logging via syslog, the facility can be set here. Otherwise
+	# the syslog_facility option in radiusd.conf will be used.
+	#
+	# syslog_facility = daemon
+
+	#
+	#  The default format string.
+	format = "This is a log message for %{User-Name}"
+
+	#
+	#  This next line can be omitted.  If it is omitted, then
+	#  the log message is static, and is always given by "format",
+	#  above.
+	#
+	#  If it is defined, then the string is dynamically expanded,
+	#  and the result is used to find another configuration entry
+	#  here, with the given name.  That name is then used as the
+	#  format string.
+	#
+	#  If the configuration entry cannot be found, then no log
+	#  message is printed.
+	#
+	#  i.e. You can have many log messages in one "linelog" module.
+	#  If this two-step expansion did not exist, you would have
+	#  needed to configure one "linelog" module for each log message.
+
+	#
+	#  Reference the Packet-Type (Access-Request, etc.)  If it doesn't
+	#  exist, reference the "format" entry, above.
+	reference = "%{%{Packet-Type}:-format}"
+
+	#
+	#  Followed by a series of log messages.
+	Access-Request = "Requested access: %{User-Name}"
+	Access-Reject = "Rejected access: %{User-Name}"
+	Access-Challenge = "Sent challenge: %{User-Name}"
+
+	#
+	#  The log messages can be grouped into sections and
+        #  sub-sections, too.  The "reference" item needs to have a "."
+	#  for every section.  e.g. reference = foo.bar will reference
+	#  the "foo" section, "bar" configuration item.
+	#
+
+	#
+	#  Used if:	reference = "foo.bar".
+	foo {
+	    bar = "Example log.  Please ignore"
+	}
+
+	#
+	#  Another example:
+	#      reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
+	#
+	Accounting-Request {
+		Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+		Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+
+		#  Don't log anything for these packets.
+		Alive = ""
+
+		Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
+		Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
+
+		# don't log anything for other Acct-Status-Types.
+		unknown = ""
+	}
+
+}

freeradius/config/tmp/freeradius/modules/logintime

@@ -0,0 +1,31 @@
+# -*- text -*-
+#
+#  $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
+
+# The logintime module. This handles the Login-Time,
+# Current-Time, and Time-Of-Day attributes.  It should be
+# included in the *end* of the authorize section in order to
+# handle Login-Time checks. It should also be included in the
+# instantiate section in order to register the Current-Time
+# and Time-Of-Day comparison functions.
+#
+# When the Login-Time attribute is set to some value, and the
+# user has bene permitted to log in, a Session-Timeout is
+# calculated based on the remaining time.  See "doc/README".
+#
+logintime {
+	#
+	# The Reply-Message which will be sent back in case
+	# the account is calling outside of the allowed
+	# timespan. Dynamic substitution is supported.
+	#
+	reply-message = "You are calling outside your allowed timespan\r\n"
+	#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
+
+	# The minimum timeout (in seconds) a user is allowed
+	# to have. If the calculated timeout is lower we don't
+	# allow the logon. Some NASes do not handle values
+	# lower than 60 seconds well.
+	minimum-timeout = 60
+}
+

freeradius/config/tmp/freeradius/modules/mac2ip

@@ -0,0 +1,25 @@
+# -*- text -*-
+#
+#  $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
+
+######################################################################
+#
+#  This next section is a sample configuration for the "passwd"
+#  module, that reads flat-text files.
+#
+#  The file is in the format <mac>,<ip>
+#
+#	00:01:02:03:04:05,192.168.1.100
+#	01:01:02:03:04:05,192.168.1.101
+#	02:01:02:03:04:05,192.168.1.102
+#
+#  This lets you perform simple static IP assignments from a flat-text
+#  file.  You will have to define lease times yourself.
+#
+######################################################################
+
+passwd mac2ip {
+	filename = ${confdir}/mac2ip
+	format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
+	delimiter = ","
+}

freeradius/config/tmp/freeradius/modules/mac2vlan

@@ -0,0 +1,18 @@
+# -*- text -*-
+#
+#  $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
+
+#  A simple file to map a MAC address to a VLAN.
+#
+#  The file should be in the format MAC,VLAN
+#  the VLAN name cannot have spaces in it, for example:
+#
+#	00:01:02:03:04:05,VLAN1
+#	03:04:05:06:07:08,VLAN2
+#	...
+#
+passwd mac2vlan {
+	filename = ${confdir}/mac2vlan
+	format = "*VMPS-Mac:=VMPS-VLAN-Name"
+	delimiter = ","
+}

freeradius/config/tmp/freeradius/modules/mschap

@@ -0,0 +1,87 @@
+# -*- text -*-
+#
+#  $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
+
+# Microsoft CHAP authentication
+#
+#  This module supports MS-CHAP and MS-CHAPv2 authentication.
+#  It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+	#
+	#  If you are using /etc/smbpasswd, see the 'passwd'
+	#  module for an example of how to use /etc/smbpasswd
+
+	# if use_mppe is not set to no mschap will
+	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+	#
+	use_mppe = yes
+
+	# if mppe is enabled require_encryption makes
+	# encryption moderate
+	#
+	require_encryption = yes
+
+	# require_strong always requires 128 bit key
+	# encryption
+	#
+	require_strong = yes
+
+	# Windows sends us a username in the form of
+	# DOMAIN\user, but sends the challenge response
+	# based on only the user portion.  This hack
+	# corrects for that incorrect behavior.
+	#
+#	with_ntdomain_hack = no
+
+	# The module can perform authentication itself, OR
+	# use a Windows Domain Controller.  This configuration
+	# directive tells the module to call the ntlm_auth
+	# program, which will do the authentication, and return
+	# the NT-Key.  Note that you MUST have "winbindd" and
+	# "nmbd" running on the local machine for ntlm_auth
+	# to work.  See the ntlm_auth program documentation
+	# for details.
+	#
+	# If ntlm_auth is configured below, then the mschap
+	# module will call ntlm_auth for every MS-CHAP
+	# authentication request.  If there is a cleartext
+	# or NT hashed password available, you can set
+	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+	# and the mschap module will do the authentication itself,
+	# without calling ntlm_auth.
+	#
+	# Be VERY careful when editing the following line!
+	#
+	# You can also try setting the user name as:
+	#
+	#	... --username=%{mschap:User-Name} ...
+	#
+	# In that case, the mschap module will look at the User-Name
+	# attribute, and do prefix/suffix checks in order to obtain
+	# the "best" user name for the request.
+	#
+#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+
+	# The default is to wait 10 seconds for ntlm_auth to
+	# complete.  This is a long time, and if it's taking that
+	# long then you likely have other problems in your domain.
+	# The length of time can be decreased with the following
+	# option, which can save clients waiting if your ntlm_auth
+	# usually finishes quicker. Range 1 to 10 seconds.
+	#
+#	ntlm_auth_timeout = 10
+
+	# For Apple Server, when running on the same machine as
+	# Open Directory.  It has no effect on other systems.
+	#
+#	use_open_directory = yes
+
+	# On failure, set (or not) the MS-CHAP error code saying
+	# "retries allowed".
+#	allow_retry = yes
+
+	# An optional retry message.
+#	retry_msg = "Re-enter (or reset) the password"
+}

freeradius/config/tmp/freeradius/modules/ntlm_auth

@@ -0,0 +1,12 @@
+#
+#  For testing ntlm_auth authentication with PAP.
+#
+#  If you have problems with authentication failing, even when the
+#  password is good, it may be a bug in Samba:
+#
+#	https://bugzilla.samba.org/show_bug.cgi?id=6563
+#
+exec ntlm_auth {
+	wait = yes
+	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
+}

freeradius/config/tmp/freeradius/modules/opendirectory

@@ -0,0 +1,13 @@
+# -*- text -*-
+#
+#  $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
+
+#  This module is only used when the server is running on the same
+#  system as OpenDirectory.  The configuration of the module is hard-coded
+#  by Apple, and cannot be changed here.
+#
+#  There are no configuration entries for this module.
+#
+opendirectory {
+
+}

freeradius/config/tmp/freeradius/modules/otp

@@ -0,0 +1,78 @@
+#
+#  Configuration for the OTP module.
+#
+
+#  This module allows you to use various handheld OTP tokens
+#  for authentication (Auth-Type := otp).  These tokens are
+#  available from various vendors.
+#
+#  It works in conjunction with otpd, which implements token
+#  management and OTP verification functions; and lsmd or gsmd,
+#  which implements synchronous state management functions.
+#  otpd, lsmd and gsmd are available from TRI-D Systems:
+#              <http://www.tri-dsystems.com/>
+
+#  You must list this module in BOTH the authorize and authenticate
+#  sections in order to use it.
+otp {
+	# otpd rendezvous point.
+	# (default: /var/run/otpd/socket)
+	#otpd_rp = /var/run/otpd/socket
+
+	# Text to use for the challenge.  The '%' character is
+	# disallowed, except that you MUST have a single "%s"
+	# sequence in the string; the challenge itself is
+	# inserted there.  (default "Challenge: %s\n Response: ")
+	#challenge_prompt = "Challenge: %s\n Response: "
+
+	# Length of the challenge.  Most tokens probably support a
+	# max of 8 digits.  (range: 5-32 digits, default 6)
+	#challenge_length = 6
+
+	# Maximum time, in seconds, that a challenge is valid.
+	# (The user must respond to a challenge within this time.)
+	# It is also the minimal time between consecutive async mode
+	# authentications, a necessary restriction due to an inherent
+	# weakness of the RADIUS protocol which allows replay attacks.
+	# (default: 30)
+	#challenge_delay = 30
+
+	# Whether or not to allow asynchronous ("pure" challenge/
+	# response) mode authentication.  Since sync mode is much more
+	# usable, and all reasonable tokens support it, the typical
+	# use of async mode is to allow resync of event based tokens.
+	# But because of the vulnerability of async mode with some tokens,
+	# you probably want to disable this and require that out-of-sync
+	# users resync from specifically secured terminals.
+	# See the otpd docs for more info.
+	# (default: no)
+	#allow_async = no
+
+	# Whether or not to allow synchronous mode authentication.
+	# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
+	# that if your OTP users can authenticate to multiple RADIUS
+	# servers, this must be "yes" for the primary/default server,
+	# and "no" for the others.  This is because lsmd does not
+	# share state information across multiple servers.  Using "yes"
+	# on all your RADIUS servers would allow replay attacks!
+	# Also, for event based tokens, the user will be out of sync
+	# on the "other" servers.  In order to use "yes" on all your
+	# servers, you must either use gsmd, which synchronizes state
+	# globally, or implement your own state synchronization method.
+	# (default: yes)
+	#allow_sync = yes
+
+	# If both allow_async and allow_sync are "yes", a challenge is
+	# always presented to the user.  This is incompatible with NAS's
+	# that can't present or don't handle Access-Challenge's, e.g.
+	# PPTP servers.  Even though a challenge is presented, the user
+	# can still enter their synchronous passcode.
+
+	# The following are MPPE settings.  Note that MS-CHAP (v1) is
+	# strongly discouraged.  All possible values are listed as
+	# {value = meaning}.  Default values are first.
+	#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
+	#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
+	#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
+	#mschap_mppe_bits = {2 = 128}
+}

freeradius/config/tmp/freeradius/modules/pam

@@ -0,0 +1,26 @@
+# -*- text -*-
+#
+#  $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
+
+
+# Pluggable Authentication Modules
+#
+#  For Linux, see:
+#	http://www.kernel.org/pub/linux/libs/pam/index.html
+#
+#  WARNING: On many systems, the system PAM libraries have
+#           memory leaks!  We STRONGLY SUGGEST that you do not
+#	    use PAM for authentication, due to those memory leaks.
+#
+pam {
+	#
+	#  The name to use for PAM authentication.
+	#  PAM looks in /etc/pam.d/${pam_auth_name}
+	#  for it's configuration.  See 'redhat/radiusd-pam'
+	#  for a sample PAM configuration file.
+	#
+	#  Note that any Pam-Auth attribute set in the 'authorize'
+	#  section will over-ride this one.
+	#
+	pam_auth = radiusd
+}

freeradius/config/tmp/freeradius/modules/pap

@@ -0,0 +1,22 @@
+# -*- text -*-
+#
+#  $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
+
+# PAP module to authenticate users based on their stored password
+#
+#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
+#  for details.
+#
+#  The "auto_header" configuration item can be set to "yes".
+#  In this case, the module will look inside of the User-Password
+#  attribute for the headers {crypt}, {clear}, etc., and will
+#  automatically create the attribute on the right-hand side,
+#  with the correct value.  It will also automatically handle
+#  Base-64 encoded data, hex strings, and binary data.
+#
+#  For instructions on creating the various types of passwords, see:
+#
+#  http://www.openldap.org/faq/data/cache/347.html
+pap {
+	auto_header = no
+}

freeradius/config/tmp/freeradius/modules/passwd

@@ -0,0 +1,55 @@
+# -*- text -*-
+#
+#  $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
+
+# passwd module allows to do authorization via any passwd-like
+# file and to extract any attributes from these files.
+#
+#  See the "smbpasswd" and "etc_group" files for more examples.
+#
+# parameters are:
+#   filename - path to filename
+#
+#   format - format for filename record. This parameters
+#            correlates record in the passwd file and RADIUS
+#            attributes.
+#
+#            Field marked as '*' is a key field. That is, the parameter
+#            with this name from the request is used to search for
+#            the record from passwd file
+#
+#            Attributes marked as '=' are added to reply_items instead
+#            of default configure_itmes
+#
+#	     Attributes marked as '~' are added to request_items
+#
+#            Field marked as ',' may contain a comma separated list
+#            of attributes.
+#
+#   hashsize - hashtable size.  Setting it to 0 is no longer permitted
+#		A future version of the server will have the module
+#		automatically determine the hash size.  Having it set
+#		manually should not be necessary.
+#
+#   allowmultiplekeys - if many records for a key are allowed
+#
+#   ignorenislike - ignore NIS-related records
+#
+#   delimiter - symbol to use as a field separator in passwd file,
+#            for format ':' symbol is always used. '\0', '\n' are
+#	     not allowed 
+#
+
+#  An example configuration for using /etc/passwd.
+#
+#  This is an example which will NOT WORK if you have shadow passwords,
+#  NIS, etc.  The "unix" module is normally responsible for reading
+#  system passwords.  You should use it instead of this example.
+#
+passwd etc_passwd {
+	filename = /etc/passwd
+	format = "*User-Name:Crypt-Password:"
+	hashsize = 100
+	ignorenislike = no
+	allowmultiplekeys = no
+}

freeradius/config/tmp/freeradius/modules/perl

@@ -0,0 +1,58 @@
+# -*- text -*-
+#
+#  $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
+
+#  Persistent, embedded Perl interpreter.
+#
+perl {
+	#
+	#  The Perl script to execute on authorize, authenticate,
+	#  accounting, xlat, etc.  This is very similar to using
+	#  'rlm_exec' module, but it is persistent, and therefore
+	#  faster.
+	#
+	module = ${confdir}/example.pl
+
+	#
+	#  The following hashes are given to the module and
+        #  filled with value-pairs (Attribute names and values)
+	#
+	#  %RAD_CHECK		Check items
+	#  %RAD_REQUEST		Attributes from the request
+	#  %RAD_REPLY		Attributes for the reply
+	# 
+	#  The return codes from functions in the perl_script
+	#  are passed directly back to the server.  These
+	#  codes are defined in doc/configurable_failover,
+	#  src/include/modules.h (RLM_MODULE_REJECT, etc),
+	#  and are pre-defined in the 'example.pl' program
+	#  which is included.
+	#		
+
+	#
+	#  List of functions in the module to call.
+	#  Uncomment and change if you want to use function
+	#  names other than the defaults.
+	#
+	#func_authenticate = authenticate
+	#func_authorize = authorize
+	#func_preacct = preacct
+	#func_accounting = accounting
+	#func_checksimul = checksimul
+	#func_pre_proxy = pre_proxy
+	#func_post_proxy = post_proxy
+	#func_post_auth = post_auth
+	#func_recv_coa = recv_coa
+	#func_send_coa = send_coa
+	#func_xlat = xlat
+	#func_detach = detach
+
+	#
+	#  Uncomment the following lines if you wish
+	#  to use separate functions for Start and Stop
+	#  accounting packets. In that case, the 
+	#  func_accounting function is not called.
+	#
+	#func_start_accounting = accounting_start
+	#func_stop_accounting = accounting_stop
+}

freeradius/config/tmp/freeradius/modules/policy

@@ -0,0 +1,21 @@
+# -*- text -*-
+#
+#  $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
+
+#
+#  Module implementing a DIFFERENT policy language.
+#  The syntax here is NOT "unlang", but something else.
+#
+#  See the "raddb/policy.txt" file for documentation and examples.
+#  There isn't much else in the way of documentation, sorry.
+#
+policy {
+       #  The only configuration item is a filename containing
+       #  the policies to execute.
+       #
+       #  When "policy" is listed in a section (e.g. "authorize"),
+       #  it will run a policy named for that section.
+       # 
+       filename = ${confdir}/policy.txt
+}
+

freeradius/config/tmp/freeradius/modules/preprocess

@@ -0,0 +1,58 @@
+# -*- text -*-
+#
+#  $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
+
+# Preprocess the incoming RADIUS request, before handing it off
+# to other modules.
+#
+#  This module processes the 'huntgroups' and 'hints' files.
+#  In addition, it re-writes some weird attributes created
+#  by some NASes, and converts the attributes into a form which
+#  is a little more standard.
+#
+preprocess {
+	huntgroups = ${confdir}/huntgroups
+	hints = ${confdir}/hints
+
+	# This hack changes Ascend's wierd port numberings
+	# to standard 0-??? port numbers so that the "+" works
+	# for IP address assignments.
+	with_ascend_hack = no
+	ascend_channels_per_line = 23
+
+	# Windows NT machines often authenticate themselves as
+	# NT_DOMAIN\username
+	#
+	# If this is set to 'yes', then the NT_DOMAIN portion
+	# of the user-name is silently discarded.
+	#
+	# This configuration entry SHOULD NOT be used.
+	# See the "realms" module for a better way to handle
+	# NT domains.
+	with_ntdomain_hack = no
+
+	# Specialix Jetstream 8500 24 port access server.
+	#
+	# If the user name is 10 characters or longer, a "/"
+	# and the excess characters after the 10th are
+	# appended to the user name.
+	#
+	# If you're not running that NAS, you don't need
+	# this hack.
+	with_specialix_jetstream_hack = no
+
+	# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
+	# with the attribute name *again* in the string, like:
+	#
+	#   H323-Attribute = "h323-attribute=value".
+	#
+	# If this configuration item is set to 'yes', then
+	# the redundant data in the the attribute text is stripped
+	# out.  The result is:
+	#
+	#  H323-Attribute = "value"
+	#
+	# If you're not running a Cisco or Quintum NAS, you don't
+	# need this hack.
+	with_cisco_vsa_hack = no
+}

freeradius/config/tmp/freeradius/modules/radrelay

@@ -0,0 +1,26 @@
+# -*- text -*-
+#
+#  $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
+
+#  Write "detail" files which can be read by radrelay.
+#  This module should be used only by a server which receives
+#  Accounting-Request packets from the network.
+#
+#  It should NOT be used in the radrelay.conf file.
+#
+#  Use it by adding "radrelay" to the "accounting" section:
+#
+#	accounting {
+#		...
+#		radrelay
+#		...
+#	}
+#
+detail radrelay {
+	detailfile = ${radacctdir}/detail
+
+	locking = yes
+
+	#  The other directives from the main detail module
+	#  can be used here, but they're not required.
+}

freeradius/config/tmp/freeradius/modules/radutmp

@@ -0,0 +1,53 @@
+# -*- text -*-
+#
+#  $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $
+
+#  Write a 'utmp' style file, of which users are currently
+#  logged in, and where they've logged in from.
+#
+#  This file is used mainly for Simultaneous-Use checking,
+#  and also 'radwho', to see who's currently logged in.
+#
+radutmp {
+	#  Where the file is stored.  It's not a log file,
+	#  so it doesn't need rotating.
+	#
+	filename = ${logdir}/radutmp
+
+	#  The field in the packet to key on for the
+	#  'user' name,  If you have other fields which you want
+	#  to use to key on to control Simultaneous-Use,
+	#  then you can use them here.
+	#
+	#  Note, however, that the size of the field in the
+	#  'utmp' data structure is small, around 32
+	#  characters, so that will limit the possible choices
+	#  of keys.
+	#
+	#  You may want instead: %{Stripped-User-Name:-%{User-Name}}
+	username = %{User-Name}
+
+
+	#  Whether or not we want to treat "user" the same
+	#  as "USER", or "User".  Some systems have problems
+	#  with case sensitivity, so this should be set to
+	#  'no' to enable the comparisons of the key attribute
+	#  to be case insensitive.
+	#
+	case_sensitive = yes
+
+	#  Accounting information may be lost, so the user MAY
+	#  have logged off of the NAS, but we haven't noticed.
+	#  If so, we can verify this information with the NAS,
+	#
+	#  If we want to believe the 'utmp' file, then this
+	#  configuration entry can be set to 'no'.
+	#
+	check_with_nas = yes		
+
+	# Set the file permissions, as the contents of this file
+	# are usually private.
+	perm = 0600
+
+	callerid = "yes"
+}

freeradius/config/tmp/freeradius/modules/realm

@@ -0,0 +1,46 @@
+# -*- text -*-
+#
+#  $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $
+
+# Realm module, for proxying.
+#
+#  You can have multiple instances of the realm module to
+#  support multiple realm syntaxs at the same time.  The
+#  search order is defined by the order that the modules are listed
+#  in the authorize and preacct sections.
+#
+#  Four config options:
+#	format         -  must be "prefix" or "suffix"
+#			  The special cases of "DEFAULT"
+#			  and "NULL" are allowed, too.
+#	delimiter      -  must be a single character
+
+#  'realm/username'
+#
+#  Using this entry, IPASS users have their realm set to "IPASS".
+realm IPASS {
+	format = prefix
+	delimiter = "/"
+}
+
+#  'username@realm'
+#
+realm suffix {
+	format = suffix
+	delimiter = "@"
+}
+
+#  'username%realm'
+#
+realm realmpercent {
+	format = suffix
+	delimiter = "%"
+}
+
+#
+#  'domain\user'
+#
+realm ntdomain {
+	format = prefix
+	delimiter = "\\"
+}	

freeradius/config/tmp/freeradius/modules/redis

@@ -0,0 +1,35 @@
+# -*- text -*-
+#
+#  $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $
+
+#
+#  Configuration file for the "redis" module.  This module does nothing
+#  Other than provide connections to a redis database, and a %{redis: ...}
+#  expansion.
+#
+redis {
+	#  Host where the redis server is located.
+	#  We recommend using ONLY 127.0.0.1 !
+	hostname = 127.0.0.1
+
+	#  The default port.
+	port = 6379
+	
+	#  The password used to authenticate to the server.
+	#  We recommend using a strong password.
+#	password = thisisreallysecretandhardtoguess
+
+	# The number of connections to open to the database.
+	num_connections = 20
+
+	# If a connection fails, retry after this time.
+	connect_failure_retry_delay = 60
+
+	#  Set the maximum lifetime for one connection.
+	#  Use 0 for "lives forever"
+	lifetime = 86400
+
+	#  Set the maximum queries used for one connection.
+	#  Use 0 for "no limit"
+	max_queries = 0
+}

freeradius/config/tmp/freeradius/modules/rediswho

@@ -0,0 +1,28 @@
+# -*- text -*-
+#
+#  $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $
+
+#
+#  Configuration file for the "rediswho" module.
+#
+rediswho {
+	#  How many sessions to keep track of per user.
+	#  If there are more than this number, older sessions are deleted.
+	trim-count = 15
+
+	#  Expiry time in seconds.  Any sessions which have not received
+	#  an update in this time will be automatically expired.
+	expire-time = 86400
+
+	start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
+	start-trim =   "LTRIM %{User-Name} 0 ${trim-count}"
+	start-expire = "EXPIRE %{User-Name} ${expire-time}"
+
+	alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
+	alive-trim =   "LTRIM %{User-Name} 0 ${trim-count}"
+	alive-expire = "EXPIRE %{User-Name} ${expire-time}"
+
+	stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
+	stop-trim =   "LTRIM %{User-Name} 0 ${trim-count}"
+	stop-expire = "EXPIRE %{User-Name} ${expire-time}"
+}

freeradius/config/tmp/freeradius/modules/replicate

@@ -0,0 +1,40 @@
+#  Replicate packet(s) to a home server.
+#
+#  This module will open a new socket for each packet, and "clone"
+#  the incoming packet to the destination realm (i.e. home server).
+#
+#  Use it by setting "Replicate-To-Realm = name" in the control list,
+#  just like Proxy-To-Realm.  The configurations for the two attributes
+#  are identical.  The realm must exist, the home_server_pool must exist,
+#  and the home_server must exist.
+#
+#  The only difference is that the "replicate" module sends requests
+#  and does not expect a reply.  Any reply is ignored.
+#
+#  Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
+#
+#  To use this module, list "replicate" in the "authorize" or
+#  "accounting" section.  Then, ensure that Replicate-To-Realm is set.
+#  The contents of the "packet" attribute list will be sent to the
+#  home server.  The usual load-balancing, etc. features of the home
+#  server will be used.
+#
+#  "radmin" can be used to mark home servers alive/dead, in order to
+#  enable/disable replication to specific servers.
+#
+#  Packets can be replicated to multiple destinations.  Just set
+#  Replicate-To-Realm multiple times.  One packet will be sent for
+#  each of the Replicate-To-Realm attribute in the "control" list.
+#
+#  If no packets are sent, the module returns "noop".  If at least one
+#  packet is sent, the module returns "ok".  If an error occurs, the
+#  module returns "fail"
+#
+#  Note that replication does NOT change any of the packet statistics.
+#  If you use "radmin" to look at the statistics for a home server,
+#  the replicated packets will cause NO counters to increment.  This
+#  is not a bug, this is how replication works.
+#
+replicate {
+
+}

freeradius/config/tmp/freeradius/modules/smbpasswd

@@ -0,0 +1,16 @@
+# -*- text -*-
+#
+#  $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $
+
+#  An example configuration for using /etc/smbpasswd.
+#
+#  See the "passwd" file for documentation on the configuration items
+#  for this module.
+#
+passwd smbpasswd {
+	filename = /etc/smbpasswd
+	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
+	hashsize = 100
+	ignorenislike = no
+	allowmultiplekeys = no
+}

freeradius/config/tmp/freeradius/modules/smsotp

@@ -0,0 +1,50 @@
+# -*- text -*-
+#
+#  $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $
+
+#  SMS One-time Password system.
+#
+#  This module will extend FreeRadius with a socks interface to create and
+#  validate One-Time-Passwords. The program for that creates the socket
+#  and interacts with this module is not included here.
+# 
+#  The module does not check the User-Password, this should be done with
+#  the "pap" module.  See the example below.
+#
+#  The module must be used in the "authorize" section to set 
+#  Auth-Type properly.  The first time through, the module is called
+#  in the "authenticate" section to authenticate the user password, and
+#  to send the challenge.  The second time through, it authenticates
+#  the response to the challenge. e.g.:
+#
+#  authorize {
+#	...
+#	smsotp
+#	...
+#  }
+#
+#  authenticate {
+#	...
+#	Auth-Type smsotp {
+#		pap
+#		smsotp
+#	}
+#
+#	Auth-Type smsotp-reply {
+#		smsotp
+#	}
+#	...
+#  }
+#
+smsotp {
+	#  The location of the socket.
+	socket = "/var/run/smsotp_socket"
+
+	#  Defines the challenge message that will be send to the
+	#  NAS. Default is "Enter Mobile PIN" }
+	challenge_message = "Enter Mobile PIN:"
+
+	#  Defines the Auth-Type section that is run for the response to
+	#  the challenge. Default is "smsotp-reply".
+	challenge_type = "smsotp-reply"
+}

freeradius/config/tmp/freeradius/modules/soh

@@ -0,0 +1,4 @@
+# SoH module
+soh {
+	dhcp = yes
+}

freeradius/config/tmp/freeradius/modules/sql_log

@@ -0,0 +1,92 @@
+# -*- text -*-
+#
+#  $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $
+
+#
+#  The rlm_sql_log module appends the SQL queries in a log
+#  file which is read later by the radsqlrelay program.
+#
+#  This module only performs the dynamic expansion of the
+#  variables found in the SQL statements. No operation is
+#  executed on the database server. (this could be done
+#  later by an external program) That means the module is
+#  useful only with non-"SELECT" statements.
+#
+#  See rlm_sql_log(5) manpage.
+#
+#  This same functionality could also be implemented by logging
+#  to a "detail" file, reading that, and then writing to SQL.
+#  See raddb/sites-available/buffered-sql for an example.
+#
+sql_log {
+	path = "${radacctdir}/sql-relay"
+	acct_table = "radacct"
+	postauth_table = "radpostauth"
+	sql_user_name = "%{%{User-Name}:-DEFAULT}"
+
+	#
+	#  Setting this to "yes" will allow UTF-8 characters to be
+	#  written to the log file.  Otherwise, they are escaped
+	#  as being potentially invalid.
+	#
+	utf8 = no
+
+	#
+	#  The names here are taken from the Acct-Status-Type names.
+	#  Just add another entry here for Accounting-On,
+	#  Accounting-Off, etc.
+	#
+	Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
+	 NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
+	 AcctSessionTime, AcctTerminateCause) VALUES                 \
+	 ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
+	 '%{Framed-IP-Address}', '%S', '0', '0', '');"
+
+	Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName,  \
+	 NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
+	 AcctSessionTime, AcctTerminateCause) VALUES                 \
+	 ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
+	 '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}',  \
+	 '%{Acct-Terminate-Cause}');"
+
+	Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
+	 NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
+	 AcctSessionTime, AcctTerminateCause) VALUES                 \
+	 ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
+	 '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
+
+	# The same as "Alive"
+	Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
+	 NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
+	 AcctSessionTime, AcctTerminateCause) VALUES                 \
+	 ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
+	 '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
+
+	Post-Auth = "INSERT INTO ${postauth_table}                   \
+	 (username, pass, reply, authdate) VALUES                    \
+	 ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
+	 '%{reply:Packet-Type}', '%S');"
+
+	Accounting-On = "UPDATE ${acct_table} \
+	  SET \
+	     acctstoptime       =  '%S', \
+	     acctsessiontime    =  unix_timestamp('%S') - \
+	                           unix_timestamp(acctstarttime), \
+	     acctterminatecause =  '%{Acct-Terminate-Cause}', \
+	     acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
+	  WHERE acctstoptime IS NULL \
+	  AND nasipaddress      =  '%{NAS-IP-Address}' \
+	  AND acctstarttime     <= '%S'""
+
+	Accounting-Off = "UPDATE ${acct_table} \
+	  SET \
+	     acctstoptime       =  '%S', \
+	     acctsessiontime    =  unix_timestamp('%S') - \
+	                           unix_timestamp(acctstarttime), \
+	     acctterminatecause =  '%{Acct-Terminate-Cause}', \
+	     acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
+	  WHERE acctstoptime IS NULL \
+	  AND nasipaddress      =  '%{NAS-IP-Address}' \
+	  AND acctstarttime     <= '%S'""
+}
+

freeradius/config/tmp/freeradius/modules/sqlcounter_expire_on_login

@@ -0,0 +1,37 @@
+# -*- text -*-
+#
+#  $Id: c950169307009b088b2c31274f496ffe38e8a793 $
+
+#
+#  Set an account to expire T seconds after first login.
+#  Requires the Expire-After attribute to be set, in seconds.
+#  You may need to edit raddb/dictionary to add the Expire-After
+#  attribute.
+#
+#  This example is for MySQL.  Other SQL variants should be similar.
+#
+#  For versions prior to 2.1.11, this module defined the following
+#  expansion strings:
+#
+#	%k	key_name
+#	%S	sqlmod_inst
+#
+#  These SHOULD NOT be used.  If these are used in your configuration,
+#  they should be replaced by the following strings, which will work
+#  identically to the previous ones:
+#
+#	%k	${key}
+#	%S	${sqlmod-inst}
+#
+sqlcounter expire_on_login {
+	counter-name = Expire-After-Initial-Login
+	check-name = Expire-After
+	sqlmod-inst = sql
+	key = User-Name
+	reset = never
+	query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
+		 FROM radacct \
+		 WHERE UserName='%{${key}}' \
+		 ORDER BY acctstarttime \
+		 LIMIT 1;"
+}

freeradius/config/tmp/freeradius/modules/sradutmp

@@ -0,0 +1,16 @@
+# -*- text -*-
+#
+#  $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $
+
+# "Safe" radutmp - does not contain caller ID, so it can be
+# world-readable, and radwho can work for normal users, without
+# exposing any information that isn't already exposed by who(1).
+#
+# This is another 'instance' of the radutmp module, but it is given
+# then name "sradutmp" to identify it later in the "accounting"
+# section.
+radutmp sradutmp {
+	filename = ${logdir}/sradutmp
+	perm = 0644
+	callerid = "no"
+}

freeradius/config/tmp/freeradius/modules/unix

@@ -0,0 +1,25 @@
+# -*- text -*-
+#
+#  $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
+
+# Unix /etc/passwd style authentication
+#
+#  This module calls the system functions to get the "known good"
+#  password.  This password is usually in the "crypt" form, and is
+#  incompatible with CHAP, MS-CHAP, PEAP, etc.
+#
+#  If passwords are in /etc/shadow, you will need to set the "group"
+#  configuration in radiusd.conf.  Look for "shadow", and follow the
+#  instructions there.
+#
+unix {
+	#
+	#  The location of the "wtmp" file.
+	#  The only use for 'radlast'.  If you don't use
+	#  'radlast', then you can comment out this item.
+	#
+	#  Note that the radwtmp file may get large!  You should
+	#  rotate it (cp /dev/null radwtmp), or just not use it.
+	#
+	radwtmp = ${logdir}/radwtmp
+}

freeradius/config/tmp/freeradius/modules/wimax

@@ -0,0 +1,112 @@
+#
+#	The WiMAX module currently takes no configuration.
+#
+#	It should be listed in the "authorize" and "preacct" sections.
+#	This enables the module to fix the horrible binary version
+#	of Calling-Station-Id to the normal format, as specified in
+#	RFC 3580, Section 3.21.
+#
+#	In order to calculate the various WiMAX keys, the module should
+#	be listed in the "post-auth" section.  If EAP authentication
+#	has been used, AND the EAP method derives MSK and EMSK, then
+#	the various WiMAX keys can be calculated.
+#
+#	Some useful things to remember:
+#
+#	WiMAX-MSK = EAP MSK, but is 64 octets.
+#
+#	MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
+#	MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
+#	MIP-RK = MIP-RK-1 | MIP-RK-2
+#
+#	MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
+#		plus some magic... you've got to track *all* MIP-SPI's
+#		on your system!
+#
+#	SPI-CMIP4 = MIP-SPI
+#	SPI-PMIP4 = MIP-SPI + 1
+#	SPI-CMIP6 = MIP-SPI + 2
+#
+#	MN-NAI is the Mobile node NAI.  You have to create it, and put
+#	it into the request or reply as something like:
+#
+#		WiMAX-MN-NAI = "%{User-Name}"
+#
+#	You will also have to have the appropriate IP address (v4 or v6)
+#	in order to calculate the keys below.
+#
+#	Lifetimes are derived from Session-Timeout.  It needs to be set
+#	to some useful number.
+#
+#	The hash function below H() is HMAC-SHA1.
+#
+#
+#	MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
+#
+#		Where HA-IPv4 is	WiMAX-hHA-IP-MIP4
+#		or maybe		WiMAX-vHA-IP-MIP4
+#
+#		Which goes into		WiMAX-MN-hHA-MIP4-Key
+#		or maybe		WiMAX-RRQ-MN-HA-Key
+#		or maybe even		WiMAX-vHA-MIP4-Key
+#
+#	The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
+#
+#		which goes into		WiMAX-MN-hHA-MIP4-SPI
+#		or maybe		WiMAX-RRQ-MN-HA-SPI
+#		or even			WiMAX-MN-vHA-MIP4-SPI
+#
+#	MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
+#	MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
+#
+#		both with similar comments to above for MN-HA-CMIP4.
+#
+#	In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
+#	you have to set WiMAX-IP-Technology in the reply to one of
+#	the appropriate values.
+#
+#
+#	FA-RK = H(MIP-RK, "FA-RK")
+#
+#	MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
+#
+#		Where does the FA-IP come from?  No idea...
+#
+#
+#	The next two keys (HA-RK and FA-HA) are not generated
+#	for every authentication request, but only on demand.
+#
+#	HA-RK = 160-bit random number assigned by the AAA server
+#		to a specific HA.
+#
+#	FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
+#
+#		where HA-IPv4 is as above.
+#		and FA-CoAv4 address of the FA as seen by the HA
+#		and SPI is the relevant SPI for the HA-RK.
+#
+#	DHCP-RK = 160-bit random number assigned by the AAA server
+#		  to a specific DHCP server.  vDHCP-RK is the same
+#		  thing.
+#
+wimax {
+	#
+	#  Some WiMAX equipement requires that the MS-MPPE-*-Key
+	#  attributes are sent in the Access-Accept, in addition to
+	#  the WiMAX-MSK attribute.
+	#
+	#  Other WiMAX equipment request that the MS-MPPE-*-Key
+	#  attributes are NOT sent in the Access-Accept.
+	#
+	#  By default, the EAP modules sends MS-MPPE-*-Key attributes.
+	#  The default virtual server (raddb/sites-available/default)
+	#  contains examples of adding the WiMAX-MSK.
+	#
+	#  This configuration option makes the WiMAX module delete
+	#  the MS-MPPE-*-Key attributes.  The default is to leave
+	#  them in place.
+	#
+	#  If the keys are deleted (by setting this to "yes"), then
+	#  the WiMAX-MSK attribute is automatically added to the reply.
+	delete_mppe_keys = no
+}

freeradius/config/tmp/freeradius/policy.conf

@@ -0,0 +1,283 @@
+# -*- text -*-
+##
+## policy.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	$Id: 2668b29e3eee8eb9bfb9fbe33a6752314ac49632 $
+##
+
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantate" section of radiusd.conf.
+#
+#  Defining a policy here means that it can be referenced in multiple
+#  places as a *name*, rather than as a series of conditions to match,
+#  and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively.  They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+policy {
+	#
+	#	Forbid all EAP types.
+	#
+	forbid_eap {
+		if (EAP-Message) {
+			reject
+		}
+	}
+
+	#
+	#	Forbid all non-EAP types outside of an EAP tunnel.
+	#
+	permit_only_eap {
+		if (!EAP-Message) {
+			#  We MAY be inside of a TTLS tunnel.
+			#  PEAP and EAP-FAST require EAP inside of
+			#  the tunnel, so this check is OK.
+			#  If so, then there MUST be an outer EAP message.
+			if (!"%{outer.request:EAP-Message}") {
+				reject
+			}
+		}
+	}
+
+	#
+	#	Forbid all attempts to login via realms.
+	#
+	deny_realms {
+		if (User-Name =~ /@|\\/) {
+			reject
+		}
+	}
+
+	#
+	#	If you want the server to pretend that it is dead,
+	#	then use the "do_not_respond" policy.
+	#
+	do_not_respond {
+		update control {
+			Response-Packet-Type := Do-Not-Respond
+		}
+
+		handled
+	}
+
+	#
+	#  Force some sanity on User-Name.  This helps to avoid issues
+	#  issues where the back-end database is "forgiving" about
+	#  what constitutes a user name.
+	#
+	filter_username {
+		#
+		#  reject mixed case
+		#  e.g. "UseRNaMe"
+		#
+		if (User-Name != "%{tolower:%{User-Name}}") {
+			reject
+		}
+
+		#
+		#  reject all whitespace
+		#  e.g. "user@ site.com", or "us er", or " user", or "user "
+		#
+		if (User-Name =~ / /) {
+			update reply {
+				Reply-Message += "Rejected: Username contains whitespace"
+			}
+			reject
+		}
+
+		#
+		#  reject Multiple @'s
+		#  e.g. "user@site.com@site.com"
+		#
+		if(User-Name =~ /@.*@/ ) {
+			update reply {
+				Reply-Message += "Rejected: Multiple @ in username"
+			}
+			reject
+		}
+
+		#
+		#  reject double dots
+		#  e.g. "user@site..com"
+		#
+		if (User-Name =~ /\\.\\./ ) {
+			update reply {
+				Reply-Message += "Rejected: Username comtains ..s"
+			}
+			reject
+		}
+
+		#
+		#  must have at least 1 string-dot-string after @
+		#  e.g. "user@site.com"
+		#
+		if (User-Name !~ /@(.+)\\.(.+)$/)  {
+			update reply {
+				Reply-Message += "Rejected: Realm does not have at least one dot seperator"
+			}
+			reject
+		}
+
+		#
+		#  Realm ends with a dot
+		#  e.g. "user@site.com."
+		#
+                if (User-Name =~ /\\.$/)  {
+                        update reply {
+                                Reply-Message += "Rejected: Realm ends with a dot"
+                        }
+                        reject
+                }
+
+		#
+                #  Realm begins with a dot
+		#  e.g. "user@.site.com"
+                #
+                if (User-Name =~ /@\\./)  {
+                        update reply {
+                                Reply-Message += "Rejected: Realm begins with a dot"
+                        }
+                        reject
+                }
+	}
+
+	#	
+	#  The following policies are for the Chargeable-User-Identity
+	#  (CUI) configuration.
+	#
+
+	#
+	#  The client indicates it can do CUI by sending a CUI attribute	
+	#  containing one zero byte
+	#
+	cui_authorize {
+		update request {
+			Chargeable-User-Identity:='\\000'
+		}
+	}
+
+	#
+	#  Add a CUI attribute based on the User-Name, and a secret key
+	#  known only to this server.
+	#
+	cui_postauth {
+		if (FreeRadius-Proxied-To == 127.0.0.1) {
+			if (outer.request:Chargeable-User-Identity) {
+				update outer.reply {
+					Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
+				}
+			}
+		}
+		else {
+			if (Chargeable-User-Identity) {
+				update reply {
+					Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
+				}
+			}
+		}
+	}
+
+	#
+	#  If there is a CUI attribute in the reply, add it to the DB.
+	#
+	cui_updatedb {
+		if (reply:Chargeable-User-Identity) {
+			cui
+		}
+	}
+
+	#
+	#  If we had stored a CUI for the User, add it to the request.
+	#
+	cui_accounting {
+		#
+		#  If the CUI isn't in the packet, see if we can find it
+		#  in the DB.
+		#
+		if (!Chargeable-User-Identity) {
+			update request {
+				Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+			}
+		}
+
+		#
+		#  If it exists now, then write out when we last saw
+		#  this CUI.
+		#
+		if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+			cui
+		}
+	}
+
+	#
+	#  Normalize the MAC Addresses in the Calling/Called-Station-Id
+	#
+	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
+
+	#  Add "rewrite.called_station_id" in the "authorize" and "preacct"
+	#  sections.
+	rewrite.called_station_id {
+		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
+			update request {
+				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+			}
+
+			# SSID component?
+			if ("%{8}") {
+				update request {
+					Called-Station-Id := "%{Called-Station-Id}:%{8}"
+				}
+			}
+			updated
+		}
+		else {
+			noop
+		}
+	}
+
+	#  Add "rewrite.calling_station_id" in the "authorize" and "preacct"
+	#  sections.
+	rewrite.calling_station_id {
+		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
+			update request {
+				Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+			}
+			updated
+		}
+		else {
+			noop
+		}
+	}
+
+	#  Assign compatibility data to request for sqlippool
+	dhcp_sqlippool.post-auth {
+
+
+		#  Do some minor hacks to the request so that it looks
+		#  like a RADIUS request to the SQL IP Pool module.
+		update request {
+			User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
+			Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
+			NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
+			Acct-Status-Type = Start
+		}
+
+		#  Call the actual module
+		#
+		#  Uncomment this in order to really call it!
+#		dhcp_sqlippool
+		fail
+
+		#  Convert Framed-IP-Address to DHCP, but only if we
+		#  actually allocated an address.
+		if (ok) {
+			update reply {
+				DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
+			}
+		}
+	}
+}

freeradius/config/tmp/freeradius/policy.txt

@@ -0,0 +1,185 @@
+#
+#	Sample of a policy language for rlm_policy.
+#
+#	This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
+#	The syntax is different, and the functionality is different.
+#
+
+#	As of 2.0.0, the new configuration "un-language" is better
+#	tested, has more features, and is better integrated into the
+#	server than the rlm_policy module.  rlm_policy is deprecated,
+#	and will likely be removed in a future release.
+#
+#	There is no documentation other than this file.
+#
+#	The syntax is odd, but it sort of works.
+#
+#	A number of sites are using it in production servers,
+#	so it appears to be stable.  However, we cannot answer
+#	questions about it, because we use "unlang", instead of
+#	this file.	
+#
+#	$Id: 1f62c55ae236dc9359764f4729f7ea4a8d36e2df $
+#
+#  Debugging statements
+#
+#debug print_tokens	# as we're parsing this file
+debug print_policy	# once the file has been parsed
+
+# Using this requires code edits to rlm_policy/evaluate.c
+#debug evaluate		# print limited information during evaluation
+
+#
+#  A named policy.
+#
+policy 3pm {
+if (Time-Of-Day < "15:00") {
+   #
+   #  The general form of edits to the attribute lists:
+   #
+   #   name s-operator {
+   #	    Attribute-Name = Value
+   #   }
+   #
+   #  name is: request, reply, control, proxy-request, proxy-reply
+   #
+   #  s-operator is operator for section, not attributes:
+   #
+   #		=	append, using operators from attributes
+   #		.=	append attributes, ignoring operators from attributes
+   #		^=	add to head of list
+   #		^==	add BEFORE matching attribute
+   #		^.	append
+   #		^.=	append BEFORE matching attribute
+   #		$=	add AFTER  (same as =)
+   #		$==	add AFTER matching attribute
+   #		$.	add after  (same as .=)
+   #		$.=	add after matching
+   #
+   #  If the above explanation confuses you, don't ask.  Try various
+   #  configurations to see what happens.  The results are difficult
+   #  to explain, but easy to understand once you see them in action.
+   #
+   #  The "matching attribute" text above refers to the syntax:
+   #
+   #   name s-operator (match) {
+   #	    Attribute-Name = Value
+   #   }
+   #
+   #  Where "match" is something like:	User-Name == "bob"
+   #
+   #  This lets you insert/edit/update attributes by selected
+   #  position, which can be useful.
+   #
+   reply .= {
+      # Use ARAP-Password for testing because it's an attribute
+      # no one cares about.
+      ARAP-Password = "< 15:00"
+   }
+}
+
+}
+
+#
+#  A named policy, executed during the "authorize" phase,
+#  because it's named "authorize". 
+#
+policy authorize {
+  if (CHAP-Password) {
+     if (!CHAP-Challenge) {
+        print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"
+
+        #
+        #  Append all attributes to the specified list.
+        #  The per-attribute operators MUST be '='
+        #
+        request .= {
+           CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
+        }
+     }
+
+     #
+     #  Use per-attribute operators to do override, replace, etc.
+     #  It's "control", not "check items", because "check items"
+     #  is a hold-over from the "users" file, and we no longer like that.
+     #
+     control = {
+     	  Auth-Type := CHAP
+     }
+  }
+
+#
+#  This could just as well be "%{ldap: query...}" =~ ...
+#
+#  if ("%{User-Name}" =~ "^(b)") {
+#     reply .= {
+#	   Arap-Password = "Hello, %{1}"
+#     }
+#  }
+
+  #
+  #  Execute "3pm", as if it was in-line here.
+  #
+#  call 3pm
+}
+
+######################################################################
+#
+#  The following entries are for example purposes only.
+#
+
+#  Insert the attribute at the top of the list.
+#
+#reply ^= {
+#  Attribute1 += "Value1"
+#}
+
+
+#  Insert attribute1 before Attribute2 if found, otherwise it behaves 
+#  like ^=
+#reply ^== ( Attribute2 == "Value2" ) {
+#	Attribute1 += "Value1"
+#}
+
+# ^. and ^.= have the same difference as .= and =
+# namely they append the attribute list instead of looking at the
+# attribute operators.
+#
+# Otherwise they are the same.
+
+#  Motivation:
+#
+#  Cisco NAS's will kick users who assign a VRF after assigning an IP 
+#  address. The VRF must come first.
+#
+#  A sample policy to fix this is:
+#
+policy add_inter_vrf {
+	#
+	#	If there's a matching lcp:...,
+	#	then add the vrf entry before it.
+	#
+	reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
+		Cisco-Avpair    += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
+	}
+
+	#
+	#	If there's no ip address thingy,
+	#	add ip unnumbered after the vrf stuff.
+	#
+	if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
+	        reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
+        		Cisco-Avpair    += "lcp:interface-config=ip unnumbered l10"
+	        }
+	}
+
+	#
+	#	No IP address assigned through RADIUS, tell the Cisco
+	#	NAS to assign it from it's own private IP pool.
+	#
+	if (!reply:Framed-IP-Address =* "") {
+		reply = {
+                	Cisco-Avpair    += "ip:addr-pool=privatepool"
+		}
+	}
+}

freeradius/config/tmp/freeradius/preproxy_users

@@ -0,0 +1,31 @@
+#
+#  Configuration file for the rlm_files module.
+#  Please see rlm_files(5) manpage for more information.
+#
+#  $Id: 0f5d15ad8b2e96a4d65808ac949793aab5c1c639 $
+#
+#  This file is similar to the "users" file.  The check items
+#  are compared against the request, but the "reply" items are
+#  used to update the proxied packet, not the reply to the NAS.
+#
+#  You can use this file to re-write requests which are about to
+#  be sent to a home server.
+#
+
+#
+#  Requests destinated to realm "extisp" are sent to a RADIUS
+#  home server hosted by an other company which doesn't know about
+#  the IP addresses of our NASes. Therefore we replace the value of
+#  the NAS-IP-Address attribute by a unique value we communicated
+#  to them.
+#
+#DEFAULT Realm == "extisp"
+#	NAS-IP-Address := 10.1.2.3
+
+#
+#  For all proxied packets, set the User-Name in the proxied packet
+#  to the Stripped-User-Name, if it exists.  If not, set it to the
+#  User-Name from the original request.
+#
+#DEFAULT
+#	User-Name := `%{Stripped-User-Name:-%{User-Name}}`

freeradius/config/tmp/freeradius/proxy.conf

@@ -0,0 +1,759 @@
+# -*- text -*-
+##
+## proxy.conf -- proxy radius and realm configuration directives
+##
+##	$Id: 413fc1438f266669a8e8913307f465da190c1ce8 $
+
+#######################################################################
+#
+#  Proxy server configuration
+#
+#  This entry controls the servers behaviour towards ALL other servers
+#  to which it sends proxy requests.
+#
+proxy server {
+	#
+	#  Note that as of 2.0, the "synchronous", "retry_delay",
+	#  "retry_count", and "dead_time" have all been deprecated.
+	#  For backwards compatibility, they are are still accepted
+	#  by the server, but they ONLY apply to the old-style realm
+	#  configuration.  i.e. realms with "authhost" and/or "accthost"
+	#  entries.
+	#
+	#  i.e. "retry_delay" and "retry_count" have been replaced
+	#  with per-home-server configuration.  See the "home_server"
+	#  example below for details.
+	#
+	#  i.e. "dead_time" has been replaced with a per-home-server
+	#  "revive_interval".  We strongly recommend that this not
+	#  be used, however.  The new method is much better.
+
+	#
+	#  In 2.0, the server is always "synchronous", and setting
+	#  "synchronous = no" is impossible.  This simplifies the
+	#  server and increases the stability of the network.
+	#  However, it means that the server (i.e. proxy) NEVER
+	#  originates packets.  It proxies packets ONLY when it receives
+	#  a packet or a re-transmission from the NAS.  If the NAS never
+	#  re-transmits, the proxy never re-transmits, either.  This can
+	#  affect fail-over, where a packet does *not* fail over to a
+	#  second home server.. because the NAS never retransmits the
+	#  packet.
+	#
+	#  If you need to set "synchronous = no", please send a
+	#  message to the list <freeradius-users@lists.freeradius.org>
+	#  explaining why this feature is vital for your network.
+
+	#
+	#  If a realm exists, but there are no live home servers for
+	#  it, we can fall back to using the "DEFAULT" realm.  This is
+	#  most useful for accounting, where the server can proxy
+	#  accounting requests to home servers, but if they're down,
+	#  use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
+	#  and then store the packets in the "detail" file.  That data
+	#  can be later proxied to the home servers by radrelay, when
+	#  those home servers come back up again.	
+
+	#  Setting this to "yes" may have issues for authentication.
+	#  i.e. If you are proxying for two different ISP's, and then
+	#  act as a general dial-up for Gric.  If one of the first two
+	#  ISP's has their RADIUS server go down, you do NOT want to
+	#  proxy those requests to GRIC.  Instead, you probably want
+	#  to just drop the requests on the floor.  In that case, set
+	#  this value to 'no'.
+	#
+	#  allowed values: {yes, no}
+	#
+	default_fallback = no
+
+}
+
+#######################################################################
+#
+#  Configuration for the proxy realms.
+#
+#  As of 2.0. the old-style "realms" file is deprecated, and is not
+#  used by FreeRADIUS.
+#
+#  As of 2.0, the "realm" configuration has changed.  Instead of
+#  specifying "authhost" and "accthost" in a realm section, the home
+#  servers are specified seperately in a "home_server" section.  For
+#  backwards compatibility, you can still use the "authhost" and
+#  "accthost" directives.  If you only have one home server for a
+#  realm, it is easier to use the old-style configuration.
+#
+#  However, if you have multiple servers for a realm, we STRONGLY
+#  suggest moving to the new-style configuration.
+#
+#
+#  Load-balancing and failover between home servers is handled via
+#  a "home_server_pool" section.
+#
+#  Finally, The "realm" section defines the realm, some options, and
+#  indicates which server pool should be used for the realm.
+#
+#  This change means that simple configurations now require multiple
+#  sections to define a realm.  However, complex configurations
+#  are much simpler than before, as multiple realms can share the same
+#  server pool.
+#
+#  That is, realms point to server pools, and server pools point to
+#  home servers.  Multiple realms can point to one server pool.  One
+#  server pool can point to multiple home servers.  Each home server
+#  can appear in one or more pools.
+#
+
+######################################################################
+#
+#  This section defines a "Home Server" which is another RADIUS
+#  server that gets sent proxied requests.  In earlier versions
+#  of FreeRADIUS, home servers were defined in "realm" sections,
+#  which was awkward.  In 2.0, they have been made independent
+#  from realms, which is better for a number of reasons.
+#
+home_server localhost {
+	#
+	#  Home servers can be sent Access-Request packets
+	#  or Accounting-Request packets.
+	#
+	#  Allowed values are:
+	#	auth	  - Handles Access-Request packets
+	#	acct	  - Handles Accounting-Request packets
+	#	auth+acct - Handles Access-Request packets at "port",
+	#		    and Accounting-Request packets at "port + 1"
+	#	coa	  - Handles CoA-Request and Disconnect-Request packets.
+	#		    See also raddb/sites-available/originate-coa
+	type = auth
+
+	#
+	#  Configure ONE OF the following entries:
+	#
+	#	IPv4 address
+	#
+	ipaddr = 127.0.0.1
+
+	#	OR IPv6 address
+	# ipv6addr = ::1
+
+	#	OR virtual server	
+	# virtual_server = foo
+
+	#	Note that while both ipaddr and ipv6addr will accept
+	#	both addresses and host names, we do NOT recommend
+	#	using host names.  When you specify a host name, the
+	#	server has to do a DNS lookup to find the IP address
+	#	of the home server.  If the DNS server is slow or
+	#	unresponsive, it means that FreeRADIUS will NOT be
+	#	able to determine the address, and will therefore NOT
+	#	start.
+	#
+	#	Also, the mapping of host name to address is done ONCE
+	#	when the server starts.  If DNS is later updated to
+	#	change the address, FreeRADIUS will NOT discover that
+	#	until after a re-start, or a HUP.
+	#
+	#	If you specify a virtual_server here, then requests
+	#	will be proxied internally to that virtual server.
+	#	These requests CANNOT be proxied again, however.  The
+	#	intent is to have the local server handle packets
+	#	when all home servers are dead.
+	#
+	#	Requests proxied to a virtual server will be passed
+	#	through the pre-proxy and post-proxy sections, just
+	#	like any other request.  See also the sample "realm"
+	#	configuration, below.
+	#
+	#	None of the rest of the home_server configuration is used
+	#	for the "virtual_server" configuration.
+
+	#
+	#  The port to which packets are sent.
+	#
+	#  Usually 1812 for type "auth", and  1813 for type "acct".
+	#  Older servers may use 1645 and 1646.
+	#  Use 3799 for type "coa"
+	#
+	port = 1812
+
+	#
+	#  The shared secret use to "encrypt" and "sign" packets between
+	#  FreeRADIUS and the home server.
+	#
+	#  The secret can be any string, up to 8k characters in length.
+	#
+	#  Control codes can be entered vi octal encoding,
+	#	e.g. "\101\102" == "AB"
+	#  Quotation marks can be entered by escaping them,
+	#	e.g. "foo\"bar"
+	#  Spaces or other "special" characters can be entered
+	#  by putting quotes around the string.
+	#	e.g. "foo bar"
+	#	     "foo;bar"
+	#
+	secret = testing123
+
+	############################################################
+	#
+	#  The rest of the configuration items listed here are optional,
+	#  and do not have to appear in every home server definition.
+	#
+	############################################################
+
+	#
+	#  You can optionally specify the source IP address used when
+	#  proxying requests to this home server.  When the src_ipaddr
+	#  it set, the server will automatically create a proxy
+	#  listener for that IP address.
+	#
+	#  If you specify this field for one home server, you will
+	#  likely need to specify it for ALL home servers.
+	#
+	#  If you don't care about the source IP address, leave this
+	#  entry commented.
+	#
+#	src_ipaddr = 127.0.0.1
+
+	#  RFC 5080 suggests that all clients SHOULD include it in an
+	#  Access-Request.  The configuration item below tells the
+	#  proxying server (i.e. this one) whether or not the home
+	#  server requires a Message-Authenticator attribute.  If it
+	#  is required (value set to "yes"), then all Access-Request
+	#  packets sent to that home server will have a
+	#  Message-Authenticator attribute.
+	#
+	#  We STRONGLY recommend that this flag be set to "yes"
+	#  for ALL home servers.  Doing so will have no performance
+	#  impact on the proxy or on the home servers.  It will,
+	#  however, allow administrators to detect problems earlier.
+	#
+	#  allowed values: yes, no
+	require_message_authenticator = yes
+
+	#
+	#  If the home server does not respond to a request within
+	#  this time, this server will initiate "zombie_period".
+	#
+	#  The response window is large because responses MAY be slow,
+	#  especially when proxying across the Internet.
+	#
+	#  Useful range of values: 5 to 60
+	response_window = 20
+
+	#
+	#  If you want the old behavior of the server rejecting
+	#  proxied requests after "response_window" timeout, set
+	#  the following configuration item to "yes".
+	#
+	#  This configuration WILL be removed in a future release
+	#  If you believe you need it, email the freeradius-users
+	#  list, and explain why it should stay in the server.
+	#
+#	no_response_fail = no
+
+	#
+	#  If the home server does not respond to ANY packets during
+	#  the "zombie period", it will be considered to be dead.
+	#
+	#  A home server that is marked "zombie" will be used for
+	#  proxying as a low priority.  If there are live servers,
+	#  they will always be preferred to a zombie.  Requests will
+	#  be proxied to a zombie server ONLY when there are no
+	#  live servers.
+	#
+	#  Any request that is proxied to a home server will continue
+	#  to be sent to that home server until the home server is
+	#  marked dead.  At that point, it will fail over to another
+	#  server, if a live server is available.  If none is available,
+	#  then the "post-proxy-type fail" handler will be called.
+	#
+	#  If "status_check" below is something other than "none", then
+	#  the server will start sending status checks at the start of
+	#  the zombie period.  It will continue sending status checks
+	#  until the home server is marked "alive".
+	#
+	#  Useful range of values: 20 to 120
+	zombie_period = 40
+
+	############################################################
+	#
+	#  As of 2.0, FreeRADIUS supports RADIUS layer "status
+	#  checks".  These are used by a proxy server to see if a home
+	#  server is alive.
+	#
+	#  These status packets are sent ONLY if the proxying server
+	#  believes that the home server is dead.  They are NOT sent
+	#  if the proxying server believes that the home server is
+	#  alive.  They are NOT sent if the proxying server is not
+	#  proxying packets.
+	#
+	#  If the home server responds to the status check packet,
+	#  then it is marked alive again, and is returned to use.
+	#
+	############################################################
+
+	#
+	#  Some home servers do not support status checks via the
+	#  Status-Server packet.  Others may not have a "test" user
+	#  configured that can be used to query the server, to see if
+	#  it is alive.  For those servers, we have NO WAY of knowing
+	#  when it becomes alive again.  Therefore, after the server
+	#  has been marked dead, we wait a period of time, and mark
+	#  it alive again, in the hope that it has come back to
+	#  life.
+	#
+	#  If it has NOT come back to life, then FreeRADIUS will wait
+	#  for "zombie_period" before marking it dead again.  During
+	#  the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
+	#  the home server is still dead.  There is NOTHING that can
+	#  be done about this, other than to enable the status checks,
+	#  as documented below.
+	#
+	#  e.g. if "zombie_period" is 40 seconds, and "revive_interval"
+	#  is 300 seconds, the for 40 seconds out of every 340, or about
+	#  10% of the time, all authentications will fail.
+	#
+	#  If the "zombie_period" and "revive_interval" configurations
+	#  are set smaller, than it is possible for up to 50% of
+	#  authentications to fail.
+	#
+	#  As a result, we recommend enabling status checks, and
+	#  we do NOT recommend using "revive_interval".
+	#
+	#  The "revive_interval" is used ONLY if the "status_check"
+	#  entry below is "none".  Otherwise, it will not be used,
+	#  and should be deleted.
+	#
+	#  Useful range of values: 60 to 3600
+	revive_interval = 120
+
+	#
+	#  The proxying server (i.e. this one) can do periodic status
+	#  checks to see if a dead home server has come back alive.
+	#
+	#  If set to "none", then the other configuration items listed
+	#  below are not used, and the "revive_interval" time is used
+	#  instead.
+	#
+	#  If set to "status-server", the Status-Server packets are
+	#  sent.  Many RADIUS servers support Status-Server.  If a
+	#  server does not support it, please contact the server
+	#  vendor and request that they add it.
+	#
+	#  If set to "request", then Access-Request, or Accounting-Request
+	#  packets are sent, depending on the "type" entry above (auth/acct).
+	#  
+	#  Allowed values: none, status-server, request
+	status_check = status-server
+
+	#
+	#  If the home server does not support Status-Server packets,
+	#  then the server can still send Access-Request or
+	#  Accounting-Request packets, with a pre-defined user name.
+	#
+	#  This practice is NOT recommended, as it may potentially let
+	#  users gain network access by using these "test" accounts!
+	#
+	#  If it is used, we recommend that the home server ALWAYS
+	#  respond to these Access-Request status checks with
+	#  Access-Reject.  The status check just needs an answer, it
+	#  does not need an Access-Accept.
+	#
+	#  For Accounting-Request status checks, only the username
+	#  needs to be set.  The rest of the accounting attribute are
+	#  set to default values.  The home server that receives these
+	#  accounting packets SHOULD NOT treat them like normal user
+	#  accounting packets.  i.e It should probably NOT log them to
+	#  a database.
+	#
+	# username = "test_user_please_reject_me"
+	# password = "this is really secret"
+
+	#
+	#  Configure the interval between sending status check packets.
+	#
+	#  Setting it too low increases the probability of spurious
+	#  fail-over and fallback attempts.
+	#
+	#  Useful range of values: 6 to 120
+	check_interval = 30
+
+	#
+	#  Configure the number of status checks in a row that the
+	#  home server needs to respond to before it is marked alive.
+	#
+	#  If you want to mark a home server as alive after a short
+	#  time period of being responsive, it is best to use a small
+	#  "check_interval", and a large value for
+	#  "num_answers_to_alive".  Using a long "check_interval" and
+	#  a small number for "num_answers_to_alive" increases the
+	#  probability of spurious fail-over and fallback attempts.
+	#
+	#  Useful range of values: 3 to 10
+	num_answers_to_alive = 3
+
+	#
+	#  Limit the total number of outstanding packets to the home
+	#  server.
+	#
+	#  if ((#request sent) - (#requests received)) > max_outstanding
+	#	then stop sending more packets to the home server
+	#
+	#  This lets us gracefully fall over when the home server
+	#  is overloaded.
+	max_outstanding = 65536
+
+	#
+	#  The configuration items in the next sub-section are used ONLY
+	#  when "type = coa".  It is ignored for all other type of home
+	#  servers.
+	#
+	#  See RFC 5080 for the definitions of the following terms.
+	#  RAND is a function (internal to FreeRADIUS) returning
+	#  random numbers between -0.1 and +0.1
+	#
+	#  First Re-transmit occurs after:
+	#
+	#	 RT = IRT + RAND*IRT
+	#
+	#  Subsequent Re-transmits occur after:
+	#
+	#	RT = 2 * RTprev + RAND * RTprev
+	#
+	#  Re-trasnmits are capped at:
+	#
+	#	if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
+	#
+	#  For a maximum number of attempts: MRC
+	#
+	#  For a maximum (total) period of time: MRD.
+	#
+	coa {
+		# Initial retransmit interval: 1..5
+		irt = 2
+
+		# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
+		mrt = 16
+
+		# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
+		mrc = 5
+
+		# Maximum Retransmit Duration: 5..60
+		mrd = 30
+	}
+}
+
+# Sample virtual home server.
+# 
+#
+#home_server virtual.example.com {
+#	    virtual_server = virtual.example.com
+#}
+
+######################################################################
+#
+#  This section defines a pool of home servers that is used
+#  for fail-over and load-balancing.  In earlier versions of
+#  FreeRADIUS, fail-over and load-balancing were defined per-realm.
+#  As a result, if a server had 5 home servers, each of which served
+#  the same 10 realms, you would need 50 "realm" entries.
+#
+#  In version 2.0, you would need 5 "home_server" sections,
+#  10 'realm" sections, and one "home_server_pool" section to tie the
+#  two together.
+#
+home_server_pool my_auth_failover {
+	#
+	#  The type of this pool controls how home servers are chosen.
+	#
+	#  fail-over - the request is sent to the first live
+	#  	home server in the list.  i.e. If the first home server
+	#	is marked "dead", the second one is chosen, etc.
+	#
+	#  load-balance - the least busy home server is chosen,
+	#	where "least busy" is counted by taking the number of
+	#	requests sent to that home server, and subtracting the
+	#	number of responses received from that home server.
+	#
+	#	If there are two or more servers with the same low
+	#	load, then one of those servers is chosen at random.
+	#	This configuration is most similar to the old
+	#	"round-robin" method, though it is not exactly the same.
+	#
+	#	Note that load balancing does not work well with EAP,
+	#	as EAP requires packets for an EAP conversation to be
+	#	sent to the same home server.  The load balancing method
+	#	does not keep state in between packets, meaning that
+	#	EAP packets for the same conversation may be sent to
+	#	different home servers.  This will prevent EAP from
+	#	working.
+	#
+	#	For non-EAP authentication methods, and for accounting
+	#	packets, we recommend using "load-balance".  It will
+	#	ensure the highest availability for your network.
+	#
+	#  client-balance - the home server is chosen by hashing the
+	#	source IP address of the packet.  If that home server
+	#	is down, the next one in the list is used, just as
+	#	with "fail-over".
+	#
+	#	There is no way of predicting which source IP will map
+	#	to which home server.
+	#
+	#	This configuration is most useful to do simple load
+	#	balancing for EAP sessions, as the EAP session will
+	#	always be sent to the same home server.
+	#
+	#  client-port-balance - the home server is chosen by hashing
+	#	the source IP address and source port of the packet.
+	#	If that home server is down, the next one in the list
+	#	is used, just as with "fail-over".
+	#
+	#	This method provides slightly better load balancing
+	#	for EAP sessions than "client-balance".  However, it
+	#	also means that authentication and accounting packets
+	#	for the same session MAY go to different home servers.
+	#
+	#  keyed-balance - the home server is chosen by hashing (FNV)
+	#	the contents of the Load-Balance-Key attribute from the
+	#	control items.  The  request is then sent to home server
+	#	chosen by taking:
+	#
+	#		server = (hash % num_servers_in_pool).
+	#
+	#	If there is no Load-Balance-Key in the control items,
+	#	the load balancing method is identical to "load-balance".
+	#
+	#	For most non-EAP authentication methods, The User-Name
+	#	attribute provides a good key.  An "unlang" policy can
+	#	be used to copy the User-Name to the Load-Balance-Key
+	#	attribute.  This method may not work for EAP sessions,
+	#	as the User-Name outside of the TLS tunnel is often
+	#	static, e.g. "anonymous@realm".
+	#
+	#
+	#  The default type is fail-over.
+	type = fail-over
+
+	#
+	#  A virtual_server may be specified here.  If so, the
+	#  "pre-proxy" and "post-proxy" sections are called when
+	#  the request is proxied, and when a response is received.
+	#
+	#  This lets you have one policy for all requests that are proxied
+	#  to a home server.  This policy is completely independent of
+	#  any policies used to receive, or process the request.
+	#
+	#virtual_server = pre_post_proxy_for_pool
+
+	#
+	#  Next, a list of one or more home servers.  The names
+	#  of the home servers are NOT the hostnames, but the names
+	#  of the sections.  (e.g. home_server foo {...} has name "foo".
+	#
+	#  Note that ALL home servers listed here have to be of the same
+	#  type.  i.e. they all have to be "auth", or they all have to
+	#  be "acct", or the all have to be "auth+acct".
+	#
+	home_server = localhost
+
+	#  Additional home servers can be listed.
+	#  There is NO LIMIT to the number of home servers that can
+	#  be listed, though using more than 10 or so will become
+	#  difficult to manage.
+	#
+	# home_server = foo.example.com
+	# home_server = bar.example.com
+	# home_server = baz.example.com
+	# home_server = ...
+
+
+	#
+	#  If ALL home servers are dead, then this "fallback" home server
+	#  is used.  If set, it takes precedence over any realm-based
+	#  fallback, such as the DEFAULT realm.
+	#
+	#  For reasons of stability, this home server SHOULD be a virtual
+	#  server.  Otherwise, the fallback may itself be dead!
+	#
+	#fallback = virtual.example.com
+}
+
+######################################################################
+#
+#
+#  This section defines a new-style "realm".  Note the in version 2.0,
+#  there are many fewer configuration items than in 1.x for a realm.
+#
+#  Automatic proxying is done via the "realms" module (see "man
+#  rlm_realm").  To manually proxy the request put this entry in the
+#  "users" file:
+
+#
+#
+#DEFAULT	Proxy-To-Realm := "realm_name"
+#
+#
+realm example.com {
+	#
+	#  Realms point to pools of home servers.
+#
+	#  For authentication, the "auth_pool" configuration item
+	#  should point to a "home_server_pool" that was previously
+	#  defined.  All of the home servers in the "auth_pool" must
+	#  be of type "auth".
+	#
+	#  For accounting, the "acct_pool" configuration item
+	#  should point to a "home_server_pool" that was previously
+	#  defined.  All of the home servers in the "acct_pool" must
+	#  be of type "acct".
+	#
+	#  If you have a "home_server_pool" where all of the home servers
+	#  are of type "auth+acct", you can just use the "pool"
+	#  configuration item, instead of specifying both "auth_pool"
+	#  and "acct_pool".
+
+	auth_pool = my_auth_failover
+#	acct_pool = acct
+
+	#
+	#  Normally, when an incoming User-Name is matched against the
+	#  realm, the realm name is "stripped" off, and the "stripped"
+	#  user name is used to perform matches.
+	#
+	#  e.g. User-Name = "bob@example.com" will result in two new
+	#  attributes being created by the "realms" module:
+	#
+	#	Stripped-User-Name = "bob"
+	#	Realm = "example.com"
+	#
+	#  The Stripped-User-Name is then used as a key in the "users"
+	#  file, for example.
+	#
+	#  If you do not want this to happen, uncomment "nostrip" below.
+	#
+	# nostrip
+
+	#  There are no more configuration entries for a realm.
+}
+
+
+#
+#  This is a sample entry for iPass.
+#  Note that you have to define "ipass_auth_pool" and
+#  "ipass_acct_pool", along with home_servers for them, too.
+#
+#realm IPASS {
+#	nostrip
+#
+#	auth_pool = ipass_auth_pool
+#	acct_pool = ipass_acct_pool
+#}
+
+#
+#  This realm is used mainly to cancel proxying.  You can have
+#  the "realm suffix" module configured to proxy all requests for
+#  a realm, and then later cancel the proxying, based on other
+#  configuration.
+#
+#  For example, you want to terminate PEAP or EAP-TTLS locally,
+#  you can add the following to the "users" file:
+#
+#  DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
+#
+realm LOCAL {
+	#  If we do not specify a server pool, the realm is LOCAL, and
+	#  requests are not proxied to it.
+}
+
+#
+#  This realm is for requests which don't have an explicit realm
+#  prefix or suffix.  User names like "bob" will match this one.
+#
+#realm NULL {
+#	authhost	= radius.company.com:1600
+#	accthost	= radius.company.com:1601
+#	secret		= testing123
+#}
+
+#
+#  This realm is for ALL OTHER requests.
+#
+#realm DEFAULT {
+#	authhost	= radius.company.com:1600
+#	accthost	= radius.company.com:1601
+#	secret		= testing123
+#}
+
+
+#  This realm "proxies" requests internally to a virtual server.
+#  The pre-proxy and post-proxy sections are run just as with any
+#  other kind of home server.  The virtual server then receives
+#  the request, and replies, just as with any other packet.
+#
+#  Once proxied internally like this, the request CANNOT be proxied
+#  internally or externally.
+#
+#realm virtual.example.com {
+#	virtual_server = virtual.example.com
+#}
+#
+
+#
+#  Regular expressions may also be used as realm names.  If these are used,
+#  then the "find matching realm" process is as follows:
+#
+#    1) Look for a non-regex realm with an *exact* match for the name.
+#       If found, it is used in preference to any regex matching realm.
+#
+#    2) Look for a regex realm, in the order that they are listed
+#       in the configuration files.  Any regex match is performed in
+#	a case-insensitive fashion.
+#
+#    3) If no realm is found, return the DEFAULT realm, if any.
+#
+#  The order of the realms matters in step (2).  For example, defining
+#  two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in
+#  the second realm NEVER matching.  This is because all of the realms
+#  which match the second regex also match the first one.  Since the
+#  first regex matches, it is returned.
+#
+#  The solution is to list the realms in the opposite order,. e.g.
+#  ".*\.test\.example.net$", followed by ".*\.example\.net$".
+#
+#
+#  Some helpful rules:
+#
+#   - always place a '~' character at the start of the realm name.
+#     This signifies that it is a regex match, and not an exact match
+#     for the realm.
+#
+#   - place the regex in double quotes.  This helps the configuration
+#     file parser ignore any "special" characters in the regex.
+#     Yes, this rule is different than the normal "unlang" rules for
+#     regular expressions.  That may be fixed in a future release.
+#
+#   - use two back-slashes '\\' whenever you need one backslash in the
+#     regex.  e.g. "~.*\\.example\\.net$", and not "~\.example\.net$".
+#     This is because the regex is in a double-quoted string, and normal
+#     rules apply for double-quoted strings.
+#
+#   - If you are matching domain names, use two backslashes in front of
+#     every '.' (dot or period).  This is because '.' has special meaning
+#     in a regular expression: match any character.  If you do not do this,
+#     then "~.*.example.net$" will match "fooXexampleYnet", which is likely
+#     not what you want
+#
+#   - If you are matching domain names, put a '$' at the end of the regex
+#     that matches the domain name.  This tells the regex matching code
+#     that the realm ENDS with the domain name, so it does not match
+#     realms with the domain name in the middle.  e.g. "~.*\\.example\\.net"
+#     will match "test.example.netFOO", which is likely not what you want.
+#     Using "~(.*\\.)example\\.net$" is better.
+#
+#  The more regex realms that are defined, the more time it takes to
+#  process them.  You should define as few regex realms as possible
+#  in order to maximize server performance.
+#
+#realm "~(.*\\.)*example\\.net$" {
+#      auth_pool = my_auth_failover
+#}

freeradius/config/tmp/freeradius/radiusd.conf

@@ -0,0 +1,865 @@
+# -*- text -*-
+##
+## radiusd.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	$Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $
+##
+
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.
+#
+#	Run the server in debugging mode, and READ the output.
+#
+#		$ radiusd -X
+#
+#	We cannot emphasize this point strongly enough.  The vast
+#	majority of problems can be solved by carefully reading the
+#	debugging output, which includes warnings about common issues,
+#	and suggestions for how they may be fixed.
+#
+#	There may be a lot of output, but look carefully for words like:
+#	"warning", "error", "reject", or "failure".  The messages there
+#	will usually be enough to guide you to a solution.
+#
+#	If you are going to ask a question on the mailing list, then
+#	explain what you are trying to do, and include the output from
+#	debugging mode (radiusd -X).  Failure to do so means that all
+#	of the responses to your question will be people telling you
+#	to "post the output of radiusd -X".
+
+######################################################################
+#
+#  	The location of other config files and logfiles are declared
+#  	in this file.
+#
+#  	Also general configuration for modules can be done in this
+#  	file, it is exported through the API to modules that ask for
+#  	it.
+#
+#	See "man radiusd.conf" for documentation on the format of this
+#	file.  Note that the individual configuration items are NOT
+#	documented in that "man" page.  They are only documented here,
+#	in the comments.
+#
+#	As of 2.0.0, FreeRADIUS supports a simple processing language
+#	in the "authorize", "authenticate", "accounting", etc. sections.
+#	See "man unlang" for details.
+#
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = ${logdir}/radacct
+
+#
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+#   This should be automatically set at configuration time.
+#
+#   If the server builds and installs, but fails at execution time
+#   with an 'undefined symbol' error, then you can use the libdir
+#   directive to work around the problem.
+#
+#   The cause is usually that a library has been installed on your
+#   system in a place where the dynamic linker CANNOT find it.  When
+#   executing as root (or another user), your personal environment MAY
+#   be set up to allow the dynamic linker to find the library.  When
+#   executing as a daemon, FreeRADIUS MAY NOT have the same
+#   personalized configuration.
+#
+#   To work around the problem, find out which library contains that symbol,
+#   and add the directory containing that library to the end of 'libdir',
+#   with a colon separating the directory names.  NO spaces are allowed.
+#
+#   e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+#   You can also try setting the LD_LIBRARY_PATH environment variable
+#   in a script which starts the server.
+#
+#   If that does not work, then you can re-configure and re-build the
+#   server to NOT use shared libraries, via:
+#
+#	./configure --disable-shared
+#	make
+#	make install
+#
+libdir = /usr/lib/freeradius
+
+#  pidfile: Where to place the PID of the RADIUS server.
+#
+#  The server may be signalled while it's running by using this
+#  file.
+#
+#  This file is written when ONLY running in daemon mode.
+#
+#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+#  chroot: directory where the server does "chroot".
+#
+#  The chroot is done very early in the process of starting the server.
+#  After the chroot has been performed it switches to the "user" listed
+#  below (which MUST be specified).  If "group" is specified, it switchs
+#  to that group, too.  Any other groups listed for the specified "user"
+#  in "/etc/group" are also added as part of this process.
+#
+#  The current working directory (chdir / cd) is left *outside* of the
+#  chroot until all of the modules have been initialized.  This allows
+#  the "raddb" directory to be left outside of the chroot.  Once the
+#  modules have been initialized, it does a "chdir" to ${logdir}.  This
+#  means that it should be impossible to break out of the chroot.
+#
+#  If you are worried about security issues related to this use of chdir,
+#  then simply ensure that the "raddb" directory is inside of the chroot,
+#  end be sure to do "cd raddb" BEFORE starting the server.
+#
+#  If the server is statically linked, then the only files that have
+#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
+#  "cd raddb" as discussed above, then the "raddb" directory has to be
+#  inside of the chroot directory, too.
+#
+#chroot = /path/to/chroot/directory
+
+# user/group: The name (or #number) of the user/group to run radiusd as.
+#
+#   If these are commented out, the server will run as the user/group
+#   that started it.  In order to change to a different user/group, you
+#   MUST be root ( or have root privleges ) to start the server.
+#
+#   We STRONGLY recommend that you run the server with as few permissions
+#   as possible.  That is, if you're not using shadow passwords, the
+#   user and group items below should be set to radius'.
+#
+#  NOTE that some kernels refuse to setgid(group) when the value of
+#  (unsigned)group is above 60000; don't use group nobody on these systems!
+#
+#  On systems with shadow passwords, you might have to set 'group = shadow'
+#  for the server to be able to read the shadow password file.  If you can
+#  authenticate users while in debug mode, but not in daemon mode, it may be
+#  that the debugging mode server is running as a user that can read the
+#  shadow info, and the user listed below can not.
+#
+#  The server will also try to use "initgroups" to read /etc/groups.
+#  It will join all groups where "user" is a member.  This can allow
+#  for some finer-grained access controls.
+#
+user = freerad
+group = freerad
+
+#  panic_action: Command to execute if the server dies unexpectedly.
+#
+#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+#  The panic action is a command which will be executed if the server
+#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+#  SIGABRT or SIGFPE.
+#
+#  This can be used to start an interactive debugging session so
+#  that information regarding the current state of the server can
+#  be acquired.
+#
+#  The following string substitutions are available:
+#  - %e   The currently executing program e.g. /sbin/radiusd
+#  - %p   The PID of the currently executing program e.g. 12345
+#
+#  Standard ${} substitutions are also allowed.
+#
+#  An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+#  Again, don't use that on a production system.
+#
+#  An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
+#
+#  That command can be used on a production system.
+#
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+#
+#  Requests which take more time than this to process may be killed, and
+#  a REJECT message is returned.
+#
+#  WARNING: If you notice that requests take a long time to be handled,
+#  then this MAY INDICATE a bug in the server, in one of the modules
+#  used to handle a request, OR in your local configuration.
+#
+#  This problem is most often seen when using an SQL database.  If it takes
+#  more than a second or two to receive an answer from the SQL database,
+#  then it probably means that you haven't indexed the database.  See your
+#  SQL server documentation for more information.
+#
+#  Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+#  a reply which was sent to the NAS.
+#
+#  The RADIUS request is normally cached internally for a short period
+#  of time, after the reply is sent to the NAS.  The reply packet may be
+#  lost in the network, and the NAS will not see it.  The NAS will then
+#  re-send the request, and the server will respond quickly with the
+#  cached reply.
+#
+#  If this value is set too low, then duplicate requests from the NAS
+#  MAY NOT be detected, and will instead be handled as seperate requests.
+#
+#  If this value is set too high, then the server will cache too many
+#  requests, and some new requests may get blocked.  (See 'max_requests'.)
+#
+#  Useful range of values: 2 to 10
+#
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+#  track of.  This should be 256 multiplied by the number of clients.
+#  e.g. With 4 clients, this number should be 1024.
+#
+#  If this number is too low, then when the server becomes busy,
+#  it will not respond to any new requests, until the 'cleanup_delay'
+#  time has passed, and it has removed the old requests.
+#
+#  If this number is set too high, then the server will use a bit more
+#  memory for no real benefit.
+#
+#  If you aren't sure what it should be set to, it's better to set it
+#  too high than too low.  Setting it to 1000 per client is probably
+#  the highest it should be.
+#
+#  Useful range of values: 256 to infinity
+#
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+#  replies out from that address. This directive is most useful for
+#  hosts with multiple IP addresses on one interface.
+#
+#  If you want the server to listen on additional addresses, or on
+#  additionnal ports, you can use multiple "listen" sections.
+#
+#  Each section make the server listen for only one type of packet,
+#  therefore authentication and accounting have to be configured in
+#  different sections.
+#
+#  The server ignore all "listen" section if you are using '-i' and '-p'
+#  on the command line.
+#
+listen {
+	#  Type of packets to listen for.
+	#  Allowed values are:
+	#	auth	listen for authentication packets
+	#	acct	listen for accounting packets
+	#	proxy   IP to use for sending proxied packets
+	#	detail  Read from the detail file.  For examples, see
+	#               raddb/sites-available/copy-acct-to-home-server
+	#	status  listen for Status-Server packets.  For examples,
+	#		see raddb/sites-available/status
+	#	coa     listen for CoA-Request and Disconnect-Request
+	#		packets.  For examples, see the file
+	#		raddb/sites-available/coa
+	#
+	type = auth
+
+	#  Note: "type = proxy" lets you control the source IP used for
+	#        proxying packets, with some limitations:
+	#
+	#    * A proxy listener CANNOT be used in a virtual server section.
+	#    * You should probably set "port = 0".
+	#    * Any "clients" configuration will be ignored.
+	#
+	#  See also proxy.conf, and the "src_ipaddr" configuration entry
+	#  in the sample "home_server" section.  When you specify the
+	#  source IP address for packets sent to a home server, the
+	#  proxy listeners are automatically created.
+
+	#  IP address on which to listen.
+	#  Allowed values are:
+	#	dotted quad (1.2.3.4)
+	#       hostname    (radius.example.com)
+	#       wildcard    (*)
+	ipaddr = *
+
+	#  OR, you can use an IPv6 address, but not both
+	#  at the same time.
+#	ipv6addr = ::	# any.  ::1 == localhost
+
+	#  Port on which to listen.
+	#  Allowed values are:
+	#	integer port number (1812)
+	#	0 means "use /etc/services for the proper port"
+	port = 0
+
+	#  Some systems support binding to an interface, in addition
+	#  to the IP address.  This feature isn't strictly necessary,
+	#  but for sites with many IP addresses on one interface,
+	#  it's useful to say "listen on all addresses for eth0".
+	#
+	#  If your system does not support this feature, you will
+	#  get an error if you try to use it.
+	#
+#	interface = eth0
+
+	#  Per-socket lists of clients.  This is a very useful feature.
+	#
+	#  The name here is a reference to a section elsewhere in
+	#  radiusd.conf, or clients.conf.  Having the name as
+	#  a reference allows multiple sockets to use the same
+	#  set of clients.
+	#
+	#  If this configuration is used, then the global list of clients
+	#  is IGNORED for this "listen" section.  Take care configuring
+	#  this feature, to ensure you don't accidentally disable a
+	#  client you need.
+	#
+	#  See clients.conf for the configuration of "per_socket_clients".
+	#
+#	clients = per_socket_clients
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+	ipaddr = *
+#	ipv6addr = ::
+	port = 0
+	type = acct
+#	interface = eth0
+#	clients = per_socket_clients
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+#  The default is 'off' because it would be overall better for the net
+#  if people had to knowingly turn this feature on, since enabling it
+#  means that each client request will result in AT LEAST one lookup
+#  request to the nameserver.   Enabling hostname_lookups will also
+#  mean that your server may stop randomly for 30 seconds from time
+#  to time, if the DNS requests take too long.
+#
+#  Turning hostname lookups off also means that the server won't block
+#  for 30 seconds, if it sees an IP address which has no name associated
+#  with it.
+#
+#  allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+#  if you're debugging a problem with the server.
+#
+#  allowed values: {no, yes}
+#
+allow_core_dumps = no
+
+#  Regular expressions
+#
+#  These items are set at configure time.  If they're set to "yes",
+#  then setting them to "no" turns off regular expression support.
+#
+#  If they're set to "no" at configure time, then setting them to "yes"
+#  WILL NOT WORK.  It will give you an error.
+#
+regular_expressions	= yes
+extended_expressions	= yes
+
+#
+#  Logging section.  The various "log_*" configuration items
+#  will eventually be moved here.
+#
+log {
+	#
+	#  Destination for log messages.  This can be one of:
+	#
+	#	files - log to "file", as defined below.
+	#	syslog - to syslog (see also the "syslog_facility", below.
+	#	stdout - standard output
+	#	stderr - standard error.
+	#
+	#  The command-line option "-X" over-rides this option, and forces
+	#  logging to go to stdout.
+	#
+	destination = files
+
+	#
+	#  The logging messages for the server are appended to the
+	#  tail of this file if destination == "files"
+	#
+	#  If the server is running in debugging mode, this file is
+	#  NOT used.
+	#
+	file = ${logdir}/radius.log
+
+	#
+	#  If this configuration parameter is set, then log messages for
+	#  a *request* go to this file, rather than to radius.log.
+	#
+	#  i.e. This is a log file per request, once the server has accepted
+	#  the request as being from a valid client.  Messages that are
+	#  not associated with a request still go to radius.log.
+	#
+	#  Not all log messages in the server core have been updated to use
+	#  this new internal API.  As a result, some messages will still
+	#  go to radius.log.  Please submit patches to fix this behavior.
+	#
+	#  The file name is expanded dynamically.  You should ONLY user
+	#  server-side attributes for the filename (e.g. things you control).
+	#  Using this feature MAY also slow down the server substantially,
+	#  especially if you do thinks like SQL calls as part of the
+	#  expansion of the filename.
+	#
+	#  The name of the log file should use attributes that don't change
+	#  over the lifetime of a request, such as User-Name,
+	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
+	#  messages will be distributed over multiple files.
+	#
+	#  Logging can be enabled for an individual request by a special
+	#  dynamic expansion macro:  %{debug: 1}, where the debug level
+	#  for this request is set to '1' (or 2, 3, etc.).  e.g.
+	#
+	#	...
+	#	update control {
+	#	       Tmp-String-0 = "%{debug:1}"
+	#	}
+	#	...
+	#
+	#  The attribute that the value is assigned to is unimportant,
+	#  and should be a "throw-away" attribute with no side effects.
+	#
+	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
+
+	#
+	#  Which syslog facility to use, if ${destination} == "syslog"
+	#
+	#  The exact values permitted here are OS-dependent.  You probably
+	#  don't want to change this.
+	#
+	syslog_facility = daemon
+
+	#  Log the full User-Name attribute, as it was found in the request.
+	#
+	# allowed values: {no, yes}
+	#
+	stripped_names = no
+
+	#  Log authentication requests to the log file.
+	#
+	#  allowed values: {no, yes}
+	#
+	auth = no
+
+	#  Log passwords with the authentication requests.
+	#  auth_badpass  - logs password if it's rejected
+	#  auth_goodpass - logs password if it's correct
+	#
+	#  allowed values: {no, yes}
+	#
+	auth_badpass = no
+	auth_goodpass = no
+
+	#  Log additional text at the end of the "Login OK" messages.
+	#  for these to work, the "auth" and "auth_goopass" or "auth_badpass"
+	#  configurations above have to be set to "yes".
+	#
+	#  The strings below are dynamically expanded, which means that
+	#  you can put anything you want in them.  However, note that
+	#  this expansion can be slow, and can negatively impact server
+	#  performance.
+	#
+#	msg_goodpass = ""
+#	msg_badpass = ""
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+#
+#  There may be multiple methods of attacking on the server.  This
+#  section holds the configuration items which minimize the impact
+#  of those attacks
+#
+security {
+	#
+	#  max_attributes: The maximum number of attributes
+	#  permitted in a RADIUS packet.  Packets which have MORE
+	#  than this number of attributes in them will be dropped.
+	#
+	#  If this number is set too low, then no RADIUS packets
+	#  will be accepted.
+	#
+	#  If this number is set too high, then an attacker may be
+	#  able to send a small number of packets which will cause
+	#  the server to use all available memory on the machine.
+	#
+	#  Setting this number to 0 means "allow any number of attributes"
+	max_attributes = 200
+
+	#
+	#  reject_delay: When sending an Access-Reject, it can be
+	#  delayed for a few seconds.  This may help slow down a DoS
+	#  attack.  It also helps to slow down people trying to brute-force
+	#  crack a users password.
+	#
+	#  Setting this number to 0 means "send rejects immediately"
+	#
+	#  If this number is set higher than 'cleanup_delay', then the
+	#  rejects will be sent at 'cleanup_delay' time, when the request
+	#  is deleted from the internal cache of requests.
+	#
+	#  Useful ranges: 1 to 5
+	reject_delay = 1
+
+	#
+	#  status_server: Whether or not the server will respond
+	#  to Status-Server requests.
+	#
+	#  When sent a Status-Server message, the server responds with
+	#  an Access-Accept or Accounting-Response packet.
+	#
+	#  This is mainly useful for administrators who want to "ping"
+	#  the server, without adding test users, or creating fake
+	#  accounting packets.
+	#
+	#  It's also useful when a NAS marks a RADIUS server "dead".
+	#  The NAS can periodically "ping" the server with a Status-Server
+	#  packet.  If the server responds, it must be alive, and the
+	#  NAS can start using it for real requests.
+	#
+	#  See also raddb/sites-available/status
+	#
+	status_server = yes
+
+	#
+	#  allow_vulnerable_openssl: Allow the server to start with
+	#  versions of OpenSSL known to have critical vulnerabilities.
+	#
+	#  This check is based on the version number reported by libssl
+	#  and may not reflect patches applied to libssl by
+	#  distribution maintainers.
+	#
+	allow_vulnerable_openssl = no
+}
+
+# PROXY CONFIGURATION
+#
+#  proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+#  The server has proxying turned on by default.  If your system is NOT
+#  set up to proxy requests to another server, then you can turn proxying
+#  off here.  This will save a small amount of resources on the server.
+#
+#  If you have proxying turned off, and your configuration files say
+#  to proxy a request, then an error message will be logged.
+#
+#  To disable proxying, change the "yes" to "no", and comment the
+#  $INCLUDE line.
+#
+#  allowed values: {no, yes}
+#
+proxy_requests  = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+#  Client configuration is defined in "clients.conf".
+#
+
+#  The 'clients.conf' file contains all of the information from the old
+#  'clients' and 'naslist' configuration files.  We recommend that you
+#  do NOT use 'client's or 'naslist', although they are still
+#  supported.
+#
+#  Anything listed in 'clients.conf' will take precedence over the
+#  information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+#  The thread pool is a long-lived group of threads which
+#  take turns (round-robin) handling any incoming requests.
+#
+#  You probably want to have a few spare threads around,
+#  so that high-load situations can be handled immediately.  If you
+#  don't have any spare threads, then the request handling will
+#  be delayed while a new thread is created, and added to the pool.
+#
+#  You probably don't want too many spare threads around,
+#  otherwise they'll be sitting there taking up resources, and
+#  not doing anything productive.
+#
+#  The numbers given below should be adequate for most situations.
+#
+thread pool {
+	#  Number of servers to start initially --- should be a reasonable
+	#  ballpark figure.
+	start_servers = 5
+
+	#  Limit on the total number of servers running.
+	#
+	#  If this limit is ever reached, clients will be LOCKED OUT, so it
+	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
+	#  keep a runaway server from taking the system with it as it spirals
+	#  down...
+	#
+	#  You may find that the server is regularly reaching the
+	#  'max_servers' number of threads, and that increasing
+	#  'max_servers' doesn't seem to make much difference.
+	#
+	#  If this is the case, then the problem is MOST LIKELY that
+	#  your back-end databases are taking too long to respond, and
+	#  are preventing the server from responding in a timely manner.
+	#
+	#  The solution is NOT do keep increasing the 'max_servers'
+	#  value, but instead to fix the underlying cause of the
+	#  problem: slow database, or 'hostname_lookups=yes'.
+	#
+	#  For more information, see 'max_request_time', above.
+	#
+	max_servers = 32
+
+	#  Server-pool size regulation.  Rather than making you guess
+	#  how many servers you need, FreeRADIUS dynamically adapts to
+	#  the load it sees, that is, it tries to maintain enough
+	#  servers to handle the current load, plus a few spare
+	#  servers to handle transient load spikes.
+	#
+	#  It does this by periodically checking how many servers are
+	#  waiting for a request.  If there are fewer than
+	#  min_spare_servers, it creates a new spare.  If there are
+	#  more than max_spare_servers, some of the spares die off.
+	#  The default values are probably OK for most sites.
+	#
+	min_spare_servers = 3
+	max_spare_servers = 10
+
+	#  When the server receives a packet, it places it onto an
+	#  internal queue, where the worker threads (configured above)
+	#  pick it up for processing.  The maximum size of that queue
+	#  is given here.
+	#
+	#  When the queue is full, any new packets will be silently
+	#  discarded.
+	#
+	#  The most common cause of the queue being full is that the
+	#  server is dependent on a slow database, and it has received
+	#  a large "spike" of traffic.  When that happens, there is
+	#  very little you can do other than make sure the server
+	#  receives less traffic, or make sure that the database can
+	#  handle the load.
+	#
+#	max_queue_size = 65536
+
+	#  There may be memory leaks or resource allocation problems with
+	#  the server.  If so, set this value to 300 or so, so that the
+	#  resources will be cleaned up periodically.
+	#
+	#  This should only be necessary if there are serious bugs in the
+	#  server which have not yet been fixed.
+	#
+	#  '0' is a special value meaning 'infinity', or 'the servers never
+	#  exit'
+	max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+#
+#  The names and configuration of each module is located in this section.
+#
+#  After the modules are defined here, they may be referred to by name,
+#  in other sections of this configuration file.
+#
+modules {
+	#
+	#  Each module has a configuration as follows:
+	#
+	#	name [ instance ] {
+	#		config_item = value
+	#		...
+	#	}
+	#
+	#  The 'name' is used to load the 'rlm_name' library
+	#  which implements the functionality of the module.
+	#
+	#  The 'instance' is optional.  To have two different instances
+	#  of a module, it first must be referred to by 'name'.
+	#  The different copies of the module are then created by
+	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+	#
+	#  The instance names can then be used in later configuration
+	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
+	#  for an example.
+	#
+
+	#
+	#  As of 2.0.5, most of the module configurations are in a
+	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
+	#  are loaded.  The modules are initialized ONLY if they are
+	#  referenced in a processing section, such as authorize,
+	#  authenticate, accounting, pre/post-proxy, etc.
+	#
+	$INCLUDE ${confdir}/modules/
+
+	#  Extensible Authentication Protocol
+	#
+	#  For all EAP related authentications.
+	#  Now in another file, because it is very large.
+	#
+	$INCLUDE eap.conf
+
+	#  Include another file that has the SQL-related configuration.
+	#  This is another file only because it tends to be big.
+	#
+#	$INCLUDE sql.conf
+
+	#
+	#  This module is an SQL enabled version of the counter module.
+	#
+	#  Rather than maintaining seperate (GDBM) databases of
+	#  accounting info for each counter, this module uses the data
+	#  stored in the raddacct table by the sql modules. This
+	#  module NEVER does any database INSERTs or UPDATEs.  It is
+	#  totally dependent on the SQL module to process Accounting
+	#  packets.
+	#
+#	$INCLUDE sql/mysql/counter.conf
+
+	#
+	#  IP addresses managed in an SQL table.
+	#
+#	$INCLUDE sqlippool.conf
+}
+
+# Instantiation
+#
+#  This section orders the loading of the modules.  Modules
+#  listed here will get loaded BEFORE the later sections like
+#  authorize, authenticate, etc. get examined.
+#
+#  This section is not strictly needed.  When a section like
+#  authorize refers to a module, it's automatically loaded and
+#  initialized.  However, some modules may not be listed in any
+#  of the following sections, so they can be listed here.
+#
+#  Also, listing modules here ensures that you have control over
+#  the order in which they are initalized.  If one module needs
+#  something defined by another module, you can list them in order
+#  here, and ensure that the configuration will be OK.
+#
+instantiate {
+	#
+	#  Allows the execution of external scripts.
+	#  The entire command line (and output) must fit into 253 bytes.
+	#
+	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
+	exec
+
+	#
+	#  The expression module doesn't do authorization,
+	#  authentication, or accounting.  It only does dynamic
+	#  translation, of the form:
+	#
+	#	Session-Timeout = `%{expr:2 + 3}`
+	#
+	#  This module needs to be instantiated, but CANNOT be
+	#  listed in any other section.  See 'doc/rlm_expr' for
+	#  more information.
+	#
+	#  rlm_expr is also responsible for registering many
+	#  other xlat functions such as md5, sha1 and lc.
+	#
+	#  We do not recommend removing it's listing here.
+	expr
+
+	#
+	# We add the counter module here so that it registers
+	# the check-name attribute before any module which sets
+	# it
+#	daily
+	expiration
+	logintime
+
+	# subsections here can be thought of as "virtual" modules.
+	#
+	# e.g. If you have two redundant SQL servers, and you want to
+	# use them in the authorize and accounting sections, you could
+	# place a "redundant" block in each section, containing the
+	# exact same text.  Or, you could uncomment the following
+	# lines, and list "redundant_sql" in the authorize and
+	# accounting sections.
+	#
+	#redundant redundant_sql {
+	#	sql1
+	#	sql2
+	#}
+}
+
+######################################################################
+#
+#	Policies that can be applied in multiple places are listed
+#	globally.  That way, they can be defined once, and referred
+#	to multiple times.
+#
+######################################################################
+$INCLUDE policy.conf
+
+######################################################################
+#
+#	Load virtual servers.
+#
+#	This next $INCLUDE line loads files in the directory that
+#	match the regular expression: /[a-zA-Z0-9_.]+/
+#
+#	It allows you to define new virtual servers simply by placing
+#	a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+#	All of the other configuration sections like "authorize {}",
+#	"authenticate {}", "accounting {}", have been moved to the
+#	the file:
+#
+#		raddb/sites-available/default
+#
+#	This is the "default" virtual server that has the same
+#	configuration as in version 1.0.x and 1.1.x.  The default
+#	installation enables this virtual server.  You should
+#	edit it to create policies for your local site.
+#
+#	For more documentation on virtual servers, see:
+#
+#		raddb/sites-available/README
+#
+######################################################################

freeradius/config/tmp/freeradius/sites-available/README

@@ -0,0 +1,335 @@
+1.  Virtual Servers.
+
+  FreeRADIUS 2.0 supports virtual servers.  This is probably the
+single largest change that is NOT backwards compatible with 1.x.
+
+  The virtual servers do NOT have to be set up with the
+"sites-available" and "sites-enabled" directories.  You can still have
+one "radiusd.conf" file, and put the server configuration there:
+
+	...
+	server {
+		authorize {
+			...
+		}
+		authenticate {
+			...
+		}
+		...
+	}
+	...
+
+  The power of virtual servers lies in their ability to separate
+policies.  A policy can be placed into a virtual server, where it is
+guaranteed to affect only the requests that are passed through that
+virtual server.  In 1.x, the policies were global, and it sometimes
+took much effort to write a policy so that it only applied in certain
+limited situations.
+
+
+2.  What do we mean by "virtual server"?
+
+
+  A virtual server is a (nearly complete) RADIUS server, just like a
+configuration for FreeRADIUS 1.x.  However, FreeRADIUS can now run
+multiple virtual servers at the same time.  The virtual servers can
+even proxy requests to each other!
+
+  The simplest way to create a virtual server is to take the all of
+the request processing sections from radius.conf, ("authorize" ,
+"authenticate", etc.) and wrap them in a "server {}" block, as above.
+
+  You can create another virtual server by:
+
+    1) defining a new "server foo {...}" section in radiusd.conf
+    2) Putting the normal "authorize", etc. sections inside of it
+    3) Adding a "listen" section *inside* of the "server" section.
+
+  e.g.
+
+	...
+	server foo {
+		listen {
+			ipaddr = 127.0.0.1
+			port = 2000
+			type = auth
+		}
+
+		authorize {
+			update control {
+				Cleartext-Password := "bob"
+			}
+			pap
+		}
+
+		authenticate {
+			pap
+		}
+	}
+	...
+
+  With that text added to "radiusd.conf", run the server in debugging
+mode (radiusd -X), and in another terminal window, type:
+
+$ radtest bob bob localhost:2000 0 testing123
+
+  You should see the server return an Access-Accept.
+
+
+3. Capabilities and limitations
+
+
+  The only sub-sections that can appear in a virtual server section
+are:
+
+	listen
+	client
+	authorize
+	authenticate
+	post-auth
+	pre-proxy
+	post-proxy
+	preacct
+	accounting
+	session
+
+  All other configuration parameters (modules, etc.) are global.
+
+  Inside of a virtual server, the authorize, etc. sections have their
+normal meaning, and can contain anything that an authorize section
+could contain in 1.x.
+
+  When a "listen" section is inside of a virtual server definition, it
+means that all requests sent to that IP/port will be processed through
+the virtual server.  There cannot be two "listen" sections with the
+same IP address and port number.
+
+  When a "client" section is inside of a virtual server definition, it
+means that that client is known only to the "listen" sections that are
+also inside of that virtual server.  Not only is this client
+definition available only to this virtual server, but the details of
+the client configuration is also available only to this virtual
+server.
+
+  i.e. Two virtual servers can listen on different IP address and
+ports, but both can have a client with IP address 127.0.0.1.  The
+shared secret for that client can be different for each virtual
+server.
+
+
+4. More complex "listen" capabilities
+
+  The "listen" sections have a few additional configuration items that
+were not in 1.x, and were not mentioned above.  These configuration
+items enable almost any mapping of IP / port to clients to virtual
+servers.
+
+  The configuration items are:
+
+	virtual_server = <name>
+
+		If set, all requests sent to this IP / port are processed
+		through the named virtual server.
+
+		This directive can be used only for "listen" sections
+		that are global.  i.e. It CANNOT be used if the
+		"listen" section is inside of a virtual server.
+
+	clients = <name>
+
+		If set, the "listen" section looks for a "clients" section:
+
+			clients <name> {
+				...
+			}
+
+		It looks inside of that named "clients" section for
+		"client" subsections, at least one of which must
+		exist.  Each client in that section is added to the
+		list of known clients for this IP / port.  No other
+		clients are known.
+
+		If it is set, it over-rides the list of clients (if
+		any) in the same virtual server.  Note that the
+		clients are NOT additive!
+
+		If it is not set, then the clients from the current
+		virtual server (if any) are used.  If there are no
+		clients in this virtual server, then the global
+		clients are used.
+
+		i.e. The most specific directive is used:
+			* configuration in this "listen" section
+			* clients in the same virtual server
+			* global clients
+
+		The directives are also *exclusive*, not *additive*.
+		If you have one client in a virtual server, and
+		another client referenced from a "listen" section,
+		then that "listen" section will ONLY use the second
+		client.  It will NOT use both clients.
+
+
+5. More complex "client" capabilities
+
+  The "client" sections have a few additional configuration items that
+were not in 1.x, and were not mentioned above.  These configuration
+items enable almost any mapping of IP / port to clients to virtual
+servers.
+
+  The configuration items are:
+
+	virtual_server = <name>
+
+		If set, all requests from this client are processed
+		through the named virtual server.
+
+		This directive can be used only for "client" sections
+		that are global.  i.e. It CANNOT be used if the
+		"client" section is inside of a virtual server.
+
+  If the "listen" section has a "server" entry, and a matching
+client is found ALSO with a "server" entry, then the clients server is
+used for that request.
+
+
+6. Worked examples
+
+
+  Listening on one socket, and mapping requests from two clients to
+two different servers.
+
+	listen {
+		...
+	}
+	client one {
+		...
+		virtual_server = server_one
+	}
+	client two {
+		...
+		virtual_server = server_two
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		authorize {
+			...
+		}
+		...
+	}
+
+  This could also be done as:
+
+
+	listen {
+		...
+		virtual_server = server_one
+	}
+	client one {
+		...
+	}
+	client two {
+		...
+		virtual_server = server_two
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		authorize {
+			...
+		}
+		...
+	}
+
+  In this case, the default server for the socket is "server_one", so
+there is no need to set that in the client "one" configuration.  The
+"server_two" configuration for client "two" over-rides the default
+setting for the socket.
+
+  Note that the following configuration will NOT work:
+
+	listen {
+		...
+		virtual_server = server_one
+	}
+	client one {
+		...
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		client two {
+			...
+		}
+		authorize {
+			...
+		}
+		...
+	}
+
+  In this example, client "two" is hidden inside of the virtual
+server, where the "listen" section cannot find it.
+
+
+7. Outlined examples
+
+  This section outlines a number of examples, with alternatives.
+
+  One server, multiple sockets
+	- multiple "listen" sections in a "server" section
+
+  one server per client
+	- define multiple servers
+	- have a global "listen" section
+	- have multiple global "clients", each with "virtual_server = X"
+
+  two servers, each with their own sockets
+	- define multiple servers
+	- put "client" sections into each "server"
+	- put a "listen" section into each "server"
+
+	Each server can list the same client IP, and the secret
+	can be different
+
+  two sockets, sharing a list of clients, but pointing to different servers
+	- define global "listen" sections
+	- in each, set "virtual_server = X"
+	- in each, set "clients = Y"
+	- define "clients Y" section, containing multiple clients.
+
+	This also means that you can have a third socket, which
+	doesn't share any of these clients.
+
+
+8.  How to decide what to do
+
+
+  If you want *completely* separate policies for a socket or a client,
+then create a separate virtual server.  Then, map the request to that
+server by setting configuration entries in a "listen" section or in a
+"client" section.
+
+  Start off with the common cases first.  If most of the clients
+and/or sockets get a particular policy, make that policy the default.
+Configure it without paying attention to the sockets or clients you
+want to add later, and without adding a second virtual server.  Once
+it works, then add the second virtual server.
+
+  If you want to re-use the previously defined sockets with the second
+virtual server, then you will need one or more global "client"
+sections.  Those clients will contain a "virtual_server = ..." entry
+that will direct requests from those clients to the appropriate
+virtual server.

freeradius/config/tmp/freeradius/sites-available/buffered-sql

@@ -0,0 +1,129 @@
+# -*- text -*-
+######################################################################
+#
+#	In 2.0.0, radrelay functionality is integrated into the
+#	server core.  This virtual server gives an example of
+#	using radrelay functionality inside of the server.
+#
+#	In this example, the detail file is read, and the data
+#	is put into SQL.  This configuration is used when a RADIUS
+#	server on this machine is receiving accounting packets,
+#	and writing them to the detail file.
+#
+#	The purpose of this virtual server is to de-couple the storage
+#	of long-term accounting data in SQL from "live" information
+#	needed by the RADIUS server as it is running. 
+#
+#	The benefit of this approach is that for a busy server, the
+#	overhead of performing SQL qeuries may be significant.  Also,
+#	if the SQL databases are large (as is typical for ones storing
+#	months of data), the INSERTs and UPDATEs may take a relatively
+#	long time.  Rather than slowing down the RADIUS server by
+#	having it interact with a database, you can just log the
+#	packets to a detail file, and then read that file later at a
+#	time when the RADIUS server is typically lightly loaded.
+#
+#	If you use on virtual server to log to the detail file,
+#	and another virtual server (i.e. this one) to read from
+#	the detail file, then this process will happen automatically.
+#	A sudden spike of RADIUS traffic means that the detail file
+#	will grow in size, and the server will be able to handle
+#	large volumes of traffic quickly.  When the traffic dies down,
+#	the server will have time to read the detail file, and insert
+#	the data into a long-term SQL database.
+#
+#	$Id: 3f64cbb500cdda5014157e4776e871419f0b64df $
+#
+######################################################################
+
+server buffered-sql {
+	listen {
+		type = detail
+
+		#  The location where the detail file is located.
+		#  This should be on local disk, and NOT on an NFS
+		#  mounted location!
+		filename = "${radacctdir}/detail-*"
+
+		#
+		#  The server can read accounting packets from the
+		#  detail file much more quickly than those packets
+		#  can be written to a database.  If the database is
+		#  overloaded, then bad things can happen.
+		#
+		#  The server will keep track of how long it takes to
+		#  process an entry from the detail file.  It will
+		#  then pause between handling entries.  This pause
+		#  allows databases to "catch up", and gives the
+		#  server time to notice that other packets may have
+		#  arrived.
+		#		
+		#  The pause is calculated dynamically, to ensure that
+		#  the load due to reading the detail files is limited
+		#  to a small percentage of CPU time.  The
+		#  "load_factor" configuration item is a number
+		#  between 1 and 100.  The server will try to keep the
+		#  percentage of time taken by "detail" file entries
+		#  to "load_factor" percentage of the CPU time.
+		#
+		#  If the "load_factor" is set to 100, then the server
+		#  will read packets as fast as it can, usually
+		#  causing databases to go into overload.
+		#  
+		load_factor = 10
+
+		#
+		#  Set the interval for polling the detail file.
+		#  If the detail file doesn't exist, the server will
+		#  wake up, and poll for it every N seconds.
+		#
+		#  Useful range of values: 1 to 60
+		poll_interval = 1
+
+		#
+		#  Set the retry interval for when the home server
+		#  does not respond.  The current packet will be
+		#  sent repeatedly, at this interval, until the
+		#  home server responds.
+		#
+		#  Useful range of values: 5 to 30
+		retry_interval = 30
+
+	}
+
+	#
+	#  Pre-accounting.  Decide which accounting type to use.
+	#
+	preacct {
+		preprocess
+	
+		#
+		#  Ensure that we have a semi-unique identifier for every
+		#  request, and many NAS boxes are broken.
+		acct_unique
+	
+		#
+		#  Read the 'acct_users' file.  This isn't always
+		#  necessary, and can be deleted if you do not use it.
+		files
+	}
+	
+	#
+	#  Accounting.  Log the accounting data.
+	#
+	accounting {
+		#
+		#  Log traffic to an SQL database.
+		#
+		#  See "Accounting queries" in sql.conf
+	#	sql
+
+
+		#  Cisco VoIP specific bulk accounting
+	#	pgsql-voip
+	
+	}
+
+	# The requests are not being proxied, so no pre/post-proxy
+	# sections are necessary.
+}

freeradius/config/tmp/freeradius/sites-available/coa

@@ -0,0 +1,43 @@
+# -*- text -*-
+######################################################################
+#
+#  Sample virtual server for receiving a CoA or Disconnect-Request packet.
+#
+
+#  Listen on the CoA port.
+#
+#  This uses the normal set of clients, with the same secret as for
+#  authentication and accounting.
+#
+listen {
+	type = coa
+	ipaddr = *
+	port = 3799
+	server = coa
+}
+
+server coa {
+	#  When a packet is received, it is processed through the
+	#  recv-coa section.  This applies to *both* CoA-Request and
+	#  Disconnect-Request packets.
+	recv-coa {
+		#  CoA && Disconnect packets can be proxied in the same
+		#  way as authentication or accounting packets.
+		#  Just set Proxy-To-Realm, or Home-Server-Pool, and the
+		#  packets will be proxied.
+
+		#  Insert your own policies here.
+		ok
+	}
+
+	#  When a packet is sent, it is processed through the
+	#  recv-coa section.  This applies to *both* CoA-Request and
+	#  Disconnect-Request packets.
+	send-coa {
+		#  Sample module.
+		ok
+	}
+
+	#  You can use pre-proxy and post-proxy sections here, too.
+	#  They will be processed for sending && receiving proxy packets.
+}

freeradius/config/tmp/freeradius/sites-available/control-socket

@@ -0,0 +1,73 @@
+# -*- text -*-
+######################################################################
+#
+#	Control socket interface.
+#
+#	In the future, we will add username/password checking for
+#	connections to the control socket.  We will also add
+#	command authorization, where the commands entered by the
+#	administrator are run through a virtual server before
+#	they are executed.
+#
+#	For now, anyone who has permission to connect to the socket
+#	has nearly complete control over the server.  Be warned!
+#
+#	This functionality is NOT enabled by default.
+#
+#	See also the "radmin" program, which is used to communicate
+#	with the server over the control socket.
+#
+#	$Id: 6a6f2b9428713083720b145d12c90b9747510ec1 $
+#
+######################################################################
+listen {
+	#
+	#  Listen on the control socket.
+	#
+	type = control
+
+	#
+	#  Socket location.
+	#
+	#  This file is created with the server's uid and gid.
+	#  It's permissions are r/w for that user and group, and
+	#  no permissions for "other" users.  These permissions form
+	#  minimal security, and should not be relied on.
+	#
+	socket = ${run_dir}/${name}.sock
+
+	#
+	#  The following two parameters perform authentication and
+	#  authorization of connections to the control socket.
+	#
+	#  If not set, then ANYONE can connect to the control socket,	
+	#  and have complete control over the server.  This is likely
+	#  not what you want.
+	#
+	#  One, or both, of "uid" and "gid" should be set.  If set, the
+	#  corresponding value is checked.  Unauthorized users result
+	#  in an error message in the log file, and the connection is
+	#  closed.
+	#
+
+	#
+	#  Name of user that is allowed to connect to the control socket.
+	#
+#	uid = radius
+
+	#
+	#  Name of group that is allowed to connect to the control socket.
+	#
+#	gid = radius
+
+	#
+	#  Access mode.
+	#
+	#  This can be used to give *some* administrators access to
+	#  monitor the system, but not to change it.
+	#
+	#	ro = read only access (default)
+	#	rw = read/write access.
+	#
+#	mode = rw
+}

freeradius/config/tmp/freeradius/sites-available/copy-acct-to-home-server

@@ -0,0 +1,171 @@
+# -*- text -*-
+######################################################################
+#
+#	In 2.0.0, radrelay functionality is integrated into the
+#	server core.  This virtual server gives an example of
+#	using radrelay functionality inside of the server.
+#
+#	In this example, the detail file is read, and the packets
+#	are proxied to a home server.  You will have to configure
+#	realms, home_server_pool, and home_server in proxy.conf
+#	for this to work.
+#
+#	The purpose of this virtual server is to enable duplication
+#	of information across a load-balanced, or fail-over set of
+#	servers.  For example, if a group of clients lists two
+#	home servers (primary, secondary), then RADIUS accounting
+#	messages will go only to one server at a time.  This file
+#	configures a server (primary, secondary) to send copies of
+#	the accounting information to each other.
+#
+#	That way, each server has the same set of information, and
+#	can make the same decision about the user.
+#
+#	$Id: 5f9a522f0b02178a956f63145b6b43c427260ce0 $
+#
+######################################################################
+
+server copy-acct-to-home-server {
+	listen {
+		type = detail
+
+		######################################################
+		#
+		#  !!!! WARNING !!!!
+		#
+		#  The detail file reader acts just like a NAS.
+		#
+		#  This means that if accounting fails, the packet
+		#  is re-tried FOREVER.  It is YOUR responsibility
+		#  to write an accounting policy that returns "ok"
+		#  if the packet was processed properly, "fail" on
+		#  a database error, AND "ok" if you want to ignore
+		#  the packet (e.g. no Acct-Status-Type).
+		#
+		#  Neither the detail file write OR the detail file
+		#  reader look at the contents of the packets.  They
+		#  just either dump the packet verbatim to the file,
+		#  or read it verbatim from the file and pass it to
+		#  the server.
+		#
+		######################################################
+
+
+		#  The location where the detail file is located.
+		#  This should be on local disk, and NOT on an NFS
+		#  mounted location!
+		#
+		#  On most systems, this should support file globbing
+		#  e.g. "${radacctdir}/detail-*:*"
+		#  This lets you write many smaller detail files as in
+		#  the example in radiusd.conf: ".../detail-%Y%m%d:%H"
+		#  Writing many small files is often better than writing
+		#  one large file.  File globbing also means that with
+		#  a common naming scheme for detail files, then you can
+		#  have many detail file writers, and only one reader.
+		filename = ${radacctdir}/detail
+
+		#
+		#  The server can read accounting packets from the
+		#  detail file much more quickly than those packets
+		#  can be written to a database.  If the database is
+		#  overloaded, then bad things can happen.
+		#
+		#  The server will keep track of how long it takes to
+		#  process an entry from the detail file.  It will
+		#  then pause between handling entries.  This pause
+		#  allows databases to "catch up", and gives the
+		#  server time to notice that other packets may have
+		#  arrived.
+		#		
+		#  The pause is calculated dynamically, to ensure that
+		#  the load due to reading the detail files is limited
+		#  to a small percentage of CPU time.  The
+		#  "load_factor" configuration item is a number
+		#  between 1 and 100.  The server will try to keep the
+		#  percentage of time taken by "detail" file entries
+		#  to "load_factor" percentage of the CPU time.
+		#
+		#  If the "load_factor" is set to 100, then the server
+		#  will read packets as fast as it can, usually
+		#  causing databases to go into overload.
+		#  
+		load_factor = 10
+	}
+
+	#
+	#  Pre-accounting.  Decide which accounting type to use.
+	#
+	preacct {
+		preprocess
+	
+		# Since we're just proxying, we don't need acct_unique.
+
+		#
+		#  Look for IPASS-style 'realm/', and if not found, look for
+		#  '@realm', and decide whether or not to proxy, based on
+		#  that.
+		#
+		#  Accounting requests are generally proxied to the same
+		#  home server as authentication requests.
+	#	IPASS
+		suffix
+	#	ntdomain
+	
+		#
+		#  Read the 'acct_users' file.  This isn't always
+		#  necessary, and can be deleted if you do not use it.
+		files
+	}
+	
+	#
+	#  Accounting.  Log the accounting data.
+	#
+	accounting {
+		   #
+		   # Since we're proxying, we don't log anything
+		   # locally.  Ensure that the accounting section
+		   # "succeeds" by forcing an "ok" return.
+		   ok	
+	}
+	
+	
+	#
+	#  When the server decides to proxy a request to a home server,
+	#  the proxied request is first passed through the pre-proxy
+	#  stage.  This stage can re-write the request, or decide to
+	#  cancel the proxy.
+	#
+	#  Only a few modules currently have this method.
+	#
+	pre-proxy {
+	#	attr_rewrite
+	
+		#  If you want to have a log of packets proxied to a home
+		#  server, un-comment the following line, and the
+		#  'detail pre_proxy_log' section in radiusd.conf.
+	#	pre_proxy_log
+	}
+	
+	#
+	#  When the server receives a reply to a request it proxied
+	#  to a home server, the request may be massaged here, in the
+	#  post-proxy stage.
+	#
+	post-proxy {
+		#
+	
+		#  If you want to have a log of replies from a home
+		#  server, un-comment the following line, and the
+		#  'detail post_proxy_log' section in radiusd.conf.
+	#	post_proxy_log
+	
+	#	attr_rewrite
+	
+		#  Uncomment the following line if you want to filter
+		#  replies from remote proxies based on the rules
+		#  defined in the 'attrs' file.
+	
+	#	attr_filter
+	}
+}

freeradius/config/tmp/freeradius/sites-available/decoupled-accounting

@@ -0,0 +1,140 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a sample configuration for "decoupled" accounting.
+#	"Decoupled" accounting is where the accounting packets are
+#	NOT written "live" to the back-end database.  This method
+#	can only be used if you are not interested in "live"
+#	accounting.  i.e. Where you can tolerate delays that may be
+#	a few seconds, before accounting packets get written to
+#	the DB.
+#
+#	Oddly enough, this method can speed up the processing of
+#	accounting packets, as all database activity is serialized.
+#
+#	This file is NOT meant to be used as-is.  It needs to be
+#	edited to match your local configuration.
+#
+#	$Id: 199258dd7f3b3a5f3ce23d0a82798b256c85af66 $
+#
+######################################################################
+
+#  Define a virtual server to write the accounting packets.
+#  Any "listen" section that listens on an accounting port should
+#  set "virtual_server = write-detail.example.com
+server write_detail.example.com {
+	accounting {
+		#
+		#  Write the "detail" files.
+		#
+		#  See raddb/modules/detail.example.com for more info.
+		detail.example.com
+	}
+
+	# That's it!
+}
+
+#  Define a virtual server to process the accounting packets.
+server read-detail.example.com {
+	#  Read accounting packets from the detail file(s) for
+	#  the home server.
+	listen {
+		type = detail
+		filename = "${radacctdir}/detail.example.com/detail-*:*"
+		load_factor = 10
+	}
+
+	#  All packets read from the detail file are processed through
+	#  the preacct && accounting sections.
+	#
+	#  The following text is copied verbatim from sites-available/default.
+	#  You should edit it for your own local configuration.
+
+#
+#  Pre-accounting.  Decide which accounting type to use.
+#
+preacct {
+	preprocess
+
+	#
+	#  Ensure that we have a semi-unique identifier for every
+	#  request, and many NAS boxes are broken.
+	acct_unique
+
+	#
+	#  Look for IPASS-style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+	#
+	#  Accounting requests are generally proxied to the same
+	#  home server as authentication requests.
+#	IPASS
+	suffix
+#	ntdomain
+
+	#
+	#  Read the 'acct_users' file
+	files
+}
+
+#
+#  Accounting.  Log the accounting data.
+#
+accounting {
+	#
+	#  Create a 'detail'ed log of the packets.
+	#  Note that accounting requests which are proxied
+	#  are also logged in the detail file.
+	detail
+#	daily
+
+	#  Update the wtmp file
+	#
+	#  If you don't use "radlast", you can delete this line.
+	unix
+
+	#
+	#  For Simultaneous-Use tracking.
+	#
+	#  Due to packet losses in the network, the data here
+	#  may be incorrect.  There is little we can do about it.
+	radutmp
+#	sradutmp
+
+	#  Return an address to the IP Pool when we see a stop record.
+#	main_pool
+
+	#
+	#  Log traffic to an SQL database.
+	#
+	#  NOTE! You will have to ensure that any accounting packets
+	#  NOT handled by the SQL module (e.g. "stop with zero session length"
+	#  result in the accounting section still returning "ok".
+	#
+	#  Otherwise, the server will think that the accounting packet
+	#  was NOT handled properly, and will keep trying to process it
+	#  through this virtual server!
+	#
+	#  See "Accounting queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#  Cisco VoIP specific bulk accounting
+#	pgsql-voip
+
+	#  Filter attributes from the accounting response.
+	attr_filter.accounting_response
+
+	#
+	#  See "Autz-Type Status-Server" for how this works.
+	#
+#	Acct-Type Status-Server {
+#
+#	}
+}
+}

freeradius/config/tmp/freeradius/sites-available/default

@@ -0,0 +1,660 @@
+######################################################################
+#
+#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
+#	"server" section, and configuration directives.
+#
+#	Virtual hosts should be put into the "sites-available"
+#	directory.  Soft links should be created in the "sites-enabled"
+#	directory to these files.  This is done in a normal installation.
+#
+#	If you are using 802.1X (EAP) authentication, please see also
+#	the "inner-tunnel" virtual server.  You wll likely have to edit
+#	that, too, for authentication to work.
+#
+#	$Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $
+#
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.  See also "man unlang", which documents the format
+#	of this file.
+#
+#	This configuration is designed to work in the widest possible
+#	set of circumstances, with the widest possible number of
+#	authentication methods.  This means that in general, you should
+#	need to make very few changes to this file.
+#
+#	The best way to configure the server for your local system
+#	is to CAREFULLY edit this file.  Most attempts to make large
+#	edits to this file will BREAK THE SERVER.  Any edits should
+#	be small, and tested by running the server with "radiusd -X".
+#	Once the edits have been verified to work, save a copy of these
+#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
+#	make more edits, and test, as above.
+#
+#	There are many "commented out" references to modules such
+#	as ldap, sql, etc.  These references serve as place-holders.
+#	If you need the functionality of that module, then configure
+#	it in radiusd.conf, and un-comment the references to it in
+#	this file.  In most cases, those small changes will result
+#	in the server being able to connect to the DB, and to
+#	authenticate users.
+#
+######################################################################
+
+#
+#	In 1.x, the "authorize", etc. sections were global in
+#	radiusd.conf.  As of 2.0, they SHOULD be in a server section.
+#
+#	The server section with no virtual server name is the "default"
+#	section.  It is used when no server name is specified.
+#
+#	We don't indent the rest of this file, because doing so
+#	would make it harder to read.
+#
+
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  Any changes made here should also be made to the "inner-tunnel"
+#  virtual server.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you 
+#  need to setup hints for the remote radius server
+authorize {
+	#
+	#  Security settings.  Take a User-Name, and do some simple
+	#  checks on it, for spaces and other invalid characters.  If
+	#  it looks like the user is trying to play games, reject it.
+	#
+	#  This should probably be enabled by default.
+	#
+	#  See policy.conf for the definition of the filter_username policy.
+	#
+#	filter_username
+
+	#
+	#  The preprocess module takes care of sanitizing some bizarre
+	#  attributes in the request, and turning them into attributes
+	#  which are more standard.
+	#
+	#  It takes care of processing the 'raddb/hints' and the
+	#  'raddb/huntgroups' files.
+	preprocess
+
+	#
+	#  If you want to have a log of authentication requests,
+	#  un-comment the following line, and the 'detail auth_log'
+	#  section, above.
+#	auth_log
+
+	#
+	#  The chap module will set 'Auth-Type := CHAP' if we are
+	#  handling a CHAP request and Auth-Type has not already been set
+	chap
+
+	#
+	#  If the users are logging in with an MS-CHAP-Challenge
+	#  attribute for authentication, the mschap module will find
+	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+	#  to the request, which will cause the server to then use
+	#  the mschap module for authentication.
+	mschap
+
+	#
+	#  If you have a Cisco SIP server authenticating against
+	#  FreeRADIUS, uncomment the following line, and the 'digest'
+	#  line in the 'authenticate' section.
+	digest
+
+	#
+	#  The WiMAX specification says that the Calling-Station-Id
+	#  is 6 octets of the MAC.  This definition conflicts with
+	#  RFC 3580, and all common RADIUS practices.  Un-commenting
+	#  the "wimax" module here means that it will fix the
+	#  Calling-Station-Id attribute to the normal format as
+	#  specified in RFC 3580 Section 3.21
+#	wimax
+
+	#
+	#  Look for IPASS style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+#	IPASS
+
+	#
+	#  If you are using multiple kinds of realms, you probably
+	#  want to set "ignore_null = yes" for all of them.
+	#  Otherwise, when the first style of realm doesn't match,
+	#  the other styles won't be checked.
+	#
+	suffix
+#	ntdomain
+
+	#
+	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+	#  authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  As of 2.0, the EAP module returns "ok" in the authorize stage
+	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
+	#  this change is compatible with older configurations.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	eap {
+		ok = return
+	}
+
+	#
+	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+	#  using the system API's to get the password.  If you want
+	#  to read /etc/passwd or /etc/shadow directly, see the
+	#  passwd module in radiusd.conf.
+	#
+#	unix
+
+	#
+	#  Read the 'users' file
+	files
+
+	#
+	#  Look in an SQL database.  The schema of the database
+	#  is meant to mirror the "users" file.
+	#
+	#  See "Authorization Queries" in sql.conf
+#	sql
+
+	#
+	#  If you are using /etc/smbpasswd, and are also doing
+	#  mschap authentication, the un-comment this line, and
+	#  configure the 'smbpasswd' module.
+#	smbpasswd
+
+	#
+	#  The ldap module will set Auth-Type to LDAP if it has not
+	#  already been set
+#	ldap
+
+	#
+	#  Enforce daily limits on time spent logged in.
+#	daily
+
+	#
+	# Use the checkval module
+#	checkval
+
+	expiration
+	logintime
+
+	#
+	#  If no other module has claimed responsibility for
+	#  authentication, then try to use PAP.  This allows the
+	#  other modules listed above to add a "known good" password
+	#  to the request, and to do nothing else.  The PAP module
+	#  will then see that password, and use it to do PAP
+	#  authentication.
+	#
+	#  This module should be listed last, so that the other modules
+	#  get a chance to set Auth-Type for themselves.
+	#
+	pap
+
+	#
+	#  If "status_server = yes", then Status-Server messages are passed
+	#  through the following section, and ONLY the following section.
+	#  This permits you to do DB queries, for example.  If the modules
+	#  listed here return "fail", then NO response is sent.
+	#
+#	Autz-Type Status-Server {
+#
+#	}
+}
+
+
+#  Authentication.
+#
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the apropriate module from the list below.
+#
+
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user (Auth-Type := Reject),
+#  or to or forcibly accept the user (Auth-Type := Accept).
+#
+#  Note that Auth-Type := Accept will NOT work with EAP.
+#
+#  Please do not put "unlang" configurations into the "authenticate"
+#  section.  Put them in the "post-auth" section instead.  That's what
+#  the post-auth section is for.
+#
+authenticate {
+	#
+	#  PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password.  The
+	#  password can be clear-text, or encrypted.
+	Auth-Type PAP {
+		pap
+	}
+
+	#
+	#  Most people want CHAP authentication
+	#  A back-end database listed in the 'authorize' section
+	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+	#  won't work.
+	Auth-Type CHAP {
+		chap
+	}
+
+	#
+	#  MSCHAP authentication.
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	#
+	#  If you have a Cisco SIP server authenticating against
+	#  FreeRADIUS, uncomment the following line, and the 'digest'
+	#  line in the 'authorize' section.
+	digest
+
+	#
+	#  Pluggable Authentication Modules.
+#	pam
+
+	#
+	#  See 'man getpwent' for information on how the 'unix'
+	#  module checks the users password.  Note that packets
+	#  containing CHAP-Password attributes CANNOT be authenticated
+	#  against /etc/passwd!  See the FAQ for details.
+	#
+	#  For normal "crypt" authentication, the "pap" module should
+	#  be used instead of the "unix" module.  The "unix" module should
+	#  be used for authentication ONLY for compatibility with legacy
+	#  FreeRADIUS configurations.
+	#
+	unix
+
+	# Uncomment it if you want to use ldap for authentication
+	#
+	# Note that this means "check plain-text password against
+	# the ldap database", which means that EAP won't work,
+	# as it does not supply a plain-text password.
+#	Auth-Type LDAP {
+#		ldap
+#	}
+
+	#
+	#  Allow EAP authentication.
+	eap
+
+	#
+	#  The older configurations sent a number of attributes in
+	#  Access-Challenge packets, which wasn't strictly correct.
+	#  If you want to filter out these attributes, uncomment
+	#  the following lines.
+	#
+#	Auth-Type eap {
+#		eap {
+#			handled = 1  
+#		}
+#		if (handled && (Response-Packet-Type == Access-Challenge)) {
+#			attr_filter.access_challenge.post-auth
+#			handled  # override the "updated" code from attr_filter
+#		}
+#	}
+}
+
+
+#
+#  Pre-accounting.  Decide which accounting type to use.
+#
+preacct {
+	preprocess
+
+	#
+	#  Session start times are *implied* in RADIUS.
+	#  The NAS never sends a "start time".  Instead, it sends
+	#  a start packet, *possibly* with an Acct-Delay-Time.
+	#  The server is supposed to conclude that the start time
+	#  was "Acct-Delay-Time" seconds in the past.
+	#
+	#  The code below creates an explicit start time, which can
+	#  then be used in other modules.
+	#
+	#  The start time is: NOW - delay - session_length
+	#
+
+#	  update request {
+#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
+#	}
+
+
+	#
+	#  Ensure that we have a semi-unique identifier for every
+	#  request, and many NAS boxes are broken.
+	acct_unique
+
+	#
+	#  Look for IPASS-style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+	#
+	#  Accounting requests are generally proxied to the same
+	#  home server as authentication requests.
+#	IPASS
+	suffix
+#	ntdomain
+
+	#
+	#  Read the 'acct_users' file
+	files
+}
+
+#
+#  Accounting.  Log the accounting data.
+#
+accounting {
+	#
+	#  Create a 'detail'ed log of the packets.
+	#  Note that accounting requests which are proxied
+	#  are also logged in the detail file.
+	detail
+#	daily
+
+	#  Update the wtmp file
+	#
+	#  If you don't use "radlast", you can delete this line.
+#	unix
+
+	#
+	#  For Simultaneous-Use tracking.
+	#
+	#  Due to packet losses in the network, the data here
+	#  may be incorrect.  There is little we can do about it.
+#	radutmp
+#	sradutmp
+
+	#  Return an address to the IP Pool when we see a stop record.
+#	main_pool
+
+	#
+	#  Log traffic to an SQL database.
+	#
+	#  See "Accounting queries" in sql.conf
+#	sql
+
+	#
+	#  If you receive stop packets with zero session length,
+	#  they will NOT be logged in the database.  The SQL module
+	#  will print a message (only in debugging mode), and will
+	#  return "noop".
+	#
+	#  You can ignore these packets by uncommenting the following
+	#  three lines.  Otherwise, the server will not respond to the
+	#  accounting request, and the NAS will retransmit.
+	#
+#	if (noop) {
+#		ok
+#	}
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#  Cisco VoIP specific bulk accounting
+#	pgsql-voip
+
+	# For Exec-Program and Exec-Program-Wait
+	exec
+
+	#  Filter attributes from the accounting response.
+	attr_filter.accounting_response
+
+	#
+	#  See "Autz-Type Status-Server" for how this works.
+	#
+#	Acct-Type Status-Server {
+#
+#	}
+}
+
+
+#  Session database, used for checking Simultaneous-Use. Either the radutmp 
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+session {
+	radutmp
+
+	#
+	#  See "Simultaneous Use Checking Queries" in sql.conf
+#	sql
+}
+
+
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+post-auth {
+	#  Get an address from the IP Pool.
+#	main_pool
+
+	#
+	#  If you want to have a log of authentication replies,
+	#  un-comment the following line, and the 'detail reply_log'
+	#  section, above.
+#	reply_log
+
+	#
+	#  After authenticating the user, do another SQL query.
+	#
+	#  See "Authentication Logging Queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#
+	#  Un-comment the following if you have set
+	#  'edir_account_policy_check = yes' in the ldap module sub-section of
+	#  the 'modules' section.
+	#
+#	ldap
+
+	# For Exec-Program and Exec-Program-Wait
+	exec
+
+	#
+	#  Calculate the various WiMAX keys.  In order for this to work,
+	#  you will need to define the WiMAX NAI, usually via
+	#
+	#	update request {
+	#	       WiMAX-MN-NAI = "%{User-Name}"
+	#	}
+	#
+	#  If you want various keys to be calculated, you will need to
+	#  update the reply with "template" values.  The module will see
+	#  this, and replace the template values with the correct ones
+	#  taken from the cryptographic calculations.  e.g.
+	#
+	# 	update reply {
+	#		WiMAX-FA-RK-Key = 0x00
+	#		WiMAX-MSK = "%{EAP-MSK}"
+	#	}
+	#
+	#  You may want to delete the MS-MPPE-*-Keys from the reply,
+	#  as some WiMAX clients behave badly when those attributes
+	#  are included.  See "raddb/modules/wimax", configuration
+	#  entry "delete_mppe_keys" for more information.
+	#
+#	wimax
+
+	#  If there is a client certificate (EAP-TLS, sometimes PEAP
+	#  and TTLS), then some attributes are filled out after the
+	#  certificate verification has been performed.  These fields
+	#  MAY be available during the authentication, or they may be
+	#  available only in the "post-auth" section.
+	#
+	#  The first set of attributes contains information about the
+	#  issuing certificate which is being used.  The second
+	#  contains information about the client certificate (if
+	#  available).
+#
+#	update reply {
+#	       Reply-Message += "%{TLS-Cert-Serial}"
+#	       Reply-Message += "%{TLS-Cert-Expiration}"
+#	       Reply-Message += "%{TLS-Cert-Subject}"
+#	       Reply-Message += "%{TLS-Cert-Issuer}"
+#	       Reply-Message += "%{TLS-Cert-Common-Name}"
+#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
+#
+#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
+#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
+#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
+#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
+#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
+#	}
+
+	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
+	#  want to send it for all EAP sessions.  Therefore, the EAP
+	#  modules put required data into the EAP-Session-Id attribute.
+	#  This attribute is never put into a request or reply packet.
+	#
+	#  Uncomment the next few lines to copy the required data into
+	#  the EAP-Key-Name attribute
+#	if (reply:EAP-Session-Id) {
+#		update reply {
+#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
+#		}
+#	}
+
+	#  If the WiMAX module did it's work, you may want to do more
+	#  things here, like delete the MS-MPPE-*-Key attributes.
+	#
+	#	if (updated) {
+	#		update reply {
+	#			MS-MPPE-Recv-Key !* 0x00
+	#			MS-MPPE-Send-Key !* 0x00
+	#		}
+	#	}
+
+	#
+	#  Access-Reject packets are sent through the REJECT sub-section of the
+	#  post-auth section.
+	#
+	#  Add the ldap module name (or instance) if you have set 
+	#  'edir_account_policy_check = yes' in the ldap module configuration
+	#
+	Post-Auth-Type REJECT {
+		# log failed authentications in SQL, too.
+#		sql
+		attr_filter.access_reject
+	}
+}
+
+#
+#  When the server decides to proxy a request to a home server,
+#  the proxied request is first passed through the pre-proxy
+#  stage.  This stage can re-write the request, or decide to
+#  cancel the proxy.
+#
+#  Only a few modules currently have this method.
+#
+pre-proxy {
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to change attributes
+	#  as defined in the preproxy_users file.
+#	files
+
+	#  Uncomment the following line if you want to filter requests
+	#  sent to remote servers based on the rules defined in the
+	#  'attrs.pre-proxy' file.
+#	attr_filter.pre-proxy
+
+	#  If you want to have a log of packets proxied to a home
+	#  server, un-comment the following line, and the
+	#  'detail pre_proxy_log' section, above.
+#	pre_proxy_log
+}
+
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+post-proxy {
+
+	#  If you want to have a log of replies from a home server,
+	#  un-comment the following line, and the 'detail post_proxy_log'
+	#  section, above.
+#	post_proxy_log
+
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to filter replies from
+	#  remote proxies based on the rules defined in the 'attrs' file.
+#	attr_filter.post-proxy
+
+	#
+	#  If you are proxying LEAP, you MUST configure the EAP
+	#  module, and you MUST list it here, in the post-proxy
+	#  stage.
+	#
+	#  You MUST also use the 'nostrip' option in the 'realm'
+	#  configuration.  Otherwise, the User-Name attribute
+	#  in the proxied request will not match the user name
+	#  hidden inside of the EAP packet, and the end server will
+	#  reject the EAP request.
+	#
+	eap
+
+	#
+	#  If the server tries to proxy a request and fails, then the
+	#  request is processed through the modules in this section.
+	#
+	#  The main use of this section is to permit robust proxying
+	#  of accounting packets.  The server can be configured to
+	#  proxy accounting packets as part of normal processing.
+	#  Then, if the home server goes down, accounting packets can
+	#  be logged to a local "detail" file, for processing with
+	#  radrelay.  When the home server comes back up, radrelay
+	#  will read the detail file, and send the packets to the
+	#  home server.
+	#
+	#  With this configuration, the server always responds to
+	#  Accounting-Requests from the NAS, but only writes
+	#  accounting packets to disk if the home server is down.
+	#
+#	Post-Proxy-Type Fail {
+#			detail
+#	}
+}
+

freeradius/config/tmp/freeradius/sites-available/dhcp

@@ -0,0 +1,283 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles DHCP.
+#
+#		!!!! WARNING !!!!
+#
+#	This code is experimental, and SHOULD NOT be used in a
+#	production system.  It is intended for validation and
+#	experimentation ONLY.
+#
+#	In order for this to work, you will need to run configure:
+#
+#		$ ./configure --with-dhcp
+#		$ make
+#		$ vi share/dictionary
+#
+#	## Un-comment the line containing $INCLUDE dictionary.dhcp
+#	## Then, save the file.
+#
+#		$ make install
+#
+#	DHCP is NOT enabled by default.
+#
+#	The goal of this effort is to get the code in front of
+#	people who are interested in another DHCP server.
+#	We NEED FEEDBACK, patches, bug reports, etc.  Especially patches!
+#
+#	Please contribute, or this work will be nothing more than
+#	a curiosity.
+#
+#
+#	Q: What does it do?
+#	A: It allows the server to receive DHCP packets, and to
+#	   respond with static, pre-configured DHCP responses.
+#
+#	Q: Does it do static/dynamic IP assignment?
+#	A: No.  Or, maybe.  Try it and see.
+#
+#	Q: Does it read ISC configuration or lease files?
+#	A: No.  Please submit patches.
+#
+#	Q: Does it have DHCP feature X?
+#	A: No.  Please submit patches.
+#
+#	Q: Does it support option 82?
+#	A: Yes.
+#
+#	Q: Does it support other options?
+#	A: Maybe.  See dictionary.dhcp.  Please submit patches.
+#
+#	Q: It doesn't seem to do much of anything!
+#	A: Exactly.
+#
+#	$Id: 33da1f10a67dd38b889300bc998737a268ef0948 $
+#
+######################################################################
+
+#
+#  The DHCP functionality goes into a virtual server.
+#
+server dhcp {
+
+#  Define a DHCP socket.
+#
+#  The default port below is 6700, so you don't break your network.
+#  If you want it to do real DHCP, change this to 67, and good luck!
+#
+#  You can also bind the DHCP socket to an interface.
+#  See below, and raddb/radiusd.conf for examples.
+#
+#  This lets you run *one* DHCP server instance and have it listen on
+#  multiple interfaces, each with a separate policy.
+#
+#  If you have multiple interfaces, it is a good idea to bind the
+#  listen section to an interface.  You will also need one listen
+#  section per interface.
+#
+#  FreeBSD does *not* support binding sockets to interfaces.  Therefore,
+#  if you have multiple interfaces, broadcasts may go out of the wrong
+#  one, or even all interfaces.  The solution is to use the "setfib" command.
+#  If you have a network "10.10.0/24" on LAN1, you will need to do:
+#
+#  Pick any IP on the 10.10.0/24 network
+#	$ setfib 1 route add default 10.10.0.1
+#
+#  Edit /etc/rc.local, and add a line:
+#	setfib 1 /path/to/radiusd
+#
+#  The kern must be built with the following options:
+#	options    ROUTETABLES=2
+#  or any value larger than 2.
+#
+# The other only solution is to update FreeRADIUS to use BPF sockets.
+#
+
+	#  So that we only specify these values once, and then
+	#  use them in all of the listen sections.
+	port = 6700
+	ipaddr = 127.0.0.1
+	interface = lo0
+
+	#  When the machine is not Linux, or has only one network
+	#  interface, use the following listener.  It receives
+	#  broadcast *and* unicast packets.
+	listen {
+		type = dhcp
+
+		ipaddr = *
+		port = ${..port}
+		interface = ${..interface}
+
+		# The DHCP server defaults to allowing broadcast packets.
+		# Set this to "no" only when the server receives *all* packets
+		# from a relay agent.  i.e. when *no* clients are on the same
+		# LAN as the DHCP server.
+		#
+		# It's set to "no" here for testing.
+		broadcast = no
+	}
+
+	# When the machine is Linux and has multiple network interfaces, use
+	# the following two listeners instead of the one above.
+
+	#  Listen for broadcasts on a specific interface.
+	listen {
+		type = dhcp
+		ipaddr = 255.255.255.255
+		port = ${..port}
+		interface = ${..interface}
+
+		#
+		#  The source IP for unicast packets is chosen from the first
+		#  one of the following items which returns a valid IP
+		#  address:
+		#
+		#	src_ipaddr
+		#	ipaddr
+		#	reply:DHCP-Server-IP-Address
+		#	reply:DHCP-DHCP-Server-Identifier
+		#
+		#  For now, use the parent's "ipaddr", not the one
+		#  in this listen section
+		#
+                src_ipaddr = ${..ipaddr}
+	}
+
+	#  Listen for unicasts on an IP, but not bound to any interface.
+	#  This allows Linux systems to receive packets on interface X
+	#  when the IP is associated with interface Y.
+	#
+	#  Then, define which interface the packets go out of, via
+	#  "src_interface".  This means that the outbound packets
+	#  get sent via the correct interface.
+	listen {
+		type = dhcp
+		ipaddr = ${..ipaddr}
+		port = ${..port}
+
+		#
+		#  When sending unicast responses, this interface is
+		#  used as the source interface.  If unset, the value
+		#  is taken from the "interface" field in this
+		#  section.
+		#
+		#  This interface is also used when adding ARP entries.
+		#  FreeRADIUS doesn't open "raw" network sockets to send
+		#  unicast DHCP responses on the local network.  Instead,
+		#  it updates the ARP table for this interface with the
+		#  MAX and IP of the DHCP client.  The server can then
+		#  send a normal UDP unicast socket.
+		#
+		#  NOTE: The server MUST be running as "root" in order
+		#  to update the ARP table.  Or, it must have the
+		#  apropriate capabilities added to it after it starts up.
+		#
+		src_interface = ${..interface}
+	}
+
+#  Packets received on the socket will be processed through one
+#  of the following sections, named after the DHCP packet type.
+#  See dictionary.dhcp for the packet types.
+dhcp DHCP-Discover {
+	update reply {
+	       DHCP-Message-Type = DHCP-Offer
+	}
+
+	#  The contents here are invented.  Change them!
+	update reply {
+	        DHCP-Domain-Name-Server = 127.0.0.1
+	        DHCP-Domain-Name-Server = 127.0.0.2
+		DHCP-Subnet-Mask = 255.255.255.0
+		DHCP-Router-Address = 192.168.1.1
+		DHCP-IP-Address-Lease-Time = 86400
+		DHCP-DHCP-Server-Identifier = 192.168.1.1
+	}
+
+	#  Do a simple mapping of MAC to assigned IP.
+	#
+	#  See below for the definition of the "mac2ip"
+	#  module.
+	#
+	#mac2ip
+
+	#  If the MAC wasn't found in that list, do something else.
+	#  You could call a Perl, Python, or Java script here.
+
+	#if (notfound) {
+	# ...
+	#}
+
+	#  Or, allocate IPs from the DHCP pool in SQL.
+#	dhcp_sqlippool
+
+	ok
+}
+
+dhcp DHCP-Request {
+	update reply {
+	       DHCP-Message-Type = DHCP-Ack
+	}
+
+	#  The contents here are invented.  Change them!
+	update reply {
+	        DHCP-Domain-Name-Server = 127.0.0.1
+	        DHCP-Domain-Name-Server = 127.0.0.2
+		DHCP-Subnet-Mask = 255.255.255.0
+		DHCP-Router-Address = 192.168.1.1
+		DHCP-IP-Address-Lease-Time = 86400
+		DHCP-DHCP-Server-Identifier = 192.168.1.1
+	}
+
+	#  Do a simple mapping of MAC to assigned IP.
+	#
+	#  See below for the definition of the "mac2ip"
+	#  module.
+	#
+	#mac2ip
+
+	#  If the MAC wasn't found in that list, do something else.
+	#  You could call a Perl, Python, or Java script here.
+
+	#if (notfound) {
+	# ...
+	#}
+
+	#  Or, allocate IPs from the DHCP pool in SQL.
+#	dhcp_sqlippool
+
+	ok
+}
+
+#  If there's no named section for the packet type, then the packet
+#  is processed through this section.
+dhcp {
+	# send a DHCP NAK.
+	reject
+}
+
+
+}
+
+######################################################################
+#
+#  This next section is a sample configuration for the "passwd"
+#  module, that reads flat-text files.  It should go into
+#  radiusd.conf, in the "modules" section.
+#
+#  The file is in the format <mac>,<ip>
+#
+#	00:01:02:03:04:05,192.168.1.100
+#	01:01:02:03:04:05,192.168.1.101
+#	02:01:02:03:04:05,192.168.1.102
+#
+#  This lets you perform simple static IP assignment.
+#
+######################################################################
+
+#passwd mac2ip {
+#	filename = ${confdir}/mac2ip
+#	format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
+#	delimiter = ","
+#}

freeradius/config/tmp/freeradius/sites-available/dhcp.relay

@@ -0,0 +1,65 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles DHCP relaying
+#
+#	Only one server can listen on a socket, so you cannot
+#	do DHCP relaying && run a DHCP server at the same time.
+#
+######################################################################
+
+server dhcp.eth1 {
+	# When the machine is not Linux, or has only one network interface, use
+	# the following listener:
+	listen {
+		# Listen for broadcasts + unicast on eth1
+		ipaddr = *
+		port = 67
+		type = dhcp
+		interface = eth1
+	}
+	# When the machine is Linux and has multiple network interfaces, use
+	# the following listeners instead:
+	listen {
+		# Listen for broadcasts on eth1
+		ipaddr = 255.255.255.255
+		port = 67
+		type = dhcp
+		interface = eth1
+	}
+	listen {
+		# Listen for unicast on our IP address, not bound to any
+		# interface but telling on which interface to forward the
+		# packets to.
+		ipaddr = 192.0.100.2
+		port = 67
+		type = dhcp
+		arp_interface = eth1
+	}
+
+	#  Packets received on the socket will be processed through one
+	#  of the following sections, named after the DHCP packet type.
+	#  See dictionary.dhcp for the packet types.
+	dhcp DHCP-Discover {
+		update config {
+			# IP Address of the DHCP server
+			DHCP-Relay-To-IP-Address := 192.0.1.2
+		}
+		update request {
+			# IP Address of the DHCP relay (eth1)
+			DHCP-Gateway-IP-Address := 192.0.100.2
+		}
+		ok
+	}
+
+	dhcp DHCP-Request {
+		update config {
+			# IP Address of the DHCP server
+			DHCP-Relay-To-IP-Address := 192.0.1.2
+		}
+		update request {
+			DHCP-Gateway-IP-Address := 192.0.100.2
+		}
+		ok
+	}
+}

freeradius/config/tmp/freeradius/sites-available/dynamic-clients

@@ -0,0 +1,224 @@
+# -*- text -*-
+######################################################################
+#
+#	Sample configuration file for dynamically updating the list
+#	of RADIUS clients at run time.
+#
+#	Everything is keyed off of a client "network".  (e.g. 192.168/16)
+#	This configuration lets the server know that clients within
+#	that network are defined dynamically.
+#
+#	When the server receives a packet from an unknown IP address
+#	within that network, it tries to find a dynamic definition
+#	for that client.  If the definition is found, the IP address
+#	(and other configuration) is added to the server's internal
+#	cache of "known clients", with a configurable lifetime.
+#
+#	Further packets from that IP address result in the client
+#	definition being found in the cache.  Once the lifetime is
+#	reached, the client definition is deleted, and any new requests
+#	from that client are looked up as above.
+#
+#	If the dynamic definition is not found, then the request is
+#	treated as if it came from an unknown client.  i.e. It is
+#	silently discarded.
+#
+#	As part of protection from Denial of Service (DoS) attacks,
+#	the server will add only one new client per second.  This CANNOT
+#	be changed, and is NOT configurable.
+#
+#	$Id: f8c3cc4ddd4a8e6434911fbcc444715f4ac95912 $
+#
+######################################################################
+
+#
+#  Define a network where clients may be dynamically defined.
+client dynamic {
+	ipaddr = 192.168.0.0
+
+	#
+	#  You MUST specify a netmask!
+	#  IPv4 /32 or IPv6 /128 are NOT allowed!
+	netmask = 16
+
+	#
+	#  Any other configuration normally found in a "client"
+	#  entry can be used here.
+
+	#
+	#  A shared secret does NOT have to be defined.  It can
+	#  be left out.
+
+	#
+	#  Define the virtual server used to discover dynamic clients.
+	dynamic_clients = dynamic_client_server
+
+	#
+	#  The directory where client definitions are stored.  This
+	#  needs to be used ONLY if the client definitions are stored
+	#  in flat-text files.  Each file in that directory should be
+	#  ONE and only one client definition.  The name of the file
+	#  should be the IP address of the client.
+	#
+	#  If you are storing clients in SQL, this entry should not
+	#  be used.
+#	directory = ${confdir}/dynamic-clients/
+
+	#
+	#  Define the lifetime (in seconds) for dynamic clients.
+	#  They will be cached for this lifetime, and deleted afterwards.
+	#
+	#  If the lifetime is "0", then the dynamic client is never
+	#  deleted.  The only way to delete the client is to re-start
+	#  the server.
+	lifetime = 3600
+}
+
+#
+#  This is the virtual server referenced above by "dynamic_clients".
+server dynamic_client_server {
+
+	#
+	#  The only contents of the virtual server is the "authorize" section.
+	authorize {
+
+		#
+		#  Put any modules you want here.  SQL, LDAP, "exec",
+		#  Perl, etc.  The only requirements is that the
+		#  attributes MUST go into the control item list.
+		#
+		#  The request that is processed through this section
+		#  is EMPTY.  There are NO attributes.  The request is fake,
+		#  and is NOT the packet that triggered the lookup of
+		#  the dynamic client.
+		#
+		#  The ONLY piece of useful information is either
+		#
+		#	Packet-Src-IP-Address (IPv4 clients)
+		#	Packet-Src-IPv6-Address (IPv6 clients)
+		#
+		#  The attributes used to define a dynamic client mirror
+		#  the configuration items in the "client" structure.
+		#
+
+		#
+		#  Example 1: Hard-code a client IP.  This example is
+		#             useless, but it documents the attributes
+		#             you need.
+		#
+		update control {
+
+			#
+			#  Echo the IP address of the client.
+			FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+
+			# require_message_authenticator
+			FreeRADIUS-Client-Require-MA = no
+
+			# secret
+			FreeRADIUS-Client-Secret = "testing123"
+
+			# shortname
+			FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
+
+			# nastype
+			FreeRADIUS-Client-NAS-Type = "other"
+
+			# virtual_server
+			#
+			#  This can ONLY be used if the network client
+			#  definition (e.g. "client dynamic" above) has
+			#  NO virtual_server defined.
+			#
+			#  If the network client definition does have a
+			#  virtual_server defined, then that is used,
+			#  and there is no need to define this attribute.
+			#  
+			FreeRADIUS-Client-Virtual-Server = "something"
+
+		}
+
+		#
+		#  Example 2: Read the clients from "clients" files
+		#             in a directory.
+		#
+
+		#             This requires you to uncomment the
+		#             "directory" configuration in the
+		#             "client dynamic" configuration above,
+		#	      and then put one file per IP address in
+		#             that directory.
+		#
+		dynamic_clients
+
+		#
+		#  Example 3: Look the clients up in SQL.
+		#
+		#  This requires the SQL module to be configured, of course.
+		if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
+			update control {
+				#
+				#  Echo the IP.
+				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+
+				#
+				#  Do multiple SELECT statements to grab
+				#  the various definitions.
+				FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
+
+				FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
+
+				FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
+
+				FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
+			}
+
+		}
+
+		# Do an LDAP lookup in the elements OU, check to see if
+		# the Packet-Src-IP-Address object has a "ou"
+		# attribute, if it does continue.  Change "ACME.COM" to
+		# the real OU of your organization.
+		#
+		# Assuming the following schema:
+		#
+		# OU=Elements,OU=Radius,DC=ACME,DC=COM
+		#
+		# Elements will hold a record of every NAS in your
+		# Network.  Create Group objects based on the IP
+		# Address of the NAS and set the "Location" or "l"
+		# attribute to the NAS Huntgroup the NAS belongs to
+		# allow them to be centrally managed in LDAP.
+		#
+		# e.g.  CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
+		#
+		# With a "l" value of "CiscoRTR" for a Cisco Router
+		# that has a NAS-IP-Address or Source-IP-Address of
+		# 10.1.2.3.
+		#
+		# And with a "ou" value of the shared secret password
+		# for the NAS element. ie "password"
+		if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
+			update control {
+			       FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+
+				# Set the Client-Shortname to be the Location
+				# "l" just like in the Huntgroups, but this
+				# time to the shortname.
+
+				FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
+
+				# Lookup and set the Shared Secret based on
+				# the "ou" attribute.
+				FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
+			}
+		}
+
+		#
+		#  Tell the caller that the client was defined properly.
+		#
+		#  If the authorize section does NOT return "ok", then
+		#  the new client is ignored.
+		ok
+	}
+}

freeradius/config/tmp/freeradius/sites-available/example

@@ -0,0 +1,122 @@
+######################################################################
+#
+#	An example virtual server configuration.
+#
+#	$Id: 89950303b94d5763ebd96744500b7a00da186c08 $
+#
+######################################################################
+
+
+#
+#	This client will be available to any "listen" section that
+#	are defined outside of a virtual server section.  However,
+#	when the server receives a packet from this client, the
+#	request will be processed through the "example" virtual
+#	server, as the "client" section contains a configuration item
+#	to that effect.
+#
+#	Note that this client will be able to send requests to any
+#	port defined in a global "listen" section.  It will NOT,
+#	however, be able to send requests to a port defined in a
+#	"listen" section that is contained in a "server" section.
+#
+#	With careful matching of configurations, you should be able
+#	to:
+#
+#	- Define one authentication port, but process each client
+#	  through a separate virtual server.
+#
+#	- define multiple authentication ports, each with a private
+#	  list of clients.
+#
+#	- define multiple authentication ports, each of which may
+#	  have the same client listed, but with different shared
+#	  secrets
+#
+#	FYI: We use an address in the 192.0.2.* space for this example,
+#	as RFC 3330 says that that /24 range is used for documenation
+#	and examples, and should not appear on the net.  You shouldn't
+#	use it for anything, either.
+#
+client 192.0.2.10 {
+	shortname	= example-client
+	secret		= testing123
+	virtual_server  = example
+}
+
+######################################################################
+#
+#	An example virtual server.  It starts off with "server name {"
+#	The "name" is used to reference this server from a "listen"
+#	or "client" section.
+#
+######################################################################
+server example {
+	#
+	#	Listen on 192.0.2.1:1812 for Access-Requests
+	#
+	#	When the server receives a packet, it is processed
+	#	through the "authorize", etc. sections listed here,
+	#	NOT the global ones the "default" site.
+	#
+	listen {
+		ipaddr = 192.0.2.1
+		port = 1821
+		type = auth
+	}
+
+	#
+	#	This client is listed within the "server" section,
+	#	and is therefore known ONLY to the socket defined
+	#	in the "listen" section above.  If the client IP
+	#	sends a request to a different socket, the server
+	#	will treat it as an unknown client, and will not
+	#	respond.
+	#
+	#	In contrast, the client listed at the top of this file
+	#	is outside of any "server" section, and is therefore
+	#	global in scope.  It can send packets to any port
+	#	defined in a global "listen" section.  It CANNOT send
+	#	packets to the listen section defined above, though.
+	#
+	#	Note that you don't have to have a "virtual_server = example"
+	#	line here, as the client is encapsulated within
+	#	the "server" section.
+	#
+	client 192.0.2.9 {
+		shortname	= example-client
+		secret		= testing123
+	}
+
+	authorize {
+		#
+		#  Some example policies.  See "man unlang" for more.
+		#
+		if ("%{User-Name}" == "bob") {
+			update control {
+				Cleartext-Password := "bob"
+			}
+		}
+
+		#
+		#  And then reject the user.  The next line requires
+		#  that the "always reject {}" section is defined in
+		#  the "modules" section of radiusd.conf.
+		#
+		reject
+	}
+
+	authenticate {
+
+	}
+
+	post-auth {
+
+		Post-Auth-Type Reject {
+			update reply {
+				Reply-Message = "This is only an example."
+			}
+		}
+	}
+
+}

freeradius/config/tmp/freeradius/sites-available/inner-tunnel

@@ -0,0 +1,421 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles *only* inner tunnel
+#	requests for EAP-TTLS and PEAP types.
+#
+#	$Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $
+#
+######################################################################
+
+server inner-tunnel {
+
+#
+#  This next section is here to allow testing of the "inner-tunnel"
+#  authentication methods, independently from the "default" server.
+#  It is listening on "localhost", so that it can only be used from
+#  the same machine.
+#
+#	$ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+#  If it works, you have configured the inner tunnel correctly.  To check
+#  if PEAP will work, use:
+#
+#	$ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+#  If that works, PEAP should work.  If that command doesn't work, then
+#
+#	FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
+#
+#  Do NOT do any PEAP tests.  It won't help.  Instead, concentrate
+#  on fixing the inner tunnel configuration.  DO NOTHING ELSE.
+#
+listen {
+       ipaddr = 127.0.0.1
+       port = 18120
+       type = auth
+}
+
+
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you 
+#  need to setup hints for the remote radius server
+authorize {
+	#
+	#  The chap module will set 'Auth-Type := CHAP' if we are
+	#  handling a CHAP request and Auth-Type has not already been set
+	chap
+
+	#
+	#  If the users are logging in with an MS-CHAP-Challenge
+	#  attribute for authentication, the mschap module will find
+	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+	#  to the request, which will cause the server to then use
+	#  the mschap module for authentication.
+	mschap
+
+	#
+	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+	#  using the system API's to get the password.  If you want
+	#  to read /etc/passwd or /etc/shadow directly, see the
+	#  passwd module, above.
+	#
+#	unix
+
+	#
+	#  Look for IPASS style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+#	IPASS
+
+	#
+	#  If you are using multiple kinds of realms, you probably
+	#  want to set "ignore_null = yes" for all of them.
+	#  Otherwise, when the first style of realm doesn't match,
+	#  the other styles won't be checked.
+	#
+	#  Note that proxying the inner tunnel authentication means
+	#  that the user MAY use one identity in the outer session
+	#  (e.g. "anonymous", and a different one here
+	#  (e.g. "user@example.com").  The inner session will then be
+	#  proxied elsewhere for authentication.  If you are not
+	#  careful, this means that the user can cause you to forward
+	#  the authentication to another RADIUS server, and have the
+	#  accounting logs *not* sent to the other server.  This makes
+	#  it difficult to bill people for their network activity.
+	#
+	suffix
+#	ntdomain
+
+	#
+	#  The "suffix" module takes care of stripping the domain
+	#  (e.g. "@example.com") from the User-Name attribute, and the
+	#  next few lines ensure that the request is not proxied.
+	#
+	#  If you want the inner tunnel request to be proxied, delete
+	#  the next few lines.
+	#
+	update control {
+	       Proxy-To-Realm := LOCAL
+	}
+
+	#
+	#  This module takes care of EAP-MSCHAPv2 authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	eap {
+		ok = return
+	}
+
+	#
+	#  Read the 'users' file
+	files
+
+	#
+	#  Look in an SQL database.  The schema of the database
+	#  is meant to mirror the "users" file.
+	#
+	#  See "Authorization Queries" in sql.conf
+#	sql
+
+	#
+	#  If you are using /etc/smbpasswd, and are also doing
+	#  mschap authentication, the un-comment this line, and
+	#  configure the 'etc_smbpasswd' module, above.
+#	etc_smbpasswd
+
+	#
+	#  The ldap module will set Auth-Type to LDAP if it has not
+	#  already been set
+#	ldap
+
+	#
+	#  Enforce daily limits on time spent logged in.
+#	daily
+
+	#
+	# Use the checkval module
+#	checkval
+
+	expiration
+	logintime
+
+	#
+	#  If no other module has claimed responsibility for
+	#  authentication, then try to use PAP.  This allows the
+	#  other modules listed above to add a "known good" password
+	#  to the request, and to do nothing else.  The PAP module
+	#  will then see that password, and use it to do PAP
+	#  authentication.
+	#
+	#  This module should be listed last, so that the other modules
+	#  get a chance to set Auth-Type for themselves.
+	#
+	pap
+}
+
+
+#  Authentication.
+#
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the apropriate module from the list below.
+#
+
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user, or forcibly accept him.
+#
+authenticate {
+	#
+	#  PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password.  The
+	#  password can be clear-text, or encrypted.
+	Auth-Type PAP {
+		pap
+	}
+
+	#
+	#  Most people want CHAP authentication
+	#  A back-end database listed in the 'authorize' section
+	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+	#  won't work.
+	Auth-Type CHAP {
+		chap
+	}
+
+	#
+	#  MSCHAP authentication.
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	#
+	#  Pluggable Authentication Modules.
+#	pam
+
+	#
+	#  See 'man getpwent' for information on how the 'unix'
+	#  module checks the users password.  Note that packets
+	#  containing CHAP-Password attributes CANNOT be authenticated
+	#  against /etc/passwd!  See the FAQ for details.
+	#  
+	unix
+
+	# Uncomment it if you want to use ldap for authentication
+	#
+	# Note that this means "check plain-text password against
+	# the ldap database", which means that EAP won't work,
+	# as it does not supply a plain-text password.
+#	Auth-Type LDAP {
+#		ldap
+#	}
+
+	#
+	#  Allow EAP authentication.
+	eap
+}
+
+######################################################################
+#
+#	There are no accounting requests inside of EAP-TTLS or PEAP
+#	tunnels.
+#
+######################################################################
+
+
+#  Session database, used for checking Simultaneous-Use. Either the radutmp 
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+session {
+	radutmp
+
+	#
+	#  See "Simultaneous Use Checking Queries" in sql.conf
+#	sql
+}
+
+
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+post-auth {
+	# Note that we do NOT assign IP addresses here.
+	# If you try to assign IP addresses for EAP authentication types,
+	# it WILL NOT WORK.  You MUST use DHCP.
+
+	#
+	#  If you want to have a log of authentication replies,
+	#  un-comment the following line, and the 'detail reply_log'
+	#  section, above.
+#	reply_log
+
+	#
+	#  After authenticating the user, do another SQL query.
+	#
+	#  See "Authentication Logging Queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#
+	#  Un-comment the following if you have set
+	#  'edir_account_policy_check = yes' in the ldap module sub-section of
+	#  the 'modules' section.
+	#
+#	ldap
+
+	#
+	#  Access-Reject packets are sent through the REJECT sub-section of the
+	#  post-auth section.
+	#
+	#  Add the ldap module name (or instance) if you have set 
+	#  'edir_account_policy_check = yes' in the ldap module configuration
+	#
+	Post-Auth-Type REJECT {
+		# log failed authentications in SQL, too.
+#		sql
+		attr_filter.access_reject
+	}
+
+	#
+	#  The example policy below updates the outer tunnel reply
+	#  (usually Access-Accept) with the User-Name from the inner
+	#  tunnel User-Name.  Since this section is processed in the
+	#  context of the inner tunnel, "request" here means "inner
+	#  tunnel request", and "outer.reply" means "outer tunnel
+	#  reply attributes".
+	#
+	#  This example is most useful when the outer session contains
+	#  a User-Name of "anonymous@....", or a MAC address.  If it
+	#  is enabled, the NAS SHOULD use the inner tunnel User-Name
+	#  in subsequent accounting packets.  This makes it easier to
+	#  track user sessions, as they will all be based on the real
+	#  name, and not on "anonymous".
+	#
+	#  The problem with doing this is that it ALSO exposes the
+	#  real user name to any intermediate proxies.  People use
+	#  "anonymous" identifiers outside of the tunnel for a very
+	#  good reason: it gives them more privacy.  Setting the reply
+	#  to contain the real user name removes ALL privacy from
+	#  their session.
+	#
+	#  If you want privacy to remain, see the
+	#  Chargeable-User-Identity attribute from RFC 4372.  In order
+	#  to use that attribute, you will have to allocate a
+	#  per-session identifier for the user, and store it in a
+	#  long-term database (e.g. SQL).  You should also use that
+	#  attribute INSTEAD of the configuration below.
+	#
+	#update outer.reply {
+	#	User-Name = "%{request:User-Name}"
+	#}
+
+}
+
+#
+#  When the server decides to proxy a request to a home server,
+#  the proxied request is first passed through the pre-proxy
+#  stage.  This stage can re-write the request, or decide to
+#  cancel the proxy.
+#
+#  Only a few modules currently have this method.
+#
+pre-proxy {
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to change attributes
+	#  as defined in the preproxy_users file.
+#	files
+
+	#  Uncomment the following line if you want to filter requests
+	#  sent to remote servers based on the rules defined in the
+	#  'attrs.pre-proxy' file.
+#	attr_filter.pre-proxy
+
+	#  If you want to have a log of packets proxied to a home
+	#  server, un-comment the following line, and the
+	#  'detail pre_proxy_log' section, above.
+#	pre_proxy_log
+}
+
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+post-proxy {
+
+	#  If you want to have a log of replies from a home server,
+	#  un-comment the following line, and the 'detail post_proxy_log'
+	#  section, above.
+#	post_proxy_log
+
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to filter replies from
+	#  remote proxies based on the rules defined in the 'attrs' file.
+#	attr_filter.post-proxy
+
+	#
+	#  If you are proxying LEAP, you MUST configure the EAP
+	#  module, and you MUST list it here, in the post-proxy
+	#  stage.
+	#
+	#  You MUST also use the 'nostrip' option in the 'realm'
+	#  configuration.  Otherwise, the User-Name attribute
+	#  in the proxied request will not match the user name
+	#  hidden inside of the EAP packet, and the end server will
+	#  reject the EAP request.
+	#
+	eap
+
+	#
+	#  If the server tries to proxy a request and fails, then the
+	#  request is processed through the modules in this section.
+	#
+	#  The main use of this section is to permit robust proxying
+	#  of accounting packets.  The server can be configured to
+	#  proxy accounting packets as part of normal processing.
+	#  Then, if the home server goes down, accounting packets can
+	#  be logged to a local "detail" file, for processing with
+	#  radrelay.  When the home server comes back up, radrelay
+	#  will read the detail file, and send the packets to the
+	#  home server.
+	#
+	#  With this configuration, the server always responds to
+	#  Accounting-Requests from the NAS, but only writes
+	#  accounting packets to disk if the home server is down.
+	#
+#	Post-Proxy-Type Fail {
+#			detail
+#	}
+
+}
+
+} # inner-tunnel server block

freeradius/config/tmp/freeradius/sites-available/originate-coa

@@ -0,0 +1,190 @@
+# -*- text -*-
+######################################################################
+#
+#  The server can originate Change of Authorization (CoA) or
+#  Disconnect request packets.  These packets are used to dynamically
+#  change the parameters of a users session (bandwidth, etc.), or
+#  to forcibly disconnect the user.
+#
+#  There are some caveats.  Not all NAS vendors support this
+#  functionality.  Even for the ones that do, it may be difficult to
+#  find out what needs to go into a CoA-Request or Disconnect-Request
+#  packet.  All we can suggest is to read the NAS documentation
+#  available from the vendor.  That documentation SHOULD describe
+#  what information their equipment needs to see in a CoA packet.
+#
+#  This information is usually a list of attributes such as:
+#
+#	NAS-IP-Address (or NAS-IPv6 address)
+#	NAS-Identifier
+#	User-Name
+#	Acct-Session-Id
+#
+#  CoA packets can be originated when a normal Access-Request or
+#  Accounting-Request packet is received.  Simply update the
+#  "coa" list:
+#
+#	update coa {
+#	       User-Name = "%{User-Name}"
+#	       Acct-Session-Id = "%{Acct-Session-Id}"
+#	       NAS-IP-Address = "%{NAS-IP-Address}"
+#	}
+#
+#  And the CoA packet will be sent.  You can also send Disconnect
+#  packets by using "update disconnect { ...".
+#
+#  This "update coa" entry can be placed in any section (authorize,
+#  preacct, etc.), EXCEPT for pre-proxy and post-proxy.  The CoA
+#  packets CANNOT be sent if the original request has been proxied.
+#
+#  The CoA functionality works best when the RADIUS server and 
+#  the NAS receiving CoA packets are on the same network.
+#
+#  If "update coa { ... " is used, and then later it becomes necessary
+#  to not send a CoA request, the following example can suppress the
+#  CoA packet:
+#
+#	update control {
+#		Send-CoA-Request = No
+#	}
+#
+#  The default destination of a CoA packet is the NAS (or client)
+#  the sent the original Access-Request or Accounting-Request.  See
+#  raddb/clients.conf for a "coa_server" configuration that ties
+#  a client to a specific home server, or to a home server pool.
+#
+#  If you need to send the packet to a different destination, update
+#  the "coa" list with one of:
+#
+#	Packet-Dst-IP-Address = ...
+#	Packet-Dst-IPv6-Address = ...
+#	Home-Server-Pool = ...
+#
+#  That specifies an Ipv4 or IPv6 address, or a home server pool
+#  (such as the "coa" pool example below).  This use is not
+#  recommended, however,  It is much better to point the client
+#  configuration directly at the CoA server/pool, as outlined
+#  earlier.
+#
+#  If the CoA port is non-standard, you can also set:
+#
+#	Packet-Dst-Port
+#
+#  to have the value of the port.
+#
+######################################################################
+
+#
+#  When CoA packets are sent to a NAS, the NAS is acting as a
+#  server (see RFC 5176).  i.e. it has a type (accepts CoA and/or
+#  Disconnect packets), an IP address (or IPv6 address), a
+#  destination port, and a shared secret.
+#
+#  This information *cannot* go into a "client" section.  In the future,
+#  FreeRADIUS will be able to receive, and to proxy CoA packets.
+#  Having the CoA configuration as below means that we can later do
+#  load-balancing, fail-over, etc. of CoA servers.  If the CoA
+#  configuration went into a "client" section, it would be impossible
+#  to do proper proxying of CoA requests.
+#
+home_server localhost-coa {
+	type = coa
+
+	#
+	#  Note that a home server of type "coa" MUST be a real NAS,
+	#  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
+	#  server.
+	#
+	ipaddr = 127.0.0.1
+	port = 3799
+
+	#  This secret SHOULD NOT be the same as the shared
+	#  secret in a "client" section.
+	secret = testing1234
+
+	#  CoA specific parameters.  See raddb/proxy.conf for details.
+	coa {
+		irt = 2
+		mrt = 16
+		mrc = 5
+		mrd = 30
+	}
+}
+
+#
+#  CoA servers can be put into pools, just like normal servers.
+#
+home_server_pool coa {
+	type = fail-over
+
+	# Point to the CoA server above.
+	home_server = localhost-coa
+
+	#  CoA requests are run through the pre-proxy section.
+	#  CoA responses are run through the post-proxy section.
+	virtual_server = originate-coa.example.com
+
+	#
+	#  Home server pools of type "coa" cannot (currently) have
+	#  a "fallback" configuration.
+	#
+}
+
+#
+#  When this virtual server is run, the original request has FINISHED
+#  processing.  i.e. the reply has already been sent to the NAS.
+#  You can access the attributes in the original packet, reply, and
+#  control items, but changing them will have NO EFFECT.
+#
+#  The CoA packet is in the "proxy-request" attribute list.
+#  The CoA reply (if any) is in the "proxy-reply" attribute list.
+#
+server originate-coa.example.com {
+  pre-proxy {
+	update proxy-request {
+		NAS-IP-Address = 127.0.0.1
+	}
+  }
+
+  #
+  # Handle the responses here.
+  #
+  post-proxy {
+	switch "%{proxy-reply:Packet-Type}" {
+		case CoA-ACK {
+			ok
+		}
+
+		case CoA-NAK {
+			# the NAS didn't like the CoA request
+			ok
+		}
+
+		case Disconnect-ACK {
+			ok
+		}
+
+		case Disconnect-NAK {
+			# the NAS didn't like the Disconnect request
+			ok
+		}
+
+		# Invalid packet type.  This shouldn't happen.
+		case {
+		     fail
+		}
+	}
+
+	#
+	#  These methods are run when there is NO response
+	#  to the request.
+	#
+	Post-Proxy-Type Fail-CoA {
+		ok
+	}
+
+	Post-Proxy-Type Fail-Disconnect {
+		ok
+	}
+  }
+}

freeradius/config/tmp/freeradius/sites-available/proxy-inner-tunnel

@@ -0,0 +1,47 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles *only* inner tunnel
+#	requests for EAP-TTLS and PEAP types.
+#
+#	$Id: 1ce4137d5f93ff65a92ebaac676690cc718846ad $
+#
+######################################################################
+
+server proxy-inner-tunnel {
+
+#
+#  This example is very simple.  All inner tunnel requests get
+#  proxied to another RADIUS server.
+#
+authorize {
+	#
+	#  Do other things here, as necessary.
+	#
+	#  e.g. run the "realms" module, to decide how to proxy
+	#  the inner tunnel request.
+	#
+
+	update control {
+		#  You should update this to be one of your realms.
+		Proxy-To-Realm := "example.com"
+	}
+}
+
+authenticate {
+	#
+	#  This is necessary so that the inner tunnel EAP-MSCHAPv2
+	#  method can be called.  That method takes care of turning
+	#  EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary.
+	eap
+}
+
+post-proxy {
+	#
+	#  This is necessary for LEAP, or if you set:
+	#
+	#  proxy_tunneled_request_as_eap = no
+	#
+	eap
+}
+}

freeradius/config/tmp/freeradius/sites-available/robust-proxy-accounting

@@ -0,0 +1,167 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a sample configuration for robust proxy accounting.
+#	accounting packets are proxied, OR logged locally if all
+#	home servers are down.  When the home servers come back up,
+#	the accounting packets are forwarded.
+#
+#	This method enables the server to proxy all packets to the
+#	home servers when they're up, AND to avoid writing to the
+#	detail file in most situations.
+#
+#	In most situations, proxying of accounting messages is done
+#	in a "pass-through" fashion.  If the home server does not
+#	respond, then the proxy server does not respond to the NAS.
+#	That means that the NAS must retransmit packets, sometimes
+#	forever.  This example shows how the proxy server can still
+#	respond to the NAS, even if all home servers are down.
+#
+#	This configuration could be done MUCH more simply if ALL
+#	packets were written to the detail file.  But that would
+#	involve a lot more disk writes, which may not be a good idea.
+#
+#	This file is NOT meant to be used as-is.  It needs to be
+#	edited to match your local configuration.
+#
+#	$Id: 9bf86978db676ef16f6062f4d359385e291cc930 $
+#
+######################################################################
+
+#  (1) Define two home servers.
+home_server home1.example.com {
+	type = acct
+	ipaddr = 192.0.2.10
+	port = 1813
+	secret = testing123
+
+	#  Mark this home server alive ONLY when it starts being responsive
+	status_check = request
+	username = "test_user_status_check"
+
+	#  Set the response timeout aggressively low.
+	#  You MAY have to increase this, depending on tests with
+	#  your local installation.
+	response_window = 6
+}
+
+home_server home2.example.com {
+	type = acct
+	ipaddr = 192.0.2.20
+	port = 1813
+	secret = testing123
+
+	#  Mark this home server alive ONLY when it starts being responsive
+	status_check = request
+	username = "test_user_status_check"
+
+	#  Set the response timeout aggressively low.
+	#  You MAY have to increase this, depending on tests with
+	#  your local installation.
+	response_window = 6
+}
+
+#  (2) Define a virtual server to be used when both of the
+#  home servers are down.
+home_server acct_detail.example.com {
+	virtual_server = acct_detail.example.com
+}
+
+#  Put all of the servers into a pool.
+home_server_pool acct_pool.example.com {
+	type = load-balance	# other types are OK, too.
+
+	home_server = home1.example.com
+	home_server = home2.example.com
+	# add more home_server's here.
+
+	# If all home servers are down, try a home server that
+	# is a local virtual server.
+	fallback = acct_detail.example.com
+
+	# for pre/post-proxy policies
+	virtual_server = home.example.com
+}
+
+#  (3) Define a realm for these home servers.
+#  It should NOT be used as part of normal proxying decisions!
+realm acct_realm.example.com {
+	acct_pool = acct_pool.example.com
+}
+
+#  (4) Define a detail file writer.
+#   See raddb/modules/detail.example.com
+
+#  (5) Define the virtual server to write the packets to the detail file
+#  This will be called when ALL home servers are down, because of the
+#  "fallback" configuration in the home server pool.
+server acct_detail.example.com {
+	accounting {
+		detail.example.com
+	}
+}
+
+#  (6) Define a virtual server to handle pre/post-proxy re-writing
+server home.example.com {
+	pre-proxy {
+		#  Insert pre-proxy rules here
+	}
+
+	post-proxy {
+		#  Insert post-proxy rules here
+
+		#  This will be called when the CURRENT packet failed
+		#  to be proxied.  This may happen when one home server
+		#  suddenly goes down, even though another home server
+		#  may be alive.
+		#
+		#  i.e. the current request has run out of time, so it
+		#  cannot fail over to another (possibly) alive server.
+		#
+		#  We want to respond to the NAS, so that it can stop
+		#  re-sending the packet.  We write the packet to the
+		#  "detail" file, where it will be read, and sent to
+		#  another home server.
+		#
+		Post-Proxy-Type Fail {
+			detail.example.com
+		}
+	}
+
+
+	#  Read accounting packets from the detail file(s) for
+	#  the home server.
+	#
+	#  Note that you can have only ONE "listen" section reading
+	#  detail files from a particular directory.  That is why the
+	#  destination host name is used as part of the directory name
+	#  below.  Having two "listen" sections reading detail files
+	#  from the same directory WILL cause problems.  The packets
+	#  may be read by one, the other, or both "listen" sections.
+	listen {
+		type = detail
+		filename = "${radacctdir}/detail.example.com/detail-*:*"
+		load_factor = 10
+	}
+
+	#  All packets read from the detail file are proxied back to
+	#  the home servers.
+	#
+	#  The normal pre/post-proxy rules are applied to them, too.
+	#
+	#  If the home servers are STILL down, then the server stops
+	#  reading the detail file, and queues the packets for a later
+	#  retransmission.  The Post-Proxy-Type "Fail" handler is NOT
+	#  called.
+	#
+	#  When the home servers come back up, the packets are forwarded,
+	#  and the detail file processed as normal.
+	accounting {
+		# You may want accounting policies here...
+
+		update control {
+			Proxy-To-Realm := "acct_realm.example.com"
+		}
+	}
+
+}

freeradius/config/tmp/freeradius/sites-available/soh

@@ -0,0 +1,34 @@
+# This is a simple server for the MS SoH requests generated by the
+# peap module - see "eap.conf" for more info
+
+# Requests are ONLY passed through the authorize section, and cannot
+# current be proxied (in any event, the radius attributes used are
+# internal).
+
+server soh-server {
+	authorize {
+		if (SoH-Supported == no) {
+			# client NAKed our request for SoH - not supported, or turned off
+			update config {
+				Auth-Type = Accept
+			}
+		}
+		else {
+			# client replied; check something - this is a local policy issue!
+			if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {
+				update config {
+					Auth-Type = Reject
+				}
+				update reply {
+					Reply-Message = "You must have antivirus enabled & installed!"
+				}
+			}
+			else {
+				update config {
+					Auth-Type = Accept
+				}
+			}
+		}
+	}
+}
+

freeradius/config/tmp/freeradius/sites-available/status

@@ -0,0 +1,127 @@
+# -*- text -*-
+######################################################################
+#
+#	A virtual server to handle ONLY Status-Server packets.
+#
+#	Server statistics can be queried with a properly formatted
+#	Status-Server request.  See dictionary.freeradius for comments.
+#
+#	If radiusd.conf has "status_server = yes", then any client
+#	will be able to send a Status-Server packet to any port
+#	(listen section type "auth", "acct", or "status"), and the
+#	server will respond.
+#
+#	If radiusd.conf has "status_server = no", then the server will
+#	ignore Status-Server packets to "auth" and "acct" ports.  It
+#	will respond only if the Status-Server packet is sent to a
+#	"status" port.
+#
+#	The server statistics are available ONLY on socket of type
+#	"status".  Qeuries for statistics sent to any other port
+#	are ignored.
+#
+#	Similarly, a socket of type "status" will not process
+#	authentication or accounting packets.  This is for security.
+#
+#	$Id: 4e4f4179911adf96ca375a860d65903b86becade $
+#
+######################################################################
+
+server status {
+	listen {
+		#  ONLY Status-Server is allowed to this port.
+		#  ALL other packets are ignored.
+		type = status
+
+		ipaddr = 127.0.0.1
+		port = 18121
+	}
+
+	#
+	#  We recommend that you list ONLY management clients here.
+	#  i.e. NOT your NASes or Access Points, and for an ISP,
+	#  DEFINITELY not any RADIUS servers that are proxying packets
+	#  to you.
+	#
+	#  If you do NOT list a client here, then any client that is
+	#  globally defined (i.e. all of them) will be able to query
+	#  these statistics.
+	#
+	#  Do you really want your partners seeing the internal details
+	#  of what your RADIUS server is doing?
+	#
+	client admin {
+		ipaddr = 127.0.0.1
+		secret = adminsecret
+	}
+
+	#
+	#  Simple authorize section.  The "Autz-Type Status-Server"
+	#  section will work here, too.  See "raddb/sites-available/default".
+	authorize {
+		ok
+
+		# respond to the Status-Server request.
+		Autz-Type Status-Server {
+			ok
+		}
+	}
+}
+
+#	Statistics can be queried via a number of methods:
+#
+#	All packets received/sent by the server (1 = auth, 2 = acct)
+#		FreeRADIUS-Statistics-Type = 3
+#
+#	All packets proxied by the server (4 = proxy-auth, 8 = proxy-acct)
+#		FreeRADIUS-Statistics-Type = 12
+#
+#	All packets sent && received:
+#		FreeRADIUS-Statistics-Type = 15
+#
+#	Internal server statistics:
+#		FreeRADIUS-Statistics-Type = 16
+#
+#	All packets for a particular client (globally defined)
+#		FreeRADIUS-Statistics-Type = 35
+#		FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
+#
+#	All packets for a client attached to a "listen" ip/port
+#		FreeRADIUS-Statistics-Type = 35
+#		FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
+#		FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
+#		FreeRADIUS-Stats-Server-Port = 1812
+#
+#	All packets for a "listen" IP/port
+#		FreeRADIUS-Statistics-Type = 67
+#		FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
+#		FreeRADIUS-Stats-Server-Port = 1812
+#
+#	All packets for a home server IP / port
+#		FreeRADIUS-Statistics-Type = 131
+#		FreeRADIUS-Stats-Server-IP-Address = 192.168.1.2
+#		FreeRADIUS-Stats-Server-Port = 1812
+
+#
+#  You can also get exponentially weighted moving averages of
+#  response times (in usec) of home servers.  Just set the config
+#  item "historic_average_window" in a home_server section.
+#
+#  By default it is zero (don't calculate it).  Useful values
+#  are between 100, and 10,000.  The server will calculate and
+#  remember the moving average for this window, and for 10 times
+#  that window.
+#
+
+#
+#  Some of this could have been simplified.  e.g. the proxy-auth and
+#  proxy-acct bits aren't completely necessary.  But using them permits
+#  the server to be queried for ALL inbound && outbound packets at once.
+#  This gives a good snapshot of what the server is doing.
+#
+#  Due to internal limitations, the statistics might not be exactly up
+#  to date.  Do not expect all of the numbers to add up perfectly.
+#  The Status-Server packets are also counted in the total requests &&
+#  responses.  The responses are counted only AFTER the response has
+#  been sent.
+#

freeradius/config/tmp/freeradius/sites-available/virtual.example.com

@@ -0,0 +1,26 @@
+# -*- text -*-
+######################################################################
+#
+#	Sample virtual server for internally proxied requests.
+#
+#	See the "realm virtual.example.com" example in "proxy.conf".
+#
+#	$Id: d8eff1c615627fdb5ac1d82a67b03f620de3a7a9 $
+#
+######################################################################
+
+#
+#  Sample contents: just do everything that the default configuration does.
+#
+#  You WILL want to edit this to your local needs.  We suggest copying
+#  the "default" file here, and then editing it.  That way, any
+#  changes to the 'default" file will not affect this virtual server,
+#  and vice-versa.
+#
+#  When this virtual server receives the request, the original
+#  attributes can be accessed as "outer.request", "outer.control", etc.
+#  See "man unlang" for more details.
+#
+server virtual.example.com {
+$INCLUDE	${confdir}/sites-available/default
+}

freeradius/config/tmp/freeradius/sites-available/vmps

@@ -0,0 +1,98 @@
+# -*- text -*-
+######################################################################
+#
+#	As of version 2.0.0, the server also supports the VMPS
+#	protocol.
+#
+#	$Id: 13f4e955799583b1b8f843e8965465178ff6038f $
+#
+######################################################################
+
+server vmps {
+	listen {
+		# VMPS sockets only support IPv4 addresses.
+		ipaddr = *
+
+		#  Port on which to listen.
+		#  Allowed values are:
+		#	integer port number
+		#	1589 is the default VMPS port.
+		port = 1589
+
+		#  Type of packets to listen for.  Here, it is VMPS.
+		type = vmps
+
+		#  Some systems support binding to an interface, in addition
+		#  to the IP address.  This feature isn't strictly necessary,
+		#  but for sites with many IP addresses on one interface,
+		#  it's useful to say "listen on all addresses for
+		#  eth0".
+		#
+		#  If your system does not support this feature, you will
+		#  get an error if you try to use it.
+		#
+		#	interface = eth0
+	}
+
+	#  If you have switches that are allowed to send VMPS, but NOT
+	#  RADIUS packets, then list them here as "client" sections.
+	#
+	#  Note that for compatibility with RADIUS, you still have to
+	#  list a "secret" for each client, though that secret will not
+	#  be used for anything.
+
+
+	#  And the REAL contents.  This section is just like the
+	#  "post-auth" section of radiusd.conf.  In fact, it calls the
+	#  "post-auth" component of the modules that are listed here.
+	#  But it's called "vmps" to highlight that it's for VMPS.
+	#
+	vmps {
+		#
+		#  Some requests may not have a MAC address.  Try to
+		#  create one using other attributes.
+		if (!VMPS-Mac) {
+			if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
+        			update request {
+					VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
+				}
+			}
+			else {
+				update request {
+					VMPS-Mac = "%{VMPS-Cookie}"
+				}
+			}
+		}
+
+		#  Do a simple mapping of MAC to VLAN.
+		#
+		#  See radiusd.conf for the definition of the "mac2vlan"
+		#  module.
+		#
+		#mac2vlan
+
+		# required VMPS reply attributes
+		update reply {
+			VMPS-Packet-Type = VMPS-Join-Response
+			VMPS-Cookie = "%{VMPS-Mac}"
+
+			VMPS-VLAN-Name = "please_use_real_vlan_here"
+
+			#
+			#  If you have VLAN's in a database, you can select
+			#  the VLAN name based on the MAC address.
+			#
+			#VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"
+		}
+		
+		# correct reply packet type for reconfirmation requests
+		#   
+		if (VMPS-Packet-Type == VMPS-Reconfirm-Request){
+			update reply {
+				VMPS-Packet-Type := VMPS-Reconfirm-Response
+			}
+		}
+	}
+
+	# Proxying of VMPS requests is NOT supported.
+}

freeradius/config/tmp/freeradius/sites-enabled/default

@@ -0,0 +1 @@
+../sites-available/default

freeradius/config/tmp/freeradius/sites-enabled/inner-tunnel

@@ -0,0 +1 @@
+../sites-available/inner-tunnel

freeradius/config/tmp/freeradius/sql.conf

@@ -0,0 +1,115 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+##	$Id: 6f346ec9f1d12190f132da20537f99607df71760 $
+
+######################################################################
+#
+#  Configuration for the SQL module
+#
+#  The database schemas and queries are located in subdirectories:
+#
+#	sql/DB/schema.sql	Schema
+#	sql/DB/dialup.conf	Basic dialup (including policy) queries
+#	sql/DB/counter.conf	counter
+#	sql/DB/ippool.conf	IP Pools in SQL
+#	sql/DB/ippool.sql	schema for IP pools.
+#
+#  Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+
+sql {
+	#
+	#  Set the database to one of:
+	#
+	#	mysql, mssql, oracle, postgresql
+	#
+	database = "mysql"
+
+	#
+	#  Which FreeRADIUS driver to use.
+	#
+	driver = "rlm_sql_${database}"
+
+	# Connection info:
+	server = "localhost"
+	#port = 3306
+	login = "radius"
+	password = "radpass"
+
+	# Database table configuration for everything except Oracle
+	radius_db = "radius"
+	# If you are using Oracle then use this instead
+        # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+
+	# If you want both stop and start records logged to the
+	# same SQL table, leave this as is.  If you want them in
+	# different tables, put the start table in acct_table1
+	# and stop table in acct_table2
+	acct_table1 = "radacct"
+	acct_table2 = "radacct"
+
+	# Allow for storing data after authentication
+	postauth_table = "radpostauth"
+
+	authcheck_table = "radcheck"
+	authreply_table = "radreply"
+
+	groupcheck_table = "radgroupcheck"
+	groupreply_table = "radgroupreply"
+
+	# Table to keep group info
+	usergroup_table = "radusergroup"
+
+	# If set to 'yes' (default) we read the group tables
+	# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
+	# read_groups = yes
+
+	# Remove stale session if checkrad does not see a double login
+	deletestalesessions = yes
+
+	# Print all SQL statements when in debug mode (-x)
+	sqltrace = no
+	sqltracefile = ${logdir}/sqltrace.sql
+
+	# number of sql connections to make to server
+	#
+	# Setting this to LESS than the number of threads means
+	# that some threads may starve, and you will see errors
+	# like "No connections available and at max connection limit"
+	#
+	# Setting this to MORE than the number of threads means
+	# that there are more connections than necessary.
+	# 
+	num_sql_socks = ${thread[pool].max_servers}
+
+	# number of seconds to dely retrying on a failed database
+	# connection (per_socket)
+	connect_failure_retry_delay = 60
+
+	# lifetime of an SQL socket.  If you are having network issues
+	# such as TCP sessions expiring, you may need to set the socket
+	# lifetime.  If set to non-zero, any open connections will be
+	# closed "lifetime" seconds after they were first opened.
+	lifetime = 0
+
+	# Maximum number of queries used by an SQL socket.  If you are
+	# having issues with SQL sockets lasting "too long", you can
+	# limit the number of queries performed over one socket.  After
+	# "max_qeuries", the socket will be closed.  Use 0 for "no limit".
+	max_queries = 0
+
+	# Set to 'yes' to read radius clients from the database ('nas' table)
+	# Clients will ONLY be read on server startup.  For performance
+	# and security reasons, finding clients via SQL queries CANNOT
+	# be done "live" while the server is running.
+	# 
+	#readclients = yes
+
+	# Table to keep radius client info
+	nas_table = "nas"
+
+	# Read driver-specific configuration
+	$INCLUDE sql/${database}/dialup.conf
+}

freeradius/config/tmp/freeradius/sqlippool.conf

@@ -0,0 +1,67 @@
+##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
+##
+##  The database schemas are available at:
+##
+##       raddb/sql/DB/ippool.sql
+##
+##  $Id: 94fabc032f681407e9e6141d85ac1841c0b6d28b $
+
+sqlippool {
+
+ #########################################
+ ## SQL instance to use (from sql.conf) ##
+ ##
+ ##  If you have multiple sql instances, such as "sql sql1 {...}",
+ ##  use the *instance* name here: sql1.
+ #########################################
+ sql-instance-name = "sql"
+
+ ## SQL table to use for ippool range and lease info
+ ippool_table = "radippool"
+
+ ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
+ lease-duration = 3600
+
+ ## Attribute which should be considered unique per NAS
+ ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
+ ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
+ ## ONLY change this if you know what you are doing!
+ pool-key = "%{NAS-Port}"
+ # pool-key = "%{Calling-Station-Id}"
+
+ ################################################################
+ #
+ #  WARNING: MySQL has certain limitations that means it can
+ #           hand out the same IP address to 2 different users.
+ #
+ #           We suggest using an SQL DB with proper transaction
+ #           support, such as PostgreSQL, or using MySQL
+ #	     with InnoDB.
+ #
+ ################################################################
+
+ #
+ #  Use the same database as configured in the "sql" module, "database"
+ #  configuration item.  Change the "postgresql" name below to be the
+ #  same as the "database" field of the SQL module referred to in the
+ #  "sql-instance-name", above.
+ #
+$INCLUDE sql/postgresql/ippool.conf
+ 
+ ## Logging configuration. (Comment out to disable logging)
+ sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
+ (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+
+ sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_nopool = "No Pool-Name defined \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+}

freeradius/config/tmp/freeradius/templates.conf

@@ -0,0 +1,108 @@
+# -*- text -*-
+##
+## templates.conf -- configurations to be used in multiple places
+##
+##	$Id: c26e7d3945427350ebe8995f6c197efaecec5eb4 $
+
+######################################################################
+#
+#  Version 2.0 has a useful new feature called "templates".
+#
+#  Use templates by adding a line in radiusd.conf:
+#
+#	$INCLUDE templates.conf
+#
+#  The goal of the templates is to have common configuration located
+#  in this file, and to list only the *differences* in the individual
+#  sections.  This feature is most useful for sections like "clients"
+#  or "home_servers", where many may be defined, and each one has
+#  similar repeated configuration.
+#
+#  Something similar to templates can be done by putting common
+#  configuration into separate files, and using "$INCLUDE file...",
+#  but this is more flexible, and simpler to understand.  It's also
+#  cheaper for the server, because "$INCLUDE" makes a copy of the
+#  configuration for inclusion, and templates are simply referenced.
+#
+#  The templates are defined in the "templates" section, so that they
+#  do not affect the rest of the server configuration.
+#
+#  A section can reference a template by using "$template name"
+#
+templates {
+	  #
+	  #  The contents of the templates section are other
+	  #  configuration sections that would normally go into
+	  #  the configuration files.
+	  #
+
+	  #
+	  #  This is a default template for the "home_server" section.
+	  #  Note that there is no name for the section.
+	  #
+	  #  Any configuration item that is valid for a "home_server"
+	  #  section is also valid here.  When a "home_server" section
+	  #  is defined in proxy.conf, this section is referenced as
+	  #  the template.
+	  #
+	  #  Configuration items that are explicitly listed in a
+	  #  "home_server" section of proxy.conf are used in
+	  #  preference to the configuration items listed here.
+	  #
+	  #  However, if a configuration item is NOT listed in a
+	  #  "home_server" section of proxy.conf, then the value here
+	  #  is used.
+	  #
+	  #  This functionality lets you put common configuration into
+	  #  a template, and to put only the unique configuration
+	  #  items in "proxy.conf".  Each section in proxy.conf can
+	  #  then contain a line "$template home_server", which will
+	  #  cause it to reference this template.
+	  #
+	  home_server {
+		      	response_window = 20
+			zombie_period = 40
+			revive_interval = 120
+			#
+			#  Etc.
+	  }
+
+	  #
+	  #  You can also have named templates.  For example, if you
+	  #  are proxying to 3 different home servers all at the same
+	  #  site, with identical configurations (other than IP
+	  #  addresses), you can use this named template.
+	  #
+
+	  #  Then, each "home_server" section in "proxy.conf" would
+	  #  only list the IP address of that home server, and a
+	  #  line saying
+	  #
+	  #		$template example_com
+	  #
+	  #  That would tell FreeRADIUS to look in the section below
+	  #  for the rest of the configuration items.
+	  #
+	  #  For various reasons, you shouldn't have a "." in the template
+	  #  name.  Doing so means that the server will be unable to find
+	  #  the template.
+	  #
+	  example_com {
+		      type = auth
+		      port = 1812
+		      secret = testing123
+		      response_window = 20
+		      #
+		      # Etc...
+	  }
+
+	  #
+	  #  You can have templates for other sections, too, but they
+	  #  seem to be most useful for home_servers.
+	  #
+	  #  For now, you can use templates only for sections in
+	  #  radiusd.conf, not sub-sections.  So you still have to use
+	  #  the "$INCLUDE file.." method for things like defining
+	  #  multiple "sql" modules, each with similar configuration.
+	  #	  
+}

freeradius/config/tmp/freeradius/users

@@ -0,0 +1,206 @@
+#
+# Please read the documentation file ../doc/processing_users_file,
+# or 'man 5 users' (after installing the server) for more information.
+#
+# This file contains authentication security and configuration
+# information for each user.  Accounting requests are NOT processed
+# through this file.  Instead, see 'acct_users', in this directory.
+#
+# The first field is the user's name and can be up to
+# 253 characters in length.  This is followed (on the same line) with
+# the list of authentication requirements for that user.  This can
+# include password, comm server name, comm server port number, protocol
+# type (perhaps set by the "hints" file), and huntgroup name (set by
+# the "huntgroups" file).
+#
+# If you are not sure why a particular reply is being sent by the
+# server, then run the server in debugging mode (radiusd -X), and
+# you will see which entries in this file are matched.
+#
+# When an authentication request is received from the comm server,
+# these values are tested. Only the first match is used unless the
+# "Fall-Through" variable is set to "Yes".
+#
+# A special user named "DEFAULT" matches on all usernames.
+# You can have several DEFAULT entries. All entries are processed
+# in the order they appear in this file. The first entry that
+# matches the login-request will stop processing unless you use
+# the Fall-Through variable.
+#
+# If you use the database support to turn this file into a .db or .dbm
+# file, the DEFAULT entries _have_ to be at the end of this file and
+# you can't have multiple entries for one username.
+#
+# Indented (with the tab character) lines following the first
+# line indicate the configuration values to be passed back to
+# the comm server to allow the initiation of a user session.
+# This can include things like the PPP configuration values
+# or the host to log the user onto.
+#
+# You can include another `users' file with `$INCLUDE users.other'
+#
+
+#
+# For a list of RADIUS attributes, and links to their definitions,
+# see:
+#
+# http://www.freeradius.org/rfc/attributes.html
+#
+
+#
+# Deny access for a specific user.  Note that this entry MUST
+# be before any other 'Auth-Type' attribute which results in the user
+# being authenticated.
+#
+# Note that there is NO 'Fall-Through' attribute, so the user will not
+# be given any additional resources.
+#
+#lameuser Auth-Type := Reject
+#   Reply-Message = "Your account has been disabled."
+
+#
+# Deny access for a group of users.
+#
+# Note that there is NO 'Fall-Through' attribute, so the user will not
+# be given any additional resources.
+#
+#DEFAULT  Group == "disabled", Auth-Type := Reject
+#   Reply-Message = "Your account has been disabled."
+#
+
+#
+# This is a complete entry for "steve". Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used, and the user will NOT
+# get any attributes in addition to the ones listed here.
+#
+#steve  Cleartext-Password := "testing"
+# Service-Type = Framed-User,
+# Framed-Protocol = PPP,
+# Framed-IP-Address = 172.16.3.33,
+# Framed-IP-Netmask = 255.255.255.0,
+# Framed-Routing = Broadcast-Listen,
+# Framed-Filter-Id = "std.ppp",
+# Framed-MTU = 1500,
+# Framed-Compression = Van-Jacobsen-TCP-IP
+
+#
+# This is an entry for a user with a space in their name.
+# Note the double quotes surrounding the name.
+#
+#"John Doe" Cleartext-Password := "hello"
+#   Reply-Message = "Hello, %{User-Name}"
+
+#
+# Dial user back and telnet to the default host for that port
+#
+#Deg  Cleartext-Password := "ge55ged"
+# Service-Type = Callback-Login-User,
+# Login-IP-Host = 0.0.0.0,
+# Callback-Number = "9,5551212",
+# Login-Service = Telnet,
+# Login-TCP-Port = Telnet
+
+#
+# Another complete entry. After the user "dialbk" has logged in, the
+# connection will be broken and the user will be dialed back after which
+# he will get a connection to the host "timeshare1".
+#
+#dialbk Cleartext-Password := "callme"
+# Service-Type = Callback-Login-User,
+# Login-IP-Host = timeshare1,
+# Login-Service = PortMaster,
+# Callback-Number = "9,1-800-555-1212"
+
+#
+# user "swilson" will only get a static IP number if he logs in with
+# a framed protocol on a terminal server in Alphen (see the huntgroups file).
+#
+# Note that by setting "Fall-Through", other attributes will be added from
+# the following DEFAULT entries
+#
+#swilson  Service-Type == Framed-User, Huntgroup-Name == "alphen"
+#   Framed-IP-Address = 192.168.1.65,
+#   Fall-Through = Yes
+
+#
+# If the user logs in as 'username.shell', then authenticate them
+# using the default method, give them shell access, and stop processing
+# the rest of the file.
+#
+#DEFAULT  Suffix == ".shell"
+#   Service-Type = Login-User,
+#   Login-Service = Telnet,
+#   Login-IP-Host = your.shell.machine
+
+
+#
+# The rest of this file contains the several DEFAULT entries.
+# DEFAULT entries match with all login names.
+# Note that DEFAULT entries can also Fall-Through (see first entry).
+# A name-value pair from a DEFAULT entry will _NEVER_ override
+# an already existing name-value pair.
+#
+
+#
+# Set up different IP address pools for the terminal servers.
+# Note that the "+" behind the IP address means that this is the "base"
+# IP address. The Port-Id (S0, S1 etc) will be added to it.
+#
+#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "alphen"
+#   Framed-IP-Address = 192.168.1.32+,
+#   Fall-Through = Yes
+
+#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "delft"
+#   Framed-IP-Address = 192.168.2.32+,
+#   Fall-Through = Yes
+
+#
+# Sample defaults for all framed connections.
+#
+#DEFAULT  Service-Type == Framed-User
+# Framed-IP-Address = 255.255.255.254,
+# Framed-MTU = 576,
+# Service-Type = Framed-User,
+# Fall-Through = Yes
+
+#
+# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
+# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
+# by the terminal server in which case there may not be a "P" suffix.
+# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
+#
+DEFAULT Framed-Protocol == PPP
+  Framed-Protocol = PPP,
+  Framed-Compression = Van-Jacobson-TCP-IP
+
+#
+# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
+#
+DEFAULT Hint == "CSLIP"
+  Framed-Protocol = SLIP,
+  Framed-Compression = Van-Jacobson-TCP-IP
+
+#
+# Default for SLIP: dynamic IP address, SLIP mode.
+#
+DEFAULT Hint == "SLIP"
+  Framed-Protocol = SLIP
+
+#
+# Last default: rlogin to our main server.
+#
+#DEFAULT
+# Service-Type = Login-User,
+# Login-Service = Rlogin,
+# Login-IP-Host = shellbox.ispdomain.com
+
+# #
+# # Last default: shell on the local terminal server.
+# #
+# DEFAULT
+#   Service-Type = Administrative-User
+
+# MUST be cleartext
+root Cleartext-Password := "toor42"
+
+# On no match, the user is denied access.