regenerate from raddb source

Author: alandekok

doc/antora/modules/reference/pages/raddb/clients.conf.adoc

@@ -81,22 +81,45 @@ a secret any more!
 
 The secret can be any string, up to 8k characters in length.
 
-Control codes can be entered via octal encoding,
-e.g. `\101\102` is the same as `AB`
-Quotation marks can be entered by escaping them,
-e.g. `foo\"bar`
+Control codes can be entered via octal encoding:
 
-An important note on security:  The security of the
-RADIUS protocol depends *completely* on this secret! We
-recommend using a shared secret that is composed of:
+`secret = "\101\102"` is the same as `AB`
 
-  * upper case letters
-  * lower case letters
-  * numbers
+Quotation marks can be entered by escaping them:
 
-And is *at least* 8 characters, but preferably 16 characters in
-length.  The secret *must* be random, and should not be words,
-phrase, or anything else that is recognisable.
+`secret = "foo\"bar"`
+
+or by using triple quotes:
+
+`secret = """foo"bar"""
+
+A note on security: The security of the RADIUS protocol
+depends COMPLETELY on this secret!  We recommend using a
+shared secret that at LEAST 16 characters long.  It should
+preferably be 32 characters in length.  The secret MUST be
+random, and should not be words, phrase, or anything else
+that is recognisable.
+
+Computing power has increased enormously since RADIUS was
+first defined.  A hobbyist with a high-end GPU can try ALL
+of the 8-character shared secrets in about a day.  The
+security of shared secrets increases MUCH more with the
+length of the shared secret, than with number of different
+characters used in it.  So don't bother trying to use
+"special characters" or anything else in an attempt to get
+un-guessable secrets.  Instead, just get data from a secure
+random number generator, and use that.
+
+You should create shared secrets using a method like this:
+
+dd if=/dev/random bs=1 count=24 | base64
+
+This process will give output which takes 24 random bytes,
+and converts them to 32 characters of ASCII.  The output
+should be accepted by all RADIUS clients.
+
+You should NOT create shared secrets by hand.  They will
+not be random.  They will will be trivial to crack.
 
 The default secret below is only for testing, and should
 not be used in any real environment.
@@ -105,17 +128,32 @@ not be used in any real environment.
 
 require_message_authenticator::Require Message-Authenticator in Access-Requests.
 
-https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an
-Access-Request. The configuration item below allows the server
-to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`
-and it does not, then the packet will be silently discarded.
-
-If value is auto, then if any packet received from the client
-contains a valid Message-Authenticator attribute, then the server
-will require it from all future packets from that client.
-
-NOTE: This setting overrides the identically named config item in the
-radius listener.
+https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in
+an Access-Request. The configuration item below allows the
+server to require it. If a client is required to include a
+`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` and it does not, then the packet
+will be silently discarded.
+
+If value is` auto`, then when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packet from
+the client contains a valid `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`
+attribute, the server will then require that it exist in
+all future `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets from that client.
+
+This flag exists solely for legacy clients which do not
+send `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in all `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`
+packets.  We do not recommend setting it to `no`, as that
+may allow the BlastRADIUS attack to take place.
+
+The number one way to protect yourself from the BlastRADIUS
+attack is to update all RADIUS servers, and then set this
+flag to `yes`.  If all RADIUS servers are updated, and if
+all of them have this flag set to `yes` for all clients,
+then your network is safe.  You can then upgrade the
+clients when it is convenient, instead of rushing the
+upgrades.
+
+NOTE: This per-client setting overrides the identically
+named configuration item in the `listen` section.
 
 Allowed values: yes, no, auto
 
@@ -124,35 +162,39 @@ The default is "no".
 
 
 limit_proxy_state:: Control whether Proxy-State is allowed in
-packets from this client which do not have a Message-Authenticator.
+packets from this client which do not have a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`.
 
-The blastradius prefix attack allows an attacker to manipulate
-the contents of response packets without knowing the shared secret.
+The BlastRADIUS attack allows an attacker to manipulate the
+contents of responses to `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets, without
+knowing the shared secret.
 
 The attack relies on controlling a portion of the data sent back
 in the response by the RADIUS server. As Proxy-State is always
 echoed back verbatim from the request, it can be leveraged to
 manipulate the data sent back from the server and facilitate the
 attack.
 
-The attack also relies on defficiencies in the original RADIUS
-standards that provided no integrity protection for Access-Requests.
+The attack also relies on deficiencies in the original
+RADIUS standards which do not provide xintegrity protection
+for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`s.
 
 The attack is mitigated by requiring the Message-Authenticator,
 which contains a HMAC over the entire request, preventing
 modification of the request by the attacker.
 
-If value is auto, and the first packet received from the client
-does not contain a Proxy-State attribute, Proxy-State will be
-disallowed in any future packets which do not contain a
-Message-Authenticator.
+If value is` auto`, then when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packet
+from the client contains does not contain a `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]`
+attribute, the server will the discard `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`
+packets from the client which contain `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]`, but no
+`Message-Authenticator.
 
-This provides some level of protection against the blastradius
-attack, without requiring Message-Authenticator, or breaking existing
-deployments.
+This provides some level of protection against the
+blastradius attack, without requiring
+`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in all packets, or breaking
+existing deployments.
 
 NOTE: This setting overrides the identically named config item in the
-radius listener.
+radius `listen` section.
 
 Allowed values: yes, no, auto
 

doc/antora/modules/reference/pages/raddb/dictionary.adoc

@@ -11,7 +11,7 @@ edited by local administrators.  It will be loaded
 
 NOTE: We recommend using local variables inside of "unlang"
       sections instead of defining attributes in this file. See
-      the xref:index.adoc[reference documentation]
+      the xref:reference:index.adoc[reference documentation]
       for more information on
       xref:unlang/local.adoc[local variables].
 
@@ -147,11 +147,15 @@ copy of the v3 dictionary, then it won't work.  Migrations across
 major version numbers means that the configuration files are *not*
 100% compatible. This includes the dictionaries!
 
-All of the v3 compatibility names are in the RADIUS namespace.
+The v3 compatibility names are in the RADIUS namespace.
 There are no aliases for DHCPv4.
 
 
 
+This dictionary includes v3-compatible names like "Cleartext-Password",
+or "NT-Password".
+
+
 == Default Configuration
 
 ```
@@ -162,4 +166,5 @@ There are no aliases for DHCPv4.
 #$INCLUDE ${dictdir}/radius/v3/dictionary.cisco
 #$INCLUDE ${dictdir}/radius/v3/dictionary.aruba
 #END-PROTOCOL RADIUS
+#$INCLUDE ${dictdir}/freeradius/v3/dictionary.freeradius.internal
 ```

doc/antora/modules/reference/pages/raddb/mods-available/chap.adoc

@@ -2,7 +2,7 @@
 
 
 
-= CHAP module
+= CHAP
 
 This module authenticates requests containing a `link:https://freeradius.org/rfc/rfc2865.html#CHAP-Password[CHAP-Password]` attribute.
 

doc/antora/modules/reference/pages/raddb/mods-available/detail.adoc

@@ -115,7 +115,7 @@ NOTE: The attributes should be listed one to a line.
 
 ```
 detail {
-	filename = ${radacctdir}/%{Net.Src.IP}/detail-%Y-%m-%d
+	filename = "${radacctdir}/%{Net.Src.IP}/detail-%Y-%m-%d"
 #	filename = ${radacctdir}/detail
 	escape_filenames = no
 	permissions = 0600

doc/antora/modules/reference/pages/raddb/mods-available/detail.example.com.adoc

@@ -35,6 +35,6 @@ corner cases.
 
 ```
 detail detail.example.com {
-	filename = ${radacctdir}/detail.example.com/detail-%Y-%m-%dT%H:%G:00
+	filename = "${radacctdir}/detail.example.com/detail-%Y-%m-%dT%H:%G:00"
 }
 ```

doc/antora/modules/reference/pages/raddb/mods-available/detail.log.adoc

@@ -65,25 +65,25 @@ See the example in `raddb/sites-available/default`.
 
 ```
 detail auth_log {
-	filename = ${radacctdir}/%{Net.Src.IP}/auth-detail-%Y-%m-%d
+	filename = "${radacctdir}/%{Net.Src.IP}/auth-detail-%Y-%m-%d"
 	permissions = 0600
 	suppress {
 		User-Password
 	}
 }
 detail reply_log {
-	filename = ${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d
+	filename = "${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d"
 	permissions = 0600
 }
 detail pre_proxy_log {
-	filename = ${radacctdir}/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d
+	filename = "${radacctdir}/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d"
 	permissions = 0600
 #	suppress {
 #		User-Password
 #	}
 }
 detail post_proxy_log {
-	filename = ${radacctdir}/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d
+	filename = "${radacctdir}/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d"
 	permissions = 0600
 }
 ```

doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc

@@ -77,6 +77,14 @@ request will still end up being rejected.
 
 type:: Only EAP types listed below with a `type = <EAP-Type>` pair will be allowed.
 
+If the `control.EAP-Type` attribute is set, then that is used to form the list of
+allowed EAP types, with the first instance being the default type and others also
+being allowed.
+
+Setting an EAP type in `control.EAP-Type` which is not allowed below, will not have
+any effect, since this list determines which methods are loaded and potentially
+available.
+
 
 
 ### EAP-MD5
@@ -207,15 +215,15 @@ the following sections:
 | `clear session { ... }`
 | Clear stateful session information from a cache.
 
-| `verify certificate { ... }` 
+| `verify certificate { ... }`
 | Apply policies based on the client certificate presented.
 
 | `staple certificate { ... }`
 | Gather stapling information for one or more of our certificates.
 |===
 
 More information about the various sections can be found in the virtual server
-link:../../../../../../sites-available/tls-cache.adoc[sites-available/tls-cache].
+xref:reference:raddb/sites-available/tls-session.adoc[sites-available/tls-session].
 
 
 auto_chain::
@@ -943,7 +951,7 @@ Both `copy_request_to_tunnel` and `use_tunneled_reply` have been
 removed in v4.0.
 
 See the new policy `copy_request_to_tunnel` in
-link:../../../../../../sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` for
+xref:reference:raddb/sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` for
 more information.
 ====
 
@@ -1016,6 +1024,7 @@ the fix does appear to work.
 NOTE: To use `PEAP` you must also configure an inner method in
 `mods-enabled/eap_inner`.
 
+
 tls::  Point to the common TLS configuration
 
 Which `tls-config` section the TLS negotiation parameters are
@@ -1038,11 +1047,13 @@ Both `copy_request_to_tunnel` and `use_tunneled_reply` have been
 removed in v4.0.
 
 See the new policy `copy_request_to_tunnel` in
-link:../../../../../../sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap`
+xref:reference:raddb/sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap`
 for more information.
+
 ====
 
 
+
 virtual_server:: The virtual server used for "inner" authentication.
 
 The inner tunneled request can be sent through a virtual
@@ -1367,7 +1378,7 @@ eap {
 		auth_type = PAP
 	}
 	tls-config tls-common {
-#		virtual_server = tls-cache
+#		virtual_server = tls-session
 #		auto_chain = no
 		chain rsa {
 #			format = "PEM"

doc/antora/modules/reference/pages/raddb/mods-available/files.adoc

@@ -39,8 +39,18 @@ match_attr:: List and attribute to populate with the `name` of the matched entry
 Note: the attriubte type should be capable of holding data of the type
 used as key values.
 Particularly useful if matching IP addresses to subnets, since the populated
-value will be the subnet.  In that case it is best to use 0.0.0.0/0 in place
-of DEFAULT for any catch-all entries.
+value will be the subnet.  In that case it is best to use `0.0.0.0/0` in place
+of `DEFAULT` for any catch-all entries.
+
+
+
+v3_compat:: Version 3 compatibility flag.
+
+When this flag is set, any enumeration names (e.g. Service-Type := Framed-User)
+do not need to have the v4 "::" prefix.  This flag helps with migrating v3
+configurations to v4.
+
+Default value "false".  Allowerd vlaues, "true' and "false".
 
 
 
@@ -55,6 +65,7 @@ files {
 #	key = "%{&Stripped-User-Name || &User-Name}"
 	filename = ${moddir}/authorize
 #	match_attr = &control.User-Category
+#	v3_compat = false
 }
 files files_accounting {
 #	key = "%{&Stripped-User-Name || &User-Name}"