- package rlm_sql_map and rlm_totp modules + (optional) rlm_sql_db2 in -module-sql...

[packages/freeradius-server.git] / cui-fr-2.2.0.patch

diff -Naur freeradius-server-2.2.0-orig/doc/cui_howto.txt freeradius-server-2.2.0/doc/cui_howto.txt
--- freeradius-server-2.2.0-orig/doc/cui_howto.txt      1970-01-01 01:00:00.000000000 +0100
+++ freeradius-server-2.2.0/doc/cui_howto.txt   2012-09-13 10:57:56.645722777 +0200
@@ -0,0 +1,78 @@
+Chargeable-User-Identity (CUI) support.
+
+1. OVERVIEW
+
+This extension introduces support for Chargeable-User-Identity (CUI) attribute 
+as defined in RFC 4372. 
+
+The CUI attribute is meant to support roaming scenarios where
+the user is accessing the network at one location (Service Provider - SP)
+while authenticated by a RADIUS server at another institution (Identity
+Provider - IdP). CUI provides means for the SP to request the IdP 
+to return a unique, persistent, opaque user identifier.
+
+As defined in RFC 4372, CUI request is sent as a NULL value (single
+zero byte) of CUI attribute inside the Access-Request packet. 
+CUI response should be sent as the CUI value inside the Access-Accept.
+
+This extension has the following functionality:
+
+The SP side (*requesting* CUI):
+       - add the CUI NULL attribute to Access-Request proxied from 
+         the local NAS to the IdP
+       - receive the CUI value from the IdP and store it in the local
+         database
+       - update Accounting-Request packets sent by NAS by adding 
+         the appropriate CUI attribute (unless the attibute is 
+         already present).
+
+The IdP side (*returning* CUI):
+       - respond to the CUI request by generating the CUI value. 
+         The value is created as the md5 hash if a configurable local
+         salt and the User-Name attribute value.
+
+While CUI support has been added for roaming it is also useful for local
+accounting.
+
+2. INSTALLATION
+
+The CUI *requesting* and CUI *returning* sides are implemented and
+described separately. Most likely you want to run both, so just follow
+the instructions of both sections.
+
+2.1 *requesting* CUI 
+
+       - Setup a MySQL database by creating (or using) a database of your
+         choice and create an additional table cui. The schema is located
+         in ${raddbdir}/sql/mysql/cui.sql.
+
+       - Enter the necessary details into ${raddbdir}/modules/cui.
+         Things you need to modify are: 
+           server - typically this will be localhost;
+           login - mysql user allowed to modify the tables
+           password - password for this user
+           radius_db - database name you wish to use
+
+       - Modify the the main configuration file 
+         "${raddbdir}/sites-availabe/default".
+         Search for CUI. There are four sections where CUI is mentioned.
+         Follow the instructions for *requesting* the CUI.
+
+2.2 *returning* CUI 
+
+       - Modify the the main configuration file
+         "${raddbdir}/sites-available/default".
+         Search for CUI. There are four sections where CUI is mentioned.
+         Follow the instructions for *returning* the CUI.
+         The cui_hash_key is used to safeguard the CUI from dictionary
+         attacks and should be set to some "random" string.
+
+       - Modify "${raddbdir}/sites-availabe/inner-tunnel"
+         Search for CUI. There is one section where CUI is mentioned.
+         Follow the instructions for *returning* the CUI.
+
+3. ACKNOWLEDGEMENTS
+
+Authors: Maja Gorecka-Wolniewicz <mgw@umk.pl>, Alan DeKok
+
+Contributors: Stefan Winter, Tomasz Wolniewicz
diff -Naur freeradius-server-2.2.0-orig/raddb/modules/cui freeradius-server-2.2.0/raddb/modules/cui
--- freeradius-server-2.2.0-orig/raddb/modules/cui      2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/modules/cui   2012-09-13 10:58:19.975050772 +0200
@@ -21,5 +21,5 @@
        connect_failure_retry_delay = 60
        cui_table = "cui"
        sql_user_name = "%{User-Name}"
-#$INCLUDE sql/${database}/cui.conf
+       $INCLUDE sql/${database}/cui.conf
 }
diff -Naur freeradius-server-2.2.0-orig/raddb/policy.conf freeradius-server-2.2.0/raddb/policy.conf
--- freeradius-server-2.2.0-orig/raddb/policy.conf      2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/policy.conf   2012-09-13 11:00:40.929563217 +0200
@@ -145,53 +145,80 @@
                 }
        }
 
-       #       
-       #  The following policies are for the Chargeable-User-Identity
-       #  (CUI) configuration.
+       #
+       #       The following policies are for the Operator-Name handling
+       #       (RFC5580) 
+       #
+       operator_name {
+               if (Packet-Type == Access-Request) {
+                       update  request {
+                               Operator-Name := "%{config:sp_operator_name}"
+                               Chargeable-User-Identity = '\\000'
+                       }
+               }
+       }
+       
+       #
+       #       The following policies are for the Chargeable-User-Identity
+       #       (CUI) configuration. See doc/cui_howto.txt for more information.
        #
 
        #
-       #  The client indicates it can do CUI by sending a CUI attribute        
-       #  containing one zero byte
+       #       The client requests the CUI by sending a CUI attribute
+       #       containing one zero byte.
        #
-       cui_authorize {
-               update request {
-                       Chargeable-User-Identity:='\\000'
+       cui_pre-proxy {
+               if (Packet-Type == Access-Request) {
+                       update proxy-request {
+                               Chargeable-User-Identity = '\\000'
+                       }
                }
        }
 
        #
-       #  Add a CUI attribute based on the User-Name, and a secret key
-       #  known only to this server.
+       #       Add a CUI attribute based on the User-Name, and a secret key
+       #       known only to this server.
        #
        cui_postauth {
-               if (FreeRadius-Proxied-To == 127.0.0.1) {
-                       if (outer.request:Chargeable-User-Identity) {
-                               update outer.reply {
-                                       Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
+               if (FreeRadius-Proxied-To == "127.0.0.1") {
+                       #
+                       #  Add the CUI to Access-Accept, but only if the CUI
+                       #  was set in the request.
+                       #
+                       if (outer.request:Chargeable-User-Identity && (outer.request:Operator-Name) || !("%{config:cui_require_operator_name}") ) {
+                               update reply {
+                               Chargeable-User-Identity := "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{outer.request:Operator-Name}:-}}"
                                }
                        }
                }
                else {
-                       if (Chargeable-User-Identity) {
+                       #
+                       #  If the CUI was set in the request and the CUI reply
+                       #  is not already set by inner auth, add it to
+                       #  Access-Accept
+                       #
+                       if (!("%{control:Proxy-To-Realm}") && \
+                               (Chargeable-User-Identity) && \
+                               !(reply:Chargeable-User-Identity) && \
+                               ( (Operator-Name) || ! ("%{config:cui_require_operator_name}") ) ) {
                                update reply {
-                                       Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
+                                       Chargeable-User-Identity = "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{Operator-Name}:-}}"
                                }
                        }
                }
        }
 
        #
-       #  If there is a CUI attribute in the reply, add it to the DB.
+       #       If there is a CUI attribute in the reply, add it to the DB.
        #
        cui_updatedb {
-               if (reply:Chargeable-User-Identity) {
+               if ("%{reply:Chargeable-User-Identity}") {
                        cui
                }
        }
 
        #
-       #  If we had stored a CUI for the User, add it to the request.
+       #       If we had stored a CUI for the User, add it to the request.
        #
        cui_accounting {
                #
@@ -199,20 +226,22 @@
                #  in the DB.
                #
                if (!Chargeable-User-Identity) {
-                       update request {
-                               Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+                       update control {
+                               Chargeable-User-Identity = "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
                        }
                }
-
                #
-               #  If it exists now, then write out when we last saw
-               #  this CUI.
+               #  If it exists now, then update request and write out 
+               #  when we last saw this CUI.
                #
-               if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+                if (control:Chargeable-User-Identity && \
+                       (control:Chargeable-User-Identity != "")) {
+                       update request {
+                               Chargeable-User-Identity := "%{control:Chargeable-User-Identity}"
+                       }
                        cui
                }
        }
-
        #
        #  Normalize the MAC Addresses in the Calling/Called-Station-Id
        #
diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/default freeradius-server-2.2.0/raddb/sites-available/default
--- freeradius-server-2.2.0-orig/raddb/sites-available/default  2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/sites-available/default       2012-09-13 11:04:54.939298452 +0200
@@ -1,3 +1,13 @@
+#  If *returning* the CUI, set cui_hash_key to some random string
+#  and uncomment the line below
+#       cui_hash_key = "some secret value"
+#  If *returning* the CUI and the Operator-Name attribute in request is 
+#  required, uncomment the line below
+#       cui_require_operator_name = yes
+#  If Operator-Name attribute is used, uncomment the line below and
+#  fill out with one of your registered DNS domain names, which
+#  will be used as the Operator-Name attribute value
+#       sp_operator_name = "1your.registered.domain.name"
 ######################################################################
 #
 #      As of 2.0.0, FreeRADIUS supports virtual hosts using the
@@ -376,6 +386,11 @@
 #  Accounting.  Log the accounting data.
 #
 accounting {
+       #  cui_accounting reads the record form the temporary database,
+       #  selects the corresponding CUI value, as set cui_updatedb
+       #  and adds the CUI attribute to the accounting request
+       #  uncomment the line below if *requesting* the CUI
+#      cui_accounting
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
@@ -459,6 +474,17 @@
 #  Once we KNOW that the user has been authenticated, there are
 #  additional steps we can take.
 post-auth {
+       #  cui_postauth reacts to the Chargeable-User-Identity request
+       #  by adding the md5 hash created from a configurable local
+       #  salt (cui_hash_key) and the (inner) User-Name value
+       #  uncomment the line below if *returning* the CUI
+#      cui_postauth
+       #
+       #  cui_updatedb updates the temporary database adding
+       #  the record containing the received CUI value to be later
+       #  used in accounting
+       #  uncomment the line below if *requesting* the CUI
+#      cui_updatedb
        #  Get an address from the IP Pool.
 #      main_pool
 
@@ -581,6 +607,14 @@
        #  Uncomment the following line if you want to change attributes
        #  as defined in the preproxy_users file.
 #      files
+       
+       # operator_name adds Operator-Name value to Access-Request
+#      operator_name
+
+       #  cui_pre-proxy adds the NULL CUI value to Access-Request
+       #  thus making it a Chargeable-User-Identity request
+       #  uncomment the line below if *requesting* the CUI
+#      cui_pre-proxy
 
        #  Uncomment the following line if you want to filter requests
        #  sent to remote servers based on the rules defined in the
diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel freeradius-server-2.2.0/raddb/sites-available/inner-tunnel
--- freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel     2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/sites-available/inner-tunnel  2012-09-13 11:05:56.237168046 +0200
@@ -261,6 +261,12 @@
 #  Once we KNOW that the user has been authenticated, there are
 #  additional steps we can take.
 post-auth {
+       #  cui_postauth reacts to the Chargeable-User-Identity request
+       #  by adding the md5 hash created from a configurable local
+       #  salt (cui_hash_key) and the (inner) User-Name value
+       #  uncomment the line below if *returning* the CUI
+#      cui_postauth
+
        # Note that we do NOT assign IP addresses here.
        # If you try to assign IP addresses for EAP authentication types,
        # it WILL NOT WORK.  You MUST use DHCP.
diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf freeradius-server-2.2.0/raddb/sql/mysql/cui.conf
--- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf       2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/sql/mysql/cui.conf    2012-09-13 10:59:05.245170029 +0200
@@ -1,31 +1,55 @@
 # -*- text -*-
-
 ##
-##  Queries to update the CUI table.
+## cui.conf -- SQL - CUI queries
 ##
-postauth_query = "INSERT IGNORE INTO ${cui_table} \
-       (clientipaddress, callingstationid, username, cui, lastaccounting) \
-        VALUES \
-       ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}'";
+##      $Id$
+#
+#      This is a part of the  Chargeable-User-Identity module
+#      See doc/cui_howto.txt for more information
+
+
+#      postauth_query creates a temporary record remembering
+#      Client-IP-Address, Calling-Station-Id, User-Name,
+#      Chargeable-User-Identity.
+#      This information is used later to correlate accounting requests 
+#      with the information received in Access-Accept
+#
+       postauth_query = "INSERT IGNORE INTO ${cui_table} \
+               (clientipaddress, callingstationid, username, \
+               cui, lastaccounting) \
+                VALUES \
+               ('%{Client-IP-Address}', '%{Calling-Station-Id}', \
+               '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
+               ON DUPLICATE KEY UPDATE \
+               lastaccounting='0000-00-00 00:00:00', \
+               cui='%{reply:Chargeable-User-Identity}'";
+
+#      accounting_start_query and accounting_update_query are called
+#      by Accounting-Request Start or Interim Update.
+#      The appropriate temporary record is updates by entering
+#      the current time as the lastaccounting field.
+#      The value of lastaccounting can be used to clean up the database 
+#      from stale temporary records.
+#
+       accounting_start_query = "UPDATE ${cui_table} \
+               SET lastaccounting = CURRENT_TIMESTAMP \
+               WHERE clientipaddress = '%{Client-IP-Address}' \
+                AND callingstationid = '%{Calling-Station-Id}' \
+                AND username = '%{User-Name}' \
+               AND cui = '%{Chargeable-User-Identity}'";
 
-accounting_start_query = "UPDATE ${cui_table} \
-       SET \
-                lastaccounting = CURRENT_TIMESTAMP \
-       WHERE clientipaddress = '%{Client-IP-Address}' \
-        AND callingstationid = '%{Calling-Station-Id}' \
-        AND username = '%{User-Name}' \
-       AND cui = '%{Chargeable-User-Identity}'";
-  
-accounting_update_query = "UPDATE ${cui_table} \
-       SET \
-                lastaccounting = CURRENT_TIMESTAMP \
-       WHERE clientipaddress = '%{Client-IP-Address}' \
-        AND callingstationid = '%{Calling-Station-Id}' \
-        AND username = '%{User-Name}' \
-       AND cui = '%{Chargeable-User-Identity}'";
+       accounting_update_query = "UPDATE ${cui_table} \
+               SET lastaccounting = CURRENT_TIMESTAMP \
+               WHERE clientipaddress = '%{Client-IP-Address}' \
+                AND callingstationid = '%{Calling-Station-Id}' \
+                AND username = '%{User-Name}' \
+               AND cui = '%{Chargeable-User-Identity}'";
 
-accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
-       clientipaddress = '%{Client-IP-Address}' \
-       AND callingstationid = '%{Calling-Station-Id}' \
-       AND username = '%{User-Name}' \
-       AND cui = '%{Chargeable-User-Identity}'";
+#      accounting_stop_query is called by Accounting-Request Stop.
+#      It deletes the temporary record form the database.
+#
+       accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
+               clientipaddress = '%{Client-IP-Address}' \
+               AND callingstationid = '%{Calling-Station-Id}' \
+               AND username = '%{User-Name}' \
+               AND cui = '%{Chargeable-User-Identity}'";
diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql freeradius-server-2.2.0/raddb/sql/mysql/cui.sql
--- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql        2012-09-10 13:51:34.000000000 +0200
+++ freeradius-server-2.2.0/raddb/sql/mysql/cui.sql     2012-09-13 10:59:05.245170029 +0200
@@ -1,3 +1,7 @@
+#
+# Table structure for table 'cui'
+#
+#
 CREATE TABLE `cui` (
   `clientipaddress` varchar(15) NOT NULL default '',
   `callingstationid` varchar(50) NOT NULL default '',