Changes for version 3.0.26, bumped Alpine version to 3.17

oviserv · Mar 25, 2023 · 0e44318 · 0e44318
1 parent 37f121a
commit 0e44318
Show file tree

Hide file tree

Showing 6 changed files with 487 additions and 1 deletion.
diff --git a/docker/radiusd/Dockerfile b/docker/radiusd/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.17
 
 ARG TZ
 ARG RADIUS_HOST

diff --git a/docker/radiusd/scripts/patches/3.0.26/check-eap-tls.patch b/docker/radiusd/scripts/patches/3.0.26/check-eap-tls.patch
@@ -0,0 +1,37 @@
+--- /etc/raddb/sites-available/check-eap-tls.orig
++++ /etc/raddb/sites-available/check-eap-tls
+@@ -40,10 +40,31 @@
+ 	#
+ 	# By default, we just accept the request:
+ 	#
+-	update config {
+-		&Auth-Type := Accept
+-	}
++#	update config {
++#		&Auth-Type := Accept
++#	}
+
++	# At this place the certificate has been checked for validity
++	# The common name from the certificate is set as user name
++
++        update {
++                &request:User-Name := TLS-Client-Cert-Common-Name
++        }
++
++	# Check if the user name (common name) is available in the users (authorize) file
++        files
++
++	# Reject if the user name is not in the users file
++        if (ok) {
++                update config {
++                    &Auth-Type := Accept
++                }
++        }
++        else {
++                update config {
++                    &Auth-Type := Reject
++             }
++        }
+
+ 	#
+ 	# Check the client certificate matches a string, and reject otherwise
diff --git a/docker/radiusd/scripts/patches/3.0.26/default.patch b/docker/radiusd/scripts/patches/3.0.26/default.patch
@@ -0,0 +1,183 @@
+--- /etc/raddb/sites-available/default.orig
++++ default
+@@ -331,7 +331,7 @@
+ 	#
+ 	#  The chap module will set 'Auth-Type := CHAP' if we are
+ 	#  handling a CHAP request and Auth-Type has not already been set
+-	chap
++#	chap
+
+ 	#
+ 	#  If the users are logging in with an MS-CHAP-Challenge
+@@ -339,13 +339,13 @@
+ 	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+ 	#  to the request, which will cause the server to then use
+ 	#  the mschap module for authentication.
+-	mschap
++#	mschap
+
+ 	#
+ 	#  If you have a Cisco SIP server authenticating against
+ 	#  FreeRADIUS, uncomment the following line, and the 'digest'
+ 	#  line in the 'authenticate' section.
+-	digest
++#	digest
+
+ 	#
+ 	#  The WiMAX specification says that the Calling-Station-Id
+@@ -402,9 +402,9 @@
+ 	#  uncomment it as well; this will further reduce the number of
+ 	#  LDAP and/or SQL queries for TTLS or PEAP.
+ 	#
+-	-eap {
++	eap {
+ 		ok = return
+-#		updated = return
++		updated = return
+ 	}
+
+ 	#
+@@ -418,14 +418,14 @@
+ 	#
+ 	#  Read the 'users' file.  In v3, this is located in
+ 	#  raddb/mods-config/files/authorize
+-	files
++#	files
+
+ 	#
+ 	#  Look in an SQL database.  The schema of the database
+ 	#  is meant to mirror the "users" file.
+ 	#
+ 	#  See "Authorization Queries" in mods-available/sql
+-	-sql
++#	-sql
+
+ 	#
+ 	#  If you are using /etc/smbpasswd, and are also doing
+@@ -435,7 +435,7 @@
+
+ 	#
+ 	#  The ldap module reads passwords from the LDAP database.
+-	-ldap
++#	-ldap
+
+ 	#
+ 	#  If you're using Active Directory and PAP, then uncomment
+@@ -468,7 +468,7 @@
+ 	#  This module should be listed last, so that the other modules
+ 	#  get a chance to set Auth-Type for themselves.
+ 	#
+-	pap
++#	pap
+
+ 	#
+ 	#  If "status_server = yes", then Status-Server messages are passed
+@@ -522,6 +522,7 @@
+ #  Note that Auth-Type := Accept will NOT work with EAP.
+ #
+ #  Please do not put "unlang" configurations into the "authenticate"
++
+ #  section.  Put them in the "post-auth" section instead.  That's what
+ #  the post-auth section is for.
+ #
+@@ -530,35 +531,35 @@
+ 	#  PAP authentication, when a back-end database listed
+ 	#  in the 'authorize' section supplies a password.  The
+ 	#  password can be clear-text, or encrypted.
+-	Auth-Type PAP {
+-		pap
+-	}
++#	Auth-Type PAP {
++#		pap
++#	}
+
+ 	#
+ 	#  Most people want CHAP authentication
+ 	#  A back-end database listed in the 'authorize' section
+ 	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+ 	#  won't work.
+-	Auth-Type CHAP {
+-		chap
+-	}
++#	Auth-Type CHAP {
++#		chap
++#	}
+
+ 	#
+ 	#  MSCHAP authentication.
+-	Auth-Type MS-CHAP {
+-		mschap
+-	}
++#	Auth-Type MS-CHAP {
++#		mschap
++#	}
+
+ 	#
+ 	#  For old names, too.
+ 	#
+-	mschap
++#	mschap
+
+ 	#
+ 	#  If you have a Cisco SIP server authenticating against
+ 	#  FreeRADIUS, uncomment the following line, and the 'digest'
+ 	#  line in the 'authorize' section.
+-	digest
++#	digest
+
+ 	#
+ 	#  Pluggable Authentication Modules.
+@@ -584,7 +585,7 @@
+
+ 	#
+ 	#  Allow EAP authentication.
+-	-eap
++	eap
+
+ 	#
+ 	#  The older configurations sent a number of attributes in
+@@ -675,7 +676,7 @@
+ 	#  Update the wtmp file
+ 	#
+ 	#  If you don't use "radlast", you can delete this line.
+-	unix
++#	unix
+
+ 	#
+ 	#  For Simultaneous-Use tracking.
+@@ -696,7 +697,7 @@
+ 	#  Log traffic to an SQL database.
+ 	#
+ 	#  See "Accounting queries" in mods-available/sql
+-	-sql
++#	-sql
+
+ 	#
+ 	#  If you receive stop packets with zero session length,
+@@ -852,7 +853,7 @@
+ 	#  After authenticating the user, do another SQL query.
+ 	#
+ 	#  See "Authentication Logging Queries" in mods-available/sql
+-	-sql
++#	-sql
+
+ 	#
+ 	#  Un-comment the following if you want to modify the user's object
+@@ -963,7 +964,7 @@
+ 		# Insert EAP-Failure message if the request was
+ 		# rejected by policy instead of because of an
+ 		# authentication failure
+-		-eap
++		eap
+
+ 		#  Remove reply message if the response contains an EAP-Message
+ 		remove_reply_message_if_eap
+@@ -1120,7 +1121,7 @@
+ 	#  hidden inside of the EAP packet, and the end server will
+ 	#  reject the EAP request.
+ 	#
+-	-eap
++	eap
+
+ 	#
+ 	#  If the server tries to proxy a request and fails, then the