testing: Config changes for FreeRADIUS 3.0

Also includes some changes for jessie's version of FreeRADIUS 2 (was
previously a custom version).

Besides the move to a subdir the config files were adapted for 3.0.

The rlm_sim_files module was removed with FreeRADIUS 3 and Debian's
package of FreeRADIUS 2 does not ship it, so we now replicate it using
the files module (via users file, which is actually a symlink to
mods-config/files/authorize in the default installation of FreeRADIUS 3).
Another approach was tried using rlm_passwd, however, that module does
not read binary/hex data, only printable strings, which would require
changing the triplets.
For 2.x a hack in the site config is necessary to make the attributes
available to the EAP-SIM module.

Author: tobiasbrunner

testing/hosts/alice/etc/freeradius/3.0/clients.conf

@@ -0,0 +1,5 @@
+client moon {
+  ipaddr = 10.1.0.1
+  secret = gv6URkSs
+  require_message_authenticator = yes
+}

testing/hosts/alice/etc/freeradius/3.0/radiusd.conf

@@ -0,0 +1,99 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${sysconfdir}/raddb/certs
+cadir   = ${sysconfdir}/raddb/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  correct_escapes: use correct backslash escaping
+correct_escapes = true
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Logging section
+log {
+  destination = files
+  colourise = yes
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes
+  auth_badpass = yes
+  auth_goodpass = yes
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  SECURITY CONFIGURATION
+security {
+  user = freerad
+  group = freerad
+  allow_core_dumps = no
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+  auto_limit_acct = no
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/mods-enabled/
+}
+
+# Policies
+policy {
+  $INCLUDE policy.d/
+}
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/

testing/hosts/alice/etc/freeradius/radiusd.conf

@@ -101,8 +101,6 @@ thread pool {
 modules {
   $INCLUDE ${confdir}/modules/
   $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
 }
 
 # Instantiation

testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap

@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}

testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf

@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}

testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default

@@ -0,0 +1,56 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  suffix
+  files
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}

testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel

@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"

testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users

@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}