path: root/src/libcharon/plugins/eap_radius
Commit message | Author | Age | Files | Lines
* eap-radius: Optionally send Class attributes in RADIUS accounting messages | Tobias Brunner | 2017-11-02 | 3 | -21/+83
  If enabled, add the RADIUS Class attributes received in Access-Accept messages to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
  Fixes #2451.
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2017-08-07 | 1 | -1/+1
* Migrate all enumerators to venumerate() interface change | Tobias Brunner | 2017-05-26 | 1 | -4/+7
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 7 | -40/+40
* libhydra: Remove empty unused library | Tobias Brunner | 2016-03-03 | 1 | -1/+0
* eap-radius: Add ability to configure RADIUS retransmission behavior | Thom Troy | 2015-11-17 | 1 | -2/+58
  Closes strongswan/strongswan#19.
* eap-radius: Compare address family when handing out virtual IPs | Tobias Brunner | 2015-11-12 | 1 | -6/+26
  This also ensures that the actually released virtual IP is removed from the list of claimed IPs.
  Fixes #1199.
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address attributes | Tobias Brunner | 2015-08-28 | 1 | -1/+1
  Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes").
  References #1001.
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in accounting messages | Tobias Brunner | 2015-08-17 | 1 | -4/+2
  This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute.
  Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributes | Tobias Brunner | 2015-08-17 | 1 | -1/+10
  These are defined in RFC 6911.
  Fixes #1001.
* eap-radius: Don't send RADIUS Accounting Start messages twice | Tobias Brunner | 2015-08-06 | 1 | -0/+5
  If a client does Mode Config during reauthentication the assign_vips() event might be triggered twice, we should not send another Start message in that case.
  Fixes #937.
* eap-radius: Change trigger for Accounting Start messages for IKEv1 | Tobias Brunner | 2015-08-06 | 1 | -5/+12
  Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server.
  Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client.
  With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression.
  Fixes #937.
* eap-radius: Keep track of stats for SAs migrated during IKEv1 reauthentication | Tobias Brunner | 2015-05-21 | 1 | -88/+229
* eap-radius: Remove cache entries for expired SAs during ike/child_rekey | Tobias Brunner | 2015-05-21 | 1 | -0/+53
* eap-radius: Add cache for usage stats of expired/rekeyed SAs | Tobias Brunner | 2015-05-21 | 1 | -6/+102
  There are several situations that the previous code didn't handle that well, for example, interim updates during rekeying (until the rekeyed SA was deleted the numbers were too high, then suddenly dropped afterwards), or rekeying for IKEv1 in general because rekeyed IPsec SAs stay installed until they expire (so if they were still around when the IKE_SA was terminated, the reported numbers in the Stop message were too high).
  If intermediate updates are not used the cache entries for rekeyed CHILD_SA will accumulate, we can't clean them up as we don't get child_updown() events for them.
* eap-radius: Increase Acct-Session-ID string buffer | Martin Willi | 2015-03-13 | 1 | -1/+1
  As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers.
  Fixes #889.
* attribute-provider: Pass full IKE_SA to provider backends | Martin Willi | 2015-02-20 | 1 | -21/+3
* attributes: Move the configuration attributes framework to libcharon | Martin Willi | 2015-02-20 | 1 | -5/+5
* eap-radius: Use the single-server legacy server options as fallback | Martin Willi | 2014-12-12 | 1 | -3/+10
* eap-radius: Add option to set interval for interim accounting updates | Tobias Brunner | 2014-10-10 | 1 | -0/+10
  Any interval returned by the RADIUS server in the Access-Accept message overrides the configured interval. But it might be useful if RADIUS is only used for accounting.
* eap-radius: Forward Cisco and Microsoft specific DNS/NBNS attributes | Tobias Brunner | 2014-09-09 | 1 | -0/+50
  Fixes #677.
* eap-radius: Increase buffer for accounting attributes to maximum attribute size | Martin Willi | 2014-06-25 | 1 | -1/+1
  Fixes #624.
* payload: Use common prefixes for all payload type identifiers | Martin Willi | 2014-06-04 | 2 | -7/+7
  The old identifiers did not use a proper namespace and often clashed with other defines.
* plugins: Don't link with -rdynamic on Windows | Martin Willi | 2014-06-04 | 1 | -1/+1
* enum: Return boolean result for enum_from_name() lookup | Martin Willi | 2014-05-16 | 1 | -2/+1
  Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value.
  Further, this actually allows to convert real -1 enum values, which could not be distinguished from "not-found" and the -1 return value.
  This also fixes several clang warnings where enums are unsigned.
* Properly hash pointers for hash tables where appropriate | Tobias Brunner | 2014-03-31 | 1 | -20/+2
  Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates | Tobias Brunner | 2014-03-31 | 1 | -1/+6
  Fixes #528.
* libcharon: Use lib->ns instead of charon->name | Tobias Brunner | 2014-02-12 | 6 | -33/+33
* eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK | Tobias Brunner | 2013-10-11 | 1 | -0/+5
* eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes | Tobias Brunner | 2013-10-11 | 1 | -0/+93
  Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55) radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27) attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1) or a UNITY_LOCAL_LAN (if the value is 2).
  So if the following attributes would be configured for a RADIUS user
    CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
    CVPN3000-IPSec-Split-Tunneling-Policy := 1
  A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets would be sent to the client during the ModeCfg exchange.
* eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes | Tobias Brunner | 2013-10-11 | 1 | -3/+25
  The contents of the CVPN3000-IPSec-Default-Domain(28) and CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in the corresponding Unity configuration attributes.
* eap-radius: Increase buffer for attributes sent in RADIUS accounting messages | Tobias Brunner | 2013-09-27 | 1 | -1/+1
  64 bytes might be too short for user names/identities.
* eap-radius: support XAuth configuration profiles, defining multiple XAuth rounds | Martin Willi | 2013-09-03 | 1 | -22/+157
* xauth: add a configuration string option to be passed to XAuth instances | Martin Willi | 2013-09-03 | 2 | -2/+5
  The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend | Martin Willi | 2013-07-29 | 2 | -1/+5
* eap-radius: support plain XAuth RADIUS authentication using User-Password | Martin Willi | 2013-07-29 | 4 | -0/+253
* eap-radius: export function to build common attributes of Access-Request | Martin Willi | 2013-07-29 | 2 | -24/+39
* eap-radius: export function to process common attributes of Access-Accept | Martin Willi | 2013-07-29 | 2 | -31/+36
* eap-radius: use watcher instead of receiver thread on DAE socket | Martin Willi | 2013-07-18 | 1 | -11/+7
* automake: replace INCLUDES by AM_CPPFLAGS | Martin Willi | 2013-07-18 | 1 | -4/+7
  INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* eap-radius: fix add_attribute/framed_ip method signatures | Martin Willi | 2013-07-01 | 1 | -2/+2
* eap-radius: Do initialization in a plugin feature callback | Tobias Brunner | 2013-06-11 | 1 | -28/+47
* eap-radius: add an option to disable accounting for tunnels without virtual IP | Martin Willi | 2013-05-06 | 1 | -0/+30
* eap-radius: use IKE_SA unique id instead of peer identity to manage virtual IPs | Martin Willi | 2013-05-06 | 3 | -34/+100
  Fixes some corner cases if multiple tunnels use the same peer identity.
* fixed typo | Andreas Steffen | 2013-04-19 | 1 | -1/+1
* eap-radius: Add an option to exclude ports from Called/Calling-Station-Id | Martin Willi | 2013-04-10 | 2 | -9/+37
* Fixed Doxygen comment in eap_radius plugin | Tobias Brunner | 2013-03-27 | 1 | -2/+3
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2013-03-25 | 1 | -2/+2
* Removed unused variable 'id' | Tobias Brunner | 2013-03-19 | 1 | -2/+1
* Don't create interim update entries if RADIUS accounting is disabled | Martin Willi | 2013-03-14 | 2 | -7/+7