Date:      Wed, 5 Feb 2014 16:37:53 +0000 (UTC)
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r342768 - in head/net/freeradius3: . files
Message-ID:  <201402051637.s15GbrYk030404@svn.freebsd.org>

Author: zi
Date: Wed Feb  5 16:37:52 2014
New Revision: 342768
URL: http://svnweb.freebsd.org/changeset/ports/342768
QAT: https://qat.redports.org/buildarchive/r342768/

Log:
  - More rlm_krb5 fixes
  - Add Cisco ASA dictionary file
  - Bump PORTREVISION

Added:
  head/net/freeradius3/files/dictionary.cisco.asa   (contents, props changed)
Modified:
  head/net/freeradius3/Makefile
  head/net/freeradius3/files/patch-rlm_krb5
  head/net/freeradius3/pkg-plist

Modified: head/net/freeradius3/Makefile
==============================================================================
--- head/net/freeradius3/Makefile	Wed Feb  5 16:34:47 2014	(r342767)
+++ head/net/freeradius3/Makefile	Wed Feb  5 16:37:52 2014	(r342768)
@@ -3,7 +3,7 @@
 
 PORTNAME=	freeradius
 DISTVERSION=	3.0.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \
 		ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \
@@ -86,7 +86,7 @@ ${UNIQUENAME}_SET+=	KERBEROS
 .if ${PORT_OPTIONS:MHEIMDAL_PORT}
 LIB_DEPENDS+=	krb5:${PORTSDIR}/security/heimdal
 .endif
-CONFIGURE_ARGS+=--enable-heimdal-krb5
+CONFIGURE_ARGS+=--enable-heimdal-krb5 --enable-pthread-support
 .else
 LIB_DEPENDS+=	krb5:${PORTSDIR}/security/krb5
 .endif
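Review bot: The added `--enable-pthread-support` on the `CONFIGURE_ARGS+=` line is the option that the rlm_krb5.c patch in this same commit names as the way to rebuild Heimdal's libkrb5 with threads, and nothing visible here shows that FreeRADIUS's own configure scripts consume it. The line also sits after the `.endif` of the `HEIMDAL_PORT` test, so it applies to base-system Heimdal as well as security/heimdal. If it is a configure option of this port, a one-line comment such as `# rlm_krb5 configure switch; libkrb5 itself must already be thread-safe` would record that. If it is not, the new run-time check in rlm_krb5.c is what decides, and the flag can be dropped.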
@@ -201,23 +201,6 @@ PLIST_SUB+=	RLMRUBY="@comment "
 EXPM=		yes
 .endif
 
-# No SMB option yet; rlm_smb is still unbuildable
-.if ${PORT_OPTIONS:MSMB}
-LIB_DEPENDS=	smbclient:${PORTSDIR}/net/samba-libsmbclient
-CONFIGURE_ARGS+=--with-rlm_smb
-CONFIGURE_ARGS+=--with-rlm-smb-lib-dir=${LOCALBASE}/lib
-CONFIGURE_ARGS+=--with-rlm-smb-include-dir=${LOCALBASE}/include
-PLIST_SUB+=	SMB=""
-.else
-CONFIGURE_ARGS+=--without-rlm_smb
-PLIST_SUB+=	SMB="@comment "
-.endif
-
-# SMB module is still experimental
-.if ${PORT_OPTIONS:MSMB} && empty(PORT_OPTIONS:MEXPERIMENTAL)
-EXPM=		yes
-.endif
-
 .if ${PORT_OPTIONS:MREDIS}
 LIB_DEPENDS+=	hiredis:${PORTSDIR}/databases/hiredis
 CONFIGURE_ARGS+=--with-rlm_redis --with-rlm_rediswho
@@ -412,6 +395,7 @@ pre-install:
 		PRE-INSTALL
 
 post-install:
+	@${INSTALL_DATA} ${FILESDIR}/dictionary.cisco.asa ${DATADIR}
 # If ${PREFIX}/etc/raddb isn't a directory (or a symlink), make a copy
 # of ${EXAMPLESDIR}/raddb as ${PREFIX}/etc/raddb, then bootstrap the
 # certificates
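Review bot: The new `@${INSTALL_DATA} ${FILESDIR}/dictionary.cisco.asa ${DATADIR}` line only copies the file. Nothing visible in this commit adds a `$INCLUDE dictionary.cisco.asa` to the master dictionary in `${DATADIR}`, so the server may never load the Cisco-ASA attributes unless the administrator adds that line by hand. A comment above the command would make this explicit, for example `# Shipped from FILESDIR; needs "$INCLUDE dictionary.cisco.asa" in the dictionary to be loaded` (adjust if the include is handled elsewhere). The leading `@` also hides the command in build logs, which makes a failed install harder to trace. The post-install recipe continues outside the hunk.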

Added: head/net/freeradius3/files/dictionary.cisco.asa
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/freeradius3/files/dictionary.cisco.asa	Wed Feb  5 16:37:52 2014	(r342768)
@@ -0,0 +1,369 @@
+# -*- text -*-
+# Copyright (C) 2013 The FreeRADIUS Server project and contributors
+#
+#        Cisco Adaptative Security Appliance (ASA) Dictionary
+#
+#       http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187
+#
+#       $Id$
+#
+
+VENDOR		Cisco-ASA			3076
+
+BEGIN-VENDOR	Cisco-ASA
+
+ATTRIBUTE	ASA-Simultaneous-Logins			2	integer
+ATTRIBUTE	ASA-Primary-DNS				5	string
+ATTRIBUTE	ASA-Secondary-DNS			6	string
+ATTRIBUTE	ASA-Primary-WINS			7	string
+ATTRIBUTE	ASA-Secondary-WINS			8	string
+ATTRIBUTE	ASA-SEP-Card-Assignment			9	integer
+ATTRIBUTE	ASA-Tunneling-Protocols			11	integer
+ATTRIBUTE	ASA-IPsec-Sec-Association		12	string
+ATTRIBUTE	ASA-IPsec-Authentication		13	integer
+ATTRIBUTE	ASA-Banner1				15	string
+ATTRIBUTE	ASA-IPsec-Allow-Passwd-Store		16	integer
+ATTRIBUTE	ASA-Use-Client-Address			17	integer
+ATTRIBUTE	ASA-PPTP-Encryption			20	integer
+ATTRIBUTE	ASA-L2TP-Encryption			21	integer
+ATTRIBUTE	ASA-Group-Policy			25	string
+ATTRIBUTE	ASA-IPsec-Split-Tunnel-List		27	string
+ATTRIBUTE	ASA-IPsec-Default-Domain		28	string
+ATTRIBUTE	ASA-IPsec-Split-DNS-Names		29	string
+ATTRIBUTE	ASA-IPsec-Tunnel-Type			30	integer
+ATTRIBUTE	ASA-IPsec-Mode-Config			31	integer
+ATTRIBUTE	ASA-IPsec-Over-UDP			34	integer
+ATTRIBUTE	ASA-IPsec-Over-UDP-Port			35	integer
+ATTRIBUTE	ASA-Banner2				36	string
+ATTRIBUTE	ASA-PPTP-MPPC-Compression		37	integer
+ATTRIBUTE	ASA-L2TP-MPPC-Compression		38	integer
+ATTRIBUTE	ASA-IPsec-IP-Compression		39	integer
+ATTRIBUTE	ASA-IPsec-IKE-Peer-ID-Check		40	integer
+ATTRIBUTE	ASA-IKE-Keep-Alives			41	integer
+ATTRIBUTE	ASA-IPsec-Auth-On-Rekey			42	integer
+ATTRIBUTE	ASA-Required-Client-Firewall-Vendor-Code 45	integer
+ATTRIBUTE	ASA-Required-Client-Firewall-Product-Code 46	integer
+ATTRIBUTE	ASA-Required-Client-Firewall-Description 47	string
+ATTRIBUTE	ASA-Require-HW-Client-Auth		48	integer
+ATTRIBUTE	ASA-Required-Individual-User-Auth	49	integer
+ATTRIBUTE	ASA-Authenticated-User-Idle-Timeout	50	integer
+ATTRIBUTE	ASA-Cisco-IP-Phone-Bypass		51	integer
+ATTRIBUTE	ASA-IPsec-Split-Tunneling-Policy	55	integer
+ATTRIBUTE	ASA-IPsec-Required-Client-Firewall-Capability 56	integer
+ATTRIBUTE	ASA-IPsec-Client-Firewall-Filter-Name	57	string
+ATTRIBUTE	ASA-IPsec-Client-Firewall-Filter-Optional 58	integer
+ATTRIBUTE	ASA-IPsec-Backup-Servers		59	integer
+ATTRIBUTE	ASA-IPsec-Backup-Server-List		60	string
+ATTRIBUTE	ASA-DHCP-Network-Scope			61	string
+ATTRIBUTE	ASA-Intercept-DHCP-Configure-Msg	62	integer
+ATTRIBUTE	ASA-MS-Client-Subnet-Mask		63	integer
+ATTRIBUTE	ASA-Allow-Network-Extension-Mode	64	integer
+ATTRIBUTE	ASA-Authorization-Type			65	integer
+ATTRIBUTE	ASA-Authorization-Required		66	integer
+ATTRIBUTE	ASA-Authorization-DN-Field		67	string
+ATTRIBUTE	ASA-Authorization-DN-Field		67	string
+ATTRIBUTE	ASA-IKE-KeepAlive-Confidence-Interval	68	integer
+ATTRIBUTE	ASA-WebVPN-Content-Filter-Parameters	69	integer
+ATTRIBUTE	ASA-WebVPN-HTML-Filter			69	integer
+ATTRIBUTE	ASA-WebVPN-URL-List			71	string
+ATTRIBUTE	ASA-WebVPN-Port-Forwarding-List		72	string
+ATTRIBUTE	ASA-WebVPN-Access-List			73	string
+ATTRIBUTE	ASA-WebVPNACL				73	string
+ATTRIBUTE	ASA-WebVPN-HTTP-Proxy-IP-Address	74	string
+ATTRIBUTE	ASA-Cisco-LEAP-Bypass			75	integer
+ATTRIBUTE	ASA-WebVPN-Default-Homepage		76	string
+ATTRIBUTE	ASA-Client-Type-Version-Limiting	77	string
+ATTRIBUTE	ASA-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List	78	string
+ATTRIBUTE	ASA-WebVPN-Port-Forwarding-Name		79	string
+ATTRIBUTE	ASA-IE-Proxy-Server			80	string
+ATTRIBUTE	ASA-IE-Proxy-Server-Policy		81	integer
+ATTRIBUTE	ASA-IE-Proxy-Exception-List		82	string
+ATTRIBUTE	ASA-IE-Proxy-Bypass-Local		83	integer
+ATTRIBUTE	ASA-IKE-Keepalive-Retry-Interval	84	integer
+ATTRIBUTE	ASA-Tunnel-Group-Lock			85	string
+ATTRIBUTE	ASA-Access-List-Inbound			86	string
+ATTRIBUTE	ASA-Access-List-Outbound		87	string
+ATTRIBUTE	ASA-Perfect-Forward-Secrecy-Enable	88	integer
+ATTRIBUTE	ASA-NAC-Enable				89	integer
+ATTRIBUTE	ASA-NAC-Status-Query-Timer		90	integer
+ATTRIBUTE	ASA-NAC-Revalidation-Timer		91	integer
+ATTRIBUTE	ASA-NAC-Default-ACL			92	string
+ATTRIBUTE	ASA-WebVPN-URL-Entry-Enable		93	integer
+ATTRIBUTE	ASA-WebVPN-File-Access-Enable		94	integer
+ATTRIBUTE	ASA-WebVPN-File-Server-Entry-Enable	95	integer
+ATTRIBUTE	ASA-WebVPN-File-Server-Browsing-Enable	96	integer
+ATTRIBUTE	ASA-WebVPN-Port-Forwarding-Enable	97	integer
+ATTRIBUTE	ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable 98	integer
+ATTRIBUTE	ASA-WebVPN-Port-Forwarding-HTTP-Proxy	99	integer
+ATTRIBUTE	ASA-WebVPN-Citrix-Metaframe-Enable	101	integer
+ATTRIBUTE	ASA-WebVPN-Apply-ACL			102	integer
+ATTRIBUTE	ASA-WebVPN-SSL-VPN-Client-Enable	103	integer
+ATTRIBUTE	ASA-WebVPN-SSL-VPN-Client-Required	104	integer
+ATTRIBUTE	ASA-WebVPN-SSL-VPN-Client-Keep-Installation 105	integer
+ATTRIBUTE	ASA-SVC-Keepalive			107	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Keepalive-Frequency	107	integer
+ATTRIBUTE	ASA-SVC-DPD-Interval-Client		108	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Client-DPD-Frequency	108	integer
+ATTRIBUTE	ASA-SVC-DPD-Interval-Gateway		109	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Gateway-DPD-Frequency	109	integer
+ATTRIBUTE	ASA-SVC-Rekey-Time			110	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Rekey-Time		110	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Rekey-Method		111	integer
+ATTRIBUTE	ASA-WebVPN-SVC-Compression		112	integer
+ATTRIBUTE	ASA-WebVPN-Customization		113	string
+ATTRIBUTE	ASA-WebVPN-SSO-Server-Name		114	string
+ATTRIBUTE	ASA-WebVPN-Deny-Message			116	string
+ATTRIBUTE	ASA-WebVPN-HTTP-Compression		120	integer
+ATTRIBUTE	ASA-WebVPN-Keepalive-Ignore		121	integer
+ATTRIBUTE	ASA-Extended-Authentication-On-Rekey	122	integer
+ATTRIBUTE	ASA-SVC-DTLS				123	integer
+ATTRIBUTE	ASA-WebVPN-SVC-DTLS-Enable		123	integer
+ATTRIBUTE	ASA-WebVPN-Auto-HTTP-Signon		124	string
+ATTRIBUTE	ASA-SVC-MTU				125	integer
+ATTRIBUTE	ASA-WebVPN-SVC-DTLS-MTU			125	integer
+ATTRIBUTE	ASA-WebVPN-Hidden-Shares		126	integer
+ATTRIBUTE	ASA-SVC-Modules				127	string
+ATTRIBUTE	ASA-SVC-Profiles			128	string
+ATTRIBUTE	ASA-SVC-Ask				131	integer
+ATTRIBUTE	ASA-SVC-Ask-Timeout			132	integer
+ATTRIBUTE	ASA-IE-Proxy-PAC-URL			133	string
+ATTRIBUTE	ASA-Strip-Realm				135	integer
+ATTRIBUTE	ASA-Smart-Tunnel			136	string
+ATTRIBUTE	ASA-WebVPN-Smart-Tunnel			136	string
+ATTRIBUTE	ASA-WebVPN-ActiveX-Relay		137	integer
+ATTRIBUTE	ASA-Smart-Tunnel-Auto			138	integer
+ATTRIBUTE	ASA-WebVPN-Smart-Tunnel-Auto-Start	138	integer
+ATTRIBUTE	ASA-Smart-Tunnel-Auto-Signon-Enable	139	string
+ATTRIBUTE	ASA-WebVPN-Smart-Tunnel-Auto-Sign-On	139	string
+ATTRIBUTE	ASA-VLAN				140	integer
+ATTRIBUTE	ASA-NAC-Settings			141	string
+ATTRIBUTE	ASA-Member-Of				145	string
+ATTRIBUTE	ASA-TunnelGroupName			146	string
+ATTRIBUTE	ASA-WebVPN-Idle-Timeout-Alert-Interval	148	integer
+ATTRIBUTE	ASA-WebVPN-Session-Timeout-Alert-Interval 149	integer
+ATTRIBUTE	ASA-ClientType				150	integer
+ATTRIBUTE	ASA-SessionType				151	integer
+ATTRIBUTE	ASA-SessionSubtype			152	integer
+ATTRIBUTE	ASA-WebVPN-Download_Max-Size		157	integer
+ATTRIBUTE	ASA-WebVPN-Upload-Max-Size		158	integer
+ATTRIBUTE	ASA-WebVPN-Post-Max-Size		159	integer
+ATTRIBUTE	ASA-WebVPN-User-Storage			160	string
+ATTRIBUTE	ASA-WebVPN-Storage-Objects		161	string
+ATTRIBUTE	ASA-WebVPN-Storage-Key			162	string
+ATTRIBUTE	ASA-WebVPN-VDI				163	string
+ATTRIBUTE	ASA-Address-Pools			217	string
+ATTRIBUTE	ASA-IPv6-Address-Pools			218	string
+ATTRIBUTE	ASA-IPv6-VPN-Filter			219	string
+ATTRIBUTE	ASA-Privilege-Level			220	integer
+ATTRIBUTE	ASA-WebVPN-UNIX-User-ID			221	integer
+ATTRIBUTE	ASA-WebVPN-UNIX-Group-ID		222	integer
+ATTRIBUTE	ASA-WebVPN-Macro-Substitution-Value1	223	string
+ATTRIBUTE	ASA-WebVPN-Macro-Substitution-Value2	224	string
+ATTRIBUTE	ASA-WebVPNSmart-Card-Removal-Disconnect	225	integer
+ATTRIBUTE	ASA-WebVPN-Smart-Tunnel-Tunnel-Policy	227	string
+ATTRIBUTE	ASA-WebVPN-Home-Page-Use-Smart-Tunnel	228	integer
+
+VALUE	ASA-Authorization-Required	No			0
+VALUE	ASA-Authorization-Required	Yes			1
+
+VALUE	ASA-Authorization-Type		None			0
+VALUE	ASA-Authorization-Type		Radius			1
+VALUE	ASA-Authorization-Type		LDAP			2
+
+VALUE	ASA-Cisco-IP-Phone-Bypass	Disabled		0
+VALUE	ASA-Cisco-IP-Phone-Bypass	Enabled			1
+
+VALUE	ASA-Cisco-LEAP-Bypass		Disabled		0
+VALUE	ASA-Cisco-LEAP-Bypass		Enabled			1
+
+VALUE	ASA-ClientType			Cisco-VPN-Client-IKEv1	1
+VALUE	ASA-ClientType			AnyConnect-Client-SSL-VPN 2
+VALUE	ASA-ClientType			Clientless-SSL-VPN	3
+VALUE	ASA-ClientType			Cut-Through-Proxy	4
+VALUE	ASA-ClientType			L2TP/IPsec-SSL-VPN	5
+VALUE	ASA-ClientType			AnyConnect-Client-IPSec-VPN-IKEv2 6
+
+VALUE	ASA-Extended-Authentication-On-Rekey Disabled		0
+VALUE	ASA-Extended-Authentication-On-Rekey Enabled		1
+
+VALUE	ASA-IE-Proxy-Bypass-Local	None			0
+VALUE	ASA-IE-Proxy-Bypass-Local	Local			1
+
+VALUE	ASA-IE-Proxy-Server-Policy	No-Modify		1
+VALUE	ASA-IE-Proxy-Server-Policy	No-Proxy		2
+VALUE	ASA-IE-Proxy-Server-Policy	Auto-detect		3
+VALUE	ASA-IE-Proxy-Server-Policy	Use-Concentrator-Setting 4
+
+VALUE	ASA-IKE-Keep-Alives		Disabled		0
+VALUE	ASA-IKE-Keep-Alives		Enabled			1
+
+VALUE	ASA-Allow-Network-Extension-Mode Disabled		0
+VALUE	ASA-Allow-Network-Extension-Mode Enabled		1
+
+VALUE	ASA-Intercept-DHCP-Configure-Msg Disabled		0
+VALUE	ASA-Intercept-DHCP-Configure-Msg Enabled		1
+
+VALUE	ASA-IPsec-Allow-Passwd-Store	Disabled		0
+VALUE	ASA-IPsec-Allow-Passwd-Store	Enabled			1
+
+VALUE	ASA-IPsec-Authentication	None			0
+VALUE	ASA-IPsec-Authentication	RADIUS			1
+VALUE	ASA-IPsec-Authentication	LDAP-Authorization-only	2
+VALUE	ASA-IPsec-Authentication	NT-Domain		3
+VALUE	ASA-IPsec-Authentication	SDI			4
+VALUE	ASA-IPsec-Authentication	Internal		5
+VALUE	ASA-IPsec-Authentication	RADIUS-with-Expiry	6
+VALUE	ASA-IPsec-Authentication	Kerberos/Active-Directory 7
+
+VALUE	ASA-IPsec-Auth-On-Rekey		Disabled		0
+VALUE	ASA-IPsec-Auth-On-Rekey		Enabled			1
+
+VALUE	ASA-IPsec-Backup-Servers	Use-Client-Configured-List 1
+VALUE	ASA-IPsec-Backup-Servers	Disable-and-clear-client-list 2
+VALUE	ASA-IPsec-Backup-Servers	Use-Backup-Server-List	3
+
+VALUE	ASA-IPsec-Client-Firewall-Filter-Optional Required	0
+VALUE	ASA-IPsec-Client-Firewall-Filter-Optional Optional	1
+
+VALUE	ASA-IPsec-IKE-Peer-ID-Check	Required		1
+VALUE	ASA-IPsec-IKE-Peer-ID-Check	If-Supported-By-Peer-Certificate 2
+VALUE	ASA-IPsec-IKE-Peer-ID-Check	Do-Not-Check		3
+
+VALUE	ASA-IPsec-IP-Compression	Disabled		0
+VALUE	ASA-IPsec-IP-Compression	Enabled			1
+
+VALUE	ASA-IPsec-Mode-Config		Disabled		0
+VALUE	ASA-IPsec-Mode-Config		Enabled			1
+
+VALUE	ASA-IPsec-Over-UDP		Disabled		0
+VALUE	ASA-IPsec-Over-UDP		Enabled			1
+
+VALUE	ASA-IPsec-Required-Client-Firewall-Capability None	0
+VALUE	ASA-IPsec-Required-Client-Firewall-Capability Policy-Remotely-Defined 1
+VALUE	ASA-IPsec-Required-Client-Firewall-Capability Policy-Pushed 2
+VALUE	ASA-IPsec-Required-Client-Firewall-Capability Policy-from-Server 4
+
+VALUE	ASA-IPsec-Split-Tunneling-Policy No-Split-Tunneling	0
+VALUE	ASA-IPsec-Split-Tunneling-Policy Split-Tunneling	1
+VALUE	ASA-IPsec-Split-Tunneling-Policy Local-LAN-Permitted	2
+
+VALUE	ASA-IPsec-Tunnel-Type		LAN-to-LAN		1
+VALUE	ASA-IPsec-Tunnel-Type		Remote-Access		2
+
+VALUE	ASA-L2TP-MPPC-Compression	Disabled		0
+VALUE	ASA-L2TP-MPPC-Compression	Enabled			1
+
+VALUE	ASA-NAC-Enable			No			0
+VALUE	ASA-NAC-Enable			Yes			1
+
+VALUE	ASA-Perfect-Forward-Secrecy-Enable No			0
+VALUE	ASA-Perfect-Forward-Secrecy-Enable Yes			1
+
+VALUE	ASA-PPTP-MPPC-Compression	Disabled		0
+VALUE	ASA-PPTP-MPPC-Compression	Enabled			1
+
+VALUE	ASA-Required-Client-Firewall-Vendor-Code Cisco-CIC	1
+VALUE	ASA-Required-Client-Firewall-Vendor-Code Zone-Labs	2
+VALUE	ASA-Required-Client-Firewall-Vendor-Code NetworkICE	3
+VALUE	ASA-Required-Client-Firewall-Vendor-Code Sygate		4
+VALUE	ASA-Required-Client-Firewall-Vendor-Code Cisco-IPSA	5
+
+VALUE	ASA-Required-Individual-User-Auth Disabled		0
+VALUE	ASA-Required-Individual-User-Auth Enabled		1
+
+VALUE	ASA-Require-HW-Client-Auth	Disabled		0
+VALUE	ASA-Require-HW-Client-Auth	Enabled			1
+
+VALUE	ASA-SessionSubtype		None			0
+VALUE	ASA-SessionSubtype		Clientless		1
+VALUE	ASA-SessionSubtype		Client			2
+VALUE	ASA-SessionSubtype		Client-Only		3
+
+VALUE	ASA-SessionType			None			0
+VALUE	ASA-SessionType			AnyConnect-Client-SSL-VPN 1
+VALUE	ASA-SessionType			AnyConnect-Client-IPSec-VPN/IKEv2 2
+VALUE	ASA-SessionType			Clientless-SSL-VPN	3
+VALUE	ASA-SessionType			Clientless-Email-Proxy	4
+VALUE	ASA-SessionType			Cisco-VPN-Client/IKEv1	5
+VALUE	ASA-SessionType			IKEv1-LAN-to-LAN	6
+VALUE	ASA-SessionType			IKEv2-LAN-to-LAN	7
+VALUE	ASA-SessionType			VPN-Load-Balancing	8
+
+VALUE	ASA-Smart-Tunnel-Auto		Disabled		0
+VALUE	ASA-Smart-Tunnel-Auto		Enabled			1
+VALUE	ASA-Smart-Tunnel-Auto		AutoStart		2
+
+VALUE	ASA-Strip-Realm			Disabled		0
+VALUE	ASA-Strip-Realm			Enabled			1
+
+VALUE	ASA-SVC-Ask			Disabled		0
+VALUE	ASA-SVC-Ask			Enabled			1
+VALUE	ASA-SVC-Ask			Enable-Default-Service	3
+VALUE	ASA-SVC-Ask			Enable-Default-Clientless 5
+
+VALUE	ASA-SVC-DTLS			FALSE			0
+VALUE	ASA-SVC-DTLS			TRUE			1
+
+VALUE	ASA-Use-Client-Address		Disabled		0
+VALUE	ASA-Use-Client-Address		Enabled			1
+
+VALUE	ASA-WebVPN-Apply-ACL		Disabled		0
+VALUE	ASA-WebVPN-Apply-ACL		Enabled			1
+
+VALUE	ASA-WebVPN-Citrix-Metaframe-Enable Disabled		0
+VALUE	ASA-WebVPN-Citrix-Metaframe-Enable Enabled		1
+
+VALUE	ASA-WebVPN-File-Access-Enable	Disabled		0
+VALUE	ASA-WebVPN-File-Access-Enable	Enabled			1
+
+VALUE	ASA-WebVPN-File-Server-Browsing-Enable Disabled		0
+VALUE	ASA-WebVPN-File-Server-Browsing-Enable Enabled		1
+
+VALUE	ASA-WebVPN-File-Server-Entry-Enable Disabled		0
+VALUE	ASA-WebVPN-File-Server-Entry-Enable Enabled		1
+
+VALUE	ASA-WebVPN-Hidden-Shares	None			0
+VALUE	ASA-WebVPN-Hidden-Shares	Visible			1
+
+VALUE	ASA-WebVPN-HTTP-Compression	Off			0
+VALUE	ASA-WebVPN-HTTP-Compression	Deflate-Compression	1
+
+VALUE	ASA-WebVPN-Port-Forwarding-Enable Disabled		0
+VALUE	ASA-WebVPN-Port-Forwarding-Enable Enabled		1
+
+VALUE	ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Disabled 0
+VALUE	ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Enabled 1
+
+VALUE	ASA-WebVPN-Port-Forwarding-HTTP-Proxy Disabled		0
+VALUE	ASA-WebVPN-Port-Forwarding-HTTP-Proxy Enabled		1
+
+VALUE	ASA-WebVPNSmart-Card-Removal-Disconnect Disabled	0
+VALUE	ASA-WebVPNSmart-Card-Removal-Disconnect Enabled		1
+
+VALUE	ASA-WebVPN-Smart-Tunnel-Auto-Start Disabled		0
+VALUE	ASA-WebVPN-Smart-Tunnel-Auto-Start Enabled		1
+VALUE	ASA-WebVPN-Smart-Tunnel-Auto-Start AutoStart		2
+
+VALUE	ASA-WebVPN-SSL-VPN-Client-Enable Disabled		0
+VALUE	ASA-WebVPN-SSL-VPN-Client-Enable Enabled		1
+
+VALUE	ASA-WebVPN-SSL-VPN-Client-Keep-Installation Disabled	0
+VALUE	ASA-WebVPN-SSL-VPN-Client-Keep-Installation Enabled	1
+
+VALUE	ASA-WebVPN-SSL-VPN-Client-Required Disabled		0
+VALUE	ASA-WebVPN-SSL-VPN-Client-Required Enabled		1
+
+VALUE	ASA-WebVPN-SVC-DTLS-Enable	Disabled		0
+VALUE	ASA-WebVPN-SVC-DTLS-Enable	Enabled			1
+
+VALUE	ASA-WebVPN-SVC-Rekey-Method	Off			0
+VALUE	ASA-WebVPN-SVC-Rekey-Method	SSL			1
+VALUE	ASA-WebVPN-SVC-Rekey-Method	New-Tunnel		2
+
+VALUE	ASA-WebVPN-SVC-Compression	Off			0
+VALUE	ASA-WebVPN-SVC-Compression	Deflate-Compression	1
+
+VALUE	ASA-WebVPN-URL-Entry-Enable	Disabled		0
+VALUE	ASA-WebVPN-URL-Entry-Enable	Enabled			1
+
+END-VENDOR      Cisco-ASA

Modified: head/net/freeradius3/files/patch-rlm_krb5
==============================================================================
--- head/net/freeradius3/files/patch-rlm_krb5	Wed Feb  5 16:34:47 2014	(r342767)
+++ head/net/freeradius3/files/patch-rlm_krb5	Wed Feb  5 16:37:52 2014	(r342768)
@@ -1,5 +1,5 @@
 --- ./src/modules/rlm_krb5/configure.orig	2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/configure	2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/configure	2014-02-05 08:27:14.000000000 -0500
 @@ -1468,6 +1468,73 @@
  
  } # ac_fn_c_try_link
@@ -728,7 +728,7 @@
  
  
 --- ./src/modules/rlm_krb5/configure.ac.orig	2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/configure.ac	2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/configure.ac	2014-02-05 08:27:14.000000000 -0500
 @@ -31,9 +31,9 @@
  	dnl #
  	if test "$krb5_config" != 'not-found'; then
@@ -777,13 +777,13 @@
  AC_SUBST(mod_ldflags)
  AC_SUBST(mod_cflags)
 --- ./src/modules/rlm_krb5/krb5.c.orig	2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/krb5.c	2014-02-03 14:47:32.000000000 -0500
++++ ./src/modules/rlm_krb5/krb5.c	2014-02-05 08:27:22.000000000 -0500
 @@ -15,19 +15,19 @@
   */
  
  /**
 - * $Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $
-+ * $Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $
++ * $Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $
   * @file krb5.h
   * @brief Context management functions for rlm_krb5
   *
@@ -791,7 +791,7 @@
   * @copyright 2013  Arran Cudbard-Bell <a.cudbardb@freeradius.org>
   */
 -RCSID("$Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $")
-+RCSID("$Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $")
++RCSID("$Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $")
  
  #include <freeradius-devel/radiusd.h>
  #include "krb5.h"
@@ -806,26 +806,67 @@
  		ret = fr_thread_local_set(krb5_error_buffer, buffer);
  		if (ret != 0) {
 -			ERROR("Failed setting up TLS for krb5 error buffer: %s", fr_syserror(ret));
-+			ERROR("Failed setting up TLS for krb5 error buffer.");
++			ERROR("Failed setting up TLS for krb5 error buffer: %s", strerror(ret));
  			free(buffer);
  			return NULL;
  		}
-@@ -69,7 +69,13 @@
+@@ -69,7 +69,18 @@
  	msg = krb5_get_error_message(context, code);
  	if (msg) {
  		strlcpy(buffer, msg, KRB5_STRERROR_BUFSIZE);
 +#ifdef HAVE_KRB5_FREE_ERROR_MESSAGE
  		krb5_free_error_message(context, msg);
 +#elif defined(HAVE_KRB5_FREE_ERROR_STRING)
-+		krb5_free_error_string(context, msg);
++		{
++			char *free;
++
++			memcpy(&free, &msg, sizeof(free));
++			krb5_free_error_string(context, free);
++		}
 +#else
 +#  error "No way to free error strings, missing krb5_free_error_message() and krb5_free_error_string()"
 +#endif
  	} else {
  		strlcpy(buffer, "Unknown error", KRB5_STRERROR_BUFSIZE);
  	}
+@@ -102,6 +113,13 @@
+ 	if (conn->keytab) {
+ 		krb5_kt_close(conn->context, conn->keytab);
+ 	}
++
++#ifdef HEIMDAL_KRB5
++	if (conn->ccache) {
++		krb5_cc_destroy(conn->context, conn->ccache);
++	}
++#endif
++
+ 	return 0;
+ }
+ 
+@@ -140,14 +158,13 @@
+ 	}
+ 
+ #ifdef HEIMDAL_KRB5
+-	/*
+-	 *	Setup krb5_verify_user options
+-	 *
+-	 *	Not entirely sure this is necessary, but as we use context
+-	 *	to get the cache handle, we probably do have to do this with
+-	 *	the cloned context.
+-	 */
+-	krb5_cc_default(conn->context, &conn->ccache);
++	ret = krb5_cc_new_unique(conn->context, "MEMORY", NULL, &conn->ccache);
++	if (ret) {
++		ERROR("rlm_krb5 (%s): Credential cache creation failed: %s", inst->xlat_name,
++		      rlm_krb5_error(conn->context, ret));
++
++		return NULL;
++	}
+ 
+ 	krb5_verify_opt_init(&conn->options);
+ 	krb5_verify_opt_set_ccache(&conn->options, conn->ccache);
 --- ./src/modules/rlm_krb5/krb5.h.orig	2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/krb5.h	2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/krb5.h	2014-02-05 08:27:14.000000000 -0500
 @@ -15,14 +15,14 @@
   */
  
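Review bot: The local `char *free;` in the `HAVE_KRB5_FREE_ERROR_STRING` branch shadows the C library `free()` for that block, which is easy to misread next to the `free(buffer)` call a few lines earlier in the same file. A neutral name such as `char *msg_nc;` avoids the shadowing. A short comment that the `memcpy` appears to exist only to drop the qualifier from `msg` would explain the idiom. Separately, the new `return NULL;` after a failed `krb5_cc_new_unique()` leaves whatever `conn` already holds to be released by something outside the hunk. The allocation and any destructor are not visible here, so confirm that path frees the context and keytab.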
@@ -853,13 +894,13 @@
  #    include <et/com_err.h>
  #  else
 --- ./src/modules/rlm_krb5/rlm_krb5.c.orig	2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/rlm_krb5.c	2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/rlm_krb5.c	2014-02-05 08:27:14.000000000 -0500
 @@ -15,7 +15,7 @@
   */
  
  /**
 - * $Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $
-+ * $Id: caf186e694151905d607447151fa65e429fb95e3 $
++ * $Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $
   * @file rlm_krb5.c
   * @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC.
   *
@@ -868,27 +909,175 @@
   * @copyright 2000  Alan DeKok <aland@ox.org>
   */
 -RCSID("$Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $")
-+RCSID("$Id: caf186e694151905d607447151fa65e429fb95e3 $")
++RCSID("$Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $")
  
  #include <freeradius-devel/radiusd.h>
  #include <freeradius-devel/modules.h>
-@@ -84,7 +84,7 @@
+@@ -82,15 +82,33 @@
+ 	DEBUG("Using MIT Kerberos library");
+ #endif
  
- #ifndef KRB5_IS_THREAD_SAFE
+-#ifndef KRB5_IS_THREAD_SAFE
++
  	if (!krb5_is_thread_safe()) {
 -		DEBUGI("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled");
-+		WDEBUG("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled");
++/*
++ *	rlm_krb5 was built as threadsafe
++ */
++#ifdef KRB5_IS_THREAD_SAFE
++		ERROR("Build time libkrb5 was threadsafe, but run time library claims not to be");
++		ERROR("Modify runtime linker path (LD_LIBRARY_PATH on most systems), to prefer threadsafe libkrb5");
++		return -1;
++/*
++ *	rlm_krb5 was not built as threadsafe
++ */
++#else
++		WDEBUG("libkrb5 is not threadsafe, recompile it with thread support enabled ("
++#  ifdef HEIMDAL_KRB5
++		       "--enable-pthread-support"
++#  else
++		       "--disable-thread-support=no"
++#  endif
++		       ")");
  		WDEBUG("rlm_krb5 will run in single threaded mode, performance may be degraded");
  	} else {
  		WDEBUG("Build time libkrb5 was not threadsafe, but run time library claims to be");
-@@ -331,8 +331,9 @@
- 			break;
+ 		WDEBUG("Reconfigure and recompile rlm_krb5 to enable thread support");
+-	}
+ #endif
++	}
++
+ 	inst->xlat_name = cf_section_name2(conf);
+ 	if (!inst->xlat_name) {
+ 		inst->xlat_name = cf_section_name1(conf);
+@@ -277,6 +295,40 @@
+ 	return RLM_MODULE_OK;
+ }
+ 
++/** Log error message and return appropriate rcode
++ *
++ * Translate kerberos error codes into return codes.
++ * @param request Current request.
++ * @param ret code from kerberos.
++ * @param conn used in the last operation.
++ */
++static rlm_rcode_t krb5_process_error(REQUEST *request, rlm_krb5_handle_t *conn, int ret)
++{
++	rad_assert(ret != 0);
++	rad_assert(conn);	/* Silences warnings */
++
++	switch (ret) {
++	case KRB5_LIBOS_BADPWDMATCH:
++	case KRB5KRB_AP_ERR_BAD_INTEGRITY:
++		REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++		return RLM_MODULE_REJECT;
++
++	case KRB5KDC_ERR_KEY_EXP:
++	case KRB5KDC_ERR_CLIENT_REVOKED:
++	case KRB5KDC_ERR_SERVICE_REVOKED:
++		REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++		return RLM_MODULE_USERLOCK;
++
++	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
++		RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++		return RLM_MODULE_NOTFOUND;
++
++	default:
++		REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++		return RLM_MODULE_FAIL;
++	}
++}
++
+ #ifdef HEIMDAL_KRB5
  
- 		case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+ /*
+@@ -316,34 +368,10 @@
+ 	 */
+ 	ret = krb5_verify_user_opt(conn->context, client, request->password->vp_strvalue, &conn->options);
+ 	if (ret) {
+-		switch (ret) {
+-		case KRB5_LIBOS_BADPWDMATCH:
+-		case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+-			REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_REJECT;
+-			break;
+-
+-		case KRB5KDC_ERR_KEY_EXP:
+-		case KRB5KDC_ERR_CLIENT_REVOKED:
+-		case KRB5KDC_ERR_SERVICE_REVOKED:
+-			REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_USERLOCK;
+-			break;
+-
+-		case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
 -			RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(conn->context, ret));
-+			RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
- 			rcode = RLM_MODULE_NOTFOUND;
-+			break;
+-			rcode = RLM_MODULE_NOTFOUND;
+-
+-		default:
+-			REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_FAIL;
+-			break;
+-		}
+-
+-		goto cleanup;
++		rcode =  krb5_process_error(request, conn, ret);
+ 	}
+ 
+-	cleanup:
++cleanup:
+ 	if (client) {
+ 		krb5_free_principal(conn->context, client);
+ 	}
+@@ -401,45 +429,20 @@
+ 	 * 	Retrieve the TGT from the TGS/KDC and check we can decrypt it.
+ 	 */
+ 	memcpy(&password, &request->password->vp_strvalue, sizeof(password));
++	RDEBUG("Retrieving and decrypting TGT");
+ 	ret = krb5_get_init_creds_password(conn->context, &init_creds, client, password,
+ 					   NULL, NULL, 0, NULL, inst->gic_options);
+ 	if (ret) {
+-		error:
+-		switch (ret) {
+-		case KRB5_LIBOS_BADPWDMATCH:
+-		case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+-			REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_REJECT;
+-			break;
+-
+-		case KRB5KDC_ERR_KEY_EXP:
+-		case KRB5KDC_ERR_CLIENT_REVOKED:
+-		case KRB5KDC_ERR_SERVICE_REVOKED:
+-			REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_USERLOCK;
+-			break;
+-
+-		case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+-			REDEBUG("User not found (%i): %s", ret,  rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_NOTFOUND;
+-			break;
+-
+-		default:
+-			REDEBUG("Error retrieving or verifying credentials (%i): %s", ret,
+-				rlm_krb5_error(conn->context, ret));
+-			rcode = RLM_MODULE_FAIL;
+-			break;
+-		}
+-
+-		goto cleanup;
++		rcode = krb5_process_error(request, conn, ret);
+ 	}
  
- 		default:
- 			REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+-	RDEBUG("Successfully retrieved and decrypted TGT");
+-
++	RDEBUG("Attempting to authenticate against service principal");
+ 	ret = krb5_verify_init_creds(conn->context, &init_creds, inst->server, conn->keytab, NULL, inst->vic_options);
+-	if (ret) goto error;
++	if (ret) {
++		rcode = krb5_process_error(request, conn, ret);
++	}
+ 
+-	cleanup:
++cleanup:
+ 	if (client) {
+ 		krb5_free_principal(conn->context, client);
+ 	}
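Review bot: In the MIT code path the new `if (ret) { rcode = krb5_process_error(request, conn, ret); }` after `krb5_get_init_creds_password()` no longer jumps to `cleanup`, because the removed `goto cleanup;` was not carried over. A failed password check now falls through to `krb5_verify_init_creds()` with an `init_creds` that the failed call did not fill in. Add `goto cleanup;` after the `rcode = krb5_process_error(request, conn, ret);` assignment in that first branch. The Heimdal path drops the same `goto`, but its `cleanup:` label follows directly, so only the MIT path changes behaviour. The enclosing function starts and ends outside the hunk, so how `init_creds` is initialised and released is not visible here.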

Modified: head/net/freeradius3/pkg-plist
==============================================================================
--- head/net/freeradius3/pkg-plist	Wed Feb  5 16:34:47 2014	(r342767)
+++ head/net/freeradius3/pkg-plist	Wed Feb  5 16:37:52 2014	(r342768)
@@ -428,6 +428,7 @@ include/freeradius/udpfromto.h
 %%DATADIR%%/dictionary.camiant
 %%DATADIR%%/dictionary.chillispot
 %%DATADIR%%/dictionary.cisco
+%%DATADIR%%/dictionary.cisco.asa
 %%DATADIR%%/dictionary.cisco.bbsm
 %%DATADIR%%/dictionary.cisco.vpn3000
 %%DATADIR%%/dictionary.cisco.vpn5000


