Date: Wed, 5 Feb 2014 16:37:53 +0000 (UTC) From: Ryan Steinmetz <zi@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r342768 - in head/net/freeradius3: . files Message-ID: <201402051637.s15GbrYk030404@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zi Date: Wed Feb 5 16:37:52 2014 New Revision: 342768 URL: http://svnweb.freebsd.org/changeset/ports/342768 QAT: https://qat.redports.org/buildarchive/r342768/ Log: - More rlm_krb5 fixes - Add Cisco ASA dictionary file - Bump PORTREVISION Added: head/net/freeradius3/files/dictionary.cisco.asa (contents, props changed) Modified: head/net/freeradius3/Makefile head/net/freeradius3/files/patch-rlm_krb5 head/net/freeradius3/pkg-plist Modified: head/net/freeradius3/Makefile ============================================================================== --- head/net/freeradius3/Makefile Wed Feb 5 16:34:47 2014 (r342767) +++ head/net/freeradius3/Makefile Wed Feb 5 16:37:52 2014 (r342768) @@ -3,7 +3,7 @@ PORTNAME= freeradius DISTVERSION= 3.0.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \ ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \ @@ -86,7 +86,7 @@ ${UNIQUENAME}_SET+= KERBEROS .if ${PORT_OPTIONS:MHEIMDAL_PORT} LIB_DEPENDS+= krb5:${PORTSDIR}/security/heimdal .endif -CONFIGURE_ARGS+=--enable-heimdal-krb5 +CONFIGURE_ARGS+=--enable-heimdal-krb5 --enable-pthread-support .else LIB_DEPENDS+= krb5:${PORTSDIR}/security/krb5 .endif @@ -201,23 +201,6 @@ PLIST_SUB+= RLMRUBY="@comment " EXPM= yes .endif -# No SMB option yet; rlm_smb is still unbuildable -.if ${PORT_OPTIONS:MSMB} -LIB_DEPENDS= smbclient:${PORTSDIR}/net/samba-libsmbclient -CONFIGURE_ARGS+=--with-rlm_smb -CONFIGURE_ARGS+=--with-rlm-smb-lib-dir=${LOCALBASE}/lib -CONFIGURE_ARGS+=--with-rlm-smb-include-dir=${LOCALBASE}/include -PLIST_SUB+= SMB="" -.else -CONFIGURE_ARGS+=--without-rlm_smb -PLIST_SUB+= SMB="@comment " -.endif - -# SMB module is still experimental -.if ${PORT_OPTIONS:MSMB} && empty(PORT_OPTIONS:MEXPERIMENTAL) -EXPM= yes -.endif - .if ${PORT_OPTIONS:MREDIS} LIB_DEPENDS+= hiredis:${PORTSDIR}/databases/hiredis CONFIGURE_ARGS+=--with-rlm_redis --with-rlm_rediswho @@ -412,6 +395,7 @@ pre-install: PRE-INSTALL post-install: + @${INSTALL_DATA} ${FILESDIR}/dictionary.cisco.asa ${DATADIR} # If ${PREFIX}/etc/raddb isn't a directory (or a symlink), make a copy # of ${EXAMPLESDIR}/raddb as ${PREFIX}/etc/raddb, then bootstrap the # certificates Added: head/net/freeradius3/files/dictionary.cisco.asa ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/freeradius3/files/dictionary.cisco.asa Wed Feb 5 16:37:52 2014 (r342768) @@ -0,0 +1,369 @@ +# -*- text -*- +# Copyright (C) 2013 The FreeRADIUS Server project and contributors +# +# Cisco Adaptative Security Appliance (ASA) Dictionary +# +# http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187 +# +# $Id$ +# + +VENDOR Cisco-ASA 3076 + +BEGIN-VENDOR Cisco-ASA + +ATTRIBUTE ASA-Simultaneous-Logins 2 integer +ATTRIBUTE ASA-Primary-DNS 5 string +ATTRIBUTE ASA-Secondary-DNS 6 string +ATTRIBUTE ASA-Primary-WINS 7 string +ATTRIBUTE ASA-Secondary-WINS 8 string +ATTRIBUTE ASA-SEP-Card-Assignment 9 integer +ATTRIBUTE ASA-Tunneling-Protocols 11 integer +ATTRIBUTE ASA-IPsec-Sec-Association 12 string +ATTRIBUTE ASA-IPsec-Authentication 13 integer +ATTRIBUTE ASA-Banner1 15 string +ATTRIBUTE ASA-IPsec-Allow-Passwd-Store 16 integer +ATTRIBUTE ASA-Use-Client-Address 17 integer +ATTRIBUTE ASA-PPTP-Encryption 20 integer +ATTRIBUTE ASA-L2TP-Encryption 21 integer +ATTRIBUTE ASA-Group-Policy 25 string +ATTRIBUTE ASA-IPsec-Split-Tunnel-List 27 string +ATTRIBUTE ASA-IPsec-Default-Domain 28 string +ATTRIBUTE ASA-IPsec-Split-DNS-Names 29 string +ATTRIBUTE ASA-IPsec-Tunnel-Type 30 integer +ATTRIBUTE ASA-IPsec-Mode-Config 31 integer +ATTRIBUTE ASA-IPsec-Over-UDP 34 integer +ATTRIBUTE ASA-IPsec-Over-UDP-Port 35 integer +ATTRIBUTE ASA-Banner2 36 string +ATTRIBUTE ASA-PPTP-MPPC-Compression 37 integer +ATTRIBUTE ASA-L2TP-MPPC-Compression 38 integer +ATTRIBUTE ASA-IPsec-IP-Compression 39 integer +ATTRIBUTE ASA-IPsec-IKE-Peer-ID-Check 40 integer +ATTRIBUTE ASA-IKE-Keep-Alives 41 integer +ATTRIBUTE ASA-IPsec-Auth-On-Rekey 42 integer +ATTRIBUTE ASA-Required-Client-Firewall-Vendor-Code 45 integer +ATTRIBUTE ASA-Required-Client-Firewall-Product-Code 46 integer +ATTRIBUTE ASA-Required-Client-Firewall-Description 47 string +ATTRIBUTE ASA-Require-HW-Client-Auth 48 integer +ATTRIBUTE ASA-Required-Individual-User-Auth 49 integer +ATTRIBUTE ASA-Authenticated-User-Idle-Timeout 50 integer +ATTRIBUTE ASA-Cisco-IP-Phone-Bypass 51 integer +ATTRIBUTE ASA-IPsec-Split-Tunneling-Policy 55 integer +ATTRIBUTE ASA-IPsec-Required-Client-Firewall-Capability 56 integer +ATTRIBUTE ASA-IPsec-Client-Firewall-Filter-Name 57 string +ATTRIBUTE ASA-IPsec-Client-Firewall-Filter-Optional 58 integer +ATTRIBUTE ASA-IPsec-Backup-Servers 59 integer +ATTRIBUTE ASA-IPsec-Backup-Server-List 60 string +ATTRIBUTE ASA-DHCP-Network-Scope 61 string +ATTRIBUTE ASA-Intercept-DHCP-Configure-Msg 62 integer +ATTRIBUTE ASA-MS-Client-Subnet-Mask 63 integer +ATTRIBUTE ASA-Allow-Network-Extension-Mode 64 integer +ATTRIBUTE ASA-Authorization-Type 65 integer +ATTRIBUTE ASA-Authorization-Required 66 integer +ATTRIBUTE ASA-Authorization-DN-Field 67 string +ATTRIBUTE ASA-Authorization-DN-Field 67 string +ATTRIBUTE ASA-IKE-KeepAlive-Confidence-Interval 68 integer +ATTRIBUTE ASA-WebVPN-Content-Filter-Parameters 69 integer +ATTRIBUTE ASA-WebVPN-HTML-Filter 69 integer +ATTRIBUTE ASA-WebVPN-URL-List 71 string +ATTRIBUTE ASA-WebVPN-Port-Forwarding-List 72 string +ATTRIBUTE ASA-WebVPN-Access-List 73 string +ATTRIBUTE ASA-WebVPNACL 73 string +ATTRIBUTE ASA-WebVPN-HTTP-Proxy-IP-Address 74 string +ATTRIBUTE ASA-Cisco-LEAP-Bypass 75 integer +ATTRIBUTE ASA-WebVPN-Default-Homepage 76 string +ATTRIBUTE ASA-Client-Type-Version-Limiting 77 string +ATTRIBUTE ASA-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List 78 string +ATTRIBUTE ASA-WebVPN-Port-Forwarding-Name 79 string +ATTRIBUTE ASA-IE-Proxy-Server 80 string +ATTRIBUTE ASA-IE-Proxy-Server-Policy 81 integer +ATTRIBUTE ASA-IE-Proxy-Exception-List 82 string +ATTRIBUTE ASA-IE-Proxy-Bypass-Local 83 integer +ATTRIBUTE ASA-IKE-Keepalive-Retry-Interval 84 integer +ATTRIBUTE ASA-Tunnel-Group-Lock 85 string +ATTRIBUTE ASA-Access-List-Inbound 86 string +ATTRIBUTE ASA-Access-List-Outbound 87 string +ATTRIBUTE ASA-Perfect-Forward-Secrecy-Enable 88 integer +ATTRIBUTE ASA-NAC-Enable 89 integer +ATTRIBUTE ASA-NAC-Status-Query-Timer 90 integer +ATTRIBUTE ASA-NAC-Revalidation-Timer 91 integer +ATTRIBUTE ASA-NAC-Default-ACL 92 string +ATTRIBUTE ASA-WebVPN-URL-Entry-Enable 93 integer +ATTRIBUTE ASA-WebVPN-File-Access-Enable 94 integer +ATTRIBUTE ASA-WebVPN-File-Server-Entry-Enable 95 integer +ATTRIBUTE ASA-WebVPN-File-Server-Browsing-Enable 96 integer +ATTRIBUTE ASA-WebVPN-Port-Forwarding-Enable 97 integer +ATTRIBUTE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable 98 integer +ATTRIBUTE ASA-WebVPN-Port-Forwarding-HTTP-Proxy 99 integer +ATTRIBUTE ASA-WebVPN-Citrix-Metaframe-Enable 101 integer +ATTRIBUTE ASA-WebVPN-Apply-ACL 102 integer +ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Enable 103 integer +ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Required 104 integer +ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Keep-Installation 105 integer +ATTRIBUTE ASA-SVC-Keepalive 107 integer +ATTRIBUTE ASA-WebVPN-SVC-Keepalive-Frequency 107 integer +ATTRIBUTE ASA-SVC-DPD-Interval-Client 108 integer +ATTRIBUTE ASA-WebVPN-SVC-Client-DPD-Frequency 108 integer +ATTRIBUTE ASA-SVC-DPD-Interval-Gateway 109 integer +ATTRIBUTE ASA-WebVPN-SVC-Gateway-DPD-Frequency 109 integer +ATTRIBUTE ASA-SVC-Rekey-Time 110 integer +ATTRIBUTE ASA-WebVPN-SVC-Rekey-Time 110 integer +ATTRIBUTE ASA-WebVPN-SVC-Rekey-Method 111 integer +ATTRIBUTE ASA-WebVPN-SVC-Compression 112 integer +ATTRIBUTE ASA-WebVPN-Customization 113 string +ATTRIBUTE ASA-WebVPN-SSO-Server-Name 114 string +ATTRIBUTE ASA-WebVPN-Deny-Message 116 string +ATTRIBUTE ASA-WebVPN-HTTP-Compression 120 integer +ATTRIBUTE ASA-WebVPN-Keepalive-Ignore 121 integer +ATTRIBUTE ASA-Extended-Authentication-On-Rekey 122 integer +ATTRIBUTE ASA-SVC-DTLS 123 integer +ATTRIBUTE ASA-WebVPN-SVC-DTLS-Enable 123 integer +ATTRIBUTE ASA-WebVPN-Auto-HTTP-Signon 124 string +ATTRIBUTE ASA-SVC-MTU 125 integer +ATTRIBUTE ASA-WebVPN-SVC-DTLS-MTU 125 integer +ATTRIBUTE ASA-WebVPN-Hidden-Shares 126 integer +ATTRIBUTE ASA-SVC-Modules 127 string +ATTRIBUTE ASA-SVC-Profiles 128 string +ATTRIBUTE ASA-SVC-Ask 131 integer +ATTRIBUTE ASA-SVC-Ask-Timeout 132 integer +ATTRIBUTE ASA-IE-Proxy-PAC-URL 133 string +ATTRIBUTE ASA-Strip-Realm 135 integer +ATTRIBUTE ASA-Smart-Tunnel 136 string +ATTRIBUTE ASA-WebVPN-Smart-Tunnel 136 string +ATTRIBUTE ASA-WebVPN-ActiveX-Relay 137 integer +ATTRIBUTE ASA-Smart-Tunnel-Auto 138 integer +ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Auto-Start 138 integer +ATTRIBUTE ASA-Smart-Tunnel-Auto-Signon-Enable 139 string +ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Auto-Sign-On 139 string +ATTRIBUTE ASA-VLAN 140 integer +ATTRIBUTE ASA-NAC-Settings 141 string +ATTRIBUTE ASA-Member-Of 145 string +ATTRIBUTE ASA-TunnelGroupName 146 string +ATTRIBUTE ASA-WebVPN-Idle-Timeout-Alert-Interval 148 integer +ATTRIBUTE ASA-WebVPN-Session-Timeout-Alert-Interval 149 integer +ATTRIBUTE ASA-ClientType 150 integer +ATTRIBUTE ASA-SessionType 151 integer +ATTRIBUTE ASA-SessionSubtype 152 integer +ATTRIBUTE ASA-WebVPN-Download_Max-Size 157 integer +ATTRIBUTE ASA-WebVPN-Upload-Max-Size 158 integer +ATTRIBUTE ASA-WebVPN-Post-Max-Size 159 integer +ATTRIBUTE ASA-WebVPN-User-Storage 160 string +ATTRIBUTE ASA-WebVPN-Storage-Objects 161 string +ATTRIBUTE ASA-WebVPN-Storage-Key 162 string +ATTRIBUTE ASA-WebVPN-VDI 163 string +ATTRIBUTE ASA-Address-Pools 217 string +ATTRIBUTE ASA-IPv6-Address-Pools 218 string +ATTRIBUTE ASA-IPv6-VPN-Filter 219 string +ATTRIBUTE ASA-Privilege-Level 220 integer +ATTRIBUTE ASA-WebVPN-UNIX-User-ID 221 integer +ATTRIBUTE ASA-WebVPN-UNIX-Group-ID 222 integer +ATTRIBUTE ASA-WebVPN-Macro-Substitution-Value1 223 string +ATTRIBUTE ASA-WebVPN-Macro-Substitution-Value2 224 string +ATTRIBUTE ASA-WebVPNSmart-Card-Removal-Disconnect 225 integer +ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Tunnel-Policy 227 string +ATTRIBUTE ASA-WebVPN-Home-Page-Use-Smart-Tunnel 228 integer + +VALUE ASA-Authorization-Required No 0 +VALUE ASA-Authorization-Required Yes 1 + +VALUE ASA-Authorization-Type None 0 +VALUE ASA-Authorization-Type Radius 1 +VALUE ASA-Authorization-Type LDAP 2 + +VALUE ASA-Cisco-IP-Phone-Bypass Disabled 0 +VALUE ASA-Cisco-IP-Phone-Bypass Enabled 1 + +VALUE ASA-Cisco-LEAP-Bypass Disabled 0 +VALUE ASA-Cisco-LEAP-Bypass Enabled 1 + +VALUE ASA-ClientType Cisco-VPN-Client-IKEv1 1 +VALUE ASA-ClientType AnyConnect-Client-SSL-VPN 2 +VALUE ASA-ClientType Clientless-SSL-VPN 3 +VALUE ASA-ClientType Cut-Through-Proxy 4 +VALUE ASA-ClientType L2TP/IPsec-SSL-VPN 5 +VALUE ASA-ClientType AnyConnect-Client-IPSec-VPN-IKEv2 6 + +VALUE ASA-Extended-Authentication-On-Rekey Disabled 0 +VALUE ASA-Extended-Authentication-On-Rekey Enabled 1 + +VALUE ASA-IE-Proxy-Bypass-Local None 0 +VALUE ASA-IE-Proxy-Bypass-Local Local 1 + +VALUE ASA-IE-Proxy-Server-Policy No-Modify 1 +VALUE ASA-IE-Proxy-Server-Policy No-Proxy 2 +VALUE ASA-IE-Proxy-Server-Policy Auto-detect 3 +VALUE ASA-IE-Proxy-Server-Policy Use-Concentrator-Setting 4 + +VALUE ASA-IKE-Keep-Alives Disabled 0 +VALUE ASA-IKE-Keep-Alives Enabled 1 + +VALUE ASA-Allow-Network-Extension-Mode Disabled 0 +VALUE ASA-Allow-Network-Extension-Mode Enabled 1 + +VALUE ASA-Intercept-DHCP-Configure-Msg Disabled 0 +VALUE ASA-Intercept-DHCP-Configure-Msg Enabled 1 + +VALUE ASA-IPsec-Allow-Passwd-Store Disabled 0 +VALUE ASA-IPsec-Allow-Passwd-Store Enabled 1 + +VALUE ASA-IPsec-Authentication None 0 +VALUE ASA-IPsec-Authentication RADIUS 1 +VALUE ASA-IPsec-Authentication LDAP-Authorization-only 2 +VALUE ASA-IPsec-Authentication NT-Domain 3 +VALUE ASA-IPsec-Authentication SDI 4 +VALUE ASA-IPsec-Authentication Internal 5 +VALUE ASA-IPsec-Authentication RADIUS-with-Expiry 6 +VALUE ASA-IPsec-Authentication Kerberos/Active-Directory 7 + +VALUE ASA-IPsec-Auth-On-Rekey Disabled 0 +VALUE ASA-IPsec-Auth-On-Rekey Enabled 1 + +VALUE ASA-IPsec-Backup-Servers Use-Client-Configured-List 1 +VALUE ASA-IPsec-Backup-Servers Disable-and-clear-client-list 2 +VALUE ASA-IPsec-Backup-Servers Use-Backup-Server-List 3 + +VALUE ASA-IPsec-Client-Firewall-Filter-Optional Required 0 +VALUE ASA-IPsec-Client-Firewall-Filter-Optional Optional 1 + +VALUE ASA-IPsec-IKE-Peer-ID-Check Required 1 +VALUE ASA-IPsec-IKE-Peer-ID-Check If-Supported-By-Peer-Certificate 2 +VALUE ASA-IPsec-IKE-Peer-ID-Check Do-Not-Check 3 + +VALUE ASA-IPsec-IP-Compression Disabled 0 +VALUE ASA-IPsec-IP-Compression Enabled 1 + +VALUE ASA-IPsec-Mode-Config Disabled 0 +VALUE ASA-IPsec-Mode-Config Enabled 1 + +VALUE ASA-IPsec-Over-UDP Disabled 0 +VALUE ASA-IPsec-Over-UDP Enabled 1 + +VALUE ASA-IPsec-Required-Client-Firewall-Capability None 0 +VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-Remotely-Defined 1 +VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-Pushed 2 +VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-from-Server 4 + +VALUE ASA-IPsec-Split-Tunneling-Policy No-Split-Tunneling 0 +VALUE ASA-IPsec-Split-Tunneling-Policy Split-Tunneling 1 +VALUE ASA-IPsec-Split-Tunneling-Policy Local-LAN-Permitted 2 + +VALUE ASA-IPsec-Tunnel-Type LAN-to-LAN 1 +VALUE ASA-IPsec-Tunnel-Type Remote-Access 2 + +VALUE ASA-L2TP-MPPC-Compression Disabled 0 +VALUE ASA-L2TP-MPPC-Compression Enabled 1 + +VALUE ASA-NAC-Enable No 0 +VALUE ASA-NAC-Enable Yes 1 + +VALUE ASA-Perfect-Forward-Secrecy-Enable No 0 +VALUE ASA-Perfect-Forward-Secrecy-Enable Yes 1 + +VALUE ASA-PPTP-MPPC-Compression Disabled 0 +VALUE ASA-PPTP-MPPC-Compression Enabled 1 + +VALUE ASA-Required-Client-Firewall-Vendor-Code Cisco-CIC 1 +VALUE ASA-Required-Client-Firewall-Vendor-Code Zone-Labs 2 +VALUE ASA-Required-Client-Firewall-Vendor-Code NetworkICE 3 +VALUE ASA-Required-Client-Firewall-Vendor-Code Sygate 4 +VALUE ASA-Required-Client-Firewall-Vendor-Code Cisco-IPSA 5 + +VALUE ASA-Required-Individual-User-Auth Disabled 0 +VALUE ASA-Required-Individual-User-Auth Enabled 1 + +VALUE ASA-Require-HW-Client-Auth Disabled 0 +VALUE ASA-Require-HW-Client-Auth Enabled 1 + +VALUE ASA-SessionSubtype None 0 +VALUE ASA-SessionSubtype Clientless 1 +VALUE ASA-SessionSubtype Client 2 +VALUE ASA-SessionSubtype Client-Only 3 + +VALUE ASA-SessionType None 0 +VALUE ASA-SessionType AnyConnect-Client-SSL-VPN 1 +VALUE ASA-SessionType AnyConnect-Client-IPSec-VPN/IKEv2 2 +VALUE ASA-SessionType Clientless-SSL-VPN 3 +VALUE ASA-SessionType Clientless-Email-Proxy 4 +VALUE ASA-SessionType Cisco-VPN-Client/IKEv1 5 +VALUE ASA-SessionType IKEv1-LAN-to-LAN 6 +VALUE ASA-SessionType IKEv2-LAN-to-LAN 7 +VALUE ASA-SessionType VPN-Load-Balancing 8 + +VALUE ASA-Smart-Tunnel-Auto Disabled 0 +VALUE ASA-Smart-Tunnel-Auto Enabled 1 +VALUE ASA-Smart-Tunnel-Auto AutoStart 2 + +VALUE ASA-Strip-Realm Disabled 0 +VALUE ASA-Strip-Realm Enabled 1 + +VALUE ASA-SVC-Ask Disabled 0 +VALUE ASA-SVC-Ask Enabled 1 +VALUE ASA-SVC-Ask Enable-Default-Service 3 +VALUE ASA-SVC-Ask Enable-Default-Clientless 5 + +VALUE ASA-SVC-DTLS FALSE 0 +VALUE ASA-SVC-DTLS TRUE 1 + +VALUE ASA-Use-Client-Address Disabled 0 +VALUE ASA-Use-Client-Address Enabled 1 + +VALUE ASA-WebVPN-Apply-ACL Disabled 0 +VALUE ASA-WebVPN-Apply-ACL Enabled 1 + +VALUE ASA-WebVPN-Citrix-Metaframe-Enable Disabled 0 +VALUE ASA-WebVPN-Citrix-Metaframe-Enable Enabled 1 + +VALUE ASA-WebVPN-File-Access-Enable Disabled 0 +VALUE ASA-WebVPN-File-Access-Enable Enabled 1 + +VALUE ASA-WebVPN-File-Server-Browsing-Enable Disabled 0 +VALUE ASA-WebVPN-File-Server-Browsing-Enable Enabled 1 + +VALUE ASA-WebVPN-File-Server-Entry-Enable Disabled 0 +VALUE ASA-WebVPN-File-Server-Entry-Enable Enabled 1 + +VALUE ASA-WebVPN-Hidden-Shares None 0 +VALUE ASA-WebVPN-Hidden-Shares Visible 1 + +VALUE ASA-WebVPN-HTTP-Compression Off 0 +VALUE ASA-WebVPN-HTTP-Compression Deflate-Compression 1 + +VALUE ASA-WebVPN-Port-Forwarding-Enable Disabled 0 +VALUE ASA-WebVPN-Port-Forwarding-Enable Enabled 1 + +VALUE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Disabled 0 +VALUE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Enabled 1 + +VALUE ASA-WebVPN-Port-Forwarding-HTTP-Proxy Disabled 0 +VALUE ASA-WebVPN-Port-Forwarding-HTTP-Proxy Enabled 1 + +VALUE ASA-WebVPNSmart-Card-Removal-Disconnect Disabled 0 +VALUE ASA-WebVPNSmart-Card-Removal-Disconnect Enabled 1 + +VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start Disabled 0 +VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start Enabled 1 +VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start AutoStart 2 + +VALUE ASA-WebVPN-SSL-VPN-Client-Enable Disabled 0 +VALUE ASA-WebVPN-SSL-VPN-Client-Enable Enabled 1 + +VALUE ASA-WebVPN-SSL-VPN-Client-Keep-Installation Disabled 0 +VALUE ASA-WebVPN-SSL-VPN-Client-Keep-Installation Enabled 1 + +VALUE ASA-WebVPN-SSL-VPN-Client-Required Disabled 0 +VALUE ASA-WebVPN-SSL-VPN-Client-Required Enabled 1 + +VALUE ASA-WebVPN-SVC-DTLS-Enable Disabled 0 +VALUE ASA-WebVPN-SVC-DTLS-Enable Enabled 1 + +VALUE ASA-WebVPN-SVC-Rekey-Method Off 0 +VALUE ASA-WebVPN-SVC-Rekey-Method SSL 1 +VALUE ASA-WebVPN-SVC-Rekey-Method New-Tunnel 2 + +VALUE ASA-WebVPN-SVC-Compression Off 0 +VALUE ASA-WebVPN-SVC-Compression Deflate-Compression 1 + +VALUE ASA-WebVPN-URL-Entry-Enable Disabled 0 +VALUE ASA-WebVPN-URL-Entry-Enable Enabled 1 + +END-VENDOR Cisco-ASA Modified: head/net/freeradius3/files/patch-rlm_krb5 ============================================================================== --- head/net/freeradius3/files/patch-rlm_krb5 Wed Feb 5 16:34:47 2014 (r342767) +++ head/net/freeradius3/files/patch-rlm_krb5 Wed Feb 5 16:37:52 2014 (r342768) @@ -1,5 +1,5 @@ --- ./src/modules/rlm_krb5/configure.orig 2014-01-13 20:13:56.000000000 -0500 -+++ ./src/modules/rlm_krb5/configure 2014-02-03 14:45:22.000000000 -0500 ++++ ./src/modules/rlm_krb5/configure 2014-02-05 08:27:14.000000000 -0500 @@ -1468,6 +1468,73 @@ } # ac_fn_c_try_link @@ -728,7 +728,7 @@ --- ./src/modules/rlm_krb5/configure.ac.orig 2014-01-13 20:13:56.000000000 -0500 -+++ ./src/modules/rlm_krb5/configure.ac 2014-02-03 14:45:22.000000000 -0500 ++++ ./src/modules/rlm_krb5/configure.ac 2014-02-05 08:27:14.000000000 -0500 @@ -31,9 +31,9 @@ dnl # if test "$krb5_config" != 'not-found'; then @@ -777,13 +777,13 @@ AC_SUBST(mod_ldflags) AC_SUBST(mod_cflags) --- ./src/modules/rlm_krb5/krb5.c.orig 2014-01-13 20:13:56.000000000 -0500 -+++ ./src/modules/rlm_krb5/krb5.c 2014-02-03 14:47:32.000000000 -0500 ++++ ./src/modules/rlm_krb5/krb5.c 2014-02-05 08:27:22.000000000 -0500 @@ -15,19 +15,19 @@ */ /** - * $Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $ -+ * $Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $ ++ * $Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $ * @file krb5.h * @brief Context management functions for rlm_krb5 * @@ -791,7 +791,7 @@ * @copyright 2013 Arran Cudbard-Bell <a.cudbardb@freeradius.org> */ -RCSID("$Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $") -+RCSID("$Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $") ++RCSID("$Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $") #include <freeradius-devel/radiusd.h> #include "krb5.h" @@ -806,26 +806,67 @@ ret = fr_thread_local_set(krb5_error_buffer, buffer); if (ret != 0) { - ERROR("Failed setting up TLS for krb5 error buffer: %s", fr_syserror(ret)); -+ ERROR("Failed setting up TLS for krb5 error buffer."); ++ ERROR("Failed setting up TLS for krb5 error buffer: %s", strerror(ret)); free(buffer); return NULL; } -@@ -69,7 +69,13 @@ +@@ -69,7 +69,18 @@ msg = krb5_get_error_message(context, code); if (msg) { strlcpy(buffer, msg, KRB5_STRERROR_BUFSIZE); +#ifdef HAVE_KRB5_FREE_ERROR_MESSAGE krb5_free_error_message(context, msg); +#elif defined(HAVE_KRB5_FREE_ERROR_STRING) -+ krb5_free_error_string(context, msg); ++ { ++ char *free; ++ ++ memcpy(&free, &msg, sizeof(free)); ++ krb5_free_error_string(context, free); ++ } +#else +# error "No way to free error strings, missing krb5_free_error_message() and krb5_free_error_string()" +#endif } else { strlcpy(buffer, "Unknown error", KRB5_STRERROR_BUFSIZE); } +@@ -102,6 +113,13 @@ + if (conn->keytab) { + krb5_kt_close(conn->context, conn->keytab); + } ++ ++#ifdef HEIMDAL_KRB5 ++ if (conn->ccache) { ++ krb5_cc_destroy(conn->context, conn->ccache); ++ } ++#endif ++ + return 0; + } + +@@ -140,14 +158,13 @@ + } + + #ifdef HEIMDAL_KRB5 +- /* +- * Setup krb5_verify_user options +- * +- * Not entirely sure this is necessary, but as we use context +- * to get the cache handle, we probably do have to do this with +- * the cloned context. +- */ +- krb5_cc_default(conn->context, &conn->ccache); ++ ret = krb5_cc_new_unique(conn->context, "MEMORY", NULL, &conn->ccache); ++ if (ret) { ++ ERROR("rlm_krb5 (%s): Credential cache creation failed: %s", inst->xlat_name, ++ rlm_krb5_error(conn->context, ret)); ++ ++ return NULL; ++ } + + krb5_verify_opt_init(&conn->options); + krb5_verify_opt_set_ccache(&conn->options, conn->ccache); --- ./src/modules/rlm_krb5/krb5.h.orig 2014-01-13 20:13:56.000000000 -0500 -+++ ./src/modules/rlm_krb5/krb5.h 2014-02-03 14:45:22.000000000 -0500 ++++ ./src/modules/rlm_krb5/krb5.h 2014-02-05 08:27:14.000000000 -0500 @@ -15,14 +15,14 @@ */ @@ -853,13 +894,13 @@ # include <et/com_err.h> # else --- ./src/modules/rlm_krb5/rlm_krb5.c.orig 2014-01-13 20:13:56.000000000 -0500 -+++ ./src/modules/rlm_krb5/rlm_krb5.c 2014-02-03 14:45:22.000000000 -0500 ++++ ./src/modules/rlm_krb5/rlm_krb5.c 2014-02-05 08:27:14.000000000 -0500 @@ -15,7 +15,7 @@ */ /** - * $Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $ -+ * $Id: caf186e694151905d607447151fa65e429fb95e3 $ ++ * $Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $ * @file rlm_krb5.c * @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC. * @@ -868,27 +909,175 @@ * @copyright 2000 Alan DeKok <aland@ox.org> */ -RCSID("$Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $") -+RCSID("$Id: caf186e694151905d607447151fa65e429fb95e3 $") ++RCSID("$Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $") #include <freeradius-devel/radiusd.h> #include <freeradius-devel/modules.h> -@@ -84,7 +84,7 @@ +@@ -82,15 +82,33 @@ + DEBUG("Using MIT Kerberos library"); + #endif - #ifndef KRB5_IS_THREAD_SAFE +-#ifndef KRB5_IS_THREAD_SAFE ++ if (!krb5_is_thread_safe()) { - DEBUGI("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled"); -+ WDEBUG("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled"); ++/* ++ * rlm_krb5 was built as threadsafe ++ */ ++#ifdef KRB5_IS_THREAD_SAFE ++ ERROR("Build time libkrb5 was threadsafe, but run time library claims not to be"); ++ ERROR("Modify runtime linker path (LD_LIBRARY_PATH on most systems), to prefer threadsafe libkrb5"); ++ return -1; ++/* ++ * rlm_krb5 was not built as threadsafe ++ */ ++#else ++ WDEBUG("libkrb5 is not threadsafe, recompile it with thread support enabled (" ++# ifdef HEIMDAL_KRB5 ++ "--enable-pthread-support" ++# else ++ "--disable-thread-support=no" ++# endif ++ ")"); WDEBUG("rlm_krb5 will run in single threaded mode, performance may be degraded"); } else { WDEBUG("Build time libkrb5 was not threadsafe, but run time library claims to be"); -@@ -331,8 +331,9 @@ - break; + WDEBUG("Reconfigure and recompile rlm_krb5 to enable thread support"); +- } + #endif ++ } ++ + inst->xlat_name = cf_section_name2(conf); + if (!inst->xlat_name) { + inst->xlat_name = cf_section_name1(conf); +@@ -277,6 +295,40 @@ + return RLM_MODULE_OK; + } + ++/** Log error message and return appropriate rcode ++ * ++ * Translate kerberos error codes into return codes. ++ * @param request Current request. ++ * @param ret code from kerberos. ++ * @param conn used in the last operation. ++ */ ++static rlm_rcode_t krb5_process_error(REQUEST *request, rlm_krb5_handle_t *conn, int ret) ++{ ++ rad_assert(ret != 0); ++ rad_assert(conn); /* Silences warnings */ ++ ++ switch (ret) { ++ case KRB5_LIBOS_BADPWDMATCH: ++ case KRB5KRB_AP_ERR_BAD_INTEGRITY: ++ REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret)); ++ return RLM_MODULE_REJECT; ++ ++ case KRB5KDC_ERR_KEY_EXP: ++ case KRB5KDC_ERR_CLIENT_REVOKED: ++ case KRB5KDC_ERR_SERVICE_REVOKED: ++ REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret)); ++ return RLM_MODULE_USERLOCK; ++ ++ case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: ++ RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret)); ++ return RLM_MODULE_NOTFOUND; ++ ++ default: ++ REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret)); ++ return RLM_MODULE_FAIL; ++ } ++} ++ + #ifdef HEIMDAL_KRB5 - case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: + /* +@@ -316,34 +368,10 @@ + */ + ret = krb5_verify_user_opt(conn->context, client, request->password->vp_strvalue, &conn->options); + if (ret) { +- switch (ret) { +- case KRB5_LIBOS_BADPWDMATCH: +- case KRB5KRB_AP_ERR_BAD_INTEGRITY: +- REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_REJECT; +- break; +- +- case KRB5KDC_ERR_KEY_EXP: +- case KRB5KDC_ERR_CLIENT_REVOKED: +- case KRB5KDC_ERR_SERVICE_REVOKED: +- REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_USERLOCK; +- break; +- +- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: - RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(conn->context, ret)); -+ RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret)); - rcode = RLM_MODULE_NOTFOUND; -+ break; +- rcode = RLM_MODULE_NOTFOUND; +- +- default: +- REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_FAIL; +- break; +- } +- +- goto cleanup; ++ rcode = krb5_process_error(request, conn, ret); + } + +- cleanup: ++cleanup: + if (client) { + krb5_free_principal(conn->context, client); + } +@@ -401,45 +429,20 @@ + * Retrieve the TGT from the TGS/KDC and check we can decrypt it. + */ + memcpy(&password, &request->password->vp_strvalue, sizeof(password)); ++ RDEBUG("Retrieving and decrypting TGT"); + ret = krb5_get_init_creds_password(conn->context, &init_creds, client, password, + NULL, NULL, 0, NULL, inst->gic_options); + if (ret) { +- error: +- switch (ret) { +- case KRB5_LIBOS_BADPWDMATCH: +- case KRB5KRB_AP_ERR_BAD_INTEGRITY: +- REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_REJECT; +- break; +- +- case KRB5KDC_ERR_KEY_EXP: +- case KRB5KDC_ERR_CLIENT_REVOKED: +- case KRB5KDC_ERR_SERVICE_REVOKED: +- REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_USERLOCK; +- break; +- +- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: +- REDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_NOTFOUND; +- break; +- +- default: +- REDEBUG("Error retrieving or verifying credentials (%i): %s", ret, +- rlm_krb5_error(conn->context, ret)); +- rcode = RLM_MODULE_FAIL; +- break; +- } +- +- goto cleanup; ++ rcode = krb5_process_error(request, conn, ret); + } - default: - REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret)); +- RDEBUG("Successfully retrieved and decrypted TGT"); +- ++ RDEBUG("Attempting to authenticate against service principal"); + ret = krb5_verify_init_creds(conn->context, &init_creds, inst->server, conn->keytab, NULL, inst->vic_options); +- if (ret) goto error; ++ if (ret) { ++ rcode = krb5_process_error(request, conn, ret); ++ } + +- cleanup: ++cleanup: + if (client) { + krb5_free_principal(conn->context, client); + } Modified: head/net/freeradius3/pkg-plist ============================================================================== --- head/net/freeradius3/pkg-plist Wed Feb 5 16:34:47 2014 (r342767) +++ head/net/freeradius3/pkg-plist Wed Feb 5 16:37:52 2014 (r342768) @@ -428,6 +428,7 @@ include/freeradius/udpfromto.h %%DATADIR%%/dictionary.camiant %%DATADIR%%/dictionary.chillispot %%DATADIR%%/dictionary.cisco +%%DATADIR%%/dictionary.cisco.asa %%DATADIR%%/dictionary.cisco.bbsm %%DATADIR%%/dictionary.cisco.vpn3000 %%DATADIR%%/dictionary.cisco.vpn5000
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201402051637.s15GbrYk030404>