tests: added check for the application of radius configuration

tests/Makefile.am

@@ -17,7 +17,7 @@ dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-sc
 	ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \
 	test-cookie-timeout test-cookie-timeout-2 radius-test test-explicit-ip \
 	radius-test test-gssapi kerberos-test pam-test test-ban test-sighup \
-	test-cookie-invalidation
+	test-cookie-invalidation radius-test-config
 
 
 AM_CPPFLAGS = \

tests/docker-ocserv/Dockerfile-fedora-radius

@@ -36,6 +36,7 @@ ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/
 ADD myscript /usr/bin/
 ADD freeradius-users /etc/raddb/users
+ADD radius-dictionary /etc/radiusclient/dictionary
 # It's not possible to use mknod inside a container with the default LXC
 # template, so we untar it from this archive.
 ADD dev-tun.tgz /dev/

tests/docker-ocserv/Dockerfile-fedora-radius-config

@@ -0,0 +1,39 @@
+FROM fedora:21
+
+RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
+RUN yum install -y bash openssh-server nuttcp
+RUN yum install -y libnl3 libtalloc
+RUN yum install -y lz4
+RUN yum install -y freeradius-client
+RUN yum install -y freeradius
+RUN systemctl enable sshd
+RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
+
+RUN echo 'root:root' |chpasswd
+RUN useradd -m -d /home/admin -s /bin/bash admin
+RUN echo 'admin:admin' |chpasswd
+EXPOSE 443
+EXPOSE 443/udp
+EXPOSE 22
+
+RUN mkdir /etc/ocserv
+
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ca.pem /etc/ocserv/
+ADD ocserv-radius-config.conf /etc/ocserv/ocserv.conf
+ADD radiusclient.conf /etc/radiusclient/
+ADD radius-clients.conf /etc/raddb/clients.conf
+ADD radiusclient-servers /etc/radiusclient/servers
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+ADD myscript /usr/bin/
+ADD freeradius-users /etc/raddb/users
+ADD radius-dictionary /etc/radiusclient/dictionary
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+CMD nuttcp -S;radiusd;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600

tests/docker-ocserv/Makefile.am

@@ -2,7 +2,8 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p
 	Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \
 	Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \
 	freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \
-	radiusclient-servers pam-ocserv ocserv-pam.conf ca.pem
+	radiusclient-servers pam-ocserv ocserv-pam.conf ca.pem ocserv-radius-config.conf \
+	Dockerfile-fedora-radius-config radius-dictionary
 
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 	top_builddir="$(top_builddir)"

tests/docker-ocserv/freeradius-users

@@ -84,3 +84,12 @@ test8	Cleartext-Password := "test8"
 	Framed-Routing = Broadcast-Listen,
 	Framed-MTU = 1500,
 
+testtime	Cleartext-Password := "test"
+	Service-Type = Framed-User,
+	Framed-Protocol = PPP,
+	Framed-IP-Address = 192.168.1.192,
+	Framed-IP-Netmask = 255.255.255.0,
+	Framed-MTU = 1500,
+	Session-Timeout = 120,
+	Acct-Interim-Interval = 60,
+

tests/docker-ocserv/ocserv-radius-config.conf

@@ -0,0 +1,309 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+#auth = "plain[/etc/ocserv/passwd]"
+#auth = "pam"
+auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
+enable-auth = "certificate"
+
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+#occtl-socket-file = /var/run/occtl.socket
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+#auth = "plain[/etc/ocserv/ocpasswd]"
+
+acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+stats-report-time = 3600
+session-timeout = 4000
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 443
+udp-port = 443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 240
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/cert.pem
+server-key = /etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+ca-cert = /etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = false
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.66.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+ipv6-network = fd91:6d87:7341:dd6b::
+ipv6-prefix = 64
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.66.0/255.255.255.0
+route = 192.168.155.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+route = fd91:6d87:7341:dd6b::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+#cisco-client-compat = false
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"

tests/docker-ocserv/ocserv-radius.conf

@@ -4,7 +4,7 @@
 #auth = "certificate"
 #auth = "plain[/etc/ocserv/passwd]"
 #auth = "pam"
-auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas=ocserv1]"
+auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=ocserv1]"
 enable-auth = "certificate"
 
 # Whether to enable support for the occtl tool (i.e., either through D-BUS,

tests/docker-ocserv/radius-dictionary

@@ -0,0 +1,284 @@
+#
+# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl
+#
+#	This file contains dictionary translations for parsing
+#	requests and generating responses.  All transactions are
+#	composed of Attribute/Value Pairs.  The value of each attribute
+#	is specified as one of 4 data types.  Valid data types are:
+#
+#	string - 0-253 octets
+#	ipaddr - 4 octets in network byte order
+#	integer - 32 bit value in big endian order (high byte first)
+#	date - 32 bit value in big endian order - seconds since
+#					00:00:00 GMT,  Jan.  1,  1970
+#
+#	Enumerated values are stored in the user file with dictionary
+#	VALUE translations for easy administration.
+#
+#	Example:
+#
+#	ATTRIBUTE	  VALUE
+#	---------------   -----
+#	Framed-Protocol = PPP
+#	7		= 1	(integer encoding)
+#
+
+#
+#	Following are the proper new names. Use these.
+#
+ATTRIBUTE	User-Name		1	string
+ATTRIBUTE	Password		2	string
+ATTRIBUTE	CHAP-Password		3	string
+ATTRIBUTE	NAS-IP-Address		4	ipaddr
+ATTRIBUTE	NAS-Port-Id		5	integer
+ATTRIBUTE	Service-Type		6	integer
+ATTRIBUTE	Framed-Protocol		7	integer
+ATTRIBUTE	Framed-IP-Address	8	ipaddr
+ATTRIBUTE	Framed-IP-Netmask	9	ipaddr
+ATTRIBUTE	Framed-Routing		10	integer
+ATTRIBUTE	Filter-Id		11	string
+ATTRIBUTE	Framed-MTU		12	integer
+ATTRIBUTE	Framed-Compression	13	integer
+ATTRIBUTE	Login-IP-Host		14	ipaddr
+ATTRIBUTE	Login-Service		15	integer
+ATTRIBUTE	Login-TCP-Port		16	integer
+ATTRIBUTE	Reply-Message		18	string
+ATTRIBUTE	Callback-Number		19	string
+ATTRIBUTE	Callback-Id		20	string
+ATTRIBUTE	Framed-Route		22	string
+ATTRIBUTE	Framed-IPX-Network	23	ipaddr
+ATTRIBUTE	State			24	string
+ATTRIBUTE	Class			25	string
+ATTRIBUTE	Vendor-Specific		26	string
+ATTRIBUTE	Session-Timeout		27	integer
+ATTRIBUTE	Idle-Timeout		28	integer
+ATTRIBUTE	Termination-Action	29	integer
+ATTRIBUTE	Called-Station-Id	30	string
+ATTRIBUTE	Calling-Station-Id	31	string
+ATTRIBUTE	NAS-Identifier		32	string
+ATTRIBUTE	Proxy-State		33	string
+ATTRIBUTE	Login-LAT-Service	34	string
+ATTRIBUTE	Login-LAT-Node		35	string
+ATTRIBUTE	Login-LAT-Group		36	string
+ATTRIBUTE	Framed-AppleTalk-Link	37	integer
+ATTRIBUTE	Framed-AppleTalk-Network	38	integer
+ATTRIBUTE	Framed-AppleTalk-Zone	39	string
+ATTRIBUTE	Acct-Status-Type	40	integer
+ATTRIBUTE	Acct-Delay-Time		41	integer
+ATTRIBUTE	Acct-Input-Octets	42	integer
+ATTRIBUTE	Acct-Output-Octets	43	integer
+ATTRIBUTE	Acct-Session-Id		44	string
+ATTRIBUTE	Acct-Authentic		45	integer
+ATTRIBUTE	Acct-Session-Time	46	integer
+ATTRIBUTE	Acct-Input-Packets	47	integer
+ATTRIBUTE	Acct-Output-Packets	48	integer
+ATTRIBUTE	Acct-Terminate-Cause	49	integer
+ATTRIBUTE	Acct-Multi-Session-Id	50	string
+ATTRIBUTE	Acct-Link-Count		51	integer
+ATTRIBUTE	Acct-Input-Gigawords	52	integer
+ATTRIBUTE	Acct-Output-Gigawords	53	integer
+ATTRIBUTE	Event-Timestamp		55	integer
+ATTRIBUTE	CHAP-Challenge		60	string
+ATTRIBUTE	NAS-Port-Type		61	integer
+ATTRIBUTE	Port-Limit		62	integer
+ATTRIBUTE	Login-LAT-Port		63	integer
+ATTRIBUTE	Connect-Info		77	string
+ATTRIBUTE	Acct-Interim-Interval	85	integer
+
+#
+#	RFC3162 IPv6 attributes
+#
+ATTRIBUTE	NAS-IPv6-Address	95	string
+ATTRIBUTE	Framed-Interface-Id	96	string
+ATTRIBUTE	Framed-IPv6-Prefix	97	ipv6prefix
+ATTRIBUTE	Login-IPv6-Host		98	string
+ATTRIBUTE	Framed-IPv6-Route	99	string
+ATTRIBUTE	Framed-IPv6-Pool	100	string
+ATTRIBUTE	Delegated-IPv6-Prefix	123	ipv6prefix
+
+#
+#	RFC6911 IPv6 attributes
+#
+ATTRIBUTE	Framed-IPv6-Address	168	ipv6addr
+ATTRIBUTE	DNS-Server-IPv6-Address	169	ipv6addr
+ATTRIBUTE	Route-IPv6-Information	170	ipv6prefix
+
+#
+#	Experimental Non Protocol Attributes used by Cistron-Radiusd
+#
+ATTRIBUTE	Huntgroup-Name		221	string
+ATTRIBUTE	User-Category		1029	string
+ATTRIBUTE	Group-Name		1030	string
+ATTRIBUTE	Simultaneous-Use	1034	integer
+ATTRIBUTE	Strip-User-Name		1035	integer
+ATTRIBUTE	Fall-Through		1036	integer
+ATTRIBUTE	Add-Port-To-IP-Address	1037	integer
+ATTRIBUTE	Exec-Program		1038	string
+ATTRIBUTE	Exec-Program-Wait	1039	string
+ATTRIBUTE	Hint			1040	string
+
+#
+#	Non-Protocol Attributes
+#	These attributes are used internally by the server
+#
+ATTRIBUTE	Expiration		  21	date
+ATTRIBUTE	Auth-Type		1000	integer
+ATTRIBUTE	Menu			1001	string
+ATTRIBUTE	Termination-Menu	1002	string
+ATTRIBUTE	Prefix			1003	string
+ATTRIBUTE	Suffix			1004	string
+ATTRIBUTE	Group			1005	string
+ATTRIBUTE	Crypt-Password		1006	string
+ATTRIBUTE	Connect-Rate		1007	integer
+
+#
+#	Integer Translations
+#
+
+#	User Types
+
+VALUE		Service-Type		Login-User		1
+VALUE		Service-Type		Framed-User		2
+VALUE		Service-Type		Callback-Login-User	3
+VALUE		Service-Type		Callback-Framed-User	4
+VALUE		Service-Type		Outbound-User		5
+VALUE		Service-Type		Administrative-User	6
+VALUE		Service-Type		NAS-Prompt-User		7
+VALUE		Service-Type		Authenticate-Only	8
+VALUE		Service-Type		Callback-NAS-Prompt	9
+VALUE		Service-Type		Call-Check		10
+VALUE		Service-Type		Callback-Administrative	11
+
+#	Framed Protocols
+
+VALUE		Framed-Protocol		PPP			1
+VALUE		Framed-Protocol		SLIP			2
+VALUE		Framed-Protocol		ARAP			3
+VALUE		Framed-Protocol		GANDALF-SLMLP		4
+VALUE		Framed-Protocol		XYLOGICS-IPX-SLIP	5
+VALUE		Framed-Protocol		X75			6
+
+#	Framed Routing Values
+
+VALUE		Framed-Routing		None			0
+VALUE		Framed-Routing		Broadcast		1
+VALUE		Framed-Routing		Listen			2
+VALUE		Framed-Routing		Broadcast-Listen	3
+
+#	Framed Compression Types
+
+VALUE		Framed-Compression	None			0
+VALUE		Framed-Compression	Van-Jacobson-TCP-IP	1
+VALUE		Framed-Compression	IPX-Header		2
+VALUE		Framed-Compression	Stac-LZS		3
+
+#	Login Services
+
+VALUE		Login-Service		Telnet			0
+VALUE		Login-Service		Rlogin			1
+VALUE		Login-Service		TCP-Clear		2
+VALUE		Login-Service		PortMaster		3
+VALUE		Login-Service		LAT			4
+VALUE		Login-Service		X.25-PAD		5
+VALUE		Login-Service		X.25-T3POS		6
+VALUE		Login-Service		TCP-Clear-Quiet		8
+
+#	Status Types
+
+VALUE		Acct-Status-Type	Start			1
+VALUE		Acct-Status-Type	Stop			2
+VALUE		Acct-Status-Type	Alive			3
+VALUE		Acct-Status-Type	Accounting-On		7
+VALUE		Acct-Status-Type	Accounting-Off		8
+
+#	Authentication Types
+
+VALUE		Acct-Authentic		RADIUS			1
+VALUE		Acct-Authentic		Local			2
+VALUE		Acct-Authentic		Remote			3
+
+#	Termination Options
+
+VALUE		Termination-Action	Default			0
+VALUE		Termination-Action	RADIUS-Request		1
+
+#	NAS Port Types, available in 3.3.1 and later
+
+VALUE		NAS-Port-Type		Async			0
+VALUE		NAS-Port-Type		Sync			1
+VALUE		NAS-Port-Type		ISDN			2
+VALUE		NAS-Port-Type		ISDN-V120		3
+VALUE		NAS-Port-Type		ISDN-V110		4
+VALUE		NAS-Port-Type		Virtual			5
+VALUE		NAS-Port-Type		PIAFS			6
+VALUE		NAS-Port-Type		HDLC-Clear-Channel	7
+VALUE		NAS-Port-Type		X.25			8
+VALUE		NAS-Port-Type		X.75			9
+VALUE		NAS-Port-Type		G.3-Fax			10
+VALUE		NAS-Port-Type		SDSL			11
+VALUE		NAS-Port-Type		ADSL-CAP		12
+VALUE		NAS-Port-Type		ADSL-DMT		13
+VALUE		NAS-Port-Type		IDSL			14
+VALUE		NAS-Port-Type		Ethernet		15
+
+#	Acct Terminate Causes, available in 3.3.2 and later
+
+VALUE           Acct-Terminate-Cause    User-Request            1
+VALUE           Acct-Terminate-Cause    Lost-Carrier            2
+VALUE           Acct-Terminate-Cause    Lost-Service            3
+VALUE           Acct-Terminate-Cause    Idle-Timeout            4
+VALUE           Acct-Terminate-Cause    Session-Timeout         5
+VALUE           Acct-Terminate-Cause    Admin-Reset             6
+VALUE           Acct-Terminate-Cause    Admin-Reboot            7
+VALUE           Acct-Terminate-Cause    Port-Error              8
+VALUE           Acct-Terminate-Cause    NAS-Error               9
+VALUE           Acct-Terminate-Cause    NAS-Request             10
+VALUE           Acct-Terminate-Cause    NAS-Reboot              11
+VALUE           Acct-Terminate-Cause    Port-Unneeded           12
+VALUE           Acct-Terminate-Cause    Port-Preempted          13
+VALUE           Acct-Terminate-Cause    Port-Suspended          14
+VALUE           Acct-Terminate-Cause    Service-Unavailable     15
+VALUE           Acct-Terminate-Cause    Callback                16
+VALUE           Acct-Terminate-Cause    User-Error              17
+VALUE           Acct-Terminate-Cause    Host-Request            18
+
+#
+#	Non-Protocol Integer Translations
+#
+
+VALUE		Auth-Type		Local			0
+VALUE		Auth-Type		System			1
+VALUE		Auth-Type		SecurID			2
+VALUE		Auth-Type		Crypt-Local		3
+VALUE		Auth-Type		Reject			4
+
+#
+#	Cistron extensions
+#
+VALUE		Auth-Type		Pam			253
+VALUE		Auth-Type		Accept			254
+
+#
+#	Experimental Non-Protocol Integer Translations for Cistron-Radiusd
+#
+VALUE		Fall-Through		No			0
+VALUE		Fall-Through		Yes			1
+VALUE		Add-Port-To-IP-Address	No			0
+VALUE		Add-Port-To-IP-Address	Yes			1
+
+#
+#	Configuration Values
+#	uncomment these two lines to turn account expiration on
+#
+
+#VALUE		Server-Config		Password-Expiration	30
+#VALUE		Server-Config		Password-Warning	5
+
+VENDOR Microsoft 311
+
+BEGIN-VENDOR Microsoft
+
+ATTRIBUTE	MS-Primary-DNS-Server 	28 	ipaddr
+ATTRIBUTE 	MS-Secondary-DNS-Server 29 	ipaddr
+
+END-VENDOR Microsoft

tests/radius-test-config

@@ -0,0 +1,151 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Red Hat
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ocserv; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir=${srcdir:-.}
+
+PORT_OCSERV=443
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+CONFIG="radius-config"
+IMAGE=ocserv-radius-test-config
+IMAGE_NAME=test_ocserv_radius_config
+TMP=$IMAGE_NAME.tmp
+. ./docker-common.sh
+
+$DOCKER run -P --privileged=true -p 22 -p $PORT_OCSERV:$PORT_OCSERV/udp --tty=false -d --name $IMAGE_NAME $IMAGE
+if test $? != 0;then
+	echo "Cannot run docker image"
+	exit 1
+fi
+
+echo "ocserv image was run"
+#wait for ocserv to server
+sleep 5
+
+IP=`$DOCKER inspect $IMAGE_NAME | grep IPAddress | cut -d '"' -f 4`
+if test -z "$IP";then
+	echo "Detected IP is null!"
+	stop
+fi
+echo "Detected IP: $IP"
+
+if test ! -z "$QUIT_ON_INIT";then
+	exit 0
+fi
+
+echo "Trying with correct password"
+printf "test\n" >pass-radius$TMP
+$OPENCONNECT $IP:$PORT_OCSERV -u testtime --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-radius$TMP &
+PID=$!
+
+rm -f pass-radius$TMP
+
+#wait for openconnect
+sleep 5
+
+# The client IP depends on the username so it shouldn't change.
+ping -w 5 192.168.66.1
+if test $? != 0;then
+	kill $PID
+	echo "Cannot ping ocserv"
+	stop
+fi
+
+#check whether the routes have been applied
+rm -f known-hosts$TMP
+echo -e '#!'"/bin/sh\n" >echo-admin$TMP
+echo -e "echo yes" >>echo-admin$TMP
+echo -e "\n" >>echo-admin$TMP
+chmod 755 echo-admin$TMP
+export SSH_ASKPASS="./echo-admin$TMP"
+setsid ssh -T -F config$TMP root@192.168.66.1 occtl show users
+
+echo -e '#!'"/bin/sh\n" >echo-admin$TMP
+echo -e "echo root" >>echo-admin$TMP
+echo -e "\n" >>echo-admin$TMP
+chmod 755 echo-admin$TMP
+export SSH_ASKPASS="./echo-admin$TMP"
+setsid ssh -T -F config$TMP root@192.168.66.1 occtl show user testtime >out$TMP 2>&1
+cat out$TMP
+
+grep '192.168.155.0/255.255.255.0' out$TMP
+if test $? != 0;then
+	cat out$TMP
+	kill $PID
+	echo "routes have not been applied"
+	stop
+fi
+
+rm -f out$TMP
+rm -f known-hosts$TMP
+rm -f echo-admin$TMP
+
+echo "Waiting for accounting report"
+
+sleep 60
+
+
+TMPDIR=radius-$TMP
+mkdir -p $TMPDIR
+#check whether /tmp/disconnect/ok was created
+
+FILE=`$DOCKER exec $IMAGE_NAME ls /var/log/radius/radacct/127.0.0.1/`
+#echo $DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/127.0.0.1/$FILE"
+#$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/127.0.0.1/$FILE"
+
+OCTETS=`$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/127.0.0.1/$FILE"|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g'`
+if test -z "$OCTETS" || test "$OCTETS" = 0;then
+	$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/127.0.0.1/$FILE"
+	echo "Interim update showed no data!"
+	stop
+fi
+
+#wait until sec-mod has cleaned up its entries
+echo "Waiting for disconnection report"
+sleep 60
+
+rm -f out$TMP
+$DOCKER exec $IMAGE_NAME cat "/var/log/radius/radacct/127.0.0.1/$FILE" >out$TMP
+
+DISC=`cat out$TMP|grep "Acct-Status-Type = Start"|tail -1`
+if test -z "$DISC";then
+	cat out$TMP
+	echo "No connect status was detected!"
+	stop
+fi
+
+DISC=`cat out$TMP|grep "Acct-Terminate-Cause = Session-Timeout"|tail -1`
+if test -z "$DISC";then
+	cat out$TMP
+	kill -INT $PID
+	echo "No disconnect was detected!"
+	stop
+fi
+
+$DOCKER stop $IMAGE_NAME
+$DOCKER rm $IMAGE_NAME
+
+rm -f out$TMP
+
+exit $ret