Merge branch 'master' into multi-server-tests

Author: marc-casavant

debian/freeradius-config.postinst

@@ -49,7 +49,7 @@ case "$1" in
         # install or an upgrade from before there were links; users may
         # want to remove them...
         if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.0.4+dfsg-4; then
-          for site in default inner-tunnel; do
+          for site in default inner-tunnel proxy; do
             if test ! -h /etc/freeradius/sites-enabled/$site && \
                test ! -e /etc/freeradius/sites-enabled/$site; then
               ln -s ../sites-available/$site /etc/freeradius/sites-enabled/$site

doc/antora/modules/developers/nav.adoc

@@ -15,6 +15,15 @@
 *** xref:sbuff.adoc[String buffers] (`sbuff` s)
 *** xref:sbuff-parsing.adoc[Parsing with string buffers]
 *** xref:sbuff-ng.adoc[Sbuff issues]
+** xref:rfc/index.adoc[Supported RFCs]
+*** xref:rfc/radius.adoc[RADIUS]
+**** xref:rfc/design.adoc[Creating new Attributes]
+**** xref:rfc/compliance.adoc[Compliance]
+**** xref:rfc/radius_attributes.adoc[RADIUS Attribute List]
+*** xref:rfc/dhcpv4.adoc[DHCPv4]
+*** xref:rfc/dhcpv6.adoc[DHCPv6]
+*** xref:rfc/dns.adoc[DNS]
+*** xref:rfc/tacacs.adoc[TACACS+]
 ** xref:guidelines.adoc[Documentation Guidelines]
 
 // Copyright (C) 2025 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.

doc/antora/modules/developers/pages/rfc/compliance.adoc

@@ -0,0 +1,58 @@
+= RFC Compliance
+
+RFC compliance is critical for ensuring that production systems are
+secure, interoperable, and scalable in modern environments.  Adhering
+to the IETF standards provides a common language for diverse
+networking hardware and software to communicate reliably.  The
+importance of RADIUS RFC compliance centers on four key areas:
+
+== Interoperability in Multi-Vendor Environments
+
+* De Facto Standard: RADIUS is the industry standard for centralizing
+  Authentication, Authorization, and Accounting (AAA). Compliance
+  ensures that a RADIUS server can communicate with network access
+  servers (NAS) like Wi-Fi access points, VPN gateways, and switches
+  from different manufacturers (e.g., Cisco, Aruba, Fortinet).
+
+* Consistent Behavior: RFCs provide documented, predictable behavior,
+  reducing unexpected issues when integrating new equipment into an
+  existing infrastructure.
+
+* Standardized Attributes: Standards like
+  https://datatracker.ietf.org/doc/html/rfc2865[RFC 2865] and
+  https://datatracker.ietf.org/doc/html/rfc2868[RFC 2868] define how
+  user attributes (e.g., VLAN assignments, tunnel protocols) are
+  formatted, ensuring they are correctly interpreted across the
+  network.
+
+== Security and Vulnerability Mitigation
+
+* Addressing Cryptographic Weaknesses: Legacy RADIUS (RFC 2865) relies
+  on MD5 hashing, which is now considered insecure. Recent critical
+  vulnerabilities like
+  https://www.inkbridgenetworks.com/blastradius[BlastRADIUS]
+  (identified in 2024) exploit these MD5 weaknesses to forge
+  authentication responses.
+
+* Protocol Evolution: Modern compliance often requires moving toward
+  newer standards like RadSec (RADIUS over TLS, RFC 6614), which
+  replaces unencrypted UDP transport with encrypted TLS. This protects
+  sensitive data, such as usernames and location information, from
+  eavesdropping and tampering.
+
+* Mandatory Integrity Checks: Updated standards mandate features like
+  the `Message-Authenticator` attribute to prevent packet forgery
+  attacks that were previously optional.
+
+== Scalability and Reliability
+
+* Centralised Management: Compliance allows organizations to manage
+  millions of users from a single point, making it suitable for large
+  ISPs and global enterprises.
+
+* Backward Compatibility: RFC-compliant systems are designed to evolve
+  while maintaining connections with older infrastructure, allowing
+  for gradual network upgrades without total system overhauls.
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/design.adoc

@@ -0,0 +1,40 @@
+= Designing and Using Attributes
+
+The standard RADIUS attributes are listed in the
+xref:rfc/radius_attributes.adoc[Attribute Definitions] page.
+
+When creating new RADIUS dictionaries or standards, you must follow
+the *RADIUS Design Guidelines* document
+(https://datatracker.ietf.org/doc/html/rfc6158[RFC 6158]), and the
+*Data Types in RADIUS* document
+(https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044]).
+
+Unfortunately, the RFCs are imperfect, and they have many issues and
+ambiguities. The *Common Remote Authentication Dial In User Service
+(RADIUS) Implementation Issues and Suggested Fixes* document
+(https://datatracker.ietf.org/doc/html/rfc5080[RFC 5080]), resolves
+some of these discrepencies.
+
+However, that document does not cover all the known issues with
+RADIUS. The RFCs are unclear in some areas, and does not always
+explicitly allowed or forbid behavior.  Developers should not assume
+something is allowed just because it is not prohibited.  Any new
+behavior that you invent is likely to conflict with After 20 years of
+RADIUS deployments.  We recommend that you follow the RFC
+specifications closely for the best results.  If you're unsure about
+the RFCs, follow existing best practices, or ask on the
+freeradius-users mailing list.
+
+Additional problems with the RADIUS standards and implementations are listed on the
+https://github.com/radext-wg/issues-and-fixes-2/wiki/[IETF RADEXT
+Wiki], and in the https://www.freeradius.org/rfc/issues.html[open
+issues] page.
+
+== More Information
+
+https://www.inkbridgenetworks.com/blog/blog-10/the-freeradius-auth-type-attribute-103[The FreeRADIUS Auth-Type attribute]
+
+https://www.inkbridgenetworks.com/blog/blog-10/radius-standards-compliance-from-rfc-to-wifi-alliance-135[RADIUS standards compliance: from RFC to WiFi Alliance]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/dhcpv4.adoc

@@ -0,0 +1,12 @@
+= DHCPv4 RFCs
+
+The following is a comprehensive set of tables that list all the
+related RFCs.  Depending on the section or feature that you are
+developing, will determine which documents you need to review.
+
+
+.Dynamic Host Control Protocol (DHCP)
+include::partial$dict_dhcpv4.adoc[]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/dhcpv6.adoc

@@ -0,0 +1,11 @@
+= DHCPv4 RFCs
+
+The following is a comprehensive set of tables that list all the
+related RFCs.  Depending on the section or feature that you are
+developing, will determine which documents you need to review.
+
+.Dynamic Host Control Protocol for IPv6 (DHCPv6)
+include::partial$dict_dhcpv6.adoc[]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/dns.adoc

@@ -0,0 +1,11 @@
+= DNS RFCs
+
+The following is a comprehensive set of tables that list all the
+related RFCs.  Depending on the section or feature that you are
+developing, will determine which documents you need to review.
+
+.Dynamic Name Service (DNS)
+include::partial$dict_dns.adoc[]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/index.adoc

@@ -0,0 +1,20 @@
+= Supported RFCs
+
+FreeRADIUS supports a large number of protocols, and therefore a large
+number of standards.  This pages documents the RFC compliance of the
+server, for each protocol.
+
+* xref:rfc/compliance.adoc[Comments on RFC Compliance]
+
+* xref:rfc/radius.adoc[RADIUS]
+** xref:rfc/radius_attributes.adoc[List of Attributes]
+** xref:rfc/design.adoc[Designing and creating new attributes]
+
+* xref:rfc/dns.adoc[DNS]
+
+* xref:rfc/dhcpv4.adoc[DHCPv4]
+
+* xref:rfc/dhcpv6.adoc[DHCPv4]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/radius.adoc

@@ -0,0 +1,92 @@
+= RADIUS RFCs
+
+The following is a comprehensive set of tables that list all the
+related RFCs.  Depending on the section or feature that you are
+developing, will determine which documents you need to review.
+
+.RADIUS
+include::partial$dict_dhcpv4.adoc[]
+
+NOTE: More authentication methods are supported, and this list has to be updated.
+
+.Authentication Methods
+[options=header, cols="20,~", autowidth]
+|====
+|RFC |Description
+
+|https://datatracker.ietf.org/doc/html/rfc1994[RFC 1994]
+|PPP Challenge Handshake Authentication Protocol (CHAP).
+
+|https://datatracker.ietf.org/doc/html/rfc2285[RFC 2284]
+|PPP Extensible Authentication Protocol (EAP)
+
+|https://datatracker.ietf.org/doc/html/rfc2759[RFC 2759]
+|Microsoft PPP CHAP Extensions, Version 2.
+
+|https://datatracker.ietf.org/doc/html/rfc3748[RFC 3748]
+|Extensible Authentication Protocol (EAP).
+
+|https://datatracker.ietf.org/doc/html/rfc5716[RFC 5716]
+|PPP EAP TLS Authentication Protocol.
+
+|https://datatracker.ietf.org/doc/html/rfc9190[RFC 9190]
+|EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3
+
+|====
+
+NOTE: More SNMP MIBS are supported, and this list has to be updated.
+
+.SNMP Related
+[options=header, cols="20,~",autowidth]
+|====
+
+|RFC |Description
+
+|https://datatracker.ietf.org/doc/html/rfc1227[RFC 1227]    | SNMP MUX Protocol and MIB.
+
+|https://datatracker.ietf.org/doc/html/rfc2169[RFC 2619]    | RADIUS Authentication Server MIB.
+
+|https://datatracker.ietf.org/doc/html/rfc2621[RFC 2621]    | RADIUS Accounting Server MIB.
+
+|====
+
+.Additional RADIUS related RFCs
+[options=header, cols="20,~",autowidth]
+|====
+| RFC |Description
+
+|https://datatracker.ietf.org/doc/html/rfc6677[RFC 6677] | Channel-Binding Support for Extensible Authentication Protocol (EAP) Methods
+
+|https://datatracker.ietf.org/doc/html/rfc7055[RFC 7055] | A GSS-API Mechanism or the Extensible Authentication Protocol
+
+|https://datatracker.ietf.org/doc/html/rfc7155[RFC 7155] | Diameter Network Access Server Application
+
+|https://datatracker.ietf.org/doc/html/rfc7499[RFC 7499] | Support of Fragmentation of RADIUS Packets
+
+|https://datatracker.ietf.org/doc/html/rfc7930[RFC 7930] | Larger Packets for RADIUS over TCP
+
+|https://datatracker.ietf.org/doc/rfc5080/[RFC 5080]     | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes (information)
+
+|https://datatracker.ietf.org/doc/rfc5997/[RFC 5997]     | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol (information)
+
+|https://datatracker.ietf.org/doc/html/rfc6929[RFC 6929] | Remote Authentication Dial In User Service (RADIUS) Protocol Extensions
+
+|https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044] | Data Types in RADIUS
+
+
+|====
+
+.Unpublished drafts
+[options=header, cols="20,~",autowidth]
+|====
+|Document|Description
+
+|http://tools.ietf.org/wg/eap/draft-funk-eap-ttls-v1-01.txt[draft-funk-eap-ttls]
+|EAP Tunneled TLS Authentication Protocol Version 1 (EAP-TTLSv1).
+
+|http://www.freeradius.org/rfc/draft-schulzrinne-sipping-radius-accounting-00.txt[draft-schulzrinne-sipping-radius-accounting]
+|RADIUS accounting for SIP servers.
+|====
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.

doc/antora/modules/developers/pages/rfc/radius_attributes.adoc

@@ -0,0 +1,78 @@
+= RADIUS Attribute Definitions
+
+This page contains a list of RADIUS attribute definitions, with links
+to the relevant standards.
+
+It is critical that all vendors and administrators follow the RFC
+definitions of attributes.  Standardization enables devices from
+different manufacturers to communicate using shared protocols and
+frameworks.  RFC-compliant systems have consistent behaviour, which
+prevents interoperability issues that can cause problems in production
+networks.
+
+In addition to interoperability issues, FreeRADIUS depends on the data
+types which are defined in
+https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044].  Many modules
+in the server use specific RFC attributes, and rely on using their
+defined data types.  Changing the definitions of those attributes in
+the dictionaries _will_ cause problems.  Since the server needs a
+specific definition for these attributes, it will detect edits to the
+dictionaries, and refuse to start if the dictionary definitions for
+standard attributes have been modified.
+
+RADIUS also has a finite range (1-255) available for standard
+attributes.  Defining a custom attribute with a number already used by
+an RFC can cause a collision.  Vendors who need custom attributes
+*must* use
+https://datatracker.ietf.org/doc/html/rfc6929#section-4[Vendor-Specific]
+attributes.
+
+For local site policy, administrators can define local attributes in
+the xref:reference:raddb/dictionary.adoc[local dictionary].  These
+attributes should use the
+xref:reference:dictionary/define.adoc[DEFINE] keyword, which avoids
+all issues with assigning attribute numbers. Policies in `unlang` can
+also use xref:reference:unlang/local.adoc[local variables].  All of
+these local attributes are never sent over the network.
+
+== Attribute RFCs and Definitions
+
+The following tables list the RADIUS attributes which are defined in
+the RFCs.  Each attribute includes a brief explanation and a direct
+link to its definition in the RFCs.
+
+== A
+include::partial$a_attributelist.adoc[]
+== C
+include::partial$c_attributelist.adoc[]
+== D
+include::partial$d_attributelist.adoc[]
+== E
+include::partial$e_attributelist.adoc[]
+== F
+include::partial$f_attributelist.adoc[]
+== I
+include::partial$i_attributelist.adoc[]
+== K
+include::partial$k_attributelist.adoc[]
+== L
+include::partial$l_attributelist.adoc[]
+== M
+include::partial$m_attributelist.adoc[]
+== N
+include::partial$n_attributelist.adoc[]
+== P
+include::partial$p_attributelist.adoc[]
+== R
+include::partial$r_attributelist.adoc[]
+== S
+include::partial$s_attributelist.adoc[]
+== T
+include::partial$t_attributelist.adoc[]
+== U
+include::partial$u_attributelist.adoc[]
+== V
+include::partial$v_attributelist.adoc[]
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.