Commit 4741af1d authored by Linus Nordberg's avatar Linus Nordberg

Change the default value for config option FTicksMac.

parent 8f984439
...@@ -17,55 +17,61 @@ fticks_configure(struct options *options, ...@@ -17,55 +17,61 @@ fticks_configure(struct options *options,
const char *reporting = (const char *) *reportingp; const char *reporting = (const char *) *reportingp;
const char *mac = (const char *) *macp; const char *mac = (const char *) *macp;
if (reporting == NULL) /* Set defaults. */
goto out; options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
if (strcasecmp(reporting, "None") == 0) options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
else if (strcasecmp(reporting, "Basic") == 0) if (reporting != NULL) {
options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; if (strcasecmp(reporting, "None") == 0)
else if (strcasecmp(reporting, "Full") == 0) options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; else if (strcasecmp(reporting, "Basic") == 0)
else { options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s", else if (strcasecmp(reporting, "Full") == 0)
reporting); options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
r = 1; else {
goto out; debugx(1, DBG_ERR,
"config error: invalid FTicksReporting value: %s",
reporting);
r = 1;
}
} }
if (mac == NULL) if (mac != NULL) {
goto out; if (strcasecmp(mac, "Static") == 0)
if (strcasecmp(mac, "Static") == 0) options->fticks_mac = RSP_FTICKS_MAC_STATIC;
options->fticks_mac = RSP_FTICKS_MAC_STATIC; else if (strcasecmp(mac, "Original") == 0)
else if (strcasecmp(mac, "Original") == 0) options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; else if (strcasecmp(mac, "VendorHashed") == 0)
else if (strcasecmp(mac, "VendorHashed") == 0) options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; else if (strcasecmp(mac, "VendorKeyHashed") == 0)
else if (strcasecmp(mac, "VendorKeyHashed") == 0) options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; else if (strcasecmp(mac, "FullyHashed") == 0)
else if (strcasecmp(mac, "FullyHashed") == 0) options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; else if (strcasecmp(mac, "FullyKeyHashed") == 0)
else if (strcasecmp(mac, "FullyKeyHashed") == 0) options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; else {
else { debugx(1, DBG_ERR,
debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac); "config error: invalid FTicksMAC value: %s", mac);
r = 1; r = 1;
goto out; }
} }
if (*keyp == NULL if (*keyp != NULL) {
&& (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED options->fticks_key = *keyp;
|| options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
&& options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
debugx(1, DBG_WARN, "config warning: FTicksKey not used");
}
else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
&& (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
|| options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
debugx(1, DBG_ERR, debugx(1, DBG_ERR,
"config error: FTicksMAC %s requires an FTicksKey", mac); "config error: FTicksMAC values VendorKeyHashed and "
options->fticks_mac = RSP_FTICKS_MAC_STATIC; "FullyKeyHashed require an FTicksKey");
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
r = 1; r = 1;
goto out;
} }
if (*keyp != NULL)
options->fticks_key = *keyp;
out:
if (*reportingp != NULL) { if (*reportingp != NULL) {
free(*reportingp); free(*reportingp);
*reportingp = NULL; *reportingp = NULL;
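Review bot: The new `if (*keyp != NULL)` branch accepts any non-NULL FTicksKey, so an empty key would satisfy the VendorKeyHashed/FullyKeyHashed requirement while giving the keyed hash no secret; with VendorKeyHashed now the default, this is the check that keeps logged MAC hashes from being guessable. Whether the config parser can hand over an empty string is not visible here, but a guard such as `if (*keyp != NULL && (*keyp)[0] == '\0')` that logs a config error and sets `r = 1` would close the gap. Separately, the early `goto out` exits appear to be gone on the new side, so an invalid FTicksMAC value leaves `fticks_mac` at the keyed default and can produce a second, misleading "require an FTicksKey" error; starting that branch with `else if (r == 0 && options->fticks_reporting != RSP_FTICKS_REPORTING_NONE` avoids it. The body of fticks_configure starts before this hunk and continues past it.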
......
...@@ -39,12 +39,13 @@ ...@@ -39,12 +39,13 @@
# fticksVISCOUNTRY option. # fticksVISCOUNTRY option.
# You can optionally specify FTicksMAC in order to determine if and # You can optionally specify FTicksMAC in order to determine if and
# how Calling-Station-Id is logged. # how Calling-Station-Id (users Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for # Static -- Use a static string as a placeholder for
# Calling-Station-Id. This is the default. # Calling-Station-Id.
# Original -- Log Calling-Station-Id as-is. # Original -- Log Calling-Station-Id as-is.
# VendorHashed -- Keep first three segments as-is, hash the rest. # VendorHashed -- Keep first three segments as-is, hash the rest.
# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. # VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This
# is the default.
# FullyHashed -- Hash the entire string. # FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. # FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
......
...@@ -176,13 +176,17 @@ blocktype name { ...@@ -176,13 +176,17 @@ blocktype name {
The FTicksReporting option is used to enable F-Ticks The FTicksReporting option is used to enable F-Ticks
logging and can be set to <literal>None</literal>, logging and can be set to <literal>None</literal>,
<literal>Basic</literal> or <literal>Full</literal>. Its <literal>Basic</literal> or <literal>Full</literal>. Its
default value is <literal>None</literal>. default value is <literal>None</literal>. If
FTicksReporting is set to anything other than
<literal>None</literal>, note that the default value for
FTicksMAC is <literal>VendorKeyHashed</literal> which
needs FTicksKey to be set.
</para> </para>
<para> <para>
See <literal>radsecproxy.conf-example</literal> for See <literal>radsecproxy.conf-example</literal> for
details. Note that radsecproxy has to be configured with details. Note that radsecproxy has to be configured with
support for F-Ticks (<literal>--enable-fticks</literal>) F-Ticks support (<literal>--enable-fticks</literal>) for
for this option to have any effect. this option to have any effect.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -192,23 +196,31 @@ blocktype name { ...@@ -192,23 +196,31 @@ blocktype name {
<listitem> <listitem>
<para> <para>
The FTicksMAC option can be used to control if and how The FTicksMAC option can be used to control if and how
Calling-Station-Id is being logged. It can be set to one Calling-Station-Id (the users Ethernet MAC address) is
of <literal>Static</literal>, being logged. It can be set to one of
<literal>Original</literal>, <literal>Static</literal>, <literal>Original</literal>,
<literal>VendorHashed</literal>, <literal>VendorHashed</literal>,
<literal>VendorKeyHashed</literal>, <literal>VendorKeyHashed</literal>,
<literal>FullyHashed</literal> or <literal>FullyHashed</literal> or
<literal>FullyKeyHashed</literal>. <literal>FullyKeyHashed</literal>.
</para> </para>
<para> <para>
The default value for FTicksMAC is <literal>Static</literal>. The default value for FTicksMAC is
Before chosing any of <literal>Original</literal> <literal>VendorKeyHashed</literal>. This means that
FTicksKey has to be set.
<para>
Before chosing any of <literal>Original</literal>,
<literal>FullyHashed</literal> or
<literal>VendorHashed</literal>, consider the implications
for user privacy when MAC addresses are collected. How
will the logs be stored, transferred and accessed?
</para>
</para> </para>
<para> <para>
See <literal>radsecproxy.conf-example</literal> for See <literal>radsecproxy.conf-example</literal> for
details. Note that radsecproxy has to be configured with details. Note that radsecproxy has to be configured with
support for F-Ticks (<literal>--enable-fticks</literal>) F-Ticks support (<literal>--enable-fticks</literal>) for
for this option to have any effect. this option to have any effect.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -223,8 +235,8 @@ blocktype name { ...@@ -223,8 +235,8 @@ blocktype name {
option. option.
</para> </para>
<para> <para>
Note that radsecproxy has to be configured with support Note that radsecproxy has to be configured with F-Ticks
for F-Ticks (<literal>--enable-fticks</literal>) for this support (<literal>--enable-fticks</literal>) for this
option to have any effect. option to have any effect.
</para> </para>
</listitem> </listitem>
......
...@@ -45,10 +45,10 @@ enum rsp_fticks_reporting_type { ...@@ -45,10 +45,10 @@ enum rsp_fticks_reporting_type {
}; };
enum rsp_fticks_mac_type { enum rsp_fticks_mac_type {
RSP_FTICKS_MAC_STATIC = 0, /* Default. */ RSP_FTICKS_MAC_STATIC = 0,
RSP_FTICKS_MAC_ORIGINAL, RSP_FTICKS_MAC_ORIGINAL,
RSP_FTICKS_MAC_VENDOR_HASHED, RSP_FTICKS_MAC_VENDOR_HASHED,
RSP_FTICKS_MAC_VENDOR_KEY_HASHED, RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default. */
RSP_FTICKS_MAC_FULLY_HASHED, RSP_FTICKS_MAC_FULLY_HASHED,
RSP_FTICKS_MAC_FULLY_KEY_HASHED RSP_FTICKS_MAC_FULLY_KEY_HASHED
}; };
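Review bot: The `/* Default. */` comment now sits on `RSP_FTICKS_MAC_VENDOR_KEY_HASHED`, but `RSP_FTICKS_MAC_STATIC = 0` is still what a zero-initialised options struct holds, so the comment is true only once fticks_configure() has run. Wording it as `/* Default, assigned in fticks_configure(). */` would stop a reader from assuming that zeroed memory yields the keyed mode; whether any code path reads `fticks_mac` before configuration is not visible from this hunk.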
......