Merge pull request #186 from Nachtfalkeaw/master

freeradius2 updates pkg v1.4.6

5 files changed, 43 insertions, 50 deletions

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index baac37ae..59cb2ce5 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -86,6 +86,10 @@ function freeradius_install_command() {
 		log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}");
 		copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup");
 	}
+	
+	// Disable virtual-server we do not need by default
+	unlink("/usr/local/etc/raddb/sites-enabled/control-socket");
+	unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel");
 
 	$rcfile = array();
 	$rcfile['file'] = 'radiusd.sh';
@@ -902,41 +906,32 @@ function freeradius_serverdefault_resync() {
 	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
 	
 	// If unchecked we need the normal EAP section.
-	If (!$varsettings['varsettingsenablemacauth']) {
+	if (!$varsettings['varsettingsenablemacauth']) {
 		$varplainmacauthenable = '';
 		$varplainmacauthenable .= "eap {";
 		$varplainmacauthenable .= "\n\tok = return";
 		$varplainmacauthenable .= "\n\t}";
-		
+
 		$varplainmacpreacctenable = '';
 		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####';
 	}
 	// If checked we need to check if it is plain mac or eap
 	else {
 		$varplainmacauthenable = '';
-		$varplainmacauthenable .= "# if cleaning up the Calling-Station-Id...";
+		$varplainmacauthenable .= "\t### FIRST check MAC address in authorized_macs and if that fails proceed with other checks below in else-section ###";
+		$varplainmacauthenable .= "\n\t# if cleaning up the Calling-Station-Id...";
 		$varplainmacauthenable .= "\n\trewrite_calling_station_id";
-		$varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth";
-		$varplainmacauthenable .= "\n\tif (!EAP-Message) {";
-		$varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file";
-		$varplainmacauthenable .= "\n\t\tauthorized_macs";
-		$varplainmacauthenable .= "\n\t\tif (!ok) {";
-		$varplainmacauthenable .= "\n\t\t\treject";
-		$varplainmacauthenable .= "\n\t\t}";
-		$varplainmacauthenable .= "\n\t\telse {";
-		$varplainmacauthenable .= "\n\t\t\t# accept";
+		$varplainmacauthenable .= "\n\t# now check against the authorized_macs file";
+		$varplainmacauthenable .= "\n\tauthorized_macs";
+		$varplainmacauthenable .= "\n\tif (ok) {";
 		$varplainmacauthenable .= "\n\t\t\tupdate control {";
-		$varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept";
-		$varplainmacauthenable .= "\n\t\t\t}";
+		$varplainmacauthenable .= "\n\t\t\tAuth-Type := Accept";
 		$varplainmacauthenable .= "\n\t\t}";
 		$varplainmacauthenable .= "\n\t}";
-		$varplainmacauthenable .= "\n\telse {";
-		$varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g.";
-		$varplainmacauthenable .= "\n\t\teap";
-		$varplainmacauthenable .= "\n\t}";
-		
+		$varplainmacauthenable .= "\n\t### Here we have to place all other authorize modules which should be check when MAC fails ###";
+
 		$varplainmacpreacctenable = '';
-		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####';
+		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH ENABLED #####';
 		$varplainmacpreacctenable .= "\n\trewrite_calling_station_id";
 	}
 	
@@ -1032,27 +1027,6 @@ authorize {
 	preprocess
 	
 	#
-	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
-	#  authentication.
-	#
-	#  It also sets the EAP-Type attribute in the request
-	#  attribute list to the EAP type from the packet.
-	#
-	#  As of 2.0, the EAP module returns "ok" in the authorize stage
-	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
-	#  this change is compatible with older configurations.
-	#
-	#  The example below uses module failover to avoid querying all
-	#  of the following modules if the EAP module returns "ok".
-	#  Therefore, your LDAP and/or SQL servers will not be queried
-	#  for the many packets that go back and forth to set up TTLS
-	#  or PEAP.  The load on those servers will therefore be reduced.
-	#
-	
-	$varplainmacauthenable
-	
-		
-	#
 	#  If you want to have a log of authentication requests,
 	#  un-comment the following line, and the 'detail auth_log'
 	#  section, above.
@@ -1098,9 +1072,30 @@ authorize {
 	#  Otherwise, when the first style of realm doesn't match,
 	#  the other styles won't be checked.
 	#
+	
 	suffix
 	ntdomain
-
+	
+	#
+	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+	#  authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  As of 2.0, the EAP module returns "ok" in the authorize stage
+	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
+	#  this change is compatible with older configurations.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	
+	$varplainmacauthenable
+	
 	#
 	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
 	#  using the system API's to get the password.  If you want
@@ -1157,7 +1152,7 @@ authorize {
 	#  get a chance to set Auth-Type for themselves.
 	#
 	pap
-
+	
 	#
 	#  If "status_server = yes", then Status-Server messages are passed
 	#  through the following section, and ONLY the following section.
@@ -2951,7 +2946,7 @@ policy {
                 }
         }
         else {
-                noop
+            noop
 		}
 	}
 }
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index e1c6c9f2..2b31996a 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -346,10 +346,9 @@
 		freeradius_install_command();
 		freeradius_clients_resync();
 		freeradius_users_resync();
+		freeradius_authorizedmacs_resync();
 		freeradius_eapconf_resync();
 		freeradius_sqlconf_resync();
-		exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket");
-		exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel");
 	</custom_php_install_command>
 	<custom_php_deinstall_command>
 		freeradius_deinstall_command();
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 611db03f..ea7366fc 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -104,8 +104,7 @@
 		<field>
 			<fielddescr>Enable Plain MAC Auth</fielddescr>
 			<fieldname>varsettingsenablemacauth</fieldname>
-			<description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br>
-								Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description>
+			<description><![CDATA[This enables plain MAC auth. The Calling-Station-Id in an Access-Request is first checked against an authorized_macs list before all other authorization methods.	If your NAS is not able to convert the MAC in a 802.1X format then you could enable this. If you do not need this leave this disabled. (Default: unchecked)]]></description>
 			<type>checkbox</type>
 		</field>
 		<field>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index cb68e9c4..df8beb40 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -805,7 +805,7 @@
 				Do not use together with freeradius package. Both are using the same XML files.]]></descr>
 		<pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
 		<category>System</category>
-		<version>2.1.12 pkg v1.4.5</version>
+		<version>2.1.12 pkg v1.4.6</version>
 		<status>BETA</status>
 		<required_version>2.0</required_version>
 		<maintainer>nachtfalkeaw@web.de</maintainer>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 10a5f2f2..fb0ce32d 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -852,7 +852,7 @@
 				Do not use together with freeradius package. Both are using the same XML files.]]></descr>
 		<pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
 		<category>System</category>
-		<version>2.1.12 pkg v1.4.5</version>
+		<version>2.1.12 pkg v1.4.6</version>
 		<status>BETA</status>
 		<required_version>2.0</required_version>
 		<maintainer>nachtfalkeaw@web.de</maintainer>