aboutsummaryrefslogtreecommitdiffstats
path: root/config/freeradius.inc
diff options
context:
space:
mode:
authorBill Marquette <bill.marquette@gmail.com>2009-02-06 19:18:00 -0600
committerBill Marquette <bill.marquette@gmail.com>2009-02-06 19:18:00 -0600
commit55eddd7accf2c5f9b0f52b22a010c4c4b7c130d1 (patch)
treeba4783bab1dd65f1ceef2dfac9fdbd515531d18b /config/freeradius.inc
parent67780cc9d469288742aea5bc378c29a54edd5ec5 (diff)
downloadpfsense-packages-55eddd7accf2c5f9b0f52b22a010c4c4b7c130d1.tar.gz
pfsense-packages-55eddd7accf2c5f9b0f52b22a010c4c4b7c130d1.tar.bz2
pfsense-packages-55eddd7accf2c5f9b0f52b22a010c4c4b7c130d1.zip
mv packages to config dir to match web layout
Diffstat (limited to 'config/freeradius.inc')
-rw-r--r--config/freeradius.inc527
1 files changed, 527 insertions, 0 deletions
diff --git a/config/freeradius.inc b/config/freeradius.inc
new file mode 100644
index 00000000..53a1d695
--- /dev/null
+++ b/config/freeradius.inc
@@ -0,0 +1,527 @@
+<?php
+require_once('config.inc');
+require_once('service-utils.inc');
+
+define('RADDB', '/usr/local/etc/raddb');
+
+function freeradius_deinstall_command() {
+ exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`");
+ exec("cd /var/db/pkg && pkg_delete `ls | grep libltdl`");
+}
+
+function freeradius_install_command() {
+ global $config;
+
+ $handle = opendir(RADDB);
+ while (false != ($file = readdir($handle))) {
+ if (false != ($pos = strpos($file, '.sample'))) {
+ $newfile = substr($file, 0, $pos);
+ if (copy(RADDB . "/$file", RADDB . "/$newfile"))
+ unlink(RADDB . "/$file");
+ }
+ }
+ closedir($handle);
+
+ freeradius_settings_resync();
+
+ $rcfile = array();
+ $rcfile['file'] = 'radiusd.sh';
+ $rcfile['start'] = 'radiusd -s &';
+ $rcfile['stop'] = 'killall radiusd';
+ write_rcfile($rcfile);
+ start_service("freeradius");
+}
+
+function freeradius_settings_resync() {
+ global $config;
+
+ $settings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ $iface = ($settings['interface'] ? $settings['interface'] : 'LAN');
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $iface_ip = find_interface_ip($iface);
+ $port = ($settings['port'] != '' ? $settings['port'] : 0);
+ $radiuslogging = $settings['radiuslogging'];
+ $radiuslogbadpass = $settings['radiuslogbadpass'];
+ $radiusloggoodpass = $settings['radiusloggoodpass'];
+
+ // FreeRADIUS's configuration is huge
+ // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
+ $conf = <<<EOD
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/radiusd
+log_file = \${logdir}/radius.log
+libdir = \${exec_prefix}/lib
+pidfile = \${run_dir}/radiusd.pid
+#user = nobody
+#group = nobody
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+bind_address = $iface_ip
+port = $port
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+log_stripped_names = no
+log_auth = $radiuslogging
+log_auth_badpass = $radiuslogbadpass
+log_auth_goodpass = $radiusloggoodpass
+usercollide = no
+lower_user = no
+lower_pass = no
+nospace_user = no
+nospace_pass = no
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = no
+}
+
+proxy_requests = yes
+\$INCLUDE \${confdir}/proxy.conf
+
+\$INCLUDE \${confdir}/clients.conf
+
+snmp = no
+\$INCLUDE \${confdir}/snmp.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ pap {
+ encryption_scheme = crypt
+ }
+
+ chap {
+ authtype = CHAP
+ }
+
+ pam {
+ pam_auth = radiusd
+ }
+
+ unix {
+ cache = no
+ cache_reload = 600
+ radwtmp = \${logdir}/radwtmp
+ }
+
+ \$INCLUDE \${confdir}/eap.conf
+
+ mschap {
+ authtype = MS-CHAP
+ #use_mppe = no
+ #require_encryption = yes
+ #require_strong = yes
+ #with_ntdomain_hack = no
+ #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+ }
+
+ ldap {
+ server = "ldap.your.domain"
+ basedn = "o=My Org,c=UA"
+ filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ #base_filter = "(objectclass=radiusprofile)"
+ start_tls = no
+ #tls_cacertfile = /path/to/cacert.pem
+ #tls_cacertdir = /path/to/ca/dir/
+ #tls_certfile = /path/to/radius.crt
+ #tls_keyfile = /path/to/radius.key
+ #tls_randfile = /path/to/rnd
+ #tls_require_cert = "demand"
+ access_attr = "dialupAccess"
+ dictionary_mapping = \${raddbdir}/ldap.attrmap
+ ldap_connections_number = 5
+ #groupname_attribute = cn
+ #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+ #groupmembership_attribute = radiusGroupName
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+ #compare_check_items = yes
+ #do_xlat = yes
+ #access_attr_used_for_allow = yes
+ }
+
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ checkval {
+ item-name = Calling-Station-Id
+ check-name = Calling-Station-Id
+ data-type = string
+ #notfound-reject = no
+ }
+
+ preprocess {
+ huntgroups = \${confdir}/huntgroups
+ hints = \${confdir}/hints
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+ with_ntdomain_hack = no
+ with_specialix_jetstream_hack = no
+ with_cisco_vsa_hack = no
+ }
+
+ files {
+ usersfile = \${confdir}/users
+ acctusersfile = \${confdir}/acct_users
+ preproxy_usersfile = \${confdir}/preproxy_users
+ compat = no
+ }
+
+ detail {
+ detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+ detailperm = 0600
+ }
+
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+
+ \$INCLUDE \${confdir}/sql.conf
+
+ radutmp {
+ filename = \${logdir}/radutmp
+ username = %{User-Name}
+ case_sensitive = yes
+ check_with_nas = yes
+ perm = 0600
+ callerid = "yes"
+ }
+
+ radutmp sradutmp {
+ filename = \${logdir}/sradutmp
+ perm = 0644
+ callerid = "no"
+ }
+
+ attr_filter {
+ attrsfile = \${confdir}/attrs
+ }
+
+ counter daily {
+ filename = \${raddbdir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ allowed-servicetype = Framed-User
+ cache-size = 5000
+ }
+
+ counter weekly {
+ filename = \${raddbdir}/db.weekly
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = weekly
+ counter-name = Weekly-Session-Time
+ check-name = Max-Weekly-Session
+ cache-size = 5000
+ }
+
+ counter monthly {
+ filename = \${raddbdir}/db.monthly
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = monthly
+ counter-name = Monthly-Session-Time
+ check-name = Max-Monthly-Session
+ cache-size = 5000
+ }
+
+ counter forever {
+ filename = \${raddbdir}/db.forever
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = never
+ counter-name = Forever-Session-Time
+ check-name = Max-Forever-Session
+ cache-size = 5000
+ }
+
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+
+ expr {
+ }
+
+ digest {
+ }
+
+ exec {
+ wait = yes
+ input_pairs = request
+ }
+
+ exec echo {
+ wait = yes
+ program = "/bin/echo %{User-Name}"
+ input_pairs = request
+ output_pairs = reply
+ #packet_type = Access-Accept
+ }
+
+ ippool main_pool {
+ range-start = 192.168.1.1
+ range-stop = 192.168.3.254
+ netmask = 255.255.255.0
+ cache-size = 800
+ session-db = \${raddbdir}/db.ippool
+ ip-index = \${raddbdir}/db.ipindex
+ override = no
+ maximum-timeout = 0
+ }
+}
+
+instantiate {
+ exec
+ expr
+ daily
+ weekly
+ monthly
+ forever
+}
+
+authorize {
+ preprocess
+ #auth_log
+ #attr_filter
+ chap
+ mschap
+ #digest
+ #IPASS
+ suffix
+ #ntdomain
+ eap
+ files
+ #sql
+ #etc_smbpasswd
+ #ldap
+ daily
+ weekly
+ monthly
+ forever
+ #checkval
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ #digest
+ #pam
+ unix
+ #Auth-Type LDAP {
+ # ldap
+ #}
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ #IPASS
+ suffix
+ #ntdomain
+ files
+}
+
+accounting {
+ detail
+ daily
+ weekly
+ monthly
+ forever
+ unix
+ radutmp
+ #sradutmp
+ #main_pool
+ #sql
+ #pgsql-voip
+}
+
+session {
+ radutmp
+ #sql
+}
+
+post-auth {
+ #main_pool
+ #reply_log
+ #sql
+ #ldap
+ #Post-Auth-Type REJECT {
+ # insert-module-name-here
+ #}
+}
+
+pre-proxy {
+ #attr_rewrite
+ #files
+ #pre_proxy_log
+}
+
+post-proxy {
+ #post_proxy_log
+ #attr_rewrite
+ #attr_filter
+ eap
+}
+
+EOD;
+ file_put_contents(RADDB . '/radiusd.conf', $conf);
+ restart_service("freeradius");
+}
+
+function freeradius_users_resync() {
+ global $config;
+
+ $conf = '';
+ $users = $config['installedpackages']['freeradius']['config'];
+ if (is_array($users)) {
+ foreach ($users as $user) {
+ $username = $user['username'];
+ $password = $user['password'];
+ $multiconnet = $user['multiconnet'];
+ $ip = $user['ip'];
+ $userexpiration=$user['expiration'];
+ $sessiontime=$user['sessiontime'];
+ $onlinetime=$user['onlinetime'];
+ $vlanid=$user['vlanid'];
+ $additionaloptions=$user['additionaloptions'];
+ $atrib='';
+ $head="$username User-Password == ".'"'.$password.'"';
+ if ($multiconnect <> '') {
+ $head .=", Simultaneous-Use += $multiconnet";
+ }
+ if ($x <> '') {
+ $head .=", Expiration := ".'"'.$userexpiration.'"';
+ }
+ if ($onlinetime <> '') {
+ $head .=", Login-Time := ". '"' . $onlinetime .'"';
+ }
+ if ($ip <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tFramed-IP-Address = $ip";
+ }
+ if ($sessiontime <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tSession-Timeout := $sessiontime";
+ }
+ if ($vlanid <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
+ }
+ if ($additionaloptions <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\t$additionaloptions";
+ }
+
+ $conf .= <<<EOD
+$head
+ $atrib
+
+EOD;
+ }
+ }
+ $filename = RADDB . '/users';
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+
+ restart_service('freeradius');
+}
+
+function freeradius_clients_resync() {
+ global $config;
+
+ $conf = '';
+ $clients = $config['installedpackages']['freeradiusclients']['config'];
+ if (is_array($clients) && !empty($clients)) {
+ foreach ($clients as $item) {
+ $client = $item['client'];
+ $secret = $item['sharedsecret'];
+ $shortname = $item['shortname'];
+ $conf .= <<<EOD
+client $client {
+ secret = $secret
+ shortname = $shortname
+}
+
+EOD;
+ }
+ }
+ else {
+ $conf .= <<<EOD
+client 127.0.0.1 {
+ secret = pfsense
+ shortname = localhost
+}
+
+EOD;
+ }
+
+ file_put_contents(RADDB . '/clients.conf', $conf);
+ restart_service("freeradius");
+}
+?>