author | Chris Buechler <cmb@pfsense.org> | 2011-12-28 14:04:47 -0800 |
committer | Chris Buechler <cmb@pfsense.org> | 2011-12-28 14:04:47 -0800 |
commit | 5516aa102df93816dff4bab5a9ddd67a72710c00 (patch) | |
tree | 4477c3bdd851a718c645df7f7e32f4d54a15959e /config/freeradius2/freeradius.inc | |
parent | 54cc1ac21a9e89a496800bb521ca7d485929cc95 (diff) | |
parent | fda35a3ca21e8a41d88b3e04416d889555b1492a (diff) | |
Merge pull request #160 from Nachtfalkeaw/master
freeradius2 updates
Diffstat (limited to 'config/freeradius2/freeradius.inc')
-rwxr-xr-x | config/freeradius2/freeradius.inc | 277 |
1 files changed, 180 insertions, 97 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 9409553b..c4edf183 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -49,20 +49,20 @@ function freeradius_settings_resync() { $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; // Variables: General configuration - $varsettingsmaxrequesttime = ($varsettings['varsettingsmaxrequesttime']?$varsettings['varsettingsmaxrequesttime']:'1024'); - $varsettingscleanupdelay = ($varsettings['varsettingscleanupdelay']?$varsettings['varsettingscleanupdelay']:'30'); - $varsettingsmaxrequests = ($varsettings['varsettingsmaxrequests']?$varsettings['varsettingsmaxrequests']:'5'); - $varsettingslogdir = ($varsettings['varsettingslogdir']?$varsettings['varsettingslogdir']:'no'); - $varsettingsstrippednames = ($varsettings['varsettingsstrippednames']?$varsettings['varsettingsstrippednames']:'no'); + $varsettingsmaxrequests = ($varsettings['varsettingsmaxrequests']?$varsettings['varsettingsmaxrequests']:'1024'); + $varsettingsmaxrequesttime = ($varsettings['varsettingsmaxrequesttime']?$varsettings['varsettingsmaxrequesttime']:'30'); + $varsettingscleanupdelay = ($varsettings['varsettingscleanupdelay']?$varsettings['varsettingscleanupdelay']:'5'); + $varsettingshostnamelookups = ($varsettings['varsettingshostnamelookups']?$varsettings['varsettingshostnamelookups']:'no'); + $varsettingsallowcoredumps = ($varsettings['varsettingsallowcoredumps']?$varsettings['varsettingsallowcoredumps']:'no'); + $varsettingsregularexpressions = ($varsettings['varsettingsregularexpressions']?$varsettings['varsettingsregularexpressions']:'yes'); + $varsettingsextendedexpressions = ($varsettings['varsettingsextendedexpressions']?$varsettings['varsettingsextendedexpressions']:'yes'); // Variables: Logging options + $varsettingslogdir = ($varsettings['varsettingslogdir']?$varsettings['varsettingslogdir']:'syslog'); $varsettingsauth = ($varsettings['varsettingsauth']?$varsettings['varsettingsauth']:'yes'); - $varsettingsauthbadpass = ($varsettings['varsettingsauthbadpass']?$varsettings['varsettingsauthbadpass']:'yes'); - $varsettingsauthgoodpass = 
($varsettings['varsettingsauthgoodpass']?$varsettings['varsettingsauthgoodpass']:'files'); - $varsettingshostnamelookups = ($varsettings['varsettingshostnamelookups']?$varsettings['varsettingshostnamelookups']:'no'); - $varsettingsallowcoredumps = ($varsettings['varsettingsallowcoredumps']?$varsettings['varsettingsallowcoredumps']:'no'); - $varsettingsregularexpressions = ($varsettings['varsettingsregularexpressions']?$varsettings['varsettingsregularexpressions']:'no'); - $varsettingsextendedexpressions = ($varsettings['varsettingsextendedexpressions']?$varsettings['varsettingsextendedexpressions']:'no'); + $varsettingsauthbadpass = ($varsettings['varsettingsauthbadpass']?$varsettings['varsettingsauthbadpass']:'no'); + $varsettingsauthgoodpass = ($varsettings['varsettingsauthgoodpass']?$varsettings['varsettingsauthgoodpass']:'no'); + $varsettingsstrippednames = ($varsettings['varsettingsstrippednames']?$varsettings['varsettingsstrippednames']:'no'); // Variables: Security $varsettingsmaxattributes = ($varsettings['varsettingsmaxattributes']?$varsettings['varsettingsmaxattributes']:'200'); 
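Review bot: Every `?:` fallback in this hunk treats a configured value of `0` as unset, because PHP's `'0'` is falsy, so an administrator who explicitly sets cleanup_delay or max_request_time to 0 silently gets the default back; test presence instead, e.g. `$varsettingscleanupdelay = (isset($varsettings['varsettingscleanupdelay']) && $varsettings['varsettingscleanupdelay'] !== '') ? $varsettings['varsettingscleanupdelay'] : '5';`. These values are presumably interpolated verbatim into the radiusd.conf heredoc that follows in this function, so the numeric ones should be coerced with `(int)` and the yes/no ones restricted to those two tokens before use, since a value containing a newline would otherwise become additional directives. freeradius_settings_resync() continues outside the hunk.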
@@ -76,12 +76,24 @@ function freeradius_settings_resync() { $varsettingsmaxqueuesize = ($varsettings['varsettingsmaxqueuesize']?$varsettings['varsettingsmaxqueuesize']:'65536'); $varsettingsmaxrequestsperserver = ($varsettings['varsettingsmaxrequestsperserver']?$varsettings['varsettingsmaxrequestsperserver']:'0'); - // These lines are uncommented in fuction "freeradius_settings_resync" to INCLUDE / enable eap.conf + // For more details look at "freeradius_sqlconf_resync" $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; - $varsqlconfenable = ($sqlconf['varsqlconfenable']?$sqlconf['varsqlconfenable']:'#\$INCLUDE sql.conf'); - $varsqlconfenablecounter = ($sqlconf['varsqlconfenablecounter']?$sqlconf['varsqlconfenablecounter']:'#\$INCLUDE sql/mysql/counter.conf'); - + $varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable'); + + // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf + if ($sqlconf['varsqlconfincludeenable'] == 'Enable') { + $varsqlconfinclude = '\$INCLUDE sql.conf'; + $varsqlconfincludecounter = '\$INCLUDE sql/mysql/counter.conf'; + $varsqlconfinstantiate = 'sql'; + } + + if ($sqlconf['varsqlconfincludeenable'] == 'Disable') { + $varsqlconfinclude = '#\$INCLUDE sql.conf'; + $varsqlconfincludecounter = '#\$INCLUDE sql/mysql/counter.conf'; + $varsqlconfinstantiate = '#sql'; + } + $conf = <<<EOD prefix = /usr/local @@ -214,19 +226,12 @@ thread pool { modules { \$INCLUDE \${confdir}/modules/ \$INCLUDE eap.conf + ### Dis-/Enable sql.conf INCLUDE + $varsqlconfinclude - ### Original line - ### Enable sql.conf INCLUDE - ###\$INCLUDE sql.conf - $varsqlconfenable - - - ### Original line - ### Enable sql/mysql/counter.conf INCLUDE - #\$INCLUDE sql/mysql/counter.conf - $varsqlconfenablecounter - - + ### Dis-/Enable sql/mysql/counter.conf INCLUDE + $varsqlconfincludecounter + #\$INCLUDE sqlippool.conf } 
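Review bot: In the `@@ -76` hunk the two `if` blocks test the raw `$sqlconf['varsqlconfincludeenable']` rather than the `$varsqlconfincludeenable` computed just above them with the 'Disable' default, so when the key is absent neither branch runs and `$varsqlconfinclude`, `$varsqlconfincludecounter` and `$varsqlconfinstantiate` reach the radiusd.conf heredoc in the `@@ -214` and `@@ -237` hunks undefined (empty lines plus PHP notices). Test the defaulted variable and make the second block the `else` so exactly one branch always runs: `if ($varsqlconfincludeenable == 'Enable') {` … `} else {`. The new comment also misspells "instantiate" as "instatiate", here and again in the `@@ -237` hunk.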
@@ -237,10 +242,8 @@ instantiate { #daily expiration logintime - #redundant redundant_sql { - # sql1 - # sql2 - #} + ### Dis-/Enable sql instatiate + $varsqlconfinstantiate } \$INCLUDE policy.conf \$INCLUDE sites-enabled/ 
@@ -258,61 +261,96 @@ function freeradius_users_resync() { global $config; $conf = ''; -$users = $config['installedpackages']['freeradius']['config']; -if (is_array($users) && !empty($users)) { -foreach ($users as $user) { -$username = $user['username']; -$password = $user['password']; -$multiconnect = $user['multiconnect']; -$ip = $user['ip']; -$subnetmask = $user['subnetmask']; -$gateway = $user['gateway']; -$userexpiration=$user['expiration']; -$sessiontime=$user['sessiontime']; -$onlinetime=$user['onlinetime']; -$vlanid=$user['vlanid']; -$additionaloptions=$user['additionaloptions']; -$atrib=''; -$head="$username Cleartext-Password := ".'"'.$password.'"'; - if ($multiconnect <> '') { - $head .=", Simultaneous-Use := $multiconnect"; - } - if ($userexpiration <> '') { - $head .=", Expiration := ".'"'.$userexpiration.'"'; - } - if ($subnetmask<> '') { - $head .=", Framed-IP-Netmask = $subnetmask"; - } - if ($gateway<> '') { - $head .=", Framed-Route = $gateway"; - } - if ($onlinetime <> '') { - $head .=", Login-Time := ". '"' . 
$onlinetime .'"'; - } - if ($ip <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tFramed-IP-Address = $ip"; - } - if ($sessiontime <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tSession-Timeout := $sessiontime"; - } - if ($vlanid <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\""; - } - if ($additionaloptions <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\t$additionaloptions"; - } - - $conf .= <<<EOD -$head -$atrib +// Empty variables + +$arrusers = $config['installedpackages']['freeradius']['config']; + +if (is_array($arrusers) && !empty($arrusers)) { + foreach ($arrusers as $users) { + + // Variables for users file defined parameters + $varusersusername = $users['varusersusername']; + $varuserspassword = $users['varuserspassword']; + $varuserssimultaneousconnect = ($users['varuserssimultaneousconnect']?$users['varuserssimultaneousconnect']:'1'); + $varusersframedipaddress = $users['varusersframedipaddress']; + $varusersframedipnetmask = $users['varusersframedipnetmask']; + $varusersframedroute = $users['varusersframedroute']; + $varusersexpiration=$users['varusersexpiration']; + $varuserssessiontimeout=$users['varuserssessiontimeout']; + $varuserslogintime=$users['varuserslogintime']; + $varusersvlanid=$users['varusersvlanid']; + + // Clear variables for next user foreach additional options + $varuserstopadditionaloptions = ''; + $varusersadditionaloptionstop = ''; + + + if(!empty($users['varuserstopadditionaloptions'])) { + $varuserstopadditionaloptions = explode("|", ($users['varuserstopadditionaloptions'])); + foreach ($varuserstopadditionaloptions as $toptmp) { + $varusersadditionaloptionstop .= $toptmp . 
"\n"; + } + } + + // Clear variables for next user foreach additional options + $varusersbottomadditionaloptions = ''; + $varusersadditionaloptionsbottom = ''; + + if(!empty($users['varusersbottomadditionaloptions'])) { + $varusersbottomadditionaloptions = explode("|", ($users['varusersbottomadditionaloptions'])); + $varusersadditionaloptionsbottom .= ''; + foreach ($varusersbottomadditionaloptions as $bottomtmp) { + $varusersadditionaloptionsbottom .= $bottomtmp . "\n\t"; + } + } + + + + // Empty variable + $varusersmainoptions = ''; + + // Add the user attributes to each user. + $varusersmainoptions = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"'; + + if ($varuserssimultaneousconnect != '') { + $varusersmainoptions .= "\n\tSimultaneous-Use := $varuserssimultaneousconnect"; + } + if ($varusersexpiration != '') { + $varusersmainoptions .= ",\n\tExpiration := " . '"' . $varusersexpiration . '"'; + } + if ($varuserslogintime != '') { + $varusersmainoptions .= ",\n\tLogin-Time := " . '"' . $varuserslogintime . '"'; + } + if ($varuserssessiontimeout != '') { + $varusersmainoptions .= ",\n\tSession-Timeout := $varuserssessiontimeout"; + } + if ($varusersframedipaddress != '') { + $varusersmainoptions .= ",\n\tFramed-IP-Address = $varusersframedipaddress"; + } + if ($varusersframedipnetmask != '') { + $varusersmainoptions .= ",\n\tFramed-IP-Netmask = $varusersframedipnetmask"; + } + if ($varusersframedroute != '') { + $varusersmainoptions .= ",\n\tFramed-Route = " . '"' . $varusersframedroute . '"'; + } + if ($varusersvlanid != '') { + $varusersmainoptions .= ",\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . 
'"'; + } + if ($varusersadditionaloptionsbottom != '') { + $varusersmainoptions .= ",\n\t$varusersadditionaloptionsbottom"; + } + // Cosmetic fix - This is just to make a blank new line after each user entry + $varusersmainoptions .= "\n\n"; + + + $conf .= <<<EOD +$varusersadditionaloptionstop +$varusersmainoptions EOD; -} -} + } //end foreach +} // end if + $filename = RADDB . '/users'; conf_mount_rw(); file_put_contents($filename, $conf); @@ -463,6 +501,9 @@ if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { $vareapconfprivatekeyfile = 'server_key.pem'; $vareapconfcertificatefile = 'server_cert.pem'; $vareapconfcafile = 'ca_cert.pem'; + // generate new DH and RANDOM file + exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); } // This is for freeradius cert manager @@ -624,11 +665,7 @@ function freeradius_sqlconf_resync() { $varsqlconfreadclients = ($sqlconf['varsqlconfreadclients']?$sqlconf['varsqlconfreadclients']:'yes'); $varsqlconfnastable = ($sqlconf['varsqlconfnastable']?$sqlconf['varsqlconfnastable']:'nas'); - // These lines are uncommented in fuction "freeradius_settings_resync" to INCLUDE / enable eap.conf - // $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; - // $varsqlconfenable = ($sqlconf['varsqlconfenable']?$sqlconf['varsqlconfenable']:'#\$INCLUDE sql.conf'); - // $varsqlconfenablecounter = ($sqlconf['varsqlconfenablecounter']?$sqlconf['varsqlconfenablecounter']:'#\$INCLUDE sql/mysql/counter.conf'); - + // For more information look at "freeradius_settings_resync" $conf .= <<<EOD 
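Review bot: The users-file entry built in the `@@ -258` hunk puts Simultaneous-Use, Expiration and Login-Time on indented continuation lines, but in the FreeRADIUS `users` grammar only the first line holds check items and every indented line is a reply item (radiusd warns about check items found in the reply list), so, if I read it correctly, the new layout stops these three limits from being enforced and concurrent-login caps and account expiry silently become advisory. The removed code had them on the first line with `, ` separators; restore that and keep only reply items (Session-Timeout, Framed-*, Tunnel-*, bottom options) on `\n\t` lines, with a comma ending every reply line except the last. Username and password are also interpolated into the quoted strings unescaped, so a `"` in either truncates the entry; escape with `addcslashes($s, '"\\')` or reject such values on input. freeradius_users_resync() begins before the hunk.
```php
// Check items stay on the first line, comma separated; indented lines are reply items.
$varusersmainoptions = '"' . $varusersusername . '"' . ' Cleartext-Password := "' . $varuserspassword . '"';
if ($varuserssimultaneousconnect != '') {
    $varusersmainoptions .= ", Simultaneous-Use := $varuserssimultaneousconnect";
}
if ($varusersexpiration != '') {
    $varusersmainoptions .= ', Expiration := "' . $varusersexpiration . '"';
}
if ($varuserslogintime != '') {
    $varusersmainoptions .= ', Login-Time := "' . $varuserslogintime . '"';
}
// Reply items: one per indented line, every line but the last ending in a comma.
$varusersreplyitems = array();
if ($varuserssessiontimeout != '') {
    $varusersreplyitems[] = "Session-Timeout := $varuserssessiontimeout";
}
// … unchanged pattern for Framed-IP-Address, Framed-IP-Netmask, Framed-Route, Tunnel-* and the bottom options …
if (!empty($varusersreplyitems)) {
    $varusersmainoptions .= "\n\t" . implode(",\n\t", $varusersreplyitems);
}
// … unchanged: trailing blank line and heredoc append …
```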
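Review bot: The two `exec()` calls added in the `@@ -463` hunk run on every resync, discard their exit status, and regenerate `dh` with 1024-bit parameters, so each save of the EAP settings blocks the web UI on a dhparam run and a failure (openssl missing, filesystem still read-only) goes unnoticed while an old or empty file stays in place. Generate only when the file is absent, capture the status and use 2048-bit parameters: `if (!file_exists('/usr/local/etc/raddb/certs/dh')) { exec('cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 2048', $out, $rc); }` and log when `$rc` is non-zero. The path is also hard-coded although the file already has the RADDB constant (used as `RADDB . '/users'` in this diff). The enclosing if-block starts outside the hunk.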
@@ -676,6 +713,55 @@ function freeradius_serverdefault_resync() { global $config; $conf = ''; + // Get Variables from freeradiussqlconf.xml + $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; + $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable'); + $varsqlconfenableaccounting = ($sqlconf['varsqlconfenableaccounting']?$sqlconf['varsqlconfenableaccounting']:'Disable'); + $varsqlconfenablesession = ($sqlconf['varsqlconfenablesession']?$sqlconf['varsqlconfenablesession']:'Disable'); + $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable'); + + + // Disable all sql sections if sql is global disabled + // if ($sqlconf['varsqlconfincludeenable'] == 'Disable') { + // $varsqlconfauthorize = '#sql'; + // $varsqlconfaccounting = '#sql'; + // $varsqlconfsession = 'radutmp'; + // $varsqlconfpostauth = '#sql'; + // } + + // authorize section + if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) { + $varsqlconfauthorize = 'sql'; + } + else { + $varsqlconfauthorize = '#sql'; + } + + // accounting section + if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) { + $varsqlconfaccounting = 'sql'; + } + else { + $varsqlconfaccounting = '#sql'; + } + + // session section + if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) { + $varsqlconfsession = 'sql'; + } + else { + $varsqlconfsession = 'radutmp'; + } + + // post-auth section + if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) { + $varsqlconfpostauth = 'sql'; + } + else { + $varsqlconfpostauth = '#sql'; + } + + $conf .= <<<EOD ###################################################################### 
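Review bot: In the `@@ -676` hunk the four `$varsqlconfenable*` variables are assigned with a 'Disable' default but never read — each `if` tests the raw `$sqlconf[...]` keys instead — so the defaults are dead code, and the global switch is likewise read raw without the default freeradius_settings_resync() gives it. Read the defaulted variables and collapse each block to one line, e.g. `$varsqlconfauthorize = ($varsqlconfincludeenable == 'Enable' && $varsqlconfenableauthorize == 'Enable') ? 'sql' : '#sql';`, after defining `$varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable'] ? $sqlconf['varsqlconfincludeenable'] : 'Disable');` here as well. The commented-out "Disable all sql sections" block is superseded by those conditions and should be removed rather than left in. freeradius_serverdefault_resync() continues outside the hunk.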
@@ -854,7 +940,7 @@ authorize { # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf -# sql + $varsqlconfauthorize # # If you are using /etc/smbpasswd, and are also doing @@ -1083,7 +1169,7 @@ accounting { # Log traffic to an SQL database. # # See "Accounting queries" in sql.conf -# sql + $varsqlconfaccounting # # If you receive stop packets with zero session length, @@ -1127,11 +1213,8 @@ accounting { # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { - radutmp - - # - # See "Simultaneous Use Checking Queries" in sql.conf -# sql + ### choose radutmp or sql + $varsqlconfsession } @@ -1152,7 +1235,7 @@ post-auth { # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf -# sql + $varsqlconfpostauth # # Instead of sending the query to the SQL server, |