diff options
| author | Nacht Falke <nachtfalkeaw@web.de> | 2011-12-18 23:52:25 +0000 |
|---|---|---|
| committer | Nacht Falke <nachtfalkeaw@web.de> | 2011-12-18 23:52:25 +0000 |
| commit | 458b2787beb9bed358d1a9d72edcb8412d72f243 (patch) | |
| tree | 80a2c27e96c583f580969aa802cbd34ee01b2cc8 /config/freeradius2/freeradius.inc | |
| parent | 9d513194271fb06b49d1f29dde2d29edf17375b6 (diff) | |
| download | pfsense-packages-458b2787beb9bed358d1a9d72edcb8412d72f243.tar.gz pfsense-packages-458b2787beb9bed358d1a9d72edcb8412d72f243.tar.bz2 pfsense-packages-458b2787beb9bed358d1a9d72edcb8412d72f243.zip | |
Added additional .XML to configure eap.conf
Diffstat (limited to 'config/freeradius2/freeradius.inc')
| -rwxr-xr-x | config/freeradius2/freeradius.inc | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 518544c9..38625494 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -27,6 +27,9 @@ function freeradius_install_command() { } } + exec("chown -R root:wheel /usr/local/etc/raddb"); + exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); + closedir($handle); $rcfile = array(); @@ -322,4 +325,134 @@ EOD; conf_mount_ro(); restart_service("freeradius"); } + + + +function freeradius_eapconf_resync() { + global $config; + $conf = ''; + + $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; + + // Variables: EAP + $vareapconfdefaulteaptype = $eapconf['vareapconfdefaulteaptype']; + $vareapconftimerexpire = $eapconf['vareapconftimerexpire']; + $vareapconfignoreunknowneaptypes = $eapconf['vareapconfignoreunknowneaptypes']; + $vareapconfciscoaccountingusernamebug = $eapconf['vareapconfciscoaccountingusernamebug']; + $vareapconfmaxsessions = $eapconf['vareapconfmaxsessions']; + + // Variables: EAP-TLS and EAP-TLS with OCSP support + $vareapconfprivatekeypassword = $eapconf['vareapconfprivatekeypassword']; + $vareapconfprivatekeyfile = $eapconf['vareapconfprivatekeyfile']; + $vareapconfcertificatefile = $eapconf['vareapconfcertificatefile']; + $vareapconfcafile = $eapconf['vareapconfcafile']; + $vareapconfdhfile = $eapconf['vareapconfdhfile']; + $vareapconfrandomfile = $eapconf['vareapconfrandomfile']; + $vareapconfocspenable = $eapconf['vareapconfocspenable']; + $vareapconfocspoverridecerturl = $eapconf['vareapconfocspoverridecerturl']; + $vareapconfocspurl = $eapconf['vareapconfocspurl']; + + // Variables: EAP-TTLS + $vareapconfttlsdefaulteaptype = $eapconf['vareapconfttlsdefaulteaptype']; + $vareapconfttlscopyrequesttotunnel = $eapconf['vareapconfttlscopyrequesttotunnel']; + $vareapconfttlsusetunneledreply = $eapconf['vareapconfttlsusetunneledreply']; + + // Variables: EAP-PEAP with MSCHAPv2 + $vareapconfpeapdefaulteaptype = $eapconf['vareapconfpeapdefaulteaptype']; + $vareapconfpeapcopyrequesttotunnel = $eapconf['vareapconfpeapcopyrequesttotunnel']; + $vareapconfpeapusetunneledreply = $eapconf['vareapconfpeapusetunneledreply']; + + + $conf .= <<<EOD + + ### EAP + eap { + default_eap_type = $vareapconfdefaulteaptype + timer_expire = $vareapconftimerexpire + ignore_unknown_eap_types = $vareapconfignoreunknowneaptypes + cisco_accounting_username_bug = $vareapconfciscoaccountingusernamebug + max_sessions = $vareapconfmaxsessions + + md5 { + } + leap { + } + gtc { + #challenge = "Password: " + auth_type = PAP + } + + + ### EAP-TLS and EAP-TLS with OCSP support + tls { + certdir = \${confdir}/certs + cadir = \${confdir}/certs + private_key_password = $vareapconfprivatekeypassword + private_key_file = \${certdir}/$vareapconfprivatekeyfile + certificate_file = \${certdir}/$vareapconfcertificatefile + CA_file = \${cadir}/$vareapconfcafile + dh_file = \${certdir}/$vareapconfdhfile + random_file = \${certdir}/$vareapconfrandomfile + # fragment_size = 1024 + # include_length = yes + # check_crl = yes + CA_path = \${cadir} + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + # check_cert_cn = %{User-Name} + cipher_list = "DEFAULT" + make_cert_command = "\${certdir}/bootstrap" + ecdh_curve = "prime256v1" + cache { + enable = no + lifetime = 24 # hours + max_entries = 255 + } + verify { + # tmpdir = /tmp/radiusd + # client = "/path/to/openssl verify -CApath ${CA_path} %{TLS-Client-Cert-Filename}" + } + ocsp { + enable = $vareapconfocspenable + override_cert_url = $vareapconfocspoverridecerturl + url = "$vareapconfocspurl" + } + } ### end tls + + ### EAP-TTLS + ttls { + default_eap_type = $vareapconfttlsdefaulteaptype + copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel + use_tunneled_reply = $vareapconfttlsusetunneledreply + ### if disabled this will be processed by the virtual server called "default" + # virtual_server = "inner-tunnel" + # include_length = yes + } ### end ttls + + ### EAP-PEAP with MSCHAPv2 + peap { + default_eap_type = $vareapconfpeapdefaulteaptype + copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel + use_tunneled_reply = $vareapconfpeapusetunneledreply + # proxy_tunneled_request_as_eap = yes + ### if disabled this will be processed by the virtual server called "default" + # virtual_server = "inner-tunnel" + # soh = yes + # soh_virtual_server = "soh-server" + } + mschapv2 { + # send_error = no + } + } ### end eap + + +EOD; + + $filename = RADDB . '/eap.conf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + + restart_service('freeradius'); +} ?>
\ No newline at end of file |