aboutsummaryrefslogtreecommitdiffstats
path: root/config/freeradius2
diff options
context:
space:
mode:
authorAlexander Wilke <nachtfalkeaw[@]web.de>2012-01-29 21:15:39 +0100
committerAlexander Wilke <nachtfalkeaw[@]web.de>2012-01-29 21:15:39 +0100
commita2b11330ee9ae8be632f59126ca8b4674ea792fd (patch)
tree62a273cee70d827c3ee6787bcd28401f06d2a7b7 /config/freeradius2
parent98f4d42ff96d69d2108dbeed64e347dffb31dc0c (diff)
downloadpfsense-packages-a2b11330ee9ae8be632f59126ca8b4674ea792fd.tar.gz
pfsense-packages-a2b11330ee9ae8be632f59126ca8b4674ea792fd.tar.bz2
pfsense-packages-a2b11330ee9ae8be632f59126ca8b4674ea792fd.zip
option to disable weak EAP types
Diffstat (limited to 'config/freeradius2')
-rw-r--r--config/freeradius2/freeradius.inc38
1 files changed, 24 insertions, 14 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index fb7945b9..91a9d7f2 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -751,6 +751,14 @@ function freeradius_eapconf_resync() {
$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
+ // Disable weak EAP types like MD5, GTC, LEAP
+ if ($eapconf['vareapconfdisableweakeaptypes'] == '') {
+ $vareapconfweakeaptypes = "md5 {" . "\n\t\t}" . "\n\t\tleap {" . "\n\t\t}" . "\n\t\tgtc {" . "\n\t\t\t#challenge = " . '"Password: "' . "\n\t\t\tauth_type = PAP" . "\n\t\t}";
+ }
+ else {
+ $vareapconfweakeaptypes = '### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###';
+ }
+
// Variables: EAP
$vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5');
$vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60');
@@ -871,9 +879,13 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
$vareapconfcafile = 'ca_cert.pem';
// generate new DH and RANDOM file
- log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs");
- exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
- exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
+ // We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files
+ if (!file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) {
+ log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs");
+ exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
+ exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
+ exec("touch /usr/local/etc/raddb/certs/pfsense_cert_mgr");
+ }
}
// This is for freeradius cert manager
@@ -909,16 +921,9 @@ else {
cisco_accounting_username_bug = $vareapconfciscoaccountingusernamebug
max_sessions = $vareapconfmaxsessions
- md5 {
- }
- leap {
- }
- gtc {
- #challenge = "Password: "
- auth_type = PAP
- }
-
-
+ $vareapconfweakeaptypes
+
+
### EAP-TLS and EAP-TLS with OCSP support
tls {
certdir = \${confdir}/certs
@@ -2343,11 +2348,16 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
freeradius_servercertcnf_resync();
freeradius_clientcertcnf_resync();
+ // this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created
+ if (file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) {
+ unlink("/usr/local/etc/raddb/certs/pfsense_cert_mgr");
+ }
+
// generate new DH and RANDOM file
log_error("freeRADIUS: Creating new DH and random file in /usr/local/etc/raddb/certs");
exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
-
+
log_error("freeRADIUS: Creating new CA, Server and Client certs in /usr/local/etc/raddb/certs");
// make bootstrap executable and run to create certs based on .cnf files
exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");