author | Alexander Wilke <nachtfalkeaw[@]web.de> | 2012-01-29 21:15:39 +0100 |
committer | Alexander Wilke <nachtfalkeaw[@]web.de> | 2012-01-29 21:15:39 +0100 |
commit | a2b11330ee9ae8be632f59126ca8b4674ea792fd (patch) | |
tree | 62a273cee70d827c3ee6787bcd28401f06d2a7b7 /config/freeradius2 | |
parent | 98f4d42ff96d69d2108dbeed64e347dffb31dc0c (diff) | |
option to disable weak EAP types
Diffstat (limited to 'config/freeradius2')
-rw-r--r-- | config/freeradius2/freeradius.inc | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index fb7945b9..91a9d7f2 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -751,6 +751,14 @@ function freeradius_eapconf_resync() { $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; + // Disable weak EAP types like MD5, GTC, LEAP + if ($eapconf['vareapconfdisableweakeaptypes'] == '') { + $vareapconfweakeaptypes = "md5 {" . "\n\t\t}" . "\n\t\tleap {" . "\n\t\t}" . "\n\t\tgtc {" . "\n\t\t\t#challenge = " . '"Password: "' . "\n\t\t\tauth_type = PAP" . "\n\t\t}"; + } + else { + $vareapconfweakeaptypes = '### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###'; + } + // Variables: EAP $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5'); $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60'); @@ -871,9 +879,13 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $vareapconfcafile = 'ca_cert.pem'; // generate new DH and RANDOM file - log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs"); - exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); - exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + // We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files + if (!file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) { + log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs"); + exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + exec("touch /usr/local/etc/raddb/certs/pfsense_cert_mgr"); + } } // This is for freeradius cert manager 
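Review bot: With md5/leap/gtc dropped from the eap {} block, `default_eap_type` still falls back to `md5` two lines below (`$vareapconfdefaulteaptype = (... : 'md5')`), and rlm_eap refuses to instantiate when the default type names a sub-module that is not configured, so enabling the new option with the default left untouched will most likely stop radiusd from starting. The fallback should follow the switch, e.g. `$vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype'] ? $eapconf['vareapconfdefaulteaptype'] : ($eapconf['vareapconfdisableweakeaptypes'] == '' ? 'md5' : 'tls'));`, and an explicit md5/leap/gtc choice should be rejected or at least logged while those types are disabled. Note that the option is opt-in — an unset `vareapconfdisableweakeaptypes` keeps EAP-MD5 and LEAP enabled, which is worth stating in the GUI help text. GTC is only weak when offered outside a TLS tunnel; as an inner method under PEAP/TTLS it is often required, so the comment `// Disable weak EAP types like MD5, GTC, LEAP` could note that disabling it here also removes it as an inner method. freeradius_eapconf_resync continues outside the hunk.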
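Review bot: The sentinel `pfsense_cert_mgr` is touched regardless of whether the preceding `openssl dhparam` and `dd` calls succeeded, so a failed or interrupted generation (openssl missing from PATH, full disk, process killed mid-dhparam) leaves a missing or truncated `dh`/`random` that is never regenerated on later resyncs. Capture the exit status and create the marker only on success: `exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024", $out, $rc);` followed by `if ($rc === 0 && file_exists("/usr/local/etc/raddb/certs/dh")) exec("touch /usr/local/etc/raddb/certs/pfsense_cert_mgr");` — or drop the separate marker and test for the `dh` file itself. While this line is being moved, 1024-bit DH parameters are weak by current standards and 2048 is the usual minimum; generation is slower, which is a further reason to run it only once. The surrounding if/else on vareapconfchoosecertmanager starts outside the hunk.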
@@ -909,16 +921,9 @@ else { cisco_accounting_username_bug = $vareapconfciscoaccountingusernamebug max_sessions = $vareapconfmaxsessions - md5 { - } - leap { - } - gtc { - #challenge = "Password: " - auth_type = PAP - } - - + $vareapconfweakeaptypes + + ### EAP-TLS and EAP-TLS with OCSP support tls { certdir = \${confdir}/certs @@ -2343,11 +2348,16 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { freeradius_servercertcnf_resync(); freeradius_clientcertcnf_resync(); + // this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created + if (file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) { + unlink("/usr/local/etc/raddb/certs/pfsense_cert_mgr"); + } + // generate new DH and RANDOM file log_error("freeRADIUS: Creating new DH and random file in /usr/local/etc/raddb/certs"); exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); - + log_error("freeRADIUS: Creating new CA, Server and Client certs in /usr/local/etc/raddb/certs"); // make bootstrap executable and run to create certs based on .cnf files exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); |
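Review bot: This branch still regenerates `dh` and `random` unconditionally on every resync — and, judging by the unconditional `log_error("freeRADIUS: Creating new CA, Server and Client certs ...")` and bootstrap lines that follow, appears to re-issue the CA and certificates too — whereas the pfSense Cert-Manager branch in the same commit now does the DH work once behind a sentinel. If this resync runs on each package save, that means a slow dhparam run plus a new CA that invalidates any supplicant pinned to the previous one, every time. Applying the same guard here, e.g. `if (!file_exists("/usr/local/etc/raddb/certs/dh")) { ... }` around the DH/random generation, keeps the two branches consistent. The `unlink()` result is unchecked; if the marker cannot be removed (permissions), switching back to Cert-Manager will silently skip DH regeneration, so at least `log_error` when it fails. The enclosing function starts and ends outside the hunk.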