author | Jim P <jim@pingle.org> | 2012-01-07 05:26:11 -0800 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2012-01-07 05:26:11 -0800 |
commit | cb6548794c1c18f95b73c0e56063ff3c53fc3a68 (patch) | |
tree | 4b1fc78c740aea33f5b27bca9308ab8a8a8dd100 /config/freeradius2 | |
parent | 1d88cea6c36d69dcd5f292c61360997459d60585 (diff) | |
parent | e0a8a416de9e2ba4500f9342af47364205a8ff15 (diff) | |
Merge pull request #184 from Nachtfalkeaw/master
freeradius2 updates pkg v1.4.5
Diffstat (limited to 'config/freeradius2')
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradius.inc | 458 | ||||
-rw-r--r-- | config/freeradius2/freeradius.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradius_view_config.php | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusauthorizedmacs.xml | 201 | ||||
-rw-r--r-- | config/freeradius2/freeradiuscerts.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusclients.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusinterfaces.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusmodulesldap.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiussettings.xml | 17 | ||||
-rw-r--r-- | config/freeradius2/freeradiussqlconf.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiussync.xml | 6 |
12 files changed, 686 insertions, 28 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 6c64a615..98ac837f 100755..100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -70,10 +70,22 @@ function freeradius_install_command() { } } + closedir($handle); + exec("chown -R root:wheel /usr/local/etc/raddb"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); - closedir($handle); + // creating a backup file of the original policy.conf no matter if user checked this or not + if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to {$filepolicyconfbackup}"); + copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup"); + } + + // creating a backup file of the original /modules/files no matter if user checked this or not + if (!file_exists("/usr/local/etc/raddb/files.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}"); + copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); + } $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; @@ -82,7 +94,7 @@ function freeradius_install_command() { conf_mount_rw(); write_rcfile($rcfile); conf_mount_ro(); - start_service("radiusd"); + restart_service("radiusd"); } function freeradius_settings_resync() { @@ -123,7 +135,6 @@ function freeradius_settings_resync() { $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable'); - // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf if ($sqlconf['varsqlconfincludeenable'] == 'Enable') { $varsqlconfinclude = '$INCLUDE sql.conf'; 
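Review bot: The two new backup log lines interpolate `{$filepolicyconfbackup}` and `{$filemodulesfilesbackup}`, but nothing in this hunk assigns them — those names are only defined inside freeradius_plainmacauth_resync() further down this diff — so unless they are set earlier in freeradius_install_command (whose start is outside the hunk) the message logs an empty path. The `copy()` results are also discarded, and the restore path in freeradius_plainmacauth_resync() later copies from these backups without checking either, so a failed backup here goes unnoticed until policy.conf is silently not restored when the user disables MAC auth. Use the literal paths in the message and log on failure, e.g. `if (!copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup")) { log_error("FreeRADIUS: Could not back up policy.conf"); }`, and the same for modules/files.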
@@ -301,6 +312,7 @@ EOD;
 conf_mount_ro();
 // "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
+ freeradius_plainmacauth_resync();
 freeradius_serverdefault_resync();
 freeradius_modulescounter_resync();
 freeradius_modulesmschap_resync();
@@ -435,6 +447,39 @@ EOD;
 restart_service('freeradius');
 }
+
+function freeradius_authorizedmacs_resync() {
+global $config;
+
+$conf = '';
+
+$arrmacs = $config['installedpackages']['freeradiusauthorizedmacs']['config'];
+
+if (is_array($arrmacs) && !empty($arrmacs)) {
+ foreach ($arrmacs as $macs) {
+
+ // Variables for macs file defined parameters
+ $varmacaddress = $macs['varmacaddress'];
+ $varmacaddress = "\n$varmacaddress";
+
+ $conf .= <<<EOD
+$varmacaddress
+EOD;
+ } //end foreach
+} // end if
+
+ $filename = RADDB . '/authorized_macs';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+ freeradius_sync_on_changes();
+ restart_service('freeradius');
+}
+
+
+
 function freeradius_clients_resync() {
 global $config;
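Review bot: freeradius_authorizedmacs_resync() writes `$macs['varmacaddress']` into authorized_macs verbatim, with no check that it is a MAC at all, while the policy generated later in this diff (rewrite_calling_station_id) lowercases the incoming Calling-Station-Id and joins it with dashes — so an entry typed as `00:11:22:33:44:55` or in upper case may never match, and anything containing whitespace becomes extra fields on a users-style line (rlm_files, as I recall, treats `DEFAULT` and trailing attribute pairs specially), which is the wrong place to let free text through. Normalize each entry to the lowercase dashed form and skip, with a log line, anything that does not reduce to twelve hex digits. The rest of the function (write with mode 0600, sync, restart) is fine as is.
```php
	if (is_array($arrmacs) && !empty($arrmacs)) {
		foreach ($arrmacs as $macs) {
			// Reduce to 12 hex digits; reject anything else before it reaches the users-style file.
			$hex = preg_replace('/[^0-9a-f]/', '', strtolower(trim($macs['varmacaddress'])));
			if (!preg_match('/^[0-9a-f]{12}$/', $hex)) {
				log_error("FreeRADIUS: Ignoring invalid MAC entry '{$macs['varmacaddress']}' for authorized_macs");
				continue;
			}
			// Same form rewrite_calling_station_id produces: lowercase, dash-separated.
			$conf .= "\n" . implode('-', str_split($hex, 2));
		}
	}
	// … unchanged: write RADDB . '/authorized_macs' with mode 0600, sync, restart …
```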
@@ -852,6 +897,48 @@ function freeradius_serverdefault_resync() { $varsqlconfpostauth = '#sql'; } + // Changing authorize section for plain mac auth + // Variables: If not using 802.1x, mac address must be known + $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; + + // If unchecked we need the normal EAP section. + If (!$varsettings['varsettingsenablemacauth']) { + $varplainmacauthenable = ''; + $varplainmacauthenable .= "eap {"; + $varplainmacauthenable .= "\n\tok = return"; + $varplainmacauthenable .= "\n\t}"; + + $varplainmacpreacctenable = ''; + $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####'; + } + // If checked we need to check if it is plain mac or eap + else { + $varplainmacauthenable = ''; + $varplainmacauthenable .= "# if cleaning up the Calling-Station-Id..."; + $varplainmacauthenable .= "\n\trewrite_calling_station_id"; + $varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth"; + $varplainmacauthenable .= "\n\tif (!EAP-Message) {"; + $varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file"; + $varplainmacauthenable .= "\n\t\tauthorized_macs"; + $varplainmacauthenable .= "\n\t\tif (!ok) {"; + $varplainmacauthenable .= "\n\t\t\treject"; + $varplainmacauthenable .= "\n\t\t}"; + $varplainmacauthenable .= "\n\t\telse {"; + $varplainmacauthenable .= "\n\t\t\t# accept"; + $varplainmacauthenable .= "\n\t\t\tupdate control {"; + $varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept"; + $varplainmacauthenable .= "\n\t\t\t}"; + $varplainmacauthenable .= "\n\t\t}"; + $varplainmacauthenable .= "\n\t}"; + $varplainmacauthenable .= "\n\telse {"; + $varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g."; + $varplainmacauthenable .= "\n\t\teap"; + $varplainmacauthenable .= "\n\t}"; + + $varplainmacpreacctenable = ''; + $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####'; + $varplainmacpreacctenable .= 
"\n\trewrite_calling_station_id"; + } $conf .= <<<EOD @@ -943,7 +1030,28 @@ authorize { # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess - + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + + $varplainmacauthenable + + # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' 
@@ -994,27 +1102,6 @@ authorize { ntdomain # - # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP - # authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # As of 2.0, the EAP module returns "ok" in the authorize stage - # for TTLS and PEAP. In 1.x, it never returned "ok" here, so - # this change is compatible with older configurations. - # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. - # - eap { - ok = return - } - - # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the @@ -1190,7 +1277,9 @@ authenticate { # preacct { preprocess - + + $varplainmacpreacctenable + # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends @@ -2000,6 +2089,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password) { function freeradius_all_after_XMLRPC_resync() { freeradius_users_resync(); + freeradius_sync_on_changes(); freeradius_clients_resync(); log_error("freeRADIUS has finished XMLRPC process. It should be OK. For more information look at the host which started sync."); 
@@ -2560,4 +2650,320 @@ EOD; } +function freeradius_plainmacauth_resync() { + global $config; + $conf = ''; + + // Variables: If not using 802.1x, mac address must be known + $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; + + // defining variables with filename path + $filepolicyconf = '/usr/local/etc/raddb/policy.conf'; + $filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup'; + $filemodulesfiles = '/usr/local/etc/raddb/modules/files'; + $filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup'; + + // If unchecked then plain mac auth is disabled and backups of the original files will be restored + if (!$varsettings['varsettingsenablemacauth']) { + log_error("FreeRADIUS: Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}"); + copy($filepolicyconfbackup, $filepolicyconf); + copy($filemodulesfilesbackup, $filemodulesfiles); + } + // If checked then plain mac auth is enabled + else { + freeradius_modulesfiles_resync(); + freeradius_policyconf_resync(); + } +} + +function freeradius_modulesfiles_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +# +# \$Id\$ + +# Livingston-style 'users' file +# +files { + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. + #key = "%{Stripped-User-Name:-%{User-Name}}" + + usersfile = \${confdir}/users + acctusersfile = \${confdir}/acct_users + preproxy_usersfile = \${confdir}/preproxy_users + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no +} + +# An example which defines a second instance of the "files" module. +# This instance is named "second_files". In order for it to be used +# in a virtual server, it needs to be listed as "second_files" +# inside of the "authorize" section (or other section). 
If you just +# list "files", that will refer to the configuration defined above. +# + +# The two names here mean: +# "files" - this is a configuration for the "rlm_files" module +# "second_files" - this is a named configuration, which isn't +# the default configuration. +files authorized_macs { + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. + key = "%{Calling-Station-ID}" + + usersfile = \${confdir}/authorized_macs + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no +} +EOD; + + $filename = RADDB . '/modules/files'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_policyconf_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +## +## policy.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## \$Id\$ +## + +# +# Policies are virtual modules, similar to those defined in the +# "instantate" section of radiusd.conf. +# +# Defining a policy here means that it can be referenced in multiple +# places as a *name*, rather than as a series of conditions to match, +# and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +policy { + # + # Forbid all EAP types. + # + forbid_eap { + if (EAP-Message) { + reject + } + } + + # + # Forbid all non-EAP types outside of an EAP tunnel. + # + permit_only_eap { + if (!EAP-Message) { + # We MAY be inside of a TTLS tunnel. + # PEAP and EAP-FAST require EAP inside of + # the tunnel, so this check is OK. + # If so, then there MUST be an outer EAP message. 
+ if (!"%{outer.request:EAP-Message}") { + reject + } + } + } + + # + # Forbid all attempts to login via realms. + # + deny_realms { + if (User-Name =~ /@|\\\\/) { + reject + } + } + + # + # If you want the server to pretend that it is dead, + # then use the "do_not_respond" policy. + # + do_not_respond { + update control { + Response-Packet-Type := Do-Not-Respond + } + + handled + } + + # + # Force some sanity on User-Name. This helps to avoid issues + # issues where the back-end database is "forgiving" about + # what constitutes a user name. + # + filter_username { + # spaces at the start: reject + if (User-Name =~ /^ /) { + reject + } + + # spaces at the end: reject + if (User-Name =~ / \$\$/) { + reject + } + + # Mixed case: reject + if (User-Name != "%{tolower:%{User-Name}}") { + reject + } + } + + + # + # The following policies are for the Chargeable-User-Identity + # (CUI) configuration. + # + + # + # The client indicates it can do CUI by sending a CUI attribute + # containing one zero byte + # + cui_authorize { + update request { + Chargeable-User-Identity:='\\\\000' + } + } + + # + # Add a CUI attribute based on the User-Name, and a secret key + # known only to this server. + # + cui_postauth { + if (FreeRadius-Proxied-To == 127.0.0.1) { + if (outer.request:Chargeable-User-Identity) { + update outer.reply { + Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + else { + if (Chargeable-User-Identity) { + update reply { + Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + } + + # + # If there is a CUI attribute in the reply, add it to the DB. + # + cui_updatedb { + if (reply:Chargeable-User-Identity) { + cui + } + } + + # + # If we had stored a CUI for the User, add it to the request. + # + cui_accounting { + # + # If the CUI isn't in the packet, see if we can find it + # in the DB. 
+ # + if (!Chargeable-User-Identity) { + update control { + Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" + } + } + + # + # If it exists now, then write out when we last saw + # this CUI. + # + if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { + cui + } + } + + # + # Normalize the MAC Addresses in the Calling/Called-Station-Id + # + mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) + + # Add "rewrite.called_station_id" in the "authorize" and "preacct" + # sections. + rewrite.called_station_id { + if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?\$/i) { + update request { + Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + + # SSID component? + if ("%{8}") { + update request { + Called-Station-Id := "%{Called-Station-Id}:%{8}" + } + } + updated + } + else { + noop + } + } + + # Add "rewrite.calling_station_id" in the "authorize" and "preacct" + # sections. + rewrite.calling_station_id { + if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}\$/i) { + update request { + Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + updated + } + else { + noop + } + } + + ##### MODIFIED FOR http://wiki.freeradius.org/Mac-Auth#Mac-Auth+or+802.1x ##### + # Add "rewrite_calling_station_id" in the "authorize" and "preacct" + # sections. + rewrite_calling_station_id { + if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ + update request { + Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + } + else { + noop + } + } +} + +EOD; + + $filename = RADDB . 
'/policy.conf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + ?>
\ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index f2cd3dcf..313495f2 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -68,6 +68,10 @@ <active/> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index 218a9abb..6bda5f3e 100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -37,6 +37,7 @@ function get_file($file){ $files['sql']="/usr/local/etc/raddb/sql.conf"; $files['clients']="/usr/local/etc/raddb/clients.conf"; $files['users']="/usr/local/etc/raddb/users"; + $files['macs']="/usr/local/etc/raddb/authorized_macs"; $files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default"; $files['ca']="/usr/local/etc/raddb/certs/ca.cnf"; $files['server']="/usr/local/etc/raddb/certs/server.cnf"; @@ -81,6 +82,7 @@ else{ <?php $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=freeradius.xml"); + $tab_array[] = array(gettext("MACs"), false, "/pkg.php?xml=freeradiusauthorizedmacs.xml"); $tab_array[] = array(gettext("NAS / Clients"), false, "/pkg.php?xml=freeradiusclients.xml"); $tab_array[] = array(gettext("Interfaces"), false, "/pkg.php?xml=freeradiusinterfaces.xml"); $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0"); 
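Review bot: In freeradius_plainmacauth_resync() the disabled branch restores policy.conf and modules/files with two `copy()` calls whose results are ignored; if either backup is missing (the install-time backup is itself unchecked) the MAC-auth versions silently stay in place after the user has turned the feature off. Check the return and log it, e.g. `if (!copy($filepolicyconfbackup, $filepolicyconf)) { log_error("FreeRADIUS: Could not restore {$filepolicyconf} from {$filepolicyconfbackup}"); }`, and the same for modules/files. Note also that freeradius_policyconf_resync() and freeradius_modulesfiles_resync() overwrite the whole file with an embedded copy of the 2.1.12 stock text, so any local edits are lost on every save and the embedded copy will presumably drift from what the port ships on upgrade — worth a comment at the top of each function. The added rewrite_calling_station_id policy is unanchored, unlike rewrite.calling_station_id right above it, so a Calling-Station-Id carrying extra text is still normalized to its first twelve hex digits; presumably intentional (it follows the wiki), but say so in its comment.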
@@ -109,6 +111,7 @@ else{ <input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf"> <input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf"> <input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users"> + <input type="button" onClick="get_freeradius_file('macs');" id='btn_macs' value="macs"> <input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default"> <input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf"> <input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf"> @@ -150,6 +153,7 @@ else{ $('btn_sql').value="sql.conf"; $('btn_clients').value="clients.conf"; $('btn_users').value="users"; + $('btn_macs').value="macs"; $('btn_virtual').value="virtual-server-default"; $('btn_ca').value="ca.cnf"; $('btn_server').value="server.cnf"; diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml new file mode 100644 index 00000000..021f8772 --- /dev/null +++ b/config/freeradius2/freeradiusauthorizedmacs.xml 
@@ -0,0 +1,201 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + freeradius.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +]]> </copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>freeradiusauthorizedmacs</name> + <version>2.1.12</version> + <title>FreeRADIUS: MACs</title> + <include_file>/usr/local/pkg/freeradius.inc</include_file> + <menu> + <name>FreeRADIUS</name> + <tooltiptext>Modify FreeRADIUS macs, clients, and settings.</tooltiptext> + <section>Services</section> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </menu> + <service> + <name>radiusd</name> + <rcfile>radiusd.sh</rcfile> + <executable>radiusd</executable> + <description><![CDATA[FreeRADIUS Server]]></description> + </service> + + <tabs> + <tab> + <text>Users</text> + <url>/pkg.php?xml=freeradius.xml</url> + </tab> + <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + <active/> + </tab> + <tab> + <text>NAS / Clients</text> + <url>/pkg.php?xml=freeradiusclients.xml</url> + </tab> + <tab> + <text>Interfaces</text> + <url>/pkg.php?xml=freeradiusinterfaces.xml</url> + </tab> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> + </tab> + <tab> + <text>EAP</text> + <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> + </tab> + <tab> + <text>SQL</text> + <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> + </tab> + <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> + <tab> + <text>View config</text> + <url>/freeradius_view_config.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> + </tab> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + 
<item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusclients.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + 
<chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item> + </additional_files_needed> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>MAC Address</fielddescr> + <fieldname>varmacaddress</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>GENERAL CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>MAC Address</fielddescr> + <fieldname>varmacaddress</fieldname> + <description><![CDATA[Enther the MAC Address of the host. Format is: 00-11-22-33-44-55]]></description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Enter any description for this MAC you like.]]></description> + <type>input</type> + </field> + </fields> + <custom_delete_php_command> + freeradius_authorizedmacs_resync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + freeradius_authorizedmacs_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 1393dea8..e3f6365d 100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 57ad1b7d..be066937 100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -54,6 +54,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> <active/> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index b319f198..309066f0 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index f15e998f..fd51f800 100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -54,6 +54,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> 
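Review bot: `varmacaddress` is only marked `<required/>`; nothing rejects a value that is not a MAC, and freeradius_authorizedmacs_resync() writes the field straight into the users-style authorized_macs file, so a typo or stray text reaches the RADIUS config unchecked. Add a `<custom_php_validation_command>` that checks the format before the entry is saved, e.g. `if (!preg_match('/^[0-9a-fA-F]{2}([-:]?[0-9a-fA-F]{2}){5}$/', $_POST['varmacaddress'])) { $input_errors[] = 'Invalid MAC address. Format is 00-11-22-33-44-55.'; }` (pkg_edit.php exposes `$_POST` and `$input_errors` to that hook, as far as I recall). The header comment still names the file freeradius.xml and `<description>` / `<requirements>` are template placeholders; also "Enther" in the field description should be "Enter".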
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index 317054d2..06a990e7 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 8115945a..611db03f 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -94,6 +98,17 @@ </tabs> <fields> <field> + <name>PLAIN MAC AUTHORIZATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Plain MAC Auth</fielddescr> + <fieldname>varsettingsenablemacauth</fieldname> + <description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br> + Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description> + <type>checkbox</type> + </field> + <field> <name>GENERAL CONFIGURATION</name> <type>listtopic</type> </field> @@ -284,7 +299,7 @@ <description><![CDATA[You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)]]></description> <type>input</type> <default_value>0</default_value> - </field> + </field> </fields> <custom_delete_php_command> freeradius_settings_resync(); 
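Review bot: The new checkbox text does not say what enabling it actually does: per the authorize section generated in freeradius.inc, every request without an EAP-Message is then accepted or rejected purely on whether its Calling-Station-Id is in the MACs list, so non-EAP (PAP/CHAP/MS-CHAP) logins from unlisted devices fail, listed devices pass without a password check, and the MAC is client-supplied. Say so instead of "unknown side-effects", e.g. `Requests that carry no EAP-Message are then accepted or rejected solely on their Calling-Station-Id (MAC) against the MACs tab: no password is checked for listed MACs and all other non-EAP requests are rejected. MAC addresses can be spoofed. Leave disabled unless your NAS cannot do 802.1X. (Default: unchecked)`. Also fix "doo" → "do" and "contains not 802.1X like credentials than" → "does not contain 802.1X credentials, then".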
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index 538ad45d..a5bc4d2e 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 66a2701f..27f4fe80 100644 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml @@ -68,6 +68,10 @@ POSSIBILITY OF SUCH DAMAGE. <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -114,7 +118,7 @@ POSSIBILITY OF SUCH DAMAGE. <fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr> <fieldname>varsyncenablexmlrpc</fieldname> <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> - <b>Important:</b> Only <b>Users</b> and <b>NAS / Clients</b> will be synced.]]></description> + <b>Important:</b> Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.]]></description> <type>checkbox</type> </field> <field> |
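Review bot: The text now promises that MACs are synced, but on the receiving side the only hook touched in this diff (freeradius_all_after_XMLRPC_resync in freeradius.inc) still runs only freeradius_users_resync() and freeradius_clients_resync() plus the new freeradius_sync_on_changes() call; nothing visible regenerates authorized_macs from the synced config, so the entries may arrive in config.xml on the peer without taking effect until its MACs page is saved again. If that is the case the fix belongs in that hook (`freeradius_authorizedmacs_resync();`) rather than in this description; if the file is regenerated elsewhere, ignore this.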