aboutsummaryrefslogtreecommitdiffstats
path: root/config/freeradius2
diff options
context:
space:
mode:
authorJim P <jim@pingle.org>2012-01-07 05:26:11 -0800
committerJim P <jim@pingle.org>2012-01-07 05:26:11 -0800
commitcb6548794c1c18f95b73c0e56063ff3c53fc3a68 (patch)
tree4b1fc78c740aea33f5b27bca9308ab8a8a8dd100 /config/freeradius2
parent1d88cea6c36d69dcd5f292c61360997459d60585 (diff)
parente0a8a416de9e2ba4500f9342af47364205a8ff15 (diff)
downloadpfsense-packages-cb6548794c1c18f95b73c0e56063ff3c53fc3a68.tar.gz
pfsense-packages-cb6548794c1c18f95b73c0e56063ff3c53fc3a68.tar.bz2
pfsense-packages-cb6548794c1c18f95b73c0e56063ff3c53fc3a68.zip
Merge pull request #184 from Nachtfalkeaw/master
freeradius2 updates pkg v1.4.5
Diffstat (limited to 'config/freeradius2')
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradius.inc458
-rw-r--r--config/freeradius2/freeradius.xml4
-rw-r--r--config/freeradius2/freeradius_view_config.php4
-rw-r--r--config/freeradius2/freeradiusauthorizedmacs.xml201
-rw-r--r--config/freeradius2/freeradiuscerts.xml4
-rw-r--r--config/freeradius2/freeradiusclients.xml4
-rw-r--r--config/freeradius2/freeradiuseapconf.xml4
-rw-r--r--config/freeradius2/freeradiusinterfaces.xml4
-rw-r--r--config/freeradius2/freeradiusmodulesldap.xml4
-rw-r--r--config/freeradius2/freeradiussettings.xml17
-rw-r--r--config/freeradius2/freeradiussqlconf.xml4
-rw-r--r--config/freeradius2/freeradiussync.xml6
12 files changed, 686 insertions, 28 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 6c64a615..98ac837f 100755..100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -70,10 +70,22 @@ function freeradius_install_command() {
}
}
+ closedir($handle);
+
exec("chown -R root:wheel /usr/local/etc/raddb");
exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
- closedir($handle);
+ // creating a backup file of the original policy.conf no matter if user checked this or not
+ if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) {
+ log_error("FreeRADIUS: Creating backup of the original file to {$filepolicyconfbackup}");
+ copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup");
+ }
+
+ // creating a backup file of the original /modules/files no matter if user checked this or not
+ if (!file_exists("/usr/local/etc/raddb/files.backup")) {
+ log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}");
+ copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup");
+ }
$rcfile = array();
$rcfile['file'] = 'radiusd.sh';
@@ -82,7 +94,7 @@ function freeradius_install_command() {
conf_mount_rw();
write_rcfile($rcfile);
conf_mount_ro();
- start_service("radiusd");
+ restart_service("radiusd");
}
function freeradius_settings_resync() {
@@ -123,7 +135,6 @@ function freeradius_settings_resync() {
$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
$varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable');
-
// Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf
if ($sqlconf['varsqlconfincludeenable'] == 'Enable') {
$varsqlconfinclude = '$INCLUDE sql.conf';
@@ -301,6 +312,7 @@ EOD;
conf_mount_ro();
// "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
+ freeradius_plainmacauth_resync();
freeradius_serverdefault_resync();
freeradius_modulescounter_resync();
freeradius_modulesmschap_resync();
@@ -435,6 +447,39 @@ EOD;
restart_service('freeradius');
}
+
+function freeradius_authorizedmacs_resync() {
+global $config;
+
+$conf = '';
+
+$arrmacs = $config['installedpackages']['freeradiusauthorizedmacs']['config'];
+
+if (is_array($arrmacs) && !empty($arrmacs)) {
+ foreach ($arrmacs as $macs) {
+
+ // Variables for macs file defined parameters
+ $varmacaddress = $macs['varmacaddress'];
+ $varmacaddress = "\n$varmacaddress";
+
+ $conf .= <<<EOD
+$varmacaddress
+EOD;
+ } //end foreach
+} // end if
+
+ $filename = RADDB . '/authorized_macs';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+ freeradius_sync_on_changes();
+ restart_service('freeradius');
+}
+
+
+
function freeradius_clients_resync() {
global $config;
@@ -852,6 +897,48 @@ function freeradius_serverdefault_resync() {
$varsqlconfpostauth = '#sql';
}
+ // Changing authorize section for plain mac auth
+ // Variables: If not using 802.1x, mac address must be known
+ $varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ // If unchecked we need the normal EAP section.
+ If (!$varsettings['varsettingsenablemacauth']) {
+ $varplainmacauthenable = '';
+ $varplainmacauthenable .= "eap {";
+ $varplainmacauthenable .= "\n\tok = return";
+ $varplainmacauthenable .= "\n\t}";
+
+ $varplainmacpreacctenable = '';
+ $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####';
+ }
+ // If checked we need to check if it is plain mac or eap
+ else {
+ $varplainmacauthenable = '';
+ $varplainmacauthenable .= "# if cleaning up the Calling-Station-Id...";
+ $varplainmacauthenable .= "\n\trewrite_calling_station_id";
+ $varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth";
+ $varplainmacauthenable .= "\n\tif (!EAP-Message) {";
+ $varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file";
+ $varplainmacauthenable .= "\n\t\tauthorized_macs";
+ $varplainmacauthenable .= "\n\t\tif (!ok) {";
+ $varplainmacauthenable .= "\n\t\t\treject";
+ $varplainmacauthenable .= "\n\t\t}";
+ $varplainmacauthenable .= "\n\t\telse {";
+ $varplainmacauthenable .= "\n\t\t\t# accept";
+ $varplainmacauthenable .= "\n\t\t\tupdate control {";
+ $varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept";
+ $varplainmacauthenable .= "\n\t\t\t}";
+ $varplainmacauthenable .= "\n\t\t}";
+ $varplainmacauthenable .= "\n\t}";
+ $varplainmacauthenable .= "\n\telse {";
+ $varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g.";
+ $varplainmacauthenable .= "\n\t\teap";
+ $varplainmacauthenable .= "\n\t}";
+
+ $varplainmacpreacctenable = '';
+ $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####';
+ $varplainmacpreacctenable .= "\n\trewrite_calling_station_id";
+ }
$conf .= <<<EOD
@@ -943,7 +1030,28 @@ authorize {
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess
-
+
+ #
+ # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+ # authentication.
+ #
+ # It also sets the EAP-Type attribute in the request
+ # attribute list to the EAP type from the packet.
+ #
+ # As of 2.0, the EAP module returns "ok" in the authorize stage
+ # for TTLS and PEAP. In 1.x, it never returned "ok" here, so
+ # this change is compatible with older configurations.
+ #
+ # The example below uses module failover to avoid querying all
+ # of the following modules if the EAP module returns "ok".
+ # Therefore, your LDAP and/or SQL servers will not be queried
+ # for the many packets that go back and forth to set up TTLS
+ # or PEAP. The load on those servers will therefore be reduced.
+ #
+
+ $varplainmacauthenable
+
+
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
@@ -994,27 +1102,6 @@ authorize {
ntdomain
#
- # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
- # authentication.
- #
- # It also sets the EAP-Type attribute in the request
- # attribute list to the EAP type from the packet.
- #
- # As of 2.0, the EAP module returns "ok" in the authorize stage
- # for TTLS and PEAP. In 1.x, it never returned "ok" here, so
- # this change is compatible with older configurations.
- #
- # The example below uses module failover to avoid querying all
- # of the following modules if the EAP module returns "ok".
- # Therefore, your LDAP and/or SQL servers will not be queried
- # for the many packets that go back and forth to set up TTLS
- # or PEAP. The load on those servers will therefore be reduced.
- #
- eap {
- ok = return
- }
-
- #
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
@@ -1190,7 +1277,9 @@ authenticate {
#
preacct {
preprocess
-
+
+ $varplainmacpreacctenable
+
#
# Session start times are *implied* in RADIUS.
# The NAS never sends a "start time". Instead, it sends
@@ -2000,6 +2089,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password) {
function freeradius_all_after_XMLRPC_resync() {
freeradius_users_resync();
+ freeradius_sync_on_changes();
freeradius_clients_resync();
log_error("freeRADIUS has finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
@@ -2560,4 +2650,320 @@ EOD;
}
+function freeradius_plainmacauth_resync() {
+ global $config;
+ $conf = '';
+
+ // Variables: If not using 802.1x, mac address must be known
+ $varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ // defining variables with filename path
+ $filepolicyconf = '/usr/local/etc/raddb/policy.conf';
+ $filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup';
+ $filemodulesfiles = '/usr/local/etc/raddb/modules/files';
+ $filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup';
+
+ // If unchecked then plain mac auth is disabled and backups of the original files will be restored
+ if (!$varsettings['varsettingsenablemacauth']) {
+ log_error("FreeRADIUS: Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}");
+ copy($filepolicyconfbackup, $filepolicyconf);
+ copy($filemodulesfilesbackup, $filemodulesfiles);
+ }
+ // If checked then plain mac auth is enabled
+ else {
+ freeradius_modulesfiles_resync();
+ freeradius_policyconf_resync();
+ }
+}
+
+function freeradius_modulesfiles_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+# -*- text -*-
+#
+# \$Id\$
+
+# Livingston-style 'users' file
+#
+files {
+ # The default key attribute to use for matches. The content
+ # of this attribute is used to match the "name" of the
+ # entry.
+ #key = "%{Stripped-User-Name:-%{User-Name}}"
+
+ usersfile = \${confdir}/users
+ acctusersfile = \${confdir}/acct_users
+ preproxy_usersfile = \${confdir}/preproxy_users
+
+ # If you want to use the old Cistron 'users' file
+ # with FreeRADIUS, you should change the next line
+ # to 'compat = cistron'. You can the copy your 'users'
+ # file from Cistron.
+ compat = no
+}
+
+# An example which defines a second instance of the "files" module.
+# This instance is named "second_files". In order for it to be used
+# in a virtual server, it needs to be listed as "second_files"
+# inside of the "authorize" section (or other section). If you just
+# list "files", that will refer to the configuration defined above.
+#
+
+# The two names here mean:
+# "files" - this is a configuration for the "rlm_files" module
+# "second_files" - this is a named configuration, which isn't
+# the default configuration.
+files authorized_macs {
+ # The default key attribute to use for matches. The content
+ # of this attribute is used to match the "name" of the
+ # entry.
+ key = "%{Calling-Station-ID}"
+
+ usersfile = \${confdir}/authorized_macs
+
+ # If you want to use the old Cistron 'users' file
+ # with FreeRADIUS, you should change the next line
+ # to 'compat = cistron'. You can the copy your 'users'
+ # file from Cistron.
+ compat = no
+}
+EOD;
+
+ $filename = RADDB . '/modules/files';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+}
+
+function freeradius_policyconf_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+# -*- text -*-
+##
+## policy.conf -- FreeRADIUS server configuration file.
+##
+## http://www.freeradius.org/
+## \$Id\$
+##
+
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantate" section of radiusd.conf.
+#
+# Defining a policy here means that it can be referenced in multiple
+# places as a *name*, rather than as a series of conditions to match,
+# and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+policy {
+ #
+ # Forbid all EAP types.
+ #
+ forbid_eap {
+ if (EAP-Message) {
+ reject
+ }
+ }
+
+ #
+ # Forbid all non-EAP types outside of an EAP tunnel.
+ #
+ permit_only_eap {
+ if (!EAP-Message) {
+ # We MAY be inside of a TTLS tunnel.
+ # PEAP and EAP-FAST require EAP inside of
+ # the tunnel, so this check is OK.
+ # If so, then there MUST be an outer EAP message.
+ if (!"%{outer.request:EAP-Message}") {
+ reject
+ }
+ }
+ }
+
+ #
+ # Forbid all attempts to login via realms.
+ #
+ deny_realms {
+ if (User-Name =~ /@|\\\\/) {
+ reject
+ }
+ }
+
+ #
+ # If you want the server to pretend that it is dead,
+ # then use the "do_not_respond" policy.
+ #
+ do_not_respond {
+ update control {
+ Response-Packet-Type := Do-Not-Respond
+ }
+
+ handled
+ }
+
+ #
+ # Force some sanity on User-Name. This helps to avoid issues
+ # issues where the back-end database is "forgiving" about
+ # what constitutes a user name.
+ #
+ filter_username {
+ # spaces at the start: reject
+ if (User-Name =~ /^ /) {
+ reject
+ }
+
+ # spaces at the end: reject
+ if (User-Name =~ / \$\$/) {
+ reject
+ }
+
+ # Mixed case: reject
+ if (User-Name != "%{tolower:%{User-Name}}") {
+ reject
+ }
+ }
+
+
+ #
+ # The following policies are for the Chargeable-User-Identity
+ # (CUI) configuration.
+ #
+
+ #
+ # The client indicates it can do CUI by sending a CUI attribute
+ # containing one zero byte
+ #
+ cui_authorize {
+ update request {
+ Chargeable-User-Identity:='\\\\000'
+ }
+ }
+
+ #
+ # Add a CUI attribute based on the User-Name, and a secret key
+ # known only to this server.
+ #
+ cui_postauth {
+ if (FreeRadius-Proxied-To == 127.0.0.1) {
+ if (outer.request:Chargeable-User-Identity) {
+ update outer.reply {
+ Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
+ }
+ }
+ }
+ else {
+ if (Chargeable-User-Identity) {
+ update reply {
+ Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
+ }
+ }
+ }
+ }
+
+ #
+ # If there is a CUI attribute in the reply, add it to the DB.
+ #
+ cui_updatedb {
+ if (reply:Chargeable-User-Identity) {
+ cui
+ }
+ }
+
+ #
+ # If we had stored a CUI for the User, add it to the request.
+ #
+ cui_accounting {
+ #
+ # If the CUI isn't in the packet, see if we can find it
+ # in the DB.
+ #
+ if (!Chargeable-User-Identity) {
+ update control {
+ Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+ }
+ }
+
+ #
+ # If it exists now, then write out when we last saw
+ # this CUI.
+ #
+ if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+ cui
+ }
+ }
+
+ #
+ # Normalize the MAC Addresses in the Calling/Called-Station-Id
+ #
+ mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
+
+ # Add "rewrite.called_station_id" in the "authorize" and "preacct"
+ # sections.
+ rewrite.called_station_id {
+ if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?\$/i) {
+ update request {
+ Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ }
+
+ # SSID component?
+ if ("%{8}") {
+ update request {
+ Called-Station-Id := "%{Called-Station-Id}:%{8}"
+ }
+ }
+ updated
+ }
+ else {
+ noop
+ }
+ }
+
+ # Add "rewrite.calling_station_id" in the "authorize" and "preacct"
+ # sections.
+ rewrite.calling_station_id {
+ if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}\$/i) {
+ update request {
+ Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ }
+ updated
+ }
+ else {
+ noop
+ }
+ }
+
+ ##### MODIFIED FOR http://wiki.freeradius.org/Mac-Auth#Mac-Auth+or+802.1x #####
+ # Add "rewrite_calling_station_id" in the "authorize" and "preacct"
+ # sections.
+ rewrite_calling_station_id {
+ if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
+ update request {
+ Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ }
+ }
+ else {
+ noop
+ }
+ }
+}
+
+EOD;
+
+ $filename = RADDB . '/policy.conf';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+}
+
?> \ No newline at end of file
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index f2cd3dcf..313495f2 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -68,6 +68,10 @@
<active/>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index 218a9abb..6bda5f3e 100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -37,6 +37,7 @@ function get_file($file){
$files['sql']="/usr/local/etc/raddb/sql.conf";
$files['clients']="/usr/local/etc/raddb/clients.conf";
$files['users']="/usr/local/etc/raddb/users";
+ $files['macs']="/usr/local/etc/raddb/authorized_macs";
$files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default";
$files['ca']="/usr/local/etc/raddb/certs/ca.cnf";
$files['server']="/usr/local/etc/raddb/certs/server.cnf";
@@ -81,6 +82,7 @@ else{
<?php
$tab_array = array();
$tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=freeradius.xml");
+ $tab_array[] = array(gettext("MACs"), false, "/pkg.php?xml=freeradiusauthorizedmacs.xml");
$tab_array[] = array(gettext("NAS / Clients"), false, "/pkg.php?xml=freeradiusclients.xml");
$tab_array[] = array(gettext("Interfaces"), false, "/pkg.php?xml=freeradiusinterfaces.xml");
$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0");
@@ -109,6 +111,7 @@ else{
<input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf">&nbsp;
<input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf">&nbsp;
<input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users">&nbsp;
+ <input type="button" onClick="get_freeradius_file('macs');" id='btn_macs' value="macs">&nbsp;
<input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default">&nbsp;
<input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf">&nbsp;
<input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf">&nbsp;
@@ -150,6 +153,7 @@ else{
$('btn_sql').value="sql.conf";
$('btn_clients').value="clients.conf";
$('btn_users').value="users";
+ $('btn_macs').value="macs";
$('btn_virtual').value="virtual-server-default";
$('btn_ca').value="ca.cnf";
$('btn_server').value="server.cnf";
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
new file mode 100644
index 00000000..021f8772
--- /dev/null
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+<![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ freeradius.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+]]> </copyright>
+ <description><![CDATA[Describe your package here]]></description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>freeradiusauthorizedmacs</name>
+ <version>2.1.12</version>
+ <title>FreeRADIUS: MACs</title>
+ <include_file>/usr/local/pkg/freeradius.inc</include_file>
+ <menu>
+ <name>FreeRADIUS</name>
+ <tooltiptext>Modify FreeRADIUS macs, clients, and settings.</tooltiptext>
+ <section>Services</section>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </menu>
+ <service>
+ <name>radiusd</name>
+ <rcfile>radiusd.sh</rcfile>
+ <executable>radiusd</executable>
+ <description><![CDATA[FreeRADIUS Server]]></description>
+ </service>
+
+ <tabs>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=freeradius.xml</url>
+ </tab>
+ <tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>NAS / Clients</text>
+ <url>/pkg.php?xml=freeradiusclients.xml</url>
+ </tab>
+ <tab>
+ <text>Interfaces</text>
+ <url>/pkg.php?xml=freeradiusinterfaces.xml</url>
+ </tab>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>SQL</text>
+ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Certificates</text>
+ <url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>View config</text>
+ <url>/freeradius_view_config.php</url>
+ </tab>
+ <tab>
+ <text>XMLRPC Sync</text>
+ <url>/pkg_edit.php?xml=freeradiussync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusclients.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussync.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item>
+ </additional_files_needed>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>MAC Address</fielddescr>
+ <fieldname>varmacaddress</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>GENERAL CONFIGURATION</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>MAC Address</fielddescr>
+ <fieldname>varmacaddress</fieldname>
+ <description><![CDATA[Enther the MAC Address of the host. Format is: 00-11-22-33-44-55]]></description>
+ <type>input</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description><![CDATA[Enter any description for this MAC you like.]]></description>
+ <type>input</type>
+ </field>
+ </fields>
+ <custom_delete_php_command>
+ freeradius_authorizedmacs_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_authorizedmacs_resync();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 1393dea8..e3f6365d 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -55,6 +55,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 57ad1b7d..be066937 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -54,6 +54,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
<active/>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index b319f198..309066f0 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -55,6 +55,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index f15e998f..fd51f800 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -54,6 +54,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index 317054d2..06a990e7 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -55,6 +55,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 8115945a..611db03f 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -55,6 +55,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
@@ -94,6 +98,17 @@
</tabs>
<fields>
<field>
+ <name>PLAIN MAC AUTHORIZATION</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable Plain MAC Auth</fielddescr>
+ <fieldname>varsettingsenablemacauth</fieldname>
+ <description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br>
+ Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
<name>GENERAL CONFIGURATION</name>
<type>listtopic</type>
</field>
@@ -284,7 +299,7 @@
<description><![CDATA[You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)]]></description>
<type>input</type>
<default_value>0</default_value>
- </field>
+ </field>
</fields>
<custom_delete_php_command>
freeradius_settings_resync();
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index 538ad45d..a5bc4d2e 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -55,6 +55,10 @@
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index 66a2701f..27f4fe80 100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -68,6 +68,10 @@ POSSIBILITY OF SUCH DAMAGE.
<url>/pkg.php?xml=freeradius.xml</url>
</tab>
<tab>
+ <text>MACs</text>
+ <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+ </tab>
+ <tab>
<text>NAS / Clients</text>
<url>/pkg.php?xml=freeradiusclients.xml</url>
</tab>
@@ -114,7 +118,7 @@ POSSIBILITY OF SUCH DAMAGE.
<fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr>
<fieldname>varsyncenablexmlrpc</fieldname>
<description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br>
- <b>Important:</b> Only <b>Users</b> and <b>NAS / Clients</b> will be synced.]]></description>
+ <b>Important:</b> Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.]]></description>
<type>checkbox</type>
</field>
<field>