authorNachtfalke <nachtfalkeaw@web.de>2011-12-15 22:36:42 +0100
committerNachtfalke <nachtfalkeaw@web.de>2011-12-15 22:36:42 +0100
commit4c5babd353d2ffc9d2f9f4669693b94e2c519d6e (patch)
tree98928a2df245b10588e8c06c39dcda202b9d4cf4 /config/freeradius2
parentffe2cb052808987185d0824417d5e7e9b713b146 (diff)
Changed path to modules from freeradius 1.x to freeradius 2.x standard.
Small changes in the "users" file, which was breaking the authentication type (Auth-Type) selection. Added additional code for interface type "detail".
Diffstat (limited to 'config/freeradius2')
-rwxr-xr-xconfig/freeradius2/freeradius.inc467
1 files changed, 82 insertions, 385 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 2a83911c..8a832b3b 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -9,7 +9,6 @@ function freeradius_deinstall_command() {
exec("rm -rf /usr/local/etc/raddb/");
exec("rm -rf /var/log/raddb/");
exec("rm -rf /var/log/radacct/");
- exec("rm -f /var/log/radius.log");
}
function freeradius_install_command() {
@@ -83,6 +82,8 @@ confdir = \${raddbdir}
run_dir = \${localstatedir}/run
libdir = \${exec_prefix}/lib/freeradius-2.1.12
pidfile = \${run_dir}/radiusd.pid
+db_dir = \${raddbdir}
+name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius
@@ -104,7 +105,6 @@ hostname_lookups = $varsettingshostnamelookups
allow_core_dumps = $varsettingsallowcoredumps
regular_expressions = $varsettingsregularexpressions
extended_expressions = $varsettingsextendedexpressions
-proxy_requests = yes
EOD;
@@ -115,13 +115,15 @@ $arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config'];
$varinterfaceport = $item['varinterfaceport'];
$varinterfacetype = $item['varinterfacetype'];
$varinterfaceipversion = $item['varinterfaceipversion'];
- $description = $item['description'];
$conf .= <<<EOD
listen {
type = $varinterfacetype
$varinterfaceipversion = $varinterfaceip
port = $varinterfaceport
+ ### the following two lines are only neccessary for interface type detail
+ filename = ${radacctdir}/detail
+ load_factor = 10
}
EOD;
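Review bot: The new `filename = ${radacctdir}/detail` line is inside a PHP heredoc and is not backslash-escaped, unlike `\${raddbdir}` and `\${confdir}` in the surrounding hunks, so PHP will interpolate a `$radacctdir` variable that does not appear to be defined in this function and write `filename = /detail` into radiusd.conf. The two added lines are also emitted for every listen block, not only for `type = detail`, so auth and acct listeners receive a `filename`/`load_factor` they do not use, which FreeRADIUS is likely to at least warn about. I would build the extra lines conditionally before the heredoc, `$detailopts = ($varinterfacetype == 'detail') ? "\tfilename = \${radacctdir}/detail\n\tload_factor = 10" : '';`, and reference `$detailopts` on a single line inside the `listen { ... }` block. The enclosing foreach over `$arrinterfaces` starts above this hunk.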
@@ -145,11 +147,12 @@ checkrad = \${sbindir}/checkrad
security {
max_attributes = $varsettingsmaxattributes
reject_delay = $varsettingsrejectdelay
- status_server = no ### Needs additional config in raddb/sites-available/status
+ status_server = no ### Needs additional config in raddb/sites-available/status
}
-\$INCLUDE \${confdir}/proxy.conf
-\$INCLUDE \${confdir}/clients.conf
+proxy_requests = yes
+\$INCLUDE proxy.conf
+\$INCLUDE clients.conf
thread pool {
start_servers = $varsettingsstartservers
max_servers = $varsettingsmaxservers
@@ -159,338 +162,33 @@ thread pool {
max_requests_per_server = $varsettingsmaxrequestsperserver
}
-
-#snmp = no
-#\$INCLUDE \${confdir}/snmp.conf
-
-
modules {
- pap {
- encryption_scheme = crypt
- }
-
- chap {
- authtype = CHAP
- }
-
- pam {
- pam_auth = radiusd
- }
-
- unix {
- cache = no
- cache_reload = 600
- radwtmp = \${logdir}/radwtmp
- }
-
- \$INCLUDE \${confdir}/eap.conf
-
- mschap {
- authtype = MS-CHAP
- #use_mppe = no
- #require_encryption = yes
- #require_strong = yes
- #with_ntdomain_hack = no
- #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
- }
-
- ldap {
- server = "ldap.your.domain"
- basedn = "o=My Org,c=UA"
- filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
- #base_filter = "(objectclass=radiusprofile)"
- start_tls = no
- #tls_cacertfile = /path/to/cacert.pem
- #tls_cacertdir = /path/to/ca/dir/
- #tls_certfile = /path/to/radius.crt
- #tls_keyfile = /path/to/radius.key
- #tls_randfile = /path/to/rnd
- #tls_require_cert = "demand"
- access_attr = "dialupAccess"
- dictionary_mapping = \${raddbdir}/ldap.attrmap
- ldap_connections_number = 5
- #groupname_attribute = cn
- #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
- #groupmembership_attribute = radiusGroupName
- timeout = 4
- timelimit = 3
- net_timeout = 1
- #compare_check_items = yes
- #do_xlat = yes
- #access_attr_used_for_allow = yes
- }
-
- realm IPASS {
- format = prefix
- delimiter = "/"
- ignore_default = no
- ignore_null = no
- }
-
- realm suffix {
- format = suffix
- delimiter = "@"
- ignore_default = no
- ignore_null = no
- }
-
- realm realmpercent {
- format = suffix
- delimiter = "%"
- ignore_default = no
- ignore_null = no
- }
-
- realm ntdomain {
- format = prefix
- ### There is "\\\" in freeradius.inc file and output is "\\" in radiusd.conf
- delimiter = "\\\"
- ignore_default = no
- ignore_null = no
- }
-
- checkval {
- item-name = Calling-Station-Id
- check-name = Calling-Station-Id
- data-type = string
- #notfound-reject = no
- }
-
- preprocess {
- huntgroups = \${confdir}/huntgroups
- hints = \${confdir}/hints
- with_ascend_hack = no
- ascend_channels_per_line = 23
- with_ntdomain_hack = no
- with_specialix_jetstream_hack = no
- with_cisco_vsa_hack = no
- }
-
- files {
- usersfile = \${confdir}/users
- acctusersfile = \${confdir}/acct_users
- preproxy_usersfile = \${confdir}/preproxy_users
- compat = no
- }
-
- detail {
- detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
- detailperm = 0600
- }
-
- acct_unique {
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
- }
-
- \$INCLUDE \${confdir}/sql.conf
-
- radutmp {
- filename = \${logdir}/radutmp
- username = %{User-Name}
- case_sensitive = yes
- check_with_nas = yes
- perm = 0600
- callerid = "yes"
- }
-
- radutmp sradutmp {
- filename = \${logdir}/sradutmp
- perm = 0644
- callerid = "no"
- }
-
- attr_filter {
- attrsfile = \${confdir}/attrs
- }
-
- counter daily {
- filename = \${raddbdir}/db.daily
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = daily
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- allowed-servicetype = Framed-User
- cache-size = 5000
- }
-
- counter weekly {
- filename = \${raddbdir}/db.weekly
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = weekly
- counter-name = Weekly-Session-Time
- check-name = Max-Weekly-Session
- cache-size = 5000
- }
-
- counter monthly {
- filename = \${raddbdir}/db.monthly
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = monthly
- counter-name = Monthly-Session-Time
- check-name = Max-Monthly-Session
- cache-size = 5000
- }
-
- counter forever {
- filename = \${raddbdir}/db.forever
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = never
- counter-name = Forever-Session-Time
- check-name = Max-Forever-Session
- cache-size = 5000
- }
-
- always fail {
- rcode = fail
- }
- always reject {
- rcode = reject
- }
- always ok {
- rcode = ok
- simulcount = 0
- mpp = no
- }
-
- expr {
- }
-
- digest {
- }
-
- exec {
- wait = yes
- input_pairs = request
- }
-
- exec echo {
- wait = yes
- program = "/bin/echo %{User-Name}"
- input_pairs = request
- output_pairs = reply
- #packet_type = Access-Accept
- }
-
- ippool main_pool {
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
- netmask = 255.255.255.0
- cache-size = 800
- session-db = \${raddbdir}/db.ippool
- ip-index = \${raddbdir}/db.ipindex
- override = no
- maximum-timeout = 0
- }
+ \$INCLUDE \${confdir}/modules/
+ \$INCLUDE eap.conf
+ #\$INCLUDE sql.conf
+ #\$INCLUDE sql/mysql/counter.conf
+ #\$INCLUDE sqlippool.conf
}
-
+
instantiate {
+
exec
expr
- daily
- weekly
- monthly
- forever
-}
-
-authorize {
- preprocess
- #auth_log
- #attr_filter
- chap
- mschap
- #digest
- #IPASS
- suffix
- #ntdomain
- eap
- files
- #sql
- #etc_smbpasswd
- #ldap
- daily
- weekly
- monthly
- forever
- #checkval
-}
-
-authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- #digest
- #pam
- unix
- #Auth-Type LDAP {
- # ldap
+ #daily
+ expiration
+ logintime
+ #redundant redundant_sql {
+ # sql1
+ # sql2
#}
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- #IPASS
- suffix
- #ntdomain
- files
-}
-
-accounting {
- detail
- daily
- weekly
- monthly
- forever
- unix
- radutmp
- #sradutmp
- #main_pool
- #sql
- #pgsql-voip
-}
-
-session {
- radutmp
- #sql
-}
-
-post-auth {
- #main_pool
- #reply_log
- #sql
- #ldap
- #Post-Auth-Type REJECT {
- # insert-module-name-here
- #}
-}
-
-pre-proxy {
- #attr_rewrite
- #files
- #pre_proxy_log
-}
-
-post-proxy {
- #post_proxy_log
- #attr_rewrite
- #attr_filter
- eap
}
+\$INCLUDE policy.conf
+\$INCLUDE sites-enabled/
+
EOD;
- conf_mount_rw();
+ conf_mount_rw();
file_put_contents(RADDB . '/radiusd.conf', $conf);
conf_mount_ro();
restart_service("freeradius");
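Review bot: With the explicit authorize/authenticate/preacct/accounting/post-auth sections removed, the server's policy is now whatever `modules/`, `policy.conf` and `sites-enabled/` contain, and none of those files are part of this commit, so the effective policy can no longer be reviewed from freeradius.inc. In particular the stock FreeRADIUS 2.x `sites-available/default` normally carries its own `listen { ipaddr = * ... }` blocks for auth and acct; if the port installs that file unchanged, the per-interface `listen` blocks generated earlier in this function are supplemented by wildcard listeners and the interface/port restriction is silently lost. I would confirm that the package ships or generates a `sites-enabled/default` without listen blocks and record that dependency next to the include, e.g. `# listen{} blocks come only from the generated section above; sites-enabled/* must not define their own`. The enclosing function starts above this hunk.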
@@ -502,67 +200,66 @@ global $config;
$conf = '';
$users = $config['installedpackages']['freeradius']['config'];
if (is_array($users)) {
- foreach ($users as $user) {
- $username = $user['username'];
- $password = $user['password'];
- $multiconnect = $user['multiconnect'];
- $ip = $user['ip'];
- $subnetmask = $user['subnetmask'];
- $gateway = $user['gateway'];
- $userexpiration=$user['expiration'];
- $sessiontime=$user['sessiontime'];
- $onlinetime=$user['onlinetime'];
- $vlanid=$user['vlanid'];
- $additionaloptions=$user['additionaloptions'];
- $atrib='';
- $head="$username User-Password == ".'"'.$password.'"';
- if ($multiconnect <> '') {
- $head .=", Simultaneous-Use := $multiconnect";
- }
- if ($userexpiration <> '') {
- $head .=", Expiration := ".'"'.$userexpiration.'"';
- }
- if ($subnetmask<> '') {
- $head .=", Framed-IP-Netmask = $subnetmask";
- }
- if ($gateway<> '') {
- $head .=", Framed-Route = $gateway";
- }
- if ($onlinetime <> '') {
- $head .=", Login-Time := ". '"' . $onlinetime .'"';
- }
- if ($ip <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tFramed-IP-Address = $ip";
- }
- if ($sessiontime <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tSession-Timeout := $sessiontime";
- }
- if ($vlanid <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
- }
- if ($additionaloptions <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\t$additionaloptions";
- }
-
- $conf .= <<<EOD
- $head
- $atrib
+foreach ($users as $user) {
+$username = $user['username'];
+$password = $user['password'];
+$multiconnect = $user['multiconnect'];
+$ip = $user['ip'];
+ $subnetmask = $user['subnetmask'];
+ $gateway = $user['gateway'];
+$userexpiration=$user['expiration'];
+$sessiontime=$user['sessiontime'];
+$onlinetime=$user['onlinetime'];
+$vlanid=$user['vlanid'];
+$additionaloptions=$user['additionaloptions'];
+$atrib='';
+$head="$username Cleartext-Password := ".'"'.$password.'"';
+ if ($multiconnect <> '') {
+ $head .=", Simultaneous-Use := $multiconnect";
+ }
+ if ($userexpiration <> '') {
+ $head .=", Expiration := ".'"'.$userexpiration.'"';
+ }
+ if ($subnetmask<> '') {
+ $head .=", Framed-IP-Netmask = $subnetmask";
+ }
+ if ($gateway<> '') {
+ $head .=", Framed-Route = $gateway";
+ }
+ if ($onlinetime <> '') {
+ $head .=", Login-Time := ". '"' . $onlinetime .'"';
+ }
+ if ($ip <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tFramed-IP-Address = $ip";
+ }
+ if ($sessiontime <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tSession-Timeout := $sessiontime";
+ }
+ if ($vlanid <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
+ }
+ if ($additionaloptions <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\t$additionaloptions";
+ }
+
+ $conf .= <<<EOD
+$head
+$atrib
EOD;
- }
}
+}
+$filename = RADDB . '/users';
+ conf_mount_rw();
+file_put_contents($filename, $conf);
+chmod($filename, 0600);
+ conf_mount_ro();
- $filename = RADDB . '/users';
- conf_mount_rw();
- file_put_contents($filename, $conf);
- chmod($filename, 0600);
- conf_mount_ro();
-
- restart_service('freeradius');
+restart_service('freeradius');
}
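Review bot: `$head="$username Cleartext-Password := ".'"'.$password.'"';` still interpolates the stored password (and username) verbatim into the users file, so a password containing a double quote, backslash or line break yields a malformed entry or lets a single user's line spill extra attributes into the file; the commit rewrites this line anyway, so it is the natural place to close the gap. The users-file tokenizer accepts backslash escapes inside double-quoted values (worth verifying against 2.1.12), so `$head = "$username Cleartext-Password := \"" . addcslashes($password, "\"\\") . '"';` with the same treatment for `$userexpiration` and `$onlinetime` would keep each entry well-formed. `$additionaloptions` is appended raw by design and should stay documented as admin-supplied raw syntax. The enclosing function begins above this hunk; it ends at the closing brace here.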
function freeradius_clients_resync() {