aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorChris Buechler <cmb@pfsense.org>2011-12-15 15:34:33 -0800
committerChris Buechler <cmb@pfsense.org>2011-12-15 15:34:33 -0800
commit7e5cb1e9951f7afab0404506e61e0acf63e62709 (patch)
tree9673cdc5d647f2c5ceed76487544d39cc5bb4d6c /config
parentffe2cb052808987185d0824417d5e7e9b713b146 (diff)
parent95043599360ba4d677243414ba9331f6fa56c238 (diff)
downloadpfsense-packages-7e5cb1e9951f7afab0404506e61e0acf63e62709.tar.gz
pfsense-packages-7e5cb1e9951f7afab0404506e61e0acf63e62709.tar.bz2
pfsense-packages-7e5cb1e9951f7afab0404506e61e0acf63e62709.zip
Merge pull request #132 from Nachtfalkeaw/master
adapt freeradius 1.x syntax to freeradius2 and fixed broken "users" file
Diffstat (limited to 'config')
-rwxr-xr-xconfig/freeradius2/freeradius.inc461
1 files changed, 80 insertions, 381 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 2a83911c..29ca98f8 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -9,7 +9,10 @@ function freeradius_deinstall_command() {
exec("rm -rf /usr/local/etc/raddb/");
exec("rm -rf /var/log/raddb/");
exec("rm -rf /var/log/radacct/");
+ exec("rm -rf /var/run/radiusd/");
exec("rm -f /var/log/radius.log");
+ exec("rm -f /var/log/radutmp");
+ exec("rm -f /var/log/radwtmp");
}
function freeradius_install_command() {
@@ -67,8 +70,6 @@ function freeradius_settings_resync() {
$varsettingsmaxspareservers = $varsettings['varsettingsmaxspareservers'];
$varsettingsmaxqueuesize = $varsettings['varsettingsmaxqueuesize'];
$varsettingsmaxrequestsperserver = $varsettings['varsettingsmaxrequestsperserver'];
-
-
$conf = <<<EOD
prefix = /usr/local
@@ -83,6 +84,8 @@ confdir = \${raddbdir}
run_dir = \${localstatedir}/run
libdir = \${exec_prefix}/lib/freeradius-2.1.12
pidfile = \${run_dir}/radiusd.pid
+db_dir = \${raddbdir}
+name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius
@@ -104,7 +107,6 @@ hostname_lookups = $varsettingshostnamelookups
allow_core_dumps = $varsettingsallowcoredumps
regular_expressions = $varsettingsregularexpressions
extended_expressions = $varsettingsextendedexpressions
-proxy_requests = yes
EOD;
@@ -115,13 +117,15 @@ $arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config'];
$varinterfaceport = $item['varinterfaceport'];
$varinterfacetype = $item['varinterfacetype'];
$varinterfaceipversion = $item['varinterfaceipversion'];
- $description = $item['description'];
$conf .= <<<EOD
listen {
type = $varinterfacetype
$varinterfaceipversion = $varinterfaceip
port = $varinterfaceport
+ ### the following two lines are only neccessary for interface type detail
+ filename = ${radacctdir}/detail
+ load_factor = 10
}
EOD;
@@ -145,11 +149,12 @@ checkrad = \${sbindir}/checkrad
security {
max_attributes = $varsettingsmaxattributes
reject_delay = $varsettingsrejectdelay
- status_server = no ### Needs additional config in raddb/sites-available/status
+ status_server = no ### Needs additional config in raddb/sites-available/status
}
-\$INCLUDE \${confdir}/proxy.conf
-\$INCLUDE \${confdir}/clients.conf
+proxy_requests = yes
+\$INCLUDE proxy.conf
+\$INCLUDE clients.conf
thread pool {
start_servers = $varsettingsstartservers
max_servers = $varsettingsmaxservers
@@ -159,340 +164,35 @@ thread pool {
max_requests_per_server = $varsettingsmaxrequestsperserver
}
-
-#snmp = no
-#\$INCLUDE \${confdir}/snmp.conf
-
-
modules {
- pap {
- encryption_scheme = crypt
- }
-
- chap {
- authtype = CHAP
- }
-
- pam {
- pam_auth = radiusd
- }
-
- unix {
- cache = no
- cache_reload = 600
- radwtmp = \${logdir}/radwtmp
- }
-
- \$INCLUDE \${confdir}/eap.conf
-
- mschap {
- authtype = MS-CHAP
- #use_mppe = no
- #require_encryption = yes
- #require_strong = yes
- #with_ntdomain_hack = no
- #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
- }
-
- ldap {
- server = "ldap.your.domain"
- basedn = "o=My Org,c=UA"
- filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
- #base_filter = "(objectclass=radiusprofile)"
- start_tls = no
- #tls_cacertfile = /path/to/cacert.pem
- #tls_cacertdir = /path/to/ca/dir/
- #tls_certfile = /path/to/radius.crt
- #tls_keyfile = /path/to/radius.key
- #tls_randfile = /path/to/rnd
- #tls_require_cert = "demand"
- access_attr = "dialupAccess"
- dictionary_mapping = \${raddbdir}/ldap.attrmap
- ldap_connections_number = 5
- #groupname_attribute = cn
- #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
- #groupmembership_attribute = radiusGroupName
- timeout = 4
- timelimit = 3
- net_timeout = 1
- #compare_check_items = yes
- #do_xlat = yes
- #access_attr_used_for_allow = yes
- }
-
- realm IPASS {
- format = prefix
- delimiter = "/"
- ignore_default = no
- ignore_null = no
- }
-
- realm suffix {
- format = suffix
- delimiter = "@"
- ignore_default = no
- ignore_null = no
- }
-
- realm realmpercent {
- format = suffix
- delimiter = "%"
- ignore_default = no
- ignore_null = no
- }
-
- realm ntdomain {
- format = prefix
- ### There is "\\\" in freeradius.inc file and output is "\\" in radiusd.conf
- delimiter = "\\\"
- ignore_default = no
- ignore_null = no
- }
-
- checkval {
- item-name = Calling-Station-Id
- check-name = Calling-Station-Id
- data-type = string
- #notfound-reject = no
- }
-
- preprocess {
- huntgroups = \${confdir}/huntgroups
- hints = \${confdir}/hints
- with_ascend_hack = no
- ascend_channels_per_line = 23
- with_ntdomain_hack = no
- with_specialix_jetstream_hack = no
- with_cisco_vsa_hack = no
- }
-
- files {
- usersfile = \${confdir}/users
- acctusersfile = \${confdir}/acct_users
- preproxy_usersfile = \${confdir}/preproxy_users
- compat = no
- }
-
- detail {
- detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
- detailperm = 0600
- }
-
- acct_unique {
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
- }
-
- \$INCLUDE \${confdir}/sql.conf
-
- radutmp {
- filename = \${logdir}/radutmp
- username = %{User-Name}
- case_sensitive = yes
- check_with_nas = yes
- perm = 0600
- callerid = "yes"
- }
-
- radutmp sradutmp {
- filename = \${logdir}/sradutmp
- perm = 0644
- callerid = "no"
- }
-
- attr_filter {
- attrsfile = \${confdir}/attrs
- }
-
- counter daily {
- filename = \${raddbdir}/db.daily
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = daily
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- allowed-servicetype = Framed-User
- cache-size = 5000
- }
-
- counter weekly {
- filename = \${raddbdir}/db.weekly
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = weekly
- counter-name = Weekly-Session-Time
- check-name = Max-Weekly-Session
- cache-size = 5000
- }
-
- counter monthly {
- filename = \${raddbdir}/db.monthly
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = monthly
- counter-name = Monthly-Session-Time
- check-name = Max-Monthly-Session
- cache-size = 5000
- }
-
- counter forever {
- filename = \${raddbdir}/db.forever
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = never
- counter-name = Forever-Session-Time
- check-name = Max-Forever-Session
- cache-size = 5000
- }
-
- always fail {
- rcode = fail
- }
- always reject {
- rcode = reject
- }
- always ok {
- rcode = ok
- simulcount = 0
- mpp = no
- }
-
- expr {
- }
-
- digest {
- }
-
- exec {
- wait = yes
- input_pairs = request
- }
-
- exec echo {
- wait = yes
- program = "/bin/echo %{User-Name}"
- input_pairs = request
- output_pairs = reply
- #packet_type = Access-Accept
- }
-
- ippool main_pool {
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
- netmask = 255.255.255.0
- cache-size = 800
- session-db = \${raddbdir}/db.ippool
- ip-index = \${raddbdir}/db.ipindex
- override = no
- maximum-timeout = 0
- }
+ \$INCLUDE \${confdir}/modules/
+ \$INCLUDE eap.conf
+ #\$INCLUDE sql.conf
+ #\$INCLUDE sql/mysql/counter.conf
+ #\$INCLUDE sqlippool.conf
}
-
+
instantiate {
+
exec
expr
- daily
- weekly
- monthly
- forever
-}
-
-authorize {
- preprocess
- #auth_log
- #attr_filter
- chap
- mschap
- #digest
- #IPASS
- suffix
- #ntdomain
- eap
- files
- #sql
- #etc_smbpasswd
- #ldap
- daily
- weekly
- monthly
- forever
- #checkval
-}
-
-authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- #digest
- #pam
- unix
- #Auth-Type LDAP {
- # ldap
+ #daily
+ expiration
+ logintime
+ #redundant redundant_sql {
+ # sql1
+ # sql2
#}
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- #IPASS
- suffix
- #ntdomain
- files
-}
-
-accounting {
- detail
- daily
- weekly
- monthly
- forever
- unix
- radutmp
- #sradutmp
- #main_pool
- #sql
- #pgsql-voip
-}
-
-session {
- radutmp
- #sql
-}
-
-post-auth {
- #main_pool
- #reply_log
- #sql
- #ldap
- #Post-Auth-Type REJECT {
- # insert-module-name-here
- #}
-}
-
-pre-proxy {
- #attr_rewrite
- #files
- #pre_proxy_log
-}
-
-post-proxy {
- #post_proxy_log
- #attr_rewrite
- #attr_filter
- eap
}
+\$INCLUDE policy.conf
+\$INCLUDE sites-enabled/
+
EOD;
conf_mount_rw();
file_put_contents(RADDB . '/radiusd.conf', $conf);
- conf_mount_ro();
+ conf_mount_ro();
restart_service("freeradius");
}
@@ -502,65 +202,64 @@ global $config;
$conf = '';
$users = $config['installedpackages']['freeradius']['config'];
if (is_array($users)) {
- foreach ($users as $user) {
- $username = $user['username'];
- $password = $user['password'];
- $multiconnect = $user['multiconnect'];
- $ip = $user['ip'];
- $subnetmask = $user['subnetmask'];
- $gateway = $user['gateway'];
- $userexpiration=$user['expiration'];
- $sessiontime=$user['sessiontime'];
- $onlinetime=$user['onlinetime'];
- $vlanid=$user['vlanid'];
- $additionaloptions=$user['additionaloptions'];
- $atrib='';
- $head="$username User-Password == ".'"'.$password.'"';
- if ($multiconnect <> '') {
- $head .=", Simultaneous-Use := $multiconnect";
- }
- if ($userexpiration <> '') {
- $head .=", Expiration := ".'"'.$userexpiration.'"';
- }
- if ($subnetmask<> '') {
- $head .=", Framed-IP-Netmask = $subnetmask";
- }
- if ($gateway<> '') {
- $head .=", Framed-Route = $gateway";
- }
- if ($onlinetime <> '') {
- $head .=", Login-Time := ". '"' . $onlinetime .'"';
- }
- if ($ip <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tFramed-IP-Address = $ip";
- }
- if ($sessiontime <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tSession-Timeout := $sessiontime";
- }
- if ($vlanid <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
- }
- if ($additionaloptions <> '') {
- if ($atrib <> '') { $atrib .=","; }
- $atrib .="\r\n\t$additionaloptions";
- }
-
- $conf .= <<<EOD
- $head
- $atrib
+foreach ($users as $user) {
+$username = $user['username'];
+$password = $user['password'];
+$multiconnect = $user['multiconnect'];
+$ip = $user['ip'];
+$subnetmask = $user['subnetmask'];
+$gateway = $user['gateway'];
+$userexpiration=$user['expiration'];
+$sessiontime=$user['sessiontime'];
+$onlinetime=$user['onlinetime'];
+$vlanid=$user['vlanid'];
+$additionaloptions=$user['additionaloptions'];
+$atrib='';
+$head="$username Cleartext-Password := ".'"'.$password.'"';
+ if ($multiconnect <> '') {
+ $head .=", Simultaneous-Use := $multiconnect";
+ }
+ if ($userexpiration <> '') {
+ $head .=", Expiration := ".'"'.$userexpiration.'"';
+ }
+ if ($subnetmask<> '') {
+ $head .=", Framed-IP-Netmask = $subnetmask";
+ }
+ if ($gateway<> '') {
+ $head .=", Framed-Route = $gateway";
+ }
+ if ($onlinetime <> '') {
+ $head .=", Login-Time := ". '"' . $onlinetime .'"';
+ }
+ if ($ip <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tFramed-IP-Address = $ip";
+ }
+ if ($sessiontime <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tSession-Timeout := $sessiontime";
+ }
+ if ($vlanid <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
+ }
+ if ($additionaloptions <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\t$additionaloptions";
+ }
+
+ $conf .= <<<EOD
+$head
+$atrib
EOD;
- }
}
-
+}
$filename = RADDB . '/users';
conf_mount_rw();
file_put_contents($filename, $conf);
chmod($filename, 0600);
- conf_mount_ro();
+ conf_mount_ro();
restart_service('freeradius');
}