diff options
author | Chris Buechler <cmb@pfsense.org> | 2012-01-01 20:41:05 -0800 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2012-01-01 20:41:05 -0800 |
commit | efda45c843dcf50b54a9ec8bf1d30b6be9cc8fec (patch) | |
tree | 45caf6b3ba18c7a4c9c13134abe933be111ef9b6 /config | |
parent | 940d30b1cdac33e7bbe082cc94e7a808470e8349 (diff) | |
parent | 4d59da46ecf55861609b5949660a46809e794042 (diff) | |
download | pfsense-packages-efda45c843dcf50b54a9ec8bf1d30b6be9cc8fec.tar.gz pfsense-packages-efda45c843dcf50b54a9ec8bf1d30b6be9cc8fec.tar.bz2 pfsense-packages-efda45c843dcf50b54a9ec8bf1d30b6be9cc8fec.zip |
Merge pull request #165 from Nachtfalkeaw/master
freeradius2 updates pkg v1.4.1
Diffstat (limited to 'config')
-rwxr-xr-x | config/freeradius2/freeradius.inc | 349 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradius.xml | 1 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradius_view_config.php | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiuscerts.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiusclients.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiuseapconf.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiusinterfaces.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiussettings.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiussqlconf.xml | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/freeradius2/freeradiussync.xml | 0 |
10 files changed, 320 insertions, 30 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 6b1cfb9d..52456822 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -281,7 +281,10 @@ instantiate { exec expr - #daily + daily + weekly + monthly + forever expiration logintime ### Dis-/Enable sql instatiate @@ -299,6 +302,9 @@ EOD; // "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius. freeradius_serverdefault_resync(); + freeradius_modulescounter_resync(); + freeradius_modulesmschap_resync(); + freeradius_modulesrealm_resync(); restart_service("freeradius"); } @@ -348,45 +354,57 @@ if (is_array($arrusers) && !empty($arrusers)) { } // Empty variable - $varusersmainoptions = ''; + $varuserscheckitem = ''; + $varusersreplyitem = ''; // Add the user attributes to each user. - $varusersmainoptions = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"'; + $varuserscheckitem = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"'; + // Add additional CHECK-ITEMS here. Different formatting in "users" file needed. if ($varuserssimultaneousconnect != '') { - $varusersmainoptions .= "\n\tSimultaneous-Use := $varuserssimultaneousconnect"; + $varuserscheckitem .= ", Simultaneous-Use := " . '"' . $varuserssimultaneousconnect . '"'; } if ($varusersexpiration != '') { - $varusersmainoptions .= ",\n\tExpiration := " . '"' . $varusersexpiration . '"'; + $varuserscheckitem .= ", Expiration := " . '"' . $varusersexpiration . '"'; } if ($varuserslogintime != '') { - $varusersmainoptions .= ",\n\tLogin-Time := " . '"' . $varuserslogintime . '"'; + $varuserscheckitem .= ", Login-Time := " . '"' . $varuserslogintime . '"'; } - if ($varuserssessiontimeout != '') { - $varusersmainoptions .= ",\n\tSession-Timeout := $varuserssessiontimeout"; - } + + // Add additional REPLY-ITEMS here. Different formatting in "users" file needed. if ($varusersframedipaddress != '') { - $varusersmainoptions .= ",\n\tFramed-IP-Address = $varusersframedipaddress"; + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tFramed-IP-Address = $varusersframedipaddress"; } if ($varusersframedipnetmask != '') { - $varusersmainoptions .= ",\n\tFramed-IP-Netmask = $varusersframedipnetmask"; + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tFramed-IP-Netmask = $varusersframedipnetmask"; } if ($varusersframedroute != '') { - $varusersmainoptions .= ",\n\tFramed-Route = " . '"' . $varusersframedroute . '"'; + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tFramed-Route = " . '"' . $varusersframedroute . '"'; + } + if ($varuserssessiontimeout != '') { + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tSession-Timeout := $varuserssessiontimeout"; } if ($varusersvlanid != '') { - $varusersmainoptions .= ",\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . '"'; + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . '"'; } if ($varusersadditionaloptionsbottom != '') { - $varusersmainoptions .= ",\n\t$varusersadditionaloptionsbottom"; + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\t$varusersadditionaloptionsbottom"; } - // Cosmetic fix - This is just to make a blank new line after each user entry - $varusersmainoptions .= "\n\n"; + + // Cosmetic fix - This is just to make a blank new line after each user entry + $varusersreplyitem .= "\n\n"; $conf .= <<<EOD $varusersadditionaloptionstop -$varusersmainoptions +$varuserscheckitem + $varusersreplyitem EOD; } //end foreach } // end if @@ -610,8 +628,6 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { default_eap_type = $vareapconfttlsdefaulteaptype copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel use_tunneled_reply = $vareapconfttlsusetunneledreply - ### if disabled this will be processed by the virtual server called "default" - # virtual_server = "inner-tunnel" # include_length = yes } ### end ttls @@ -621,10 +637,8 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel use_tunneled_reply = $vareapconfpeapusetunneledreply # proxy_tunneled_request_as_eap = yes - ### if disabled this will be processed by the virtual server called "default" - # virtual_server = "inner-tunnel" - # soh = yes - # soh_virtual_server = "soh-server" + soh = yes + soh_virtual_server = "soh" } mschapv2 { # send_error = no @@ -929,7 +943,7 @@ authorize { # the other styles won't be checked. # suffix -# ntdomain + ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP @@ -984,11 +998,14 @@ authorize { # # Enforce daily limits on time spent logged in. -# daily + daily + weekly + monthly + forever # # Use the checkval module -# checkval + checkval expiration logintime @@ -1160,7 +1177,7 @@ preacct { # home server as authentication requests. # IPASS suffix -# ntdomain + ntdomain # # Read the 'acct_users' file @@ -1176,7 +1193,10 @@ accounting { # Note that accounting requests which are proxied # are also logged in the detail file. detail -# daily + daily + weekly + monthly + forever # Update the wtmp file # @@ -1375,7 +1395,7 @@ pre-proxy { # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. -# attr_filter.pre-proxy + attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the @@ -1399,7 +1419,7 @@ post-proxy { # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy + attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP @@ -1941,4 +1961,273 @@ function freeradius_all_after_XMLRPC_resync() { exec("/usr/local/etc/rc.d/radiusd onerestart"); } +function freeradius_modulescounter_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +# +# $Id$ + +# counter module: +# This module takes an attribute (count-attribute). +# It also takes a key, and creates a counter for each unique +# key. The count is incremented when accounting packets are +# received by the server. The value of the increment depends +# on the attribute type. +# If the attribute is Acct-Session-Time or of an integer type we add +# the value of the attribute. If it is anything else we increase the +# counter by one. +# +# The 'reset' parameter defines when the counters are all reset to +# zero. It can be hourly, daily, weekly, monthly or never. +# +# hourly: Reset on 00:00 of every hour +# daily: Reset on 00:00:00 every day +# weekly: Reset on 00:00:00 on sunday +# monthly: Reset on 00:00:00 of the first day of each month +# +# It can also be user defined. It should be of the form: +# num[hdwm] where: +# h: hours, d: days, w: weeks, m: months +# If the letter is ommited days will be assumed. In example: +# reset = 10h (reset every 10 hours) +# reset = 12 (reset every 12 days) +# +# +# The check-name attribute defines an attribute which will be +# registered by the counter module and can be used to set the +# maximum allowed value for the counter after which the user +# is rejected. +# Something like: +# +# DEFAULT Max-Daily-Session := 36000 +# Fall-Through = 1 +# +# You should add the counter module in the instantiate +# section so that it registers check-name before the files +# module reads the users file. +# +# If check-name is set and the user is to be rejected then we +# send back a Reply-Message and we log a Failure-Message in +# the radius.log +# +# If the count attribute is Acct-Session-Time then on each +# login we send back the remaining online time as a +# Session-Timeout attribute ELSE and if the reply-name is +# set, we send back that attribute. The reply-name attribute +# MUST be of an integer type. +# +# The counter-name can also be used instead of using the check-name +# like below: +# +# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject +# Reply-Message = "You've used up more than one hour today" +# +# The allowed-servicetype attribute can be used to only take +# into account specific sessions. For example if a user first +# logs in through a login menu and then selects ppp there will +# be two sessions. One for Login-User and one for Framed-User +# service type. We only need to take into account the second one. +# +# The module should be added in the instantiate, authorize and +# accounting sections. Make sure that in the authorize +# section it comes after any module which sets the +# 'check-name' attribute. +# +counter daily { + filename = \${raddbdir}/db.daily + key = User-Name + count-attribute = Acct-Session-Time + reset = daily + counter-name = Daily-Session-Time + check-name = Max-Daily-Session + reply-name = Session-Timeout + cache-size = 5000 +} + +counter weekly { + filename = \${raddbdir}/db.weekly + key = User-Name + count-attribute = Acct-Session-Time + reset = weekly + counter-name = Weekly-Session-Time + check-name = Max-Weekly-Session + reply-name = Session-Timeout + cache-size = 5000 +} + +counter monthly { + filename = \${raddbdir}/db.monthly + key = User-Name + count-attribute = Acct-Session-Time + reset = monthly + counter-name = Monthly-Session-Time + check-name = Max-Monthly-Session + reply-name = Session-Timeout + cache-size = 5000 +} + +counter forever { + filename = \${raddbdir}/db.forever + key = User-Name + count-attribute = Acct-Session-Time + reset = never + counter-name = Forever-Session-Time + check-name = Max-Forever-Session + reply-name = Session-Timeout + cache-size = 5000 +} + +EOD; + + $filename = RADDB . '/modules/counter'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_modulesmschap_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +# +# $Id$ + +# Microsoft CHAP authentication +# +# This module supports MS-CHAP and MS-CHAPv2 authentication. +# It also enforces the SMB-Account-Ctrl attribute. +# +mschap { + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + + # if use_mppe is not set to no mschap will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # +# use_mppe = no + + # if mppe is enabled require_encryption makes + # encryption moderate + # +# require_encryption = yes + + # require_strong always requires 128 bit key + # encryption + # +# require_strong = yes + + # Windows sends us a username in the form of + # DOMAIN\user, but sends the challenge response + # based on only the user portion. This hack + # corrects for that incorrect behavior. + # + with_ntdomain_hack = yes + + # The module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # If ntlm_auth is configured below, then the mschap + # module will call ntlm_auth for every MS-CHAP + # authentication request. If there is a cleartext + # or NT hashed password available, you can set + # "MS-CHAP-Use-NTLM-Auth := No" in the control items, + # and the mschap module will do the authentication itself, + # without calling ntlm_auth. + # + # Be VERY careful when editing the following line! + # + # You can also try setting the user name as: + # + # ... --username=%{mschap:User-Name} ... + # + # In that case, the mschap module will look at the User-Name + # attribute, and do prefix/suffix checks in order to obtain + # the "best" user name for the request. + # +# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} -- +nt-response=%{%{mschap:NT-Response}:-00}" + + # For Apple Server, when running on the same machine as + # Open Directory. It has no effect on other systems. + # +# use_open_directory = yes + + # On failure, set (or not) the MS-CHAP error code saying + # "retries allowed". +# allow_retry = yes + + # An optional retry message. +# retry_msg = "Re-enter (or reset) the password" +} + +EOD; + + $filename = RADDB . '/modules/mschap'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_modulesrealm_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# 'realm/username' +# Using this entry, IPASS users have their realm set to "IPASS". +realm IPASS { + format = prefix + delimiter = "/" + ignore_null = yes + ignore_default = no +} +# 'username@realm' +realm suffix { + format = suffix + delimiter = "@" + ignore_null = yes + ignore_default = no +} +# 'username%realm' +realm realmpercent { + format = suffix + delimiter = "%" + ignore_null = yes + ignore_default = no +} +# 'domain\user' +realm ntdomain { + format = prefix + ### 3 backslash in .inc will be 2 backslash in file and after starting radiusd just only one + delimiter = "\\\" + ignore_null = yes + ignore_default = no +} +EOD; + + $filename = RADDB . '/modules/realm'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + ?>
\ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index 9ebefe47..627506a7 100644..100755 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -319,6 +319,7 @@ freeradius_sqlconf_resync(); exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); + exec("ln -s /usr/local/etc/raddb/sites-available/soh /usr/local/etc/raddb/sites-enabled/"); </custom_php_install_command> <custom_php_deinstall_command> freeradius_deinstall_command(); diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index 14e37455..14e37455 100644..100755 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 34ab5a03..34ab5a03 100644..100755 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 61afd4f5..61afd4f5 100644..100755 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index 759c6065..759c6065 100644..100755 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index 3819908e..3819908e 100644..100755 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 34999917..34999917 100644..100755 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index bce593fe..bce593fe 100644..100755 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 4a15c8d2..4a15c8d2 100644..100755 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml |