authorFernando Lemos <fernandotcl@pfsense.org>2006-06-02 13:41:17 +0000
committerFernando Lemos <fernandotcl@pfsense.org>2006-06-02 13:41:17 +0000
commitc868bc5be8c9f7cc8b7ca91bbd36990a931d9875 (patch)
tree5bd31ed5427b8547222e5cfe496239c49a0aecac /packages/freeradius.inc
parent341ff9436ee8b6eb2c89365d3b05a00408eb0eb3 (diff)
A working version of the FreeRADIUS package (this one writes the configuration to the right files ;)).
Diffstat (limited to 'packages/freeradius.inc')
-rw-r--r--packages/freeradius.inc438
1 files changed, 438 insertions, 0 deletions
diff --git a/packages/freeradius.inc b/packages/freeradius.inc
new file mode 100644
index 00000000..cdc7a422
--- /dev/null
+++ b/packages/freeradius.inc
@@ -0,0 +1,438 @@
+<?php
+require_once('config.inc');
+require_once('service-utils.inc');
+
+define('RADDB', '/usr/local/etc/raddb');
+
+function freeradius_install_command() {
+ global $config;
+
+ $handle = opendir(RADDB);
+ while (false != ($file = readdir($handle))) {
+ if (false != ($pos = strpos($file, '.sample'))) {
+ $newfile = substr($file, 0, $pos);
+ if (copy(RADDB . "/$file", RADDB . "/$newfile"))
+ unlink(RADDB . "/$file");
+ }
+ }
+ closedir($handle);
+
+ freeradius_settings_resync();
+
+ $rcfile = array();
+ $rcfile['file'] = 'radiusd.sh';
+ $rcfile['start'] = 'radiusd -s &';
+ $rcfile['stop'] = 'killall radiusd';
+ write_rcfile($rcfile);
+ start_service("freeradius");
+}
+
+function freeradius_settings_resync() {
+ global $config;
+
+ $settings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ $iface = ($settings['interface'] ? $settings['interface'] : 'LAN');
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $iface_ip = find_interface_ip($iface);
+ $port = ($settings['port'] != '' ? $settings['port'] : 0);
+
+ // FreeRADIUS's configuration is huge
+ // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
+ $conf = <<<EOD
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/radiusd
+log_file = \${logdir}/radius.log
+libdir = \${exec_prefix}/lib
+pidfile = \${run_dir}/radiusd.pid
+#user = nobody
+#group = nobody
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+bind_address = $iface_ip
+port = $port
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+log_stripped_names = no
+log_auth = no
+log_auth_badpass = no
+log_auth_goodpass = no
+usercollide = no
+lower_user = no
+lower_pass = no
+nospace_user = no
+nospace_pass = no
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = no
+}
+
+proxy_requests = yes
+\$INCLUDE \${confdir}/proxy.conf
+
+\$INCLUDE \${confdir}/clients.conf
+
+snmp = no
+\$INCLUDE \${confdir}/snmp.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ pap {
+ encryption_scheme = crypt
+ }
+
+ chap {
+ authtype = CHAP
+ }
+
+ pam {
+ pam_auth = radiusd
+ }
+
+ unix {
+ cache = no
+ cache_reload = 600
+ radwtmp = \${logdir}/radwtmp
+ }
+
+ \$INCLUDE \${confdir}/eap.conf
+
+ mschap {
+ authtype = MS-CHAP
+ #use_mppe = no
+ #require_encryption = yes
+ #require_strong = yes
+ #with_ntdomain_hack = no
+ #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+ }
+
+ ldap {
+ server = "ldap.your.domain"
+ basedn = "o=My Org,c=UA"
+ filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ #base_filter = "(objectclass=radiusprofile)"
+ start_tls = no
+ #tls_cacertfile = /path/to/cacert.pem
+ #tls_cacertdir = /path/to/ca/dir/
+ #tls_certfile = /path/to/radius.crt
+ #tls_keyfile = /path/to/radius.key
+ #tls_randfile = /path/to/rnd
+ #tls_require_cert = "demand"
+ access_attr = "dialupAccess"
+ dictionary_mapping = \${raddbdir}/ldap.attrmap
+ ldap_connections_number = 5
+ #groupname_attribute = cn
+ #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+ #groupmembership_attribute = radiusGroupName
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+ #compare_check_items = yes
+ #do_xlat = yes
+ #access_attr_used_for_allow = yes
+ }
+
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ checkval {
+ item-name = Calling-Station-Id
+ check-name = Calling-Station-Id
+ data-type = string
+ #notfound-reject = no
+ }
+
+ preprocess {
+ huntgroups = \${confdir}/huntgroups
+ hints = \${confdir}/hints
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+ with_ntdomain_hack = no
+ with_specialix_jetstream_hack = no
+ with_cisco_vsa_hack = no
+ }
+
+ files {
+ usersfile = \${confdir}/users
+ acctusersfile = \${confdir}/acct_users
+ preproxy_usersfile = \${confdir}/preproxy_users
+ compat = no
+ }
+
+ detail {
+ detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+ detailperm = 0600
+ }
+
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+
+ \$INCLUDE \${confdir}/sql.conf
+
+ radutmp {
+ filename = \${logdir}/radutmp
+ username = %{User-Name}
+ case_sensitive = yes
+ check_with_nas = yes
+ perm = 0600
+ callerid = "yes"
+ }
+
+ radutmp sradutmp {
+ filename = \${logdir}/sradutmp
+ perm = 0644
+ callerid = "no"
+ }
+
+ attr_filter {
+ attrsfile = \${confdir}/attrs
+ }
+
+ counter daily {
+ filename = \${raddbdir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ allowed-servicetype = Framed-User
+ cache-size = 5000
+ }
+
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+
+ expr {
+ }
+
+ digest {
+ }
+
+ exec {
+ wait = yes
+ input_pairs = request
+ }
+
+ exec echo {
+ wait = yes
+ program = "/bin/echo %{User-Name}"
+ input_pairs = request
+ output_pairs = reply
+ #packet_type = Access-Accept
+ }
+
+ ippool main_pool {
+ range-start = 192.168.1.1
+ range-stop = 192.168.3.254
+ netmask = 255.255.255.0
+ cache-size = 800
+ session-db = \${raddbdir}/db.ippool
+ ip-index = \${raddbdir}/db.ipindex
+ override = no
+ maximum-timeout = 0
+ }
+}
+
+instantiate {
+ exec
+ expr
+ #daily
+}
+
+authorize {
+ preprocess
+ #auth_log
+ #attr_filter
+ chap
+ mschap
+ #digest
+ #IPASS
+ suffix
+ #ntdomain
+ eap
+ files
+ #sql
+ #etc_smbpasswd
+ #ldap
+ #daily
+ #checkval
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ #digest
+ #pam
+ unix
+ #Auth-Type LDAP {
+ # ldap
+ #}
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ #IPASS
+ suffix
+ #ntdomain
+ files
+}
+
+accounting {
+ detail
+ #daily
+ unix
+ radutmp
+ #sradutmp
+ #main_pool
+ #sql
+ #pgsql-voip
+}
+
+session {
+ radutmp
+ #sql
+}
+
+post-auth {
+ #main_pool
+ #reply_log
+ #sql
+ #ldap
+ #Post-Auth-Type REJECT {
+ # insert-module-name-here
+ #}
+}
+
+pre-proxy {
+ #attr_rewrite
+ #files
+ #pre_proxy_log
+}
+
+post-proxy {
+ #post_proxy_log
+ #attr_rewrite
+ #attr_filter
+ eap
+}
+
+EOD;
+ file_put_contents(RADDB . '/radiusd.conf', $conf);
+ restart_service("freeradius");
+}
+
+function freeradius_users_resync() {
+ global $config;
+
+ $conf = '';
+ $users = $config['installedpackages']['freeradius']['config'];
+ if (is_array($users)) {
+ foreach ($users as $user)
+ $conf .= "{$user['username']}\tUser-Password == \"{$user['password']}\"\n";
+ }
+ $filename = RADDB . '/users';
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+
+ restart_service('freeradius');
+}
+
+function freeradius_clients_resync() {
+ global $config;
+
+ $conf = '';
+ $clients = $config['installedpackages']['freeradiusclients']['config'];
+ if (is_array($clients) && !empty($clients)) {
+ foreach ($clients as $item) {
+ $client = $item['client'];
+ $secret = $item['sharedsecret'];
+ $shortname = $item['shortname'];
+ $conf .= <<<EOD
+client $client {
+ secret = $secret
+ shortname = $shortname
+}
+
+EOD;
+ }
+ }
+ else {
+ $conf .= <<<EOD
+client 127.0.0.1 {
+ secret = pfsense
+ shortname = localhost
+}
+
+EOD;
+ }
+
+ file_put_contents(RADDB . '/clients.conf', $conf);
+ restart_service("freeradius");
+}
+?>
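Review bot: The values interpolated into the generated clients.conf and users file (`$client`, `$secret` and `$shortname` in the `client $client {` heredoc, and `{$user['password']}` in the `User-Password == "..."` line) come straight from the stored package config with no quoting or escaping, so a shared secret containing whitespace, `}` or a newline, or a password containing `"`, produces a malformed file or extra directives in it. Each value should be double-quoted and backslash-escaped before it is written (FreeRADIUS accepts quoted strings in both files; `addcslashes($value, "\\\"\n")` is one option), or rejected against a strict allow-list of characters. The file permissions are also inconsistent: the users file gets `chmod($filename, 0600)`, but clients.conf, which holds every NAS shared secret, is written by `file_put_contents(RADDB . '/clients.conf', $conf)` with umask-default permissions, so add `chmod(RADDB . '/clients.conf', 0600);` right after that call (radiusd.conf is written the same way). The fallback `secret = pfsense` for 127.0.0.1 is a fixed, publicly visible secret; at minimum mark it with a comment such as `// placeholder localhost client; the shared secret must be changed before use`. None of the `file_put_contents` results are checked, so a failed write is followed by a `restart_service` against a stale or missing file.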