aboutsummaryrefslogtreecommitdiffstats
path: root/packages
diff options
context:
space:
mode:
authorChris Buechler <cmb@pfsense.org>2008-04-13 22:59:43 +0000
committerChris Buechler <cmb@pfsense.org>2008-04-13 22:59:43 +0000
commit488d874ebaf97add9c432916ef828741ce6766ef (patch)
treeebbb2d629a0954273c8e939b92a3d441f4fd5c6a /packages
parent719efc38ecc3c9b12730b58881b5c17ca269de20 (diff)
downloadpfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.tar.gz
pfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.tar.bz2
pfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.zip
changes from Dimitri Rodis
Diffstat (limited to 'packages')
-rw-r--r--packages/freeradius.inc70
-rw-r--r--packages/freeradius.xml72
-rw-r--r--packages/freeradiussettings.xml54
3 files changed, 148 insertions, 48 deletions
diff --git a/packages/freeradius.inc b/packages/freeradius.inc
index 3b173edf..53a1d695 100644
--- a/packages/freeradius.inc
+++ b/packages/freeradius.inc
@@ -41,6 +41,9 @@ function freeradius_settings_resync() {
$iface = convert_friendly_interface_to_real_interface_name($iface);
$iface_ip = find_interface_ip($iface);
$port = ($settings['port'] != '' ? $settings['port'] : 0);
+ $radiuslogging = $settings['radiuslogging'];
+ $radiuslogbadpass = $settings['radiuslogbadpass'];
+ $radiusloggoodpass = $settings['radiusloggoodpass'];
// FreeRADIUS's configuration is huge
// This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
@@ -71,9 +74,9 @@ allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
-log_auth = no
-log_auth_badpass = no
-log_auth_goodpass = no
+log_auth = $radiuslogging
+log_auth_badpass = $radiuslogbadpass
+log_auth_goodpass = $radiusloggoodpass
usercollide = no
lower_user = no
lower_pass = no
@@ -442,33 +445,40 @@ function freeradius_users_resync() {
$password = $user['password'];
$multiconnet = $user['multiconnet'];
$ip = $user['ip'];
- $x=$user['expiration'];
- $sessiontime=$user['sessiontime'];
- $onlinetime=$user['onlinetime'];
- $atrib='';
- $head="$username User-Password == ".'"'.$password.'" ';
- if ($multiconnect <> '')
- {
- $head .=", Simultaneous-Use += $multiconnet";
- }
- if ($x <> '')
- {
- $head .=", Expiration := ".'"'.$x.'"';
- }
- if ($ip <> '')
- {
- $atrib .="\r\n\tFramed-IP-Address = $ip,";
- }
- if ($sessiontime <> '')
- {
- $atrib .="\r\n\tSession-Timeout := $sessiontime,";
- }
- if ($onlinetime <> '')
- {
- $head .=", Login-Time := ". '"' . $onlinetime .'"';
- }
-
- $conf .= <<<EOD
+ $userexpiration=$user['expiration'];
+ $sessiontime=$user['sessiontime'];
+ $onlinetime=$user['onlinetime'];
+ $vlanid=$user['vlanid'];
+ $additionaloptions=$user['additionaloptions'];
+ $atrib='';
+ $head="$username User-Password == ".'"'.$password.'"';
+ if ($multiconnect <> '') {
+ $head .=", Simultaneous-Use += $multiconnet";
+ }
+ if ($x <> '') {
+ $head .=", Expiration := ".'"'.$userexpiration.'"';
+ }
+ if ($onlinetime <> '') {
+ $head .=", Login-Time := ". '"' . $onlinetime .'"';
+ }
+ if ($ip <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tFramed-IP-Address = $ip";
+ }
+ if ($sessiontime <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tSession-Timeout := $sessiontime";
+ }
+ if ($vlanid <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\"";
+ }
+ if ($additionaloptions <> '') {
+ if ($atrib <> '') { $atrib .=","; }
+ $atrib .="\r\n\t$additionaloptions";
+ }
+
+ $conf .= <<<EOD
$head
$atrib
diff --git a/packages/freeradius.xml b/packages/freeradius.xml
index 514ebfba..8f214787 100644
--- a/packages/freeradius.xml
+++ b/packages/freeradius.xml
@@ -83,11 +83,15 @@
<fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
</columnitem>
- <columnitem>
- <fielddescr>IP address</fielddescr>
- <fieldname>ip</fieldname>
- </columnitem>
- <columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>IP address</fielddescr>
+ <fieldname>ip</fieldname>
+ </columnitem>
+ <columnitem>
<fielddescr>Multiple Connection</fielddescr>
<fieldname>multiconnet</fieldname>
</columnitem>
@@ -100,10 +104,14 @@
<fieldname>sessiontime</fieldname>
</columnitem>
<columnitem>
- <fielddescr>Online time</fielddescr>
- <fieldname>onlinetime</fieldname>
- </columnitem>
- </adddeleteeditpagefields>
+ <fielddescr>Online time</fielddescr>
+ <fieldname>onlinetime</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>VLAN ID</fielddescr>
+ <fieldname>vlanid</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>077</chmod>
@@ -136,7 +144,7 @@
</field>
<field>
<fieldname>ip</fieldname>
- <fielddescr>Ip address</fielddescr>
+ <fielddescr>IP address</fielddescr>
<description>If you want this user to be assigned a specific IP address from radius, enter the IP
address here. Continuous IP address is available with "+" suffix(example:192.168.1.5+. It may help for assigning the
different IP address to multiple simultaneous connections). IMPORTANT, you MUST ener an IP address here if you checked
@@ -188,14 +196,44 @@ Here are a few sample time strings with an explanation of what they mean.
This means any day. Since no time is specified, it means any time on any day. </description>
<type>input</type>
- </field>
- <field>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- <description>You may enter a description here for your reference (not parsed).</description>
- <type>input</type>
</field>
- </fields>
+ <field>
+ <fieldname>description</fieldname>
+ <fielddescr>Description</fielddescr>
+ <description>You may enter a description here for your reference (not parsed).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>vlanid</fieldname>
+ <fielddescr>VLAN ID</fielddescr>
+ <description><![CDATA[
+ Enter the VLAN ID (integer from 1-4095) OR the VLAN name that this user/device should be assigned. In general, this parameter is used in conjunction with switches and access points that support mac-based authentication.<br><br>
+
+ This setting can be used for switches/wireless access points that support the following radius parameters:<br>
+ Tunnel-Type = VLAN<br>
+ Tunnel-Medium-Type = IEEE-802<br>
+ Tunnel-Private-Group-ID = "insert vlan identifier here"<br><br>
+
+ This was implemented and tested with HP Procurve Switches (3500yl, and 2626). HP Procurve switches support using either the VLAN ID or the VLAN name, while other switches will only work using the VLAN ID.
+ ]]>
+ </description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>additionaloptions</fieldname>
+ <fielddescr>Additional RADIUS Options</fielddescr>
+ <description>
+ <![CDATA[
+ Experts only.<br>
+ You may append extra custom RADIUS options to this user account (separated by commas).<br>
+ IMPORTANT: If you don't format this field correctly, FreeRADIUS may not properly start because the users file will contain a syntax error.
+ ]]>
+ </description>
+ <type>textarea</type>
+ <rows>10</rows>
+ <cols>75</cols>
+ </field>
+ </fields>
<custom_delete_php_command>
freeradius_users_resync();
</custom_delete_php_command>
diff --git a/packages/freeradiussettings.xml b/packages/freeradiussettings.xml
index 8e3cf812..0eb9d9d4 100644
--- a/packages/freeradiussettings.xml
+++ b/packages/freeradiussettings.xml
@@ -78,8 +78,60 @@
<fieldname>port</fieldname>
<description>Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1892.</description>
<type>input</type>
+ <default_value>1892</default_value>
</field>
- </fields>
+ <field>
+ <fielddescr>Radius Logging</fielddescr>
+ <fieldname>radiuslogging</fieldname>
+ <description>Enable radius logging to /var/log/radius.log?</description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option>
+ <name>no</name>
+ <value>no</value>
+ </option>
+ <option>
+ <name>yes</name>
+ <value>yes</value>
+ </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Log bad authentication attempts?</fielddescr>
+ <fieldname>radiuslogbadpass</fieldname>
+ <description>Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option>
+ <name>no</name>
+ <value>no</value>
+ </option>
+ <option>
+ <name>yes</name>
+ <value>yes</value>
+ </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Log good authentication attempts?</fielddescr>
+ <fieldname>radiusloggoodpass</fieldname>
+ <description>Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option>
+ <name>no</name>
+ <value>no</value>
+ </option>
+ <option>
+ <name>yes</name>
+ <value>yes</value>
+ </option>
+ </options>
+ </field>
+ </fields>
<custom_delete_php_command>
freeradius_settings_resync();
</custom_delete_php_command>