author | Chris Buechler <cmb@pfsense.org> | 2008-04-13 22:59:43 +0000 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2008-04-13 22:59:43 +0000 |
commit | 488d874ebaf97add9c432916ef828741ce6766ef (patch) | |
tree | ebbb2d629a0954273c8e939b92a3d441f4fd5c6a /packages | |
parent | 719efc38ecc3c9b12730b58881b5c17ca269de20 (diff) | |
download | pfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.tar.gz pfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.tar.bz2 pfsense-packages-488d874ebaf97add9c432916ef828741ce6766ef.zip |
changes from Dimitri Rodis
Diffstat (limited to 'packages')
-rw-r--r-- | packages/freeradius.inc | 70 | ||||
-rw-r--r-- | packages/freeradius.xml | 72 | ||||
-rw-r--r-- | packages/freeradiussettings.xml | 54 |
3 files changed, 148 insertions, 48 deletions
diff --git a/packages/freeradius.inc b/packages/freeradius.inc
index 3b173edf..53a1d695 100644
--- a/packages/freeradius.inc
+++ b/packages/freeradius.inc
@@ -41,6 +41,9 @@ function freeradius_settings_resync() {
 $iface = convert_friendly_interface_to_real_interface_name($iface);
 $iface_ip = find_interface_ip($iface);
 $port = ($settings['port'] != '' ? $settings['port'] : 0);
+ $radiuslogging = $settings['radiuslogging'];
+ $radiuslogbadpass = $settings['radiuslogbadpass'];
+ $radiusloggoodpass = $settings['radiusloggoodpass'];
 // FreeRADIUS's configuration is huge
 // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
@@ -71,9 +74,9 @@ allow_core_dumps = no
 regular_expressions = yes
 extended_expressions = yes
 log_stripped_names = no
-log_auth = no
-log_auth_badpass = no
-log_auth_goodpass = no
+log_auth = $radiuslogging
+log_auth_badpass = $radiuslogbadpass
+log_auth_goodpass = $radiusloggoodpass
 usercollide = no
 lower_user = no
 lower_pass = no
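Review bot: The three new `$settings[...]` values are substituted into radiusd.conf without normalisation, so a config.xml that predates these fields (or one edited by hand) produces `log_auth = ` with no value, and anything other than yes/no reaches the daemon's config parser untouched. I would coerce each one to the only two values the directive accepts before building the template, e.g. `$radiuslogging = ($settings['radiuslogging'] == 'yes') ? 'yes' : 'no';`, and likewise for the other two. Worth a comment at the assignment as well: in FreeRADIUS `log_auth_badpass`/`log_auth_goodpass` control whether the submitted password is written into the log line, not merely whether the attempt is logged, so the variable names understate what they switch on. freeradius_settings_resync() begins before this hunk and the configuration heredoc continues past it.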
@@ -442,33 +445,40 @@ function freeradius_users_resync() { $password = $user['password']; $multiconnet = $user['multiconnet']; $ip = $user['ip']; - $x=$user['expiration']; - $sessiontime=$user['sessiontime']; - $onlinetime=$user['onlinetime']; - $atrib=''; - $head="$username User-Password == ".'"'.$password.'" '; - if ($multiconnect <> '') - { - $head .=", Simultaneous-Use += $multiconnet"; - } - if ($x <> '') - { - $head .=", Expiration := ".'"'.$x.'"'; - } - if ($ip <> '') - { - $atrib .="\r\n\tFramed-IP-Address = $ip,"; - } - if ($sessiontime <> '') - { - $atrib .="\r\n\tSession-Timeout := $sessiontime,"; - } - if ($onlinetime <> '') - { - $head .=", Login-Time := ". '"' . $onlinetime .'"'; - } - - $conf .= <<<EOD + $userexpiration=$user['expiration']; + $sessiontime=$user['sessiontime']; + $onlinetime=$user['onlinetime']; + $vlanid=$user['vlanid']; + $additionaloptions=$user['additionaloptions']; + $atrib=''; + $head="$username User-Password == ".'"'.$password.'"'; + if ($multiconnect <> '') { + $head .=", Simultaneous-Use += $multiconnet"; + } + if ($x <> '') { + $head .=", Expiration := ".'"'.$userexpiration.'"'; + } + if ($onlinetime <> '') { + $head .=", Login-Time := ". '"' . $onlinetime .'"'; + } + if ($ip <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tFramed-IP-Address = $ip"; + } + if ($sessiontime <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tSession-Timeout := $sessiontime"; + } + if ($vlanid <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\""; + } + if ($additionaloptions <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\t$additionaloptions"; + } + + $conf .= <<<EOD $head $atrib diff --git a/packages/freeradius.xml b/packages/freeradius.xml index 514ebfba..8f214787 100644 --- a/packages/freeradius.xml +++ b/packages/freeradius.xml 
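Review bot: The expiration guard still tests `$x`, but the rewritten block stores the value in `$userexpiration` and never assigns `$x`, so the `Expiration :=` check item is no longer emitted for any user; the line should read `if ($userexpiration <> '') {`. The neighbouring `if ($multiconnect <> '') {` has the same shape, carried over from the old code: the value lives in `$multiconnet`, so `Simultaneous-Use` is silently dropped as well. Separately, `$vlanid` and `$additionaloptions` are written into the users file verbatim, so a stray `"`, comma or line break in either field breaks parsing for every account in the file (the form text for additional options already concedes this), and the VLAN value in particular should be rejected unless it is a plain numeric ID or name. freeradius_users_resync() starts before this hunk and the heredoc it is building continues after it.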
@@ -83,11 +83,15 @@ <fielddescr>Username</fielddescr> <fieldname>username</fieldname> </columnitem> - <columnitem> - <fielddescr>IP address</fielddescr> - <fieldname>ip</fieldname> - </columnitem> - <columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <columnitem> + <fielddescr>IP address</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> <fielddescr>Multiple Connection</fielddescr> <fieldname>multiconnet</fieldname> </columnitem> @@ -100,10 +104,14 @@ <fieldname>sessiontime</fieldname> </columnitem> <columnitem> - <fielddescr>Online time</fielddescr> - <fieldname>onlinetime</fieldname> - </columnitem> - </adddeleteeditpagefields> + <fielddescr>Online time</fielddescr> + <fieldname>onlinetime</fieldname> + </columnitem> + <columnitem> + <fielddescr>VLAN ID</fielddescr> + <fieldname>vlanid</fieldname> + </columnitem> + </adddeleteeditpagefields> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> @@ -136,7 +144,7 @@ </field> <field> <fieldname>ip</fieldname> - <fielddescr>Ip address</fielddescr> + <fielddescr>IP address</fielddescr> <description>If you want this user to be assigned a specific IP address from radius, enter the IP address here. Continuous IP address is available with "+" suffix(example:192.168.1.5+. It may help for assigning the different IP address to multiple simultaneous connections). IMPORTANT, you MUST ener an IP address here if you checked 
@@ -188,14 +196,44 @@ Here are a few sample time strings with an explanation of what they mean. This means any day. Since no time is specified, it means any time on any day. </description> <type>input</type> - </field> - <field> - <fieldname>description</fieldname> - <fielddescr>Description</fielddescr> - <description>You may enter a description here for your reference (not parsed).</description> - <type>input</type> </field> - </fields> + <field> + <fieldname>description</fieldname> + <fielddescr>Description</fielddescr> + <description>You may enter a description here for your reference (not parsed).</description> + <type>input</type> + </field> + <field> + <fieldname>vlanid</fieldname> + <fielddescr>VLAN ID</fielddescr> + <description><![CDATA[ + Enter the VLAN ID (integer from 1-4095) OR the VLAN name that this user/device should be assigned. In general, this parameter is used in conjunction with switches and access points that support mac-based authentication.<br><br> + + This setting can be used for switches/wireless access points that support the following radius parameters:<br> + Tunnel-Type = VLAN<br> + Tunnel-Medium-Type = IEEE-802<br> + Tunnel-Private-Group-ID = "insert vlan identifier here"<br><br> + + This was implemented and tested with HP Procurve Switches (3500yl, and 2626). HP Procurve switches support using either the VLAN ID or the VLAN name, while other switches will only work using the VLAN ID. + ]]> + </description> + <type>input</type> + </field> + <field> + <fieldname>additionaloptions</fieldname> + <fielddescr>Additional RADIUS Options</fielddescr> + <description> + <![CDATA[ + Experts only.<br> + You may append extra custom RADIUS options to this user account (separated by commas).<br> + IMPORTANT: If you don't format this field correctly, FreeRADIUS may not properly start because the users file will contain a syntax error. 
+ ]]> + </description> + <type>textarea</type> + <rows>10</rows> + <cols>75</cols> + </field> + </fields> <custom_delete_php_command> freeradius_users_resync(); </custom_delete_php_command> diff --git a/packages/freeradiussettings.xml b/packages/freeradiussettings.xml index 8e3cf812..0eb9d9d4 100644 --- a/packages/freeradiussettings.xml +++ b/packages/freeradiussettings.xml 
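Review bot: The VLAN ID help text says integers 1-4095 are valid, but VLAN 4095 is reserved by IEEE 802.1Q, so the range should read `1-4094`; more importantly the value is dropped straight into `Tunnel-Private-Group-ID = "..."` in the users file, so a quote or comma in it corrupts the file for all users, and nothing on this page constrains it. If the package framework offers a per-page validation hook, a check that the value is either an integer in that range or a name made of letters, digits, `_`, `.` and `-` would close that gap; failing that, the description should at least state the restriction. The `additionaloptions` textarea is free text by design, but its description could say concretely that the content is appended as one more comma-separated reply-item list and must not end with a comma or contain unbalanced `"` characters.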
@@ -78,8 +78,60 @@ <fieldname>port</fieldname> <description>Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1892.</description> <type>input</type> + <default_value>1892</default_value> </field> - </fields> + <field> + <fielddescr>Radius Logging</fielddescr> + <fieldname>radiuslogging</fieldname> + <description>Enable radius logging to /var/log/radius.log?</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + <field> + <fielddescr>Log bad authentication attempts?</fielddescr> + <fieldname>radiuslogbadpass</fieldname> + <description>Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + <field> + <fielddescr>Log good authentication attempts?</fielddescr> + <fieldname>radiusloggoodpass</fieldname> + <description>Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + </fields> <custom_delete_php_command> freeradius_settings_resync(); </custom_delete_php_command> |
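Review bot: The two new options are presented as logging bad/good authentication attempts, but the radiusd.conf directives they drive (`log_auth_badpass`/`log_auth_goodpass`) make FreeRADIUS include the submitted password in each log line, so enabling `radiusloggoodpass` writes every valid user password to /var/log/radius.log in the clear. Each description should say so, e.g. `Log the password supplied with bad authentication attempts to radius.log (plaintext; enable only while troubleshooting).`, and the defaults of "no" should stay as they are. The new `<default_value>1892</default_value>` also looks like a typo carried over from the description: the registered RADIUS authentication port is 1812, and the .inc already maps a blank port to 0, which as far as I recall FreeRADIUS treats as "use the standard ports" — so the default should be 1812 or left blank, and the description fixed to match.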