-rw-r--r-- | packages/freeradius.inc | 438 | ||||
-rw-r--r-- | packages/freeradius.xml | 105 | ||||
-rw-r--r-- | packages/freeradiusclients.xml | 48 | ||||
-rw-r--r-- | packages/freeradiussettings.xml | 46 |
4 files changed, 503 insertions, 134 deletions
diff --git a/packages/freeradius.inc b/packages/freeradius.inc
new file mode 100644
index 00000000..cdc7a422
--- /dev/null
+++ b/packages/freeradius.inc
@@ -0,0 +1,438 @@
+<?php
+require_once('config.inc');
+require_once('service-utils.inc');
+
+define('RADDB', '/usr/local/etc/raddb');
+
+function freeradius_install_command() {
+ global $config;
+
+ $handle = opendir(RADDB);
+ while (false != ($file = readdir($handle))) {
+ if (false != ($pos = strpos($file, '.sample'))) {
+ $newfile = substr($file, 0, $pos);
+ if (copy(RADDB . "/$file", RADDB . "/$newfile"))
+ unlink(RADDB . "/$file");
+ }
+ }
+ closedir($handle);
+
+ freeradius_settings_resync();
+
+ $rcfile = array();
+ $rcfile['file'] = 'radiusd.sh';
+ $rcfile['start'] = 'radiusd -s &';
+ $rcfile['stop'] = 'killall radiusd';
+ write_rcfile($rcfile);
+ start_service("freeradius");
+}
+
+function freeradius_settings_resync() {
+ global $config;
+
+ $settings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ $iface = ($settings['interface'] ? $settings['interface'] : 'LAN');
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $iface_ip = find_interface_ip($iface);
+ $port = ($settings['port'] != '' ? $settings['port'] : 0);
+
+ // FreeRADIUS's configuration is huge
+ // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
+ $conf = <<<EOD
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/radiusd
+log_file = \${logdir}/radius.log
+libdir = \${exec_prefix}/lib
+pidfile = \${run_dir}/radiusd.pid
+#user = nobody
+#group = nobody
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+bind_address = $iface_ip
+port = $port
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+log_stripped_names = no
+log_auth = no
+log_auth_badpass = no
+log_auth_goodpass = no
+usercollide = no
+lower_user = no
+lower_pass = no
+nospace_user = no
+nospace_pass = no
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = no
+}
+
+proxy_requests = yes
+\$INCLUDE \${confdir}/proxy.conf
+
+\$INCLUDE \${confdir}/clients.conf
+
+snmp = no
+\$INCLUDE \${confdir}/snmp.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ pap {
+ encryption_scheme = crypt
+ }
+
+ chap {
+ authtype = CHAP
+ }
+
+ pam {
+ pam_auth = radiusd
+ }
+
+ unix {
+ cache = no
+ cache_reload = 600
+ radwtmp = \${logdir}/radwtmp
+ }
+
+ \$INCLUDE \${confdir}/eap.conf
+
+ mschap {
+ authtype = MS-CHAP
+ #use_mppe = no
+ #require_encryption = yes
+ #require_strong = yes
+ #with_ntdomain_hack = no
+ #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+ }
+
+ ldap {
+ server = "ldap.your.domain"
+ basedn = "o=My Org,c=UA"
+ filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ #base_filter = "(objectclass=radiusprofile)"
+ start_tls = no
+ #tls_cacertfile = /path/to/cacert.pem
+ #tls_cacertdir = /path/to/ca/dir/
+ #tls_certfile = /path/to/radius.crt
+ #tls_keyfile = /path/to/radius.key
+ #tls_randfile = /path/to/rnd
+ #tls_require_cert = "demand"
+ access_attr = "dialupAccess"
+ dictionary_mapping = \${raddbdir}/ldap.attrmap
+ ldap_connections_number = 5
+ #groupname_attribute = cn
+ #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+ #groupmembership_attribute = radiusGroupName
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+ #compare_check_items = yes
+ #do_xlat = yes
+ #access_attr_used_for_allow = yes
+ }
+
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ checkval {
+ item-name = Calling-Station-Id
+ check-name = Calling-Station-Id
+ data-type = string
+ #notfound-reject = no
+ }
+
+ preprocess {
+ huntgroups = \${confdir}/huntgroups
+ hints = \${confdir}/hints
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+ with_ntdomain_hack = no
+ with_specialix_jetstream_hack = no
+ with_cisco_vsa_hack = no
+ }
+
+ files {
+ usersfile = \${confdir}/users
+ acctusersfile = \${confdir}/acct_users
+ preproxy_usersfile = \${confdir}/preproxy_users
+ compat = no
+ }
+
+ detail {
+ detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+ detailperm = 0600
+ }
+
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+
+ \$INCLUDE \${confdir}/sql.conf
+
+ radutmp {
+ filename = \${logdir}/radutmp
+ username = %{User-Name}
+ case_sensitive = yes
+ check_with_nas = yes
+ perm = 0600
+ callerid = "yes"
+ }
+
+ radutmp sradutmp {
+ filename = \${logdir}/sradutmp
+ perm = 0644
+ callerid = "no"
+ }
+
+ attr_filter {
+ attrsfile = \${confdir}/attrs
+ }
+
+ counter daily {
+ filename = \${raddbdir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ allowed-servicetype = Framed-User
+ cache-size = 5000
+ }
+
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+
+ expr {
+ }
+
+ digest {
+ }
+
+ exec {
+ wait = yes
+ input_pairs = request
+ }
+
+ exec echo {
+ wait = yes
+ program = "/bin/echo %{User-Name}"
+ input_pairs = request
+ output_pairs = reply
+ #packet_type = Access-Accept
+ }
+
+ ippool main_pool {
+ range-start = 192.168.1.1
+ range-stop = 192.168.3.254
+ netmask = 255.255.255.0
+ cache-size = 800
+ session-db = \${raddbdir}/db.ippool
+ ip-index = \${raddbdir}/db.ipindex
+ override = no
+ maximum-timeout = 0
+ }
+}
+
+instantiate {
+ exec
+ expr
+ #daily
+}
+
+authorize {
+ preprocess
+ #auth_log
+ #attr_filter
+ chap
+ mschap
+ #digest
+ #IPASS
+ suffix
+ #ntdomain
+ eap
+ files
+ #sql
+ #etc_smbpasswd
+ #ldap
+ #daily
+ #checkval
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ #digest
+ #pam
+ unix
+ #Auth-Type LDAP {
+ # ldap
+ #}
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ #IPASS
+ suffix
+ #ntdomain
+ files
+}
+
+accounting {
+ detail
+ #daily
+ unix
+ radutmp
+ #sradutmp
+ #main_pool
+ #sql
+ #pgsql-voip
+}
+
+session {
+ radutmp
+ #sql
+}
+
+post-auth {
+ #main_pool
+ #reply_log
+ #sql
+ #ldap
+ #Post-Auth-Type REJECT {
+ # insert-module-name-here
+ #}
+}
+
+pre-proxy {
+ #attr_rewrite
+ #files
+ #pre_proxy_log
+}
+
+post-proxy {
+ #post_proxy_log
+ #attr_rewrite
+ #attr_filter
+ eap
+}
+
+EOD;
+ file_put_contents(RADDB . '/radiusd.conf', $conf);
+ restart_service("freeradius");
+}
+
+function freeradius_users_resync() {
+ global $config;
+
+ $conf = '';
+ $users = $config['installedpackages']['freeradius']['config'];
+ if (is_array($users)) {
+ foreach ($users as $user)
+ $conf .= "{$user['username']}\tUser-Password == \"{$user['password']}\"\n";
+ }
+ $filename = RADDB . '/users';
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+
+ restart_service('freeradius');
+}
+
+function freeradius_clients_resync() {
+ global $config;
+
+ $conf = '';
+ $clients = $config['installedpackages']['freeradiusclients']['config'];
+ if (is_array($clients) && !empty($clients)) {
+ foreach ($clients as $item) {
+ $client = $item['client'];
+ $secret = $item['sharedsecret'];
+ $shortname = $item['shortname'];
+ $conf .= <<<EOD
+client $client {
+ secret = $secret
+ shortname = $shortname
+}
+
+EOD;
+ }
+ }
+ else {
+ $conf .= <<<EOD
+client 127.0.0.1 {
+ secret = pfsense
+ shortname = localhost
+}
+
+EOD;
+ }
+
+ file_put_contents(RADDB . '/clients.conf', $conf);
+ restart_service("freeradius");
+}
+?>
diff --git a/packages/freeradius.xml b/packages/freeradius.xml
index 279ff469..0f4af220 100644
--- a/packages/freeradius.xml
+++ b/packages/freeradius.xml
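Review bot: `freeradius_clients_resync()` writes every NAS shared secret into `clients.conf` with `file_put_contents()` but, unlike the `users` file written a few lines earlier, never restricts the mode, so the secrets are left at whatever the process umask yields (typically world-readable); add `chmod(RADDB . '/clients.conf', 0600);` right after that write. Both resync functions also interpolate `username`, `password`, `client`, `sharedsecret` and `shortname` verbatim into the generated files, so a value containing a double quote, whitespace or a newline corrupts the file or becomes an extra directive — validate `client`/`shortname` as a single token and escape `"` and `\` in the quoted password before appending to `$conf`. The `sync_package_*` functions these replace wrapped their writes in `conf_mount_rw()`/`conf_mount_ro()`; the new code drops that and ignores the return value of `file_put_contents()`, so on a read-only root the write fails silently and `restart_service()` reloads stale config — check the return value and log or bail out. Finally, `while (false != ($file = readdir($handle)))` and `false != ($pos = strpos($file, '.sample'))` use loose comparison, so an entry named `0` ends the loop early and a name that starts with `.sample` is skipped; use `!==`.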
@@ -1,18 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
 <packagegui>
- <name>freeradius</name>
- <version>1.0.1</version>
- <title>FreeRADIUS: Users</title>
+ <include_file>freeradius.inc</include_file>
+
+ <!-- Installation -->
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradiusclients.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradiussettings.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradius.inc</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ freeradius_install_command();
+ </custom_php_install_command>
 <menu>
 <name>FreeRADIUS</name>
 <tooltiptext>Modify FreeRADIUS users, clients, and settings.</tooltiptext>
 <section>Services</section>
- <configfile>freeradius.xml</configfile>
+ <url>/pkg.php?xml=freeradius.xml</url>
 </menu>
 <service>
 <name>FreeRADIUS</name>
- <rcfile>freeradius.sh</rcfile>
+ <description>The FreeRADIUS daemon.</description>
+ <rcfile>radiusd.sh</rcfile>
 <executable>radiusd</executable>
 </service>
+
+ <!-- Interface -->
+ <name>freeradius</name>
+ <title>FreeRADIUS: Users</title>
 <tabs>
 <tab>
 <text>Users</text>
@@ -28,16 +46,6 @@
 <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url>
 </tab>
 </tabs>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiusclients.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiussettings.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiusconfig.tgz</item>
- </additional_files_needed>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
 <adddeleteeditpagefields>
 <columnitem>
 <fielddescr>Username</fielddescr>
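Review bot: `freeradius.inc`, which the new `<custom_php_install_command>` executes with the firewall's privileges, is fetched from a plain `http://` URL listed under `<additional_files_needed>` with no digest, so its integrity depends entirely on the network path; the two `.xml` files pulled the same way feed `<custom_*_php_command>` hooks as well. If the package framework supports it, serve these over `https://` or pin a checksum; otherwise record the exposure with a comment such as `<!-- Installation: include file and sub-pages are fetched unauthenticated over HTTP -->` in place of `<!-- Installation -->`.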
@@ -50,73 +58,30 @@
 </adddeleteeditpagefields>
 <fields>
 <field>
- <fielddescr>Username</fielddescr>
 <fieldname>username</fieldname>
- <description>Enter the username here</description>
+ <fielddescr>Username</fielddescr>
+ <description>Enter the username.</description>
+ <required/>
 <type>input</type>
 </field>
 <field>
- <fielddescr>Password</fielddescr>
 <fieldname>password</fieldname>
- <description>Enter the password here</description>
+ <fielddescr>Password</fielddescr>
+ <description>Enter the password for this username.</description>
+ <required/>
 <type>password</type>
 </field>
 <field>
- <fielddescr>Username Description</fielddescr>
 <fieldname>description</fieldname>
- <description>Enter the description of the user here</description>
+ <fielddescr>Description</fielddescr>
+ <description>You may enter a description here for your reference (not parsed).</description>
 <type>input</type>
 </field>
 </fields>
- <custom_php_install_command>
- global $config;
- $fout = fopen("/usr/local/etc/raddb/clients.conf","w");
- fwrite($fout, "client 127.0.0.1" . "{\n" . "secret = pfsense\n" . "shortname = localhost\n}\n\n");
- fclose($fout);
- write_rcfile(array(
- "file" => "freeradius.sh",
- "start" => "/usr/local/sbin/radiusd -X -d /usr/local/etc/raddb &",
- "stop" => "/usr/bin/killall radiusd"
- )
- );
- $fout = fopen("/usr/local/etc/radiusd.conf.dynamic","w");
- fwrite($fout, "{\nipaddr = 127.0.0.1\nport = 0\ntype = auth\n}\n\n");
- fclose($fout);
- start_service("freeradius");
- </custom_php_install_command>
- <custom_php_global_functions>
- function sync_package_freeradius() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/users","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- if($config['installedpackages']['freeradius']['config'] != "") {
- foreach($config['installedpackages']['freeradius']['config'] as $rowhelper) {
- fwrite($fout, $rowhelper['username'] . "\tUser-Password == \"" . $rowhelper['password'] . "\"\n");
- if ($rowhelper['bwrestriction'] == "on") {
- if (($rowhelper['uploadbw'] != "") and ($rowhelper['downloadbw'] != "")) {
- fwrite($fout, "\tNomadix-Bw-Up = " . $rowhelper['uploadbw'] . ",\n");
- fwrite($fout, "\tNomadix-Bw-Down = " . $rowhelper['downloadbw'] . "\n\n");
- } elseif ($rowhelper['uploadbw'] != "") {
- fwrite($fout, "\tNomadix-Bw-Up = " . $rowhelper['uploadbw'] . "\n\n");
- } elseif ($rowhelper['downloadbw'] != "") {
- fwrite($fout, "\tNomadix-Bw-Down = " . $rowhelper['downloadbw'] . "\n\n");
- }
- }
- }
- }
- fclose($fout);
- chmod("/usr/local/etc/raddb/users", 0600);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- </custom_php_global_functions>
+ <custom_delete_php_command>
+ freeradius_users_resync();
+ </custom_delete_php_command>
 <custom_php_resync_config_command>
- sync_package_freeradius();
+ freeradius_users_resync();
 </custom_php_resync_config_command>
- <custom_add_php_command>
- sync_package_freeradius();
- </custom_add_php_command>
 </packagegui>
diff --git a/packages/freeradiusclients.xml b/packages/freeradiusclients.xml
index c24d01eb..d3dc95ec 100644
--- a/packages/freeradiusclients.xml
+++ b/packages/freeradiusclients.xml
@@ -1,6 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
 <packagegui>
 <name>freeradiusclients</name>
 <title>FreeRADIUS: Clients</title>
+ <include_file>freeradius.inc</include_file>
 <tabs>
 <tab>
 <text>Users</text>
@@ -16,7 +18,6 @@
 <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url>
 </tab>
 </tabs>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
 <adddeleteeditpagefields>
 <columnitem>
 <fielddescr>Client</fielddescr>
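Review bot: The form no longer carries `bwrestriction`, `uploadbw` or `downloadbw`, and `freeradius_users_resync()` (freeradius.inc, this commit) writes only `User-Password`, whereas the removed `sync_package_freeradius()` emitted `Nomadix-Bw-Up`/`Nomadix-Bw-Down` from those keys; users saved with a bandwidth limit keep the values in config but silently lose the reply items on the next resync. If dropping the feature is intended, state it in a comment above `<custom_php_resync_config_command>`, e.g. `<!-- Nomadix-Bw-Up/Down bandwidth limits are no longer written; pre-existing uploadbw/downloadbw settings are ignored -->`, and restore a `<version>` element (the `<version>1.0.1</version>` line removed in the first hunk has no replacement) so the package change is versioned.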
@@ -33,52 +34,37 @@
 </adddeleteeditpagefields>
 <fields>
 <field>
- <fielddescr>Client</fielddescr>
 <fieldname>client</fieldname>
- <description>Enter the client's IP address here</description>
+ <fielddescr>Client</fielddescr>
+ <description>Enter the client's IP address.</description>
 <type>input</type>
+ <required/>
 </field>
 <field>
- <fielddescr>Shortname</fielddescr>
 <fieldname>shortname</fieldname>
- <description>Enter the client's shortname here</description>
+ <fielddescr>Shortname</fielddescr>
+ <description>Enter the client's shortname.</description>
 <type>input</type>
+ <required/>
 </field>
 <field>
- <fielddescr>Shared Secret</fielddescr>
 <fieldname>sharedsecret</fieldname>
+ <fielddescr>Shared Secret</fielddescr>
 <description>Enter the client's shared secret here</description>
 <type>password</type>
+ <required/>
 </field>
 <field>
- <fielddescr>Description</fielddescr>
 <fieldname>description</fieldname>
+ <fielddescr>Description</fielddescr>
 <description>Enter the description of the user here</description>
 <type>input</type>
 </field>
 </fields>
- <custom_php_command_before_form>
- function sync_package_freeradius_clients() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/clients.conf","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- fwrite($fout, "client 127.0.0.1" . "{\n" . "secret = pfsense\n" . "shortname = localhost\n}\n\n");
- if($config['installedpackages']['freeradiusclients']['config'] != "") {
- foreach($config['installedpackages']['freeradiusclients']['config'] as $rowhelper) {
- fwrite($fout, "client " . $rowhelper['client'] . "{\n" . "secret = " . $rowhelper['sharedsecret'] . "\nshortname = " . $rowhelper['shortname'] . "\n}\n\n");
- }
- }
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- sync_package_freeradius_clients();
- </custom_php_command_before_form>
- <custom_add_php_command>
- sync_package_freeradius_clients();
- </custom_add_php_command>
+ <custom_delete_php_command>
+ freeradius_clients_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_clients_resync();
+ </custom_php_resync_config_command>
 </packagegui>
-
diff --git a/packages/freeradiussettings.xml b/packages/freeradiussettings.xml
index 7db3402d..91c1cd63 100644
--- a/packages/freeradiussettings.xml
+++ b/packages/freeradiussettings.xml
@@ -1,6 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
 <packagegui>
 <name>freeradiussettings</name>
 <title>FreeRADIUS: Settings</title>
+ <include_file>freeradius.inc</include_file>
 <aftersaveredirect>pkg_edit.php?xml=freeradiussettings.xml&id=0</aftersaveredirect>
 <tabs>
 <tab>
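Review bot: The `client` field is a free-form `input` whose value `freeradius_clients_resync()` (freeradius.inc, this commit) writes unquoted as the `client $client {` header, so any value that is not an address form FreeRADIUS accepts yields an unparsable `clients.conf` and the restart that follows fails; `<required/>` only rejects an empty value. Validate it as an IP address at save time if the package framework offers a validation hook, and in any case tighten the description: `Enter the client's IP address (written as-is into clients.conf).`. The description field still says `Enter the description of the user here` on a page that edits clients; `You may enter a description here for your reference (not parsed).` matches the wording on the users page.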
@@ -17,47 +19,25 @@
 <active/>
 </tab>
 </tabs>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
 <fields>
 <field>
- <fielddescr>Listening Interface(s)</fielddescr>
 <fieldname>interface</fieldname>
- <description>Enter the desired listening interface here</description>
+ <fielddescr>Listening Interface(s)</fielddescr>
+ <description>Enter the desired listening interface here.</description>
 <type>interfaces_selection</type>
+ <required/>
 </field>
 <field>
- <fielddescr>Port</fielddescr>
 <fieldname>port</fieldname>
- <description>Enter the desired port here (default 1812)</description>
+ <fielddescr>Port</fielddescr>
+ <description>Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1892.</description>
 <type>input</type>
 </field>
 </fields>
- <custom_php_command_before_form>
- function sync_package_freeradius_settings() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/radiusd.conf.dynamic","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- $int = convert_friendly_interface_to_real_interface_name($config['installedpackages']['freeradiussettings']['config']['0']['interface']);
- $int_ip = find_interface_ip($int);
- $port = $config['installedpackages']['freeradiussettings']['config'][0]['port'];
- fwrite($fout, "{\nipaddr = " . $int_ip);
- if($port != "") {
- fwrite($fout, "port = " . $port . "\n");
- } else {
- fwrite($fout, "port = 0\n");
- }
- fwrite($fout, "type = auth\n}\n\n");
- fwrite($fout, "{\nipaddr = 127.0.0.1\nport = 0\ntype = auth\n}\n\n");
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- </custom_php_command_before_form>
- <custom_add_php_command>
- sync_package_freeradius_settings();
- </custom_add_php_command>
+ <custom_delete_php_command>
+ freeradius_settings_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_settings_resync();
+ </custom_php_resync_config_command>
 </packagegui>
- |
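Review bot: The new port description names `1892` as the system default, but the text it replaces says 1812 and that is the standard RADIUS authentication port; the sentence `Leave blank to default to the system default, i.e., 1892.` should read `Leave blank to use the system default (1812).`. The value is a free-form `input` that `freeradius_settings_resync()` (freeradius.inc, this commit) emits verbatim as `port = $port`, so anything non-numeric breaks `radiusd.conf`; validate it as an integer between 1 and 65535 if the framework allows, or at least say `numeric` in the description.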