-rw-r--r-- | config/freeradius2/freeradius.inc | 47 |
1 files changed, 25 insertions, 22 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 3506641f..1d59ef37 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -590,9 +590,6 @@ function freeradius_eapconf_resync() { $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; - // Choose pfsense Cert-Manager or freeradius Cert-Manager - $vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr'); - // Variables: EAP $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5'); $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60'); 
@@ -600,8 +597,17 @@ function freeradius_eapconf_resync() { $vareapconfciscoaccountingusernamebug = ($eapconf['vareapconfciscoaccountingusernamebug']?$eapconf['vareapconfciscoaccountingusernamebug']:'no'); $vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096'); - // Variables: EAP-TLS and EAP-TLS with OCSP support + // Variables: EAP-TLS $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever'); + $vareapconffragmentsize = ($eapconf['vareapconffragmentsize']?$eapconf['vareapconffragmentsize']:'1024'); + $vareapconfincludelength = ($eapconf['vareapconfincludelength']?$eapconf['vareapconfincludelength']:'yes'); + + // Variables: Cache + $vareapconfcacheenablecache = ($eapconf['vareapconfcacheenablecache']?$eapconf['vareapconfcacheenablecache']:'no'); + $vareapconfcachelifetime = ($eapconf['vareapconfcachelifetime']?$eapconf['vareapconfcachelifetime']:'24'); + $vareapconfcachemaxentries = ($eapconf['vareapconfcachemaxentries']?$eapconf['vareapconfcachemaxentries']:'255'); + + // Variables OSCP $vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no'); $vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no'); $vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/'); 
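Review bot: The settings added here (`$vareapconffragmentsize`, `$vareapconfincludelength`, the three `$vareapconfcache*` values, and `$vareapconfttlsincludelength` in the -610 hunk) are read from `$eapconf` as-is and then written unquoted into the generated EAP configuration in the -720 and -744 hunks, so a stored value containing a newline or `}` would change the structure of that file. Unless GUI-side validation (not visible in this diff) already restricts them, constrain them at this point: `$vareapconfincludelength = ($eapconf['vareapconfincludelength'] == 'no') ? 'no' : 'yes';` for the yes/no fields, and a `ctype_digit()` check before accepting the numeric ones. The `?:` truthiness test also replaces a stored `'0'` with the default, so `max_entries = 0` can never be written; if I recall the stock eap.conf correctly, 0 means "unlimited" there, which should be confirmed. The new comment `// Variables OSCP` should read `// Variables: OCSP`. The body of `freeradius_eapconf_resync()` starts and ends outside this hunk.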
@@ -610,6 +616,7 @@ function freeradius_eapconf_resync() { $vareapconfttlsdefaulteaptype = ($eapconf['vareapconfttlsdefaulteaptype']?$eapconf['vareapconfttlsdefaulteaptype']:'md5'); $vareapconfttlscopyrequesttotunnel = ($eapconf['vareapconfttlscopyrequesttotunnel']?$eapconf['vareapconfttlscopyrequesttotunnel']:'no'); $vareapconfttlsusetunneledreply = ($eapconf['vareapconfttlsusetunneledreply']?$eapconf['vareapconfttlsusetunneledreply']:'no'); + $vareapconfttlsincludelength = ($eapconf['vareapconfttlsincludelength']?$eapconf['vareapconfttlsincludelength']:'yes'); // Variables: EAP-PEAP with MSCHAPv2 $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2'); @@ -633,7 +640,7 @@ function freeradius_eapconf_resync() { // The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time. // This is for the pfsense cert manager // Depends on "freeradius_get_server_certs" and "freeradius_get_ca_certs" -if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { +if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert != false) { @@ -682,12 +689,10 @@ if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { } // This is for freeradius cert manager -if ($vareapconfchoosecertmanager == 'radiuscertmgr') { - +else { $vareapconfprivatekeyfile = 'server.pem'; $vareapconfcertificatefile = 'server.pem'; $vareapconfcafile = 'ca.pem'; - } $conf .= <<<EOD @@ -710,7 +715,7 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { } - ### EAP-TLS and EAP-TLS with OCSP support + ### EAP-TLS and EAP-TLS with OCSP support tls { certdir = \${confdir}/certs cadir = \${confdir}/certs 
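Review bot: In the -633 hunk, `$eapconf['vareapconfchoosecertmanager'] == 'on'` no longer matches configurations saved with the previous value `'pfsensecertmgr'`, so after an upgrade those installs fall into the new `else` in the -682 hunk and the server uses `server.pem` / `ca.pem` instead of the pfSense Cert-Manager certificates. For EAP-TLS that silently changes which CA client certificates are verified against, and which certificate supplicants are shown. Unless a config migration exists outside this diff, accept the legacy value too: `if (in_array($eapconf['vareapconfchoosecertmanager'], array('on', 'pfsensecertmgr'), true)) {`. The body of the `if` branch lies outside the hunks shown.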
@@ -720,20 +725,18 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { CA_file = \${cadir}/$vareapconfcafile dh_file = \${certdir}/dh random_file = \${certdir}/random - # fragment_size = 1024 - # include_length = yes + fragment_size = $vareapconffragmentsize + include_length = $vareapconfincludelength # check_crl = yes CA_path = \${cadir} - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} cipher_list = "DEFAULT" - ### we make this from Certificate tab on GUI at startup - # make_cert_command = "\${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { - enable = no - lifetime = 24 # hours - max_entries = 255 + enable = $vareapconfcacheenablecache + lifetime = $vareapconfcachelifetime + max_entries = $vareapconfcachemaxentries } verify { # tmpdir = /tmp/radiusd @@ -744,17 +747,17 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { override_cert_url = $vareapconfocspoverridecerturl url = "$vareapconfocspurl" } - } ### end tls + } - ### EAP-TTLS + ### EAP-TTLS ttls { default_eap_type = $vareapconfttlsdefaulteaptype copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel use_tunneled_reply = $vareapconfttlsusetunneledreply - # include_length = yes + include_length = $vareapconfttlsincludelength } ### end ttls - ### EAP-PEAP with MSCHAPv2 + ### EAP-PEAP peap { default_eap_type = $vareapconfpeapdefaulteaptype copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel @@ -765,7 +768,7 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { mschapv2 { # send_error = no } - } ### end eap + } EOD; |
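Review bot: In the -720 hunk, `enable = $vareapconfcacheenablecache` makes TLS session resumption switchable from the GUI, but nothing in the generated file says how that interacts with the `ocsp` block further down. A resumed session normally skips the certificate exchange, so a revoked client certificate may keep authenticating until its cache entry expires. I would add a comment line above `cache {` in the heredoc, such as `# resumed sessions are not re-validated (OCSP/CRL) until the cache entry expires; keep lifetime short when OCSP is enabled`, and mirror it in the GUI field description. The removed `# hours` comment on `lifetime` is also worth keeping, since the unit is no longer visible anywhere in the output. `check_crl` stays commented out, so OCSP is the only revocation check this template can turn on.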