diff options
-rw-r--r-- | config/freeradius2/freeradius.inc | 83 | ||||
-rw-r--r-- | config/freeradius2/freeradius.xml | 3 | ||||
-rw-r--r-- | config/freeradius2/freeradiussettings.xml | 3 | ||||
-rw-r--r-- | pkg_config.8.xml | 2 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 2 |
5 files changed, 43 insertions, 50 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index baac37ae..59cb2ce5 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -86,6 +86,10 @@ function freeradius_install_command() { log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}"); copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); } + + // Disable virtual-server we do not need by default + unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); + unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; @@ -902,41 +906,32 @@ function freeradius_serverdefault_resync() { $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; // If unchecked we need the normal EAP section. - If (!$varsettings['varsettingsenablemacauth']) { + if (!$varsettings['varsettingsenablemacauth']) { $varplainmacauthenable = ''; $varplainmacauthenable .= "eap {"; $varplainmacauthenable .= "\n\tok = return"; $varplainmacauthenable .= "\n\t}"; - + $varplainmacpreacctenable = ''; $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####'; } // If checked we need to check if it is plain mac or eap else { $varplainmacauthenable = ''; - $varplainmacauthenable .= "# if cleaning up the Calling-Station-Id..."; + $varplainmacauthenable .= "\t### FIRST check MAC address in authorized_macs and if that fails proceed with other checks below in else-section ###"; + $varplainmacauthenable .= "\n\t# if cleaning up the Calling-Station-Id..."; $varplainmacauthenable .= "\n\trewrite_calling_station_id"; - $varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth"; - $varplainmacauthenable .= "\n\tif (!EAP-Message) {"; - $varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file"; - $varplainmacauthenable .= "\n\t\tauthorized_macs"; - $varplainmacauthenable .= "\n\t\tif (!ok) {"; - $varplainmacauthenable .= "\n\t\t\treject"; - $varplainmacauthenable .= "\n\t\t}"; - $varplainmacauthenable .= "\n\t\telse {"; - $varplainmacauthenable .= "\n\t\t\t# accept"; + $varplainmacauthenable .= "\n\t# now check against the authorized_macs file"; + $varplainmacauthenable .= "\n\tauthorized_macs"; + $varplainmacauthenable .= "\n\tif (ok) {"; $varplainmacauthenable .= "\n\t\t\tupdate control {"; - $varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept"; - $varplainmacauthenable .= "\n\t\t\t}"; + $varplainmacauthenable .= "\n\t\t\tAuth-Type := Accept"; $varplainmacauthenable .= "\n\t\t}"; $varplainmacauthenable .= "\n\t}"; - $varplainmacauthenable .= "\n\telse {"; - $varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g."; - $varplainmacauthenable .= "\n\t\teap"; - $varplainmacauthenable .= "\n\t}"; - + $varplainmacauthenable .= "\n\t### Here we have to place all other authorize modules which should be check when MAC fails ###"; + $varplainmacpreacctenable = ''; - $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####'; + $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH ENABLED #####'; $varplainmacpreacctenable .= "\n\trewrite_calling_station_id"; } @@ -1032,27 +1027,6 @@ authorize { preprocess # - # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP - # authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # As of 2.0, the EAP module returns "ok" in the authorize stage - # for TTLS and PEAP. In 1.x, it never returned "ok" here, so - # this change is compatible with older configurations. - # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. - # - - $varplainmacauthenable - - - # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. @@ -1098,9 +1072,30 @@ authorize { # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # + suffix ntdomain - + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + + $varplainmacauthenable + # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want @@ -1157,7 +1152,7 @@ authorize { # get a chance to set Auth-Type for themselves. # pap - + # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. @@ -2951,7 +2946,7 @@ policy { } } else { - noop + noop } } } diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index e1c6c9f2..2b31996a 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -346,10 +346,9 @@ freeradius_install_command(); freeradius_clients_resync(); freeradius_users_resync(); + freeradius_authorizedmacs_resync(); freeradius_eapconf_resync(); freeradius_sqlconf_resync(); - exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); - exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); </custom_php_install_command> <custom_php_deinstall_command> freeradius_deinstall_command(); diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 611db03f..ea7366fc 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -104,8 +104,7 @@ <field> <fielddescr>Enable Plain MAC Auth</fielddescr> <fieldname>varsettingsenablemacauth</fieldname> - <description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br> - Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description> + <description><![CDATA[This enables plain MAC auth. The Calling-Station-Id in an Access-Request is first checked against an authorized_macs list before all other authorization methods. If your NAS is not able to convert the MAC in a 802.1X format then you could enable this. If you do not need this leave this disabled. (Default: unchecked)]]></description> <type>checkbox</type> </field> <field> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index cb68e9c4..df8beb40 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -805,7 +805,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.4.5</version> + <version>2.1.12 pkg v1.4.6</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 10a5f2f2..fb0ce32d 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -852,7 +852,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12 pkg v1.4.5</version> + <version>2.1.12 pkg v1.4.6</version> <status>BETA</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> |