1 files changed, 240 insertions, 205 deletions

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 35566e22..60ccbdf4 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -45,76 +45,58 @@ require_once("globals.inc");
 require_once("filter.inc");
 require_once("services.inc");
 
-define('RADDB', '/usr/local/etc/raddb');
+// Check pfSense version
+$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+switch ($pfs_version) {
+	case "1.2":
+	case "2.0":
+		define('FREERADIUS_BASE', '/usr/local');
+		break;
+	default:
+		define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m"));
+}
+// End: Check pfSense version
 
 function freeradius_deinstall_command() {
-	exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`");
-	exec("rm -rf /usr/local/etc/raddb/");
-	exec("rm -rf /var/run/radiusd/");
+	if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") {
+		exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`");
+		exec("rm -rf " . FREERADIUS_BASE . "/etc/raddb");
+		exec("rm -rf /var/run/radiusd/");
+	}
 }
 
 function freeradius_install_command() {
 	global $config;
 	conf_mount_rw();
 
+	// put the constant to a variable
+	$varFREERADIUS_BASE = FREERADIUS_BASE;
+
 	// We create here different folders for different counters.
 	if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); }
 	if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter");	}
 	
-	exec("mkdir /usr/local/etc/raddb/scripts");
+	exec("mkdir " . FREERADIUS_BASE . "/etc/raddb/scripts");
 	if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp");	}
 	if (!file_exists("/var/log/radwtmp")) {	exec("touch /var/log/radwtmp");	}
-	exec("chown -R root:wheel /usr/local/etc/raddb && chown -R root:wheel /usr/local/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct");
+	exec("chown -R root:wheel " . FREERADIUS_BASE . "/etc/raddb && chown -R root:wheel " . FREERADIUS_BASE . "/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct");
 
 	// creating a backup file of the original policy.conf no matter if user checked this or not
-	if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) {
-		log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup");
-		copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup");
+	if (!file_exists(FREERADIUS_BASE . "/etc/raddb/policy.conf.backup")) {
+		log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/policy.conf.backup");
+		copy(FREERADIUS_BASE . "/etc/raddb/policy.conf", FREERADIUS_BASE . "/etc/raddb/policy.conf.backup");
 	}
 
 	// creating a backup file of the original /modules/files no matter if user checked this or not
-	if (!file_exists("/usr/local/etc/raddb/files.backup")) {
-		log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup");
-		copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup");
+	if (!file_exists(FREERADIUS_BASE . "/etc/raddb/files.backup")) {
+		log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/files.backup");
+		copy(FREERADIUS_BASE . "/etc/raddb/modules/files", FREERADIUS_BASE . "/etc/raddb/files.backup");
 	}
 
 	// Disable virtual-server we do not need by default
-	if (file_exists("/usr/local/etc/raddb/sites-enabled/control-socket")) { unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); }
-	if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); }
-
-	// We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture.
-	if (!file_exists("/usr/local/lib/libasn1.so.10") || !file_exists("/usr/local/lib/libgssapi.so.10") || !file_exists("/usr/local/lib/libheimntlm.so.10") || !file_exists("/usr/local/lib/libhx509.so.10") || !file_exists("/usr/local/lib/ldd/libkrb5.so.10") || !file_exists("/usr/local/lib/libroken.so.10")) {
-		// For i386 systems
-		if (exec("uname -m") == "i386") {
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10");
-			exec("chmod 0755 /usr/local/lib/libasn1.so.10");
-			exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
-			exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
-			exec("chmod 0755 /usr/local/lib/libhx509.so.10");
-			exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
-			exec("chmod 0755 /usr/local/lib/libroken.so.10");
-		}
-		// For amd64 systems
-		else {
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10");
-			exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10");
-			exec("chmod 0755 /usr/local/lib/libasn1.so.10");
-			exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
-			exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
-			exec("chmod 0755 /usr/local/lib/libhx509.so.10");
-			exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
-			exec("chmod 0755 /usr/local/lib/libroken.so.10");
-		}
-	}
+	if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket"); }
+	if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel"); }
+
 	// We run this here just to suppress some warnings on syslog if file doesn't exist
 	freeradius_authorizedmacs_resync();
 
@@ -139,8 +121,8 @@ function freeradius_install_command() {
 
 	$rcfile = array();
 	$rcfile['file'] = 'radiusd.sh';
-	$rcfile['start'] = '/usr/local/etc/rc.d/radiusd onestart';
-	$rcfile['stop'] = '/usr/local/etc/rc.d/radiusd onestop';
+	$rcfile['start'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestart';
+	$rcfile['stop'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestop';
 	write_rcfile($rcfile);
 		conf_mount_ro();
 	start_service("radiusd");
@@ -150,6 +132,9 @@ function freeradius_settings_resync() {
 	global $config;
 	$conf = '';
 
+	// put the constant to a variable
+	$varFREERADIUS_BASE = FREERADIUS_BASE;
+
 	// We do some checks of some folders which will be deleted after reboot on nanobsd systems
 	if (!file_exists("/var/log/radacct/")) { exec("mkdir /var/log/radacct"); }
 	if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); }
@@ -218,7 +203,7 @@ function freeradius_settings_resync() {
 
 
 	$conf .= <<<EOD
-prefix = /usr/local
+prefix = $varFREERADIUS_BASE
 exec_prefix = \${prefix}
 sysconfdir = \${prefix}/etc
 localstatedir = /var
@@ -257,7 +242,7 @@ extended_expressions = $varsettingsextendedexpressions
 EOD;
 
 // Deletes virtual-server coa by default. Will be re-enabled if there is an interface-type "coa"
-exec("rm -f /usr/local/etc/raddb/sites-enabled/coa");
+exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/coa");
 
 $arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config'];
 	if (is_array($arrinterfaces)  && !empty($arrinterfaces)) {
@@ -284,7 +269,7 @@ EOD;
 			// Begin "if" for interface-type = coa
 			if ($item['varinterfacetype'] == 'coa') {
 			// Enables virtual-server coa because interface-type is coa
-			exec("ln -s /usr/local/etc/raddb/sites-available/coa /usr/local/etc/raddb/sites-enabled/");
+			exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/coa " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/");
 			$conf .= <<<EOD
 listen {
 		type = $varinterfacetype
@@ -375,7 +360,7 @@ instantiate {
 EOD;
 
 	conf_mount_rw();
-	file_put_contents(RADDB . '/radiusd.conf', $conf);
+	file_put_contents(FREERADIUS_BASE . '/etc/raddb/radiusd.conf', $conf);
 	conf_mount_ro();
 	
 	// "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
@@ -405,6 +390,18 @@ if (is_array($arrusers) && !empty($arrusers)) {
 	$varusersusername = $users['varusersusername'];
 	$varuserspassword = $users['varuserspassword'];
 	
+
+	// Check password encryption
+	$varuserspasswordencryption = ($users['varuserspasswordencryption']?$users['varuserspasswordencryption']:'Cleartext-Password');
+		switch ($varuserspasswordencryption) {
+			case "MD5-Password":
+				$varuserspassword = md5($varuserspassword);
+				break;
+			default:
+				$varuserspassword = $users['varuserspassword'];
+		}
+	
+		
 	$varusersmotpinitsecret = $users['varusersmotpinitsecret'];
 	$varusersmotppin = $users['varusersmotppin'];
 	$varusersmotpoffset = ($users['varusersmotpoffset']?$users['varusersmotpoffset']:'0');
@@ -482,7 +479,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
 			}
 			else {
 				// Add the user attributes to each user.
-				$varuserscheckitem = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"';
+				$varuserscheckitem = '"' . $varusersusername . '"' . " $varuserspasswordencryption := " . '"' . $varuserspassword .'"';
 			}
 		} // end of check if otp is enabled
 	
@@ -553,7 +550,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
 	if ($varusersmaxtotaloctets != '') {
 		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
 		//create exec script
-		$varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"';
+		$varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"';
 		// create limit file - will be always overwritten so we can increase limit from GUI
 		exec("`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`");
 		// if used-octets file exist we do NOT overwrite this file!!!
@@ -581,7 +578,7 @@ EOD;
 	} //end foreach
 } // end if
 
-	$filename = RADDB . '/users';
+	$filename = FREERADIUS_BASE . '/etc/raddb/users';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -734,7 +731,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) {
 	if ($varmacsmaxtotaloctets != '') {
 		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
 		//create exec script
-		$varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"';
+		$varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"';
 		// create limit file - will be always overwritten so we can increase limit from GUI
 		exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`");
 		// if used-octets file exist we do NOT overwrite this file!!!
@@ -762,7 +759,7 @@ EOD;
 	} //end foreach
 } // end if
 
-	$filename = RADDB . '/authorized_macs';
+	$filename = FREERADIUS_BASE . '/etc/raddb/authorized_macs';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -833,7 +830,7 @@ EOD;
 	}
 
 	conf_mount_rw();
-	file_put_contents(RADDB . '/clients.conf', $conf);
+	file_put_contents(FREERADIUS_BASE . '/etc/raddb/clients.conf', $conf);
 	conf_mount_ro();
 	
 	freeradius_sync_on_changes();
@@ -901,12 +898,12 @@ function freeradius_eapconf_resync() {
 	// This is for enable/disbable MS SoH in EAP-PEAP and the virtuial-server "soh-server"
 	if ($eapconf['vareapconfpeapsohenable'] == 'Enable') {
 		$vareapconfpeapsoh = 'soh = yes' . "\n\t\t\tsoh_virtual_server = " . '"' . "soh-server" . '"';
-		exec("ln -s /usr/local/etc/raddb/sites-available/soh /usr/local/etc/raddb/sites-enabled/");
+		exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/soh " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/");
 	}
 	else {
 		$vareapconfpeapsoh = '### MS SoH Server is disabled ###';
-			if (file_exists("/usr/local/etc/raddb/sites-enabled/soh")) {
-			exec("rm -f /usr/local/etc/raddb/sites-enabled/soh");
+			if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh")) {
+			exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh");
 			}
 	}
 		
@@ -920,33 +917,33 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
 		$ca_cert = lookup_ca($eapconf["ssl_ca_cert"]);
 		if ($ca_cert != false) {
 			if(base64_decode($ca_cert['prv'])) {
-				file_put_contents(RADDB . "/certs/ca_key.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_key.pem", 
 					base64_decode($ca_cert['prv']));
-				$conf['ssl_ca_key'] = RADDB . '/certs/ca_key.pem';
+				$conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_key.pem';
 			}
 
 
 			if(base64_decode($ca_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/ca_cert.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", 
 					base64_decode($ca_cert['crt']));
-				$conf['ssl_ca_cert'] = RADDB . "/certs/ca_cert.pem";
+				$conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem";
 			}
 
 
 			$svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
 			if ($svr_cert != false) {
 				if(base64_decode($svr_cert['prv'])) {
-					file_put_contents(RADDB . "/certs/server_key.pem", 
+					file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_key.pem", 
 						base64_decode($svr_cert['prv']));
-					$conf['ssl_key'] = RADDB . '/certs/server_key.pem';
+					$conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/server_key.pem';
 				}
 			}
 
 
 			if(base64_decode($svr_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/server_cert.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem", 
 					base64_decode($svr_cert['crt']));
-				$conf['ssl_server_cert'] = RADDB . "/certs/server_cert.pem";
+				$conf['ssl_server_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem";
 			}
 			
 			
@@ -954,23 +951,23 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
 				$svr_cert = lookup_cert($eapconf["ssl_client_cert"]);
 				if ($svr_cert != false) {
 					if(base64_decode($svr_cert['prv'])) {
-						file_put_contents(RADDB . "/certs/client_key.pem", 
+						file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem", 
 							base64_decode($svr_cert['prv']));
-						$conf['ssl_key'] = RADDB . '/certs/client_key.pem';
+						$conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/client_key.pem';
 					}
 				}
 
 
 				if(base64_decode($svr_cert['crt'])) {
-					file_put_contents(RADDB . "/certs/client_cert.pem", 
+					file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem", 
 						base64_decode($svr_cert['crt']));
-					$conf['ssl_client_cert'] = RADDB . "/certs/client_cert.pem";
+					$conf['ssl_client_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem";
 				}
 			
-			exec("openssl pkcs12 -export -in /usr/local/etc/raddb/certs/client_cert.pem -inkey /usr/local/etc/raddb/certs/client_key.pem -out /usr/local/etc/raddb/certs/client_cert.p12 -passout pass\:");	
+			exec("openssl pkcs12 -export -in " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem -inkey " . FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem -out " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.p12 -passout pass\:");	
 			}
 			
-			$conf['ssl_cert_dir'] = RADDB . '/certs';
+			$conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs';
 		}
 
 	$vareapconfprivatekeyfile = 'server_key.pem';
@@ -979,11 +976,11 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
 	
 	// generate new DH and RANDOM file
 	// We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files
-	if (!file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) {
-		log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs");
-		exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
-		exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
-		exec("touch /usr/local/etc/raddb/certs/pfsense_cert_mgr");
+	if (!file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) {
+		log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
+		exec("touch " . FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr");
 	}
 }
 
@@ -1078,7 +1075,7 @@ else {
 	}
 EOD;
 
-	$filename = RADDB . '/eap.conf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/eap.conf';
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
 	conf_mount_ro();
@@ -1232,7 +1229,7 @@ sql sql2 {
 }
 EOD;
 
-	$filename = RADDB . '/sql.conf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/sql.conf';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2080,7 +2077,7 @@ post-proxy {
 }
 EOD;
 
-	$filename = RADDB . '/sites-available/default';
+	$filename = FREERADIUS_BASE . '/etc/raddb/sites-available/default';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2175,7 +2172,7 @@ authorityKeyIdentifier	= keyid:always,issuer:always
 basicConstraints	= CA:true
 EOD;
 
-	$filename = RADDB . '/certs/ca.cnf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/certs/ca.cnf';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2260,7 +2257,7 @@ emailAddress		= $varcertsserveremailaddress
 commonName		= "$varcertsservercommonname"
 EOD;
 
-	$filename = RADDB . '/certs/server.cnf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/certs/server.cnf';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2345,7 +2342,7 @@ emailAddress		= $varcertsclientemailaddress
 commonName		= "$varcertsclientcommonname"
 EOD;
 
-	$filename = RADDB . '/certs/client.cnf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/certs/client.cnf';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2378,12 +2375,12 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
 		if ($arrcerts['varcertscreateclient'] == 'yes') {
 		
 		// delete all old certificates and keys
-		log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in /usr/local/etc/raddb/certs");
-		exec("rm -f /usr/local/etc/raddb/certs/client.csr");
-		exec("rm -f /usr/local/etc/raddb/certs/client.crt");
-		exec("rm -f /usr/local/etc/raddb/certs/client.key");
-		exec("rm -f /usr/local/etc/raddb/certs/client.pem");
-		exec("rm -f /usr/local/etc/raddb/certs/client.tar");
+		log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in " . FREERADIUS_BASE . "/etc/raddb/certs");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar");
 				
 			
 		// run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml
@@ -2391,21 +2388,21 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
 	
 	
 		// make bootstrap executable and run to create cert based on client.cnf files
-		exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
-		exec("/usr/local/etc/raddb/certs/bootstrap");
+		exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap");
+		exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap");
 			
 		// rename client generated XX.pem to client.pem // use regex to replace spaces and so on.
-		$varserial = preg_replace("/\s/","",file_get_contents('/usr/local/etc/raddb/certs/serial.old'));
-		if (file_exists("/usr/local/etc/raddb/certs/$varserial.pem"))
-		rename("/usr/local/etc/raddb/certs/$varserial.pem","/usr/local/etc/raddb/certs/client.pem");
+		$varserial = preg_replace("/\s/","",file_get_contents(FREERADIUS_BASE . '/etc/raddb/certs/serial.old'));
+		if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem"))
+		rename(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem",FREERADIUS_BASE . "/etc/raddb/certs/client.pem");
 		
 		
 		// tar client-cert files
-		exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
 		
 		// Make all files in certs folder read/write only for root
-		exec("chmod -R 0600 /usr/local/etc/raddb/certs/");
-		log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in /usr/local/etc/raddb/certs/client.tar");
+		exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/");
+		log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar");
 		}
 	}
 	else {
@@ -2413,18 +2410,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
 		if ($arrcerts['varcertsdeleteall'] == 'yes') {
 	
 		// delete all old certificates and keys - deletes certs from pfsense cert-manager IN THIS FOLDER, too.
-		log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in /usr/local/etc/raddb/certs");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.pem && rm -f /usr/local/etc/raddb/certs/server.pem && rm -f /usr/local/etc/raddb/certs/client.pem");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.der && rm -f /usr/local/etc/raddb/certs/server.der && rm -f /usr/local/etc/raddb/certs/client.der");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.csr && rm -f /usr/local/etc/raddb/certs/server.csr && rm -f /usr/local/etc/raddb/certs/client.csr");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.crt && rm -f /usr/local/etc/raddb/certs/server.crt && rm -f /usr/local/etc/raddb/certs/client.crt");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.key && rm -f /usr/local/etc/raddb/certs/server.key && rm -f /usr/local/etc/raddb/certs/client.key");
-		exec("rm -f /usr/local/etc/raddb/certs/ca.p12 && rm -f /usr/local/etc/raddb/certs/server.p12 && rm -f /usr/local/etc/raddb/certs/client.p12");
-		exec("rm -f /usr/local/etc/raddb/certs/serial*");
-		exec("rm -f /usr/local/etc/raddb/certs/index*");
-		exec("rm -f /usr/local/etc/raddb/certs/dh");
-		exec("rm -f /usr/local/etc/raddb/certs/random");
-		exec("rm -f /usr/local/etc/raddb/certs/client.tar");
+		log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in " . FREERADIUS_BASE . "/etc/raddb/certs");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.der && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.der && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.der");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.p12");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/serial*");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/index*");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/dh");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/random");
+		exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar");
 		
 	
 		// run fuctions to create new .cnf files based on user input from freeradiuscert.xml
@@ -2433,28 +2430,28 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
 		freeradius_clientcertcnf_resync();
 		
 		// this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created
-		if (file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) {
-			unlink("/usr/local/etc/raddb/certs/pfsense_cert_mgr");
+		if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) {
+			unlink(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr");
 		}
 		
 		// generate new DH and RANDOM file
-		log_error("freeRADIUS: Creating new DH and random file in /usr/local/etc/raddb/certs");
-		exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024");
-		exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
+		log_error("freeRADIUS: Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10");
 		
-		log_error("freeRADIUS: Creating new CA, Server and Client certs in /usr/local/etc/raddb/certs");
+		log_error("freeRADIUS: Creating new CA, Server and Client certs in " . FREERADIUS_BASE . "/etc/raddb/certs");
 		// make bootstrap executable and run to create certs based on .cnf files
-		exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap");
-		exec("/usr/local/etc/raddb/certs/bootstrap");
+		exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap");
+		exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap");
 		
 		// rename client generated 02.pem to client.pem
-		if (file_exists("/usr/local/etc/raddb/certs/02.pem"))
-		rename("/usr/local/etc/raddb/certs/02.pem","/usr/local/etc/raddb/certs/client.pem");
+		if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/02.pem"))
+		rename(FREERADIUS_BASE . "/etc/raddb/certs/02.pem",FREERADIUS_BASE . "/etc/raddb/certs/client.pem");
 		
 		// tar client-cert files
-		exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
-		exec("chmod -R 0600 /usr/local/etc/raddb/certs/");
-		log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in /usr/local/etc/raddb/certs/client.tar");
+		exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
+		exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/");
+		log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar");
 		
 		// If there were changes on the certificates we need to restart freeradius
 		restart_service('radiusd');
@@ -2473,24 +2470,36 @@ conf_mount_ro();
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function freeradius_sync_on_changes() {
 	global $config, $g;
-	$varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];	
-	
+	$varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];
+	$varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];	
+
 	// if checkbox is NOT checked do nothing
 	if(!$varsyncenablexmlrpc) {
 		return;
 	}
-	
-	log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync).");	
+ 
+	log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds.");
 	
 	// if checkbox is checked get IP and password of the destination hosts
 	foreach ($config['installedpackages']['freeradiussync']['config'] as $rs ){
 		foreach($rs['row'] as $sh){
-			$varsyncprotocol 	= $sh['varsyncprotocol'];
-			$sync_to_ip 		= $sh['varsyncipaddress'];
-			$password   		= $sh['varsyncpassword'];
-			$varsyncport 		= $sh['varsyncport'];
-			if($password && $sync_to_ip && $varsyncport && $varsyncprotocol)
-				freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol);
+			// if checkbox is NOT checked do nothing
+			if($sh['varsyncdestinenable']) {
+				$varsyncprotocol 	= $sh['varsyncprotocol'];
+				$sync_to_ip 		= $sh['varsyncipaddress'];
+				$password   		= $sh['varsyncpassword'];
+				$varsyncport 		= $sh['varsyncport'];
+				// check if all credentials are complete for this host
+				if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) {
+					freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol);
+				}
+				else {
+					log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!");
+				}
+			}
+			else {
+				log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
+			}
 		}
 	}
 	log_error("FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync).");
@@ -2500,6 +2509,14 @@ function freeradius_sync_on_changes() {
 function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol) {
 	global $config, $g;
 
+	$varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
+
+	if($varsynctimeout == '' || $varsynctimeout == 0) {
+		$varsynctimeout = 150;
+	}
+
+	// log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds.");
+
 	if(!$password)
 		return;
 
@@ -2539,15 +2556,15 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
 	$cli->setCredentials('admin', $password);
 		if($g['debug'])
 			$cli->setDebug(1);
-		/* send our XMLRPC message and timeout after 150 seconds */
-		$resp = $cli->send($msg, "150");
+		/* send our XMLRPC message and timeout after $varsynctimeout seconds */
+		$resp = $cli->send($msg, $varsynctimeout);
 		if(!$resp) {
 			$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}.";
 			log_error("FreeRADIUS: $error");
 			file_notice("sync_settings", $error, "freeradius Settings Sync", "");
 		} elseif($resp->faultCode()) {
 			$cli->setDebug(1);
-			$resp = $cli->send($msg, "150");
+			$resp = $cli->send($msg, $varsynctimeout);
 			$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 			log_error("FreeRADIUS: $error");
 			file_notice("sync_settings", $error, "freeradius Settings Sync", "");
@@ -2571,14 +2588,14 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
 	$msg = new XML_RPC_Message($method, $params);
 	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
 	$cli->setCredentials('admin', $password);
-		$resp = $cli->send($msg, "150");
+		$resp = $cli->send($msg, $varsynctimeout);
 		if(!$resp) {
 			$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php).";
 			log_error($error);
 			file_notice("sync_settings", $error, "freeradius Settings Sync", "");
 		} elseif($resp->faultCode()) {
 			$cli->setDebug(1);
-			$resp = $cli->send($msg, "150");
+			$resp = $cli->send($msg, $varsynctimeout);
 			$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 			log_error($error);
 			file_notice("sync_settings", $error, "freeradius Settings Sync", "");
@@ -2600,7 +2617,7 @@ function freeradius_all_after_XMLRPC_resync() {
 	
 	log_error("FreeRADIUS: Finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
 	
-	exec("/usr/local/etc/rc.d/radiusd onerestart");
+	exec(FREERADIUS_BASE . "/etc/rc.d/radiusd onerestart");
 }
 
 function freeradius_modulescounter_resync() {
@@ -2723,7 +2740,7 @@ counter forever {
 }
 EOD;
 
-	$filename = RADDB . '/modules/counter';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/counter';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2817,7 +2834,7 @@ nt-response=%{%{mschap:NT-Response}:-00}"
 }
 EOD;
 
-	$filename = RADDB . '/modules/mschap';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/mschap';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2862,7 +2879,7 @@ realm ntdomain {
 }
 EOD;
 
-	$filename = RADDB . '/modules/realm';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/realm';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -2913,37 +2930,37 @@ if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') {
 		$ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]);
 		if ($ca_cert != false) {
 			if(base64_decode($ca_cert['prv'])) {
-				file_put_contents(RADDB . "/certs/ca_ldap1_key.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_key.pem", 
 					base64_decode($ca_cert['prv']));
-				$conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap1_key.pem';
+				$conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap1_key.pem';
 			}
 
 
 			if(base64_decode($ca_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem", 
 					base64_decode($ca_cert['crt']));
-				$conf['ssl_ca_cert1'] = RADDB . "/certs/ca_ldap1_cert.pem";
+				$conf['ssl_ca_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem";
 			}
 
 
 			$svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]);
 			if ($svr_cert != false) {
 				if(base64_decode($svr_cert['prv'])) {
-					file_put_contents(RADDB . "/certs/radius_ldap1_cert.key", 
+					file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.key", 
 						base64_decode($svr_cert['prv']));
-					$conf['ssl_key'] = RADDB . '/certs/radius_ldap1_cert.key';
+					$conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap1_cert.key';
 				}
 			}
 
 
 			if(base64_decode($svr_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt", 
 					base64_decode($svr_cert['crt']));
-				$conf['ssl_server_cert1'] = RADDB . "/certs/radius_ldap1_cert.crt";
+				$conf['ssl_server_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt";
 			}
 
 
-			$conf['ssl_cert_dir'] = RADDB . '/certs';
+			$conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs';
 		}
 	$varmodulesldapstarttls = "yes";
 }
@@ -2960,37 +2977,37 @@ if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') {
 		$ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]);
 		if ($ca_cert != false) {
 			if(base64_decode($ca_cert['prv'])) {
-				file_put_contents(RADDB . "/certs/ca_ldap2_key.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_key.pem", 
 					base64_decode($ca_cert['prv']));
-				$conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap2_key.pem';
+				$conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap2_key.pem';
 			}
 
 
 			if(base64_decode($ca_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/ca_ldap2_cert.pem", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem", 
 					base64_decode($ca_cert['crt']));
-				$conf['ssl_ca_cert2'] = RADDB . "/certs/ca_ldap2_cert.pem";
+				$conf['ssl_ca_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem";
 			}
 
 
 			$svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]);
 			if ($svr_cert != false) {
 				if(base64_decode($svr_cert['prv'])) {
-					file_put_contents(RADDB . "/certs/radius_ldap2_cert.key", 
+					file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.key", 
 						base64_decode($svr_cert['prv']));
-					$conf['ssl_key'] = RADDB . '/certs/radius_ldap2_cert.key';
+					$conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap2_cert.key';
 				}
 			}
 
 
 			if(base64_decode($svr_cert['crt'])) {
-				file_put_contents(RADDB . "/certs/radius_ldap2_cert.crt", 
+				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt", 
 					base64_decode($svr_cert['crt']));
-				$conf['ssl_server_cert2'] = RADDB . "/certs/radius_ldap2_cert.crt";
+				$conf['ssl_server_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt";
 			}
 
 
-			$conf['ssl_cert_dir'] = RADDB . '/certs';
+			$conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs';
 		}
 	$varmodulesldap2starttls = "yes";
 }
@@ -3113,7 +3130,7 @@ else {
 	$varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60');
 	$varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3');
 	$varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3');
-	
+$raddb = FREERADIUS_BASE . '/etc/raddb';
 $conf .= <<<EOD
 # -*- text -*-
 #
@@ -3193,11 +3210,11 @@ ldap {
 		# using ldaps (port 689) connections
 		start_tls = $varmodulesldapstarttls
 
-		cacertfile = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
-		cacertdir = /usr/local/etc/raddb/certs/
-		certfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
-		keyfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
-		randfile = /usr/local/etc/raddb/certs/random
+		cacertfile = {$raddb}/certs/ca_ldap1_cert.pem
+		cacertdir = {$raddb}/certs/
+		certfile = {$raddb}/certs/radius_ldap1_cert.crt
+		keyfile = {$raddb}/certs/radius_ldap1_cert.key
+		randfile = {$raddb}/certs/random
 
 		#  Certificate Verification requirements.  Can be:
 		#    "never" (don't even bother trying)
@@ -3352,11 +3369,11 @@ ldap ldap2{
 		# using ldaps (port 689) connections
 		start_tls = $varmodulesldap2starttls
 
-		cacertfile = /usr/local/etc/raddb/certs/ca_ldap2_cert.pem
-		cacertdir = /usr/local/etc/raddb/certs/
-		certfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.crt
-		keyfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.key
-		randfile = /usr/local/etc/raddb/certs/random
+		cacertfile = {$raddb}/certs/ca_ldap2_cert.pem
+		cacertdir = {$raddb}/certs/
+		certfile = {$raddb}/certs/radius_ldap2_cert.crt
+		keyfile = {$raddb}/certs/radius_ldap2_cert.key
+		randfile = {$raddb}/certs/random
 
 		#  Certificate Verification requirements.  Can be:
 		#    "never" (don't even bother trying)
@@ -3462,7 +3479,7 @@ ldap ldap2{
 }
 EOD;
 
-	$filename = RADDB . '/modules/ldap';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/ldap';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -3483,29 +3500,29 @@ function freeradius_plainmacauth_resync() {
 	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
 	
 	// defining variables with filename path
-	$filepolicyconf = '/usr/local/etc/raddb/policy.conf';
-	$filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup';
-	$filemodulesfiles = '/usr/local/etc/raddb/modules/files';
-	$filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup';
+	$filepolicyconf = FREERADIUS_BASE . '/etc/raddb/policy.conf';
+	$filepolicyconfbackup = FREERADIUS_BASE . '/etc/raddb/policy.conf.backup';
+	$filemodulesfiles = FREERADIUS_BASE . '/etc/raddb/modules/files';
+	$filemodulesfilesbackup = FREERADIUS_BASE . '/etc/raddb/files.backup';
 	
 	// If unchecked then plain mac auth is disabled and backups of the original files will be restored
 	if ($varsettings['varsettingsenablemacauth'] == '') {
 		// This is a check - only restore files if they aren't already
-		if (file_exists("/usr/local/etc/raddb/plain_macauth_enabled")) {
+		if (file_exists(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled")) {
 			log_error("FreeRADIUS: Plain-MAC-Auth disabled. Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}");
 			copy($filepolicyconfbackup, $filepolicyconf);
 			copy($filemodulesfilesbackup, $filemodulesfiles);
-			unlink("/usr/local/etc/raddb/plain_macauth_enabled");
+			unlink(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled");
 			freeradius_serverdefault_resync();
 		}
 	}
 	// If checked then plain mac auth is enabled
 	else {
 		// This is a check - only modify files if they aren't already
-		if (!file_exists("/usr/local/etc/raddb/plain_macauth_enabled")) {
+		if (!file_exists(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled")) {
 			freeradius_modulesfiles_resync();
 			freeradius_policyconf_resync();
-			exec("cd /usr/local/etc/raddb/ && touch /usr/local/etc/raddb/plain_macauth_enabled");
+			exec("cd " . FREERADIUS_BASE . "/etc/raddb && touch " . FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled");
 			log_error("FreeRADIUS: Plain-MAC-Auth enabled. Modified {$filepolicyconf} and {$filemodulesfiles}");
 			freeradius_serverdefault_resync();
 		}
@@ -3567,7 +3584,7 @@ files authorized_macs {
 }
 EOD;
 
-	$filename = RADDB . '/modules/files';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/files';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -3793,7 +3810,7 @@ policy {
 }
 EOD;
 
-	$filename = RADDB . '/policy.conf';
+	$filename = FREERADIUS_BASE . '/etc/raddb/policy.conf';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -3816,21 +3833,33 @@ function freeradius_motp_resync() {
 	
 	// check if disabled then we delete bash und otpverify.sh script
 	if ($varsettings['varsettingsmotpenable'] == '') {
-		if (file_exists("/usr/local/etc/raddb/scripts/otpverify.sh")) {
-			unlink("/usr/local/etc/raddb/scripts/otpverify.sh");
+		if (file_exists(FREERADIUS_BASE . "/etc/raddb/scripts/otpverify.sh")) {
+			unlink(FREERADIUS_BASE . "/etc/raddb/scripts/otpverify.sh");
 		}
 		if (exec("cd /var/db/pkg && ls | grep bash") == "bash-4.1.7") {
 			exec("cd /var/db/pkg && pkg_delete `ls | grep bash`");
 			log_error('FreeRADIUS: Uninstalling package "bash-4.1.7" which comes with Mobile-One-Time-Password (motp).');
 		}
+		if (exec("cd /var/db/pkg && ls | grep bash") == "bash-4.2.20") {
+			exec("cd /var/db/pkg && pkg_delete `ls | grep bash`");
+			log_error('FreeRADIUS: Uninstalling package "bash-4.2.20" which comes with Mobile-One-Time-Password (motp).');
+		}
 	}
 	
 	// check if enabled then we need to download "bash"
 	else {
-		if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.1.7") {
-			log_error('FreeRADIUS: Downloading and installing package "bash-4.1.7" to use Mobile-One-Time-Password (motp).');
-			exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/All/bash-4.1.7.tbz");
+		if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") {
+			if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.1.7") {
+				log_error('FreeRADIUS: Downloading and installing package "bash-4.1.7" to use Mobile-One-Time-Password (motp).');
+				exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/All/bash-4.1.7.tbz");
+			}
+		} else {
+			if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.2.20") {
+				log_error('FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp).');
+				exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz");
+			}
 		}
+		
 	
 	$conf .= <<<EOD
 #!/bin/bash
@@ -3950,7 +3979,7 @@ exit 11
 
 
 EOD;
-	$filename = RADDB . '/scripts/otpverify.sh';
+	$filename = FREERADIUS_BASE . '/etc/raddb/scripts/otpverify.sh';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0750);
@@ -3965,14 +3994,17 @@ function freeradius_modulesmotp_resync() {
 	global $config;
 	$conf = '';
 
+	// put the constant to a variable
+	$varFREERADIUS_BASE = FREERADIUS_BASE;
+
 	$conf .= <<<EOD
 exec motp {
 		wait = yes
-		program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
+		program = "/usr/local/bin/bash $varFREERADIUS_BASE/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
 	}	
 EOD;
 
-	$filename = RADDB . '/modules/motp';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/motp';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -3984,26 +4016,29 @@ function freeradius_modulesdatacounter_resync() {
 	global $config;
 	$conf = '';
 
+	// put the constant to a variable
+	$varFREERADIUS_BASE = FREERADIUS_BASE;
+
 	$conf .= <<<EOD
 exec datacounterdaily {
 		wait = yes
-		program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+		program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
 	}
 exec datacounterweekly {
 		wait = yes
-		program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+		program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
 	}
 exec datacountermonthly {
 		wait = yes
-		program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+		program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
 	}
 exec datacounterforever {
 		wait = yes
-		program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+		program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
 	}	
 EOD;
 
-	$filename = RADDB . '/modules/datacounter_acct';
+	$filename = FREERADIUS_BASE . '/etc/raddb/modules/datacounter_acct';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -4034,15 +4069,15 @@ USEDOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octe
 	
 ### We check if MAX-OCTETS-USERNAME is greater than USED-OCTETS-USERNAME and accept or reject the user
 if [ `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"` -gt `cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"` ]; then
-	logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!"
+	logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!"
 	exit 0
 else
-	logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!"
+	logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!"
 	exit 99
 fi
 EOD;
 
-	$filename = RADDB . '/scripts/datacounter_auth.sh';
+	$filename = FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0750);
@@ -4090,7 +4125,7 @@ fi
 
 EOD;
 
-	$filename = RADDB . '/scripts/datacounter_acct.sh';
+	$filename = FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_acct.sh';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0750);
@@ -4158,7 +4193,7 @@ ATTRIBUTE 		MOTP-Offset 			902 	string
 
 EOD;
 
-	$filename = RADDB . '/dictionary';
+	$filename = FREERADIUS_BASE . '/etc/raddb/dictionary';
 	conf_mount_rw();
 	file_put_contents($filename, $conf);
 	chmod($filename, 0640);
@@ -4166,4 +4201,4 @@ EOD;
 
 }
 
-?>
\ No newline at end of file
+?>