path: root/config/freeradius2/freeradius.inc
Diffstat (limited to 'config/freeradius2/freeradius.inc')
-rwxr-xr-xconfig/freeradius2/freeradius.inc349
1 files changed, 319 insertions, 30 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 6b1cfb9d..52456822 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -281,7 +281,10 @@ instantiate {
exec
expr
- #daily
+ daily
+ weekly
+ monthly
+ forever
expiration
logintime
### Dis-/Enable sql instatiate
@@ -299,6 +302,9 @@ EOD;
// "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
freeradius_serverdefault_resync();
+ freeradius_modulescounter_resync();
+ freeradius_modulesmschap_resync();
+ freeradius_modulesrealm_resync();
restart_service("freeradius");
}
@@ -348,45 +354,57 @@ if (is_array($arrusers) && !empty($arrusers)) {
}
// Empty variable
- $varusersmainoptions = '';
+ $varuserscheckitem = '';
+ $varusersreplyitem = '';
// Add the user attributes to each user.
- $varusersmainoptions = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"';
+ $varuserscheckitem = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"';
+ // Add additional CHECK-ITEMS here. Different formatting in "users" file needed.
if ($varuserssimultaneousconnect != '') {
- $varusersmainoptions .= "\n\tSimultaneous-Use := $varuserssimultaneousconnect";
+ $varuserscheckitem .= ", Simultaneous-Use := " . '"' . $varuserssimultaneousconnect . '"';
}
if ($varusersexpiration != '') {
- $varusersmainoptions .= ",\n\tExpiration := " . '"' . $varusersexpiration . '"';
+ $varuserscheckitem .= ", Expiration := " . '"' . $varusersexpiration . '"';
}
if ($varuserslogintime != '') {
- $varusersmainoptions .= ",\n\tLogin-Time := " . '"' . $varuserslogintime . '"';
+ $varuserscheckitem .= ", Login-Time := " . '"' . $varuserslogintime . '"';
}
- if ($varuserssessiontimeout != '') {
- $varusersmainoptions .= ",\n\tSession-Timeout := $varuserssessiontimeout";
- }
+
+ // Add additional REPLY-ITEMS here. Different formatting in "users" file needed.
if ($varusersframedipaddress != '') {
- $varusersmainoptions .= ",\n\tFramed-IP-Address = $varusersframedipaddress";
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\tFramed-IP-Address = $varusersframedipaddress";
}
if ($varusersframedipnetmask != '') {
- $varusersmainoptions .= ",\n\tFramed-IP-Netmask = $varusersframedipnetmask";
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\tFramed-IP-Netmask = $varusersframedipnetmask";
}
if ($varusersframedroute != '') {
- $varusersmainoptions .= ",\n\tFramed-Route = " . '"' . $varusersframedroute . '"';
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\tFramed-Route = " . '"' . $varusersframedroute . '"';
+ }
+ if ($varuserssessiontimeout != '') {
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\tSession-Timeout := $varuserssessiontimeout";
}
if ($varusersvlanid != '') {
- $varusersmainoptions .= ",\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . '"';
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . '"';
}
if ($varusersadditionaloptionsbottom != '') {
- $varusersmainoptions .= ",\n\t$varusersadditionaloptionsbottom";
+ if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
+ $varusersreplyitem .= "\n\t$varusersadditionaloptionsbottom";
}
- // Cosmetic fix - This is just to make a blank new line after each user entry
- $varusersmainoptions .= "\n\n";
+
+ // Cosmetic fix - This is just to make a blank new line after each user entry
+ $varusersreplyitem .= "\n\n";
$conf .= <<<EOD
$varusersadditionaloptionstop
-$varusersmainoptions
+$varuserscheckitem
+ $varusersreplyitem
EOD;
} //end foreach
} // end if
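Review bot: The quoted values assembled at L41–L53 and L71–L82 are dropped into the `users` file verbatim, so a double quote or a line break in a username, password, Expiration, Login-Time, Framed-Route or VLAN id (presumably taken from the package GUI config, assigned above this hunk) either ends the quoted value early or starts a new `users` entry; at best radiusd rejects the file on the next restart, at worst a crafted value injects its own check/reply items (a `DEFAULT` line with `Auth-Type := Accept`, say). Strip CR/LF and escape backslash and double quote before quoting, via one helper used for every quoted value (FreeRADIUS unescapes `\"` and `\\` inside double-quoted values — confirm on the target version). Separately, the heredoc at L97–L98 puts a space before `$varusersreplyitem`, which itself starts with `\n\t`, so every entry gets a line holding a lone space between the check items and the first reply line; verify rlm_files tolerates a whitespace-only line there, otherwise drop the leading space on L98. The enclosing function begins before this hunk.
```php
// Quote a value for the FreeRADIUS "users" file: remove line breaks so a value
// can never start a new entry, and escape backslash and double quote.
function freeradius_users_quote($value) {
	$value = str_replace(array("\r", "\n"), '', $value);
	return '"' . addcslashes($value, "\\\"") . '"';
}
// … unchanged: loop over $arrusers and per-user variable assignments …
$varuserscheckitem = freeradius_users_quote($varusersusername) . " Cleartext-Password := " . freeradius_users_quote($varuserspassword);
// … unchanged: remaining check items and reply items, each quoted value passed through freeradius_users_quote() …
```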
@@ -610,8 +628,6 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') {
default_eap_type = $vareapconfttlsdefaulteaptype
copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel
use_tunneled_reply = $vareapconfttlsusetunneledreply
- ### if disabled this will be processed by the virtual server called "default"
- # virtual_server = "inner-tunnel"
# include_length = yes
} ### end ttls
@@ -621,10 +637,8 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') {
copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel
use_tunneled_reply = $vareapconfpeapusetunneledreply
# proxy_tunneled_request_as_eap = yes
- ### if disabled this will be processed by the virtual server called "default"
- # virtual_server = "inner-tunnel"
- # soh = yes
- # soh_virtual_server = "soh-server"
+ soh = yes
+ soh_virtual_server = "soh"
}
mschapv2 {
# send_error = no
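Review bot: `soh_virtual_server = "soh"` at L119 points at a virtual server that this hunk does not define, while the stock FreeRADIUS 2 configuration and the removed comment at L117 name it `soh-server`; unless a `server soh { … }` section is generated elsewhere in this file, rlm_eap_peap will, as far as I recall, refuse to load on an unknown virtual server name and radiusd will not start. Either point it at the virtual server that is actually generated or leave SoH disabled until one exists. SoH is also switched on unconditionally here, unlike the neighbouring `copy_request_to_tunnel`/`use_tunneled_reply` options that come from GUI variables — consider `soh = \$vareapconfpeapsoh` style gating so non-NAP deployments are not affected.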
@@ -929,7 +943,7 @@ authorize {
# the other styles won't be checked.
#
suffix
-# ntdomain
+ ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
@@ -984,11 +998,14 @@ authorize {
#
# Enforce daily limits on time spent logged in.
-# daily
+ daily
+ weekly
+ monthly
+ forever
#
# Use the checkval module
-# checkval
+ checkval
expiration
logintime
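Review bot: The four counters enabled at L135–L138 only act when their `check-name` (`Max-Daily-Session` etc.) is already in the control items, and the counter config this diff adds says they must come after whatever sets it, i.e. after `files`; the `files` call is not visible in this hunk, so verify it precedes these lines, otherwise per-user limits from the `users` file are never enforced. All four instances also use `reply-name = Session-Timeout`, and the generated `users` file now emits `Session-Timeout :=` as a reply item, so decide whether a user-configured timeout should override the remaining counter time or be the smaller of the two, and document the intended precedence in a comment above `daily`. `checkval` at L142 relies on the stock modules/checkval instance, which this diff does not regenerate.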
@@ -1160,7 +1177,7 @@ preacct {
# home server as authentication requests.
# IPASS
suffix
-# ntdomain
+ ntdomain
#
# Read the 'acct_users' file
@@ -1176,7 +1193,10 @@ accounting {
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
-# daily
+ daily
+ weekly
+ monthly
+ forever
# Update the wtmp file
#
@@ -1375,7 +1395,7 @@ pre-proxy {
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
-# attr_filter.pre-proxy
+ attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
@@ -1399,7 +1419,7 @@ post-proxy {
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
-# attr_filter.post-proxy
+ attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
@@ -1941,4 +1961,273 @@ function freeradius_all_after_XMLRPC_resync() {
exec("/usr/local/etc/rc.d/radiusd onerestart");
}
+function freeradius_modulescounter_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+# -*- text -*-
+#
+# $Id$
+
+# counter module:
+# This module takes an attribute (count-attribute).
+# It also takes a key, and creates a counter for each unique
+# key. The count is incremented when accounting packets are
+# received by the server. The value of the increment depends
+# on the attribute type.
+# If the attribute is Acct-Session-Time or of an integer type we add
+# the value of the attribute. If it is anything else we increase the
+# counter by one.
+#
+# The 'reset' parameter defines when the counters are all reset to
+# zero. It can be hourly, daily, weekly, monthly or never.
+#
+# hourly: Reset on 00:00 of every hour
+# daily: Reset on 00:00:00 every day
+# weekly: Reset on 00:00:00 on sunday
+# monthly: Reset on 00:00:00 of the first day of each month
+#
+# It can also be user defined. It should be of the form:
+# num[hdwm] where:
+# h: hours, d: days, w: weeks, m: months
+# If the letter is ommited days will be assumed. In example:
+# reset = 10h (reset every 10 hours)
+# reset = 12 (reset every 12 days)
+#
+#
+# The check-name attribute defines an attribute which will be
+# registered by the counter module and can be used to set the
+# maximum allowed value for the counter after which the user
+# is rejected.
+# Something like:
+#
+# DEFAULT Max-Daily-Session := 36000
+# Fall-Through = 1
+#
+# You should add the counter module in the instantiate
+# section so that it registers check-name before the files
+# module reads the users file.
+#
+# If check-name is set and the user is to be rejected then we
+# send back a Reply-Message and we log a Failure-Message in
+# the radius.log
+#
+# If the count attribute is Acct-Session-Time then on each
+# login we send back the remaining online time as a
+# Session-Timeout attribute ELSE and if the reply-name is
+# set, we send back that attribute. The reply-name attribute
+# MUST be of an integer type.
+#
+# The counter-name can also be used instead of using the check-name
+# like below:
+#
+# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
+# Reply-Message = "You've used up more than one hour today"
+#
+# The allowed-servicetype attribute can be used to only take
+# into account specific sessions. For example if a user first
+# logs in through a login menu and then selects ppp there will
+# be two sessions. One for Login-User and one for Framed-User
+# service type. We only need to take into account the second one.
+#
+# The module should be added in the instantiate, authorize and
+# accounting sections. Make sure that in the authorize
+# section it comes after any module which sets the
+# 'check-name' attribute.
+#
+counter daily {
+ filename = \${raddbdir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ reply-name = Session-Timeout
+ cache-size = 5000
+}
+
+counter weekly {
+ filename = \${raddbdir}/db.weekly
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = weekly
+ counter-name = Weekly-Session-Time
+ check-name = Max-Weekly-Session
+ reply-name = Session-Timeout
+ cache-size = 5000
+}
+
+counter monthly {
+ filename = \${raddbdir}/db.monthly
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = monthly
+ counter-name = Monthly-Session-Time
+ check-name = Max-Monthly-Session
+ reply-name = Session-Timeout
+ cache-size = 5000
+}
+
+counter forever {
+ filename = \${raddbdir}/db.forever
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = never
+ counter-name = Forever-Session-Time
+ check-name = Max-Forever-Session
+ reply-name = Session-Timeout
+ cache-size = 5000
+}
+
+EOD;
+
+ $filename = RADDB . '/modules/counter';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+}
+
+function freeradius_modulesmschap_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+# -*- text -*-
+#
+# $Id$
+
+# Microsoft CHAP authentication
+#
+# This module supports MS-CHAP and MS-CHAPv2 authentication.
+# It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+ #
+ # If you are using /etc/smbpasswd, see the 'passwd'
+ # module for an example of how to use /etc/smbpasswd
+
+ # if use_mppe is not set to no mschap will
+ # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+ # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+ #
+# use_mppe = no
+
+ # if mppe is enabled require_encryption makes
+ # encryption moderate
+ #
+# require_encryption = yes
+
+ # require_strong always requires 128 bit key
+ # encryption
+ #
+# require_strong = yes
+
+ # Windows sends us a username in the form of
+ # DOMAIN\user, but sends the challenge response
+ # based on only the user portion. This hack
+ # corrects for that incorrect behavior.
+ #
+ with_ntdomain_hack = yes
+
+ # The module can perform authentication itself, OR
+ # use a Windows Domain Controller. This configuration
+ # directive tells the module to call the ntlm_auth
+ # program, which will do the authentication, and return
+ # the NT-Key. Note that you MUST have "winbindd" and
+ # "nmbd" running on the local machine for ntlm_auth
+ # to work. See the ntlm_auth program documentation
+ # for details.
+ #
+ # If ntlm_auth is configured below, then the mschap
+ # module will call ntlm_auth for every MS-CHAP
+ # authentication request. If there is a cleartext
+ # or NT hashed password available, you can set
+ # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+ # and the mschap module will do the authentication itself,
+ # without calling ntlm_auth.
+ #
+ # Be VERY careful when editing the following line!
+ #
+ # You can also try setting the user name as:
+ #
+ # ... --username=%{mschap:User-Name} ...
+ #
+ # In that case, the mschap module will look at the User-Name
+ # attribute, and do prefix/suffix checks in order to obtain
+ # the "best" user name for the request.
+ #
+# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --
+nt-response=%{%{mschap:NT-Response}:-00}"
+
+ # For Apple Server, when running on the same machine as
+ # Open Directory. It has no effect on other systems.
+ #
+# use_open_directory = yes
+
+ # On failure, set (or not) the MS-CHAP error code saying
+ # "retries allowed".
+# allow_retry = yes
+
+ # An optional retry message.
+# retry_msg = "Re-enter (or reset) the password"
+}
+
+EOD;
+
+ $filename = RADDB . '/modules/mschap';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+}
+
+function freeradius_modulesrealm_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+# 'realm/username'
+# Using this entry, IPASS users have their realm set to "IPASS".
+realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_null = yes
+ ignore_default = no
+}
+# 'username@realm'
+realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_null = yes
+ ignore_default = no
+}
+# 'username%realm'
+realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_null = yes
+ ignore_default = no
+}
+# 'domain\user'
+realm ntdomain {
+ format = prefix
+ ### 3 backslash in .inc will be 2 backslash in file and after starting radiusd just only one
+ delimiter = "\\\"
+ ignore_null = yes
+ ignore_default = no
+}
+EOD;
+
+ $filename = RADDB . '/modules/realm';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+}
+
?> \ No newline at end of file
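Review bot: `# $Id$` at L189 and L318 sits inside an unquoted heredoc, so PHP interpolates `$Id` as an undefined variable — every resync raises a notice and the generated module file gets `# $` — write it as `# \$Id\$` or drop the line. The ntlm_auth example at L380–L381 is split over two lines and only the first is commented, so if that break is really in the .inc (and not a rendering wrap) the generated modules/mschap contains a bare `nt-response=%{…}"` line inside `mschap { }`; keep the whole example on one commented line. `global $config;` is declared in all three new functions but never read. file_put_contents() at L305, L400 and L445 is unchecked; log a failure before conf_mount_ro() so a full or read-only filesystem does not silently leave a stale module file (the 0600 chmod is the right permission for these files).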