Diffstat (limited to 'config/freeradius2')
-rw-r--r-- | config/freeradius2/freeradius.inc | 127 | ||||
-rw-r--r-- | config/freeradius2/freeradius.xml | 2 | ||||
-rw-r--r-- | config/freeradius2/freeradiusauthorizedmacs.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusinterfaces.xml | 12 | ||||
-rw-r--r-- | config/freeradius2/freeradiusmodulesldap.xml | 98 |
5 files changed, 214 insertions, 29 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 7ef5f749..11aa4b3b 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -71,7 +71,7 @@ function freeradius_install_command() {
 exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
 exec("touch /var/log/radutmp && touch /var/log/radwtmp");
 exec("chown -R root:wheel /var/log");
-
+
 // creating a backup file of the original policy.conf no matter if user checked this or not
 if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) {
@@ -432,7 +432,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
 $varuserscheckitemsadditionaloptions = explode("|", ($users['varuserscheckitemsadditionaloptions']));
 $varusersadditionaloptionscheckitems .= '';
 foreach ($varuserscheckitemsadditionaloptions as $checkitemtmp) {
- $varusersadditionaloptionscheckitems .= $checkitemtmp;
+ $varusersadditionaloptionscheckitems .= "$checkitemtmp" . " ";
 }
 }
@@ -585,7 +585,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) {
 $varmacscheckitemsadditionaloptions = explode("|", ($macs['varmacscheckitemsadditionaloptions']));
 $varmacsadditionaloptionscheckitems .= '';
 foreach ($varmacscheckitemsadditionaloptions as $checkitemtmp) {
- $varmacsadditionaloptionscheckitems .= $checkitemtmp;
+ $varmacsadditionaloptionscheckitems .= "$checkitemtmp" . " ";
 }
 }
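Review bot: In the @@ -432 hunk, `"$checkitemtmp" . " "` interpolates a plain string variable only to append a space; `$checkitemtmp . ' '` reads the same, and the whole loop together with the preceding `.= ''` collapses to `$varusersadditionaloptionscheckitems .= implode(' ', $varuserscheckitemsadditionaloptions);`. Note that `implode()` emits no trailing space after the last item, whereas the loop does, so check whether the consumer of this string cares before switching. The @@ -585 hunk has the identical pattern for `$varmacsadditionaloptionscheckitems`. Both enclosing blocks start and end outside the hunks.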
@@ -2857,9 +2857,100 @@ function freeradius_modulesldap_resync() {
 $varmodulesldap2timelimit = ($arrmodulesldap['varmodulesldap2timelimit']?$arrmodulesldap['varmodulesldap2timelimit']:'3');
 $varmodulesldap2nettimeout = ($arrmodulesldap['varmodulesldap2nettimeout']?$arrmodulesldap['varmodulesldap2nettimeout']:'1');
- // Variables for TLS / Certificates - will be added later
+ // Variables for TLS / Certificates - ldap1
+ $varmodulesldaprequirecert = ($arrmodulesldap['varmodulesldaprequirecert']?$arrmodulesldap['varmodulesldaprequirecert']:'never');
+
+// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap1 module
+if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') {
+
+ $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]);
+ if ($ca_cert != false) {
+ if(base64_decode($ca_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/ca_ldap1_key.pem",
+ base64_decode($ca_cert['prv']));
+ $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap1_key.pem';
+ }
+ if(base64_decode($ca_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem",
+ base64_decode($ca_cert['crt']));
+ $conf['ssl_ca_cert1'] = RADDB . "/certs/ca_ldap1_cert.pem";
+ }
+
+
+ $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]);
+ if ($svr_cert != false) {
+ if(base64_decode($svr_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/radius_ldap1_cert.key",
+ base64_decode($svr_cert['prv']));
+ $conf['ssl_key'] = RADDB . '/certs/radius_ldap1_cert.key';
+ }
+ }
+
+
+ if(base64_decode($svr_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt",
+ base64_decode($svr_cert['crt']));
+ $conf['ssl_server_cert1'] = RADDB . "/certs/radius_ldap1_cert.crt";
+ }
+
+
+ $conf['ssl_cert_dir'] = RADDB . 
'/certs';
+ }
+ $varmodulesldapstarttls = "yes";
+}
+else {
+ $varmodulesldapstarttls = "no";
+}
+
+ // Variables for TLS / Certificates - ldap2
+ $varmodulesldap2requirecert = ($arrmodulesldap['varmodulesldap2requirecert']?$arrmodulesldap['varmodulesldap2requirecert']:'never');
+
+// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap2 module
+if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') {
+
+ $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]);
+ if ($ca_cert != false) {
+ if(base64_decode($ca_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/ca_ldap2_key.pem",
+ base64_decode($ca_cert['prv']));
+ $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap2_key.pem';
+ }
+
+
+ if(base64_decode($ca_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/ca_ldap2_cert.pem",
+ base64_decode($ca_cert['crt']));
+ $conf['ssl_ca_cert2'] = RADDB . "/certs/ca_ldap2_cert.pem";
+ }
+
+
+ $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]);
+ if ($svr_cert != false) {
+ if(base64_decode($svr_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/radius_ldap2_cert.key",
+ base64_decode($svr_cert['prv']));
+ $conf['ssl_key'] = RADDB . '/certs/radius_ldap2_cert.key';
+ }
+ }
+
+
+ if(base64_decode($svr_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/radius_ldap2_cert.crt",
+ base64_decode($svr_cert['crt']));
+ $conf['ssl_server_cert2'] = RADDB . "/certs/radius_ldap2_cert.crt";
+ }
+
+
+ $conf['ssl_cert_dir'] = RADDB . '/certs';
+ }
+ $varmodulesldap2starttls = "yes";
+}
+else {
+ $varmodulesldap2starttls = "no";
+}
+
 // Miscellaneous Configuration + MS Active Directory Compatibility ldap1
 $varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable');
 if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') {
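Review bot: The ldap1 block writes the CA's private key (`$ca_cert['prv']`) to `RADDB . "/certs/ca_ldap1_key.pem"`, but verifying an LDAP server only needs the CA certificate, so exporting the CA signing key into the raddb certs directory widens its exposure for no functional gain; the ldap2 block repeats this with `ca_ldap2_key.pem`. In both blocks the `if(base64_decode($svr_cert['crt']))` check sits outside the `if ($svr_cert != false)` guard (two closing braces precede it), so a failed `lookup_cert()` is indexed as an array, and the `file_put_contents()` calls that write `radius_ldap1_cert.key` / `radius_ldap2_cert.key` never set a restrictive mode, leaving the server private key with whatever the process umask grants. Both blocks also assign the same `$conf['ssl_key']` and `$conf['ssl_ca_key']` entries, so ldap2 silently overwrites ldap1's values; as far as this diff shows, the generated template hardcodes the paths and never reads `$conf`, so these may be dead assignments — confirm against the rest of the file. Below is the ldap1 certificate section rewritten to drop the CA key export, keep the server-cert check inside its guard and tighten the key file mode; ldap2 mirrors it. `freeradius_modulesldap_resync()` starts and ends outside the hunk.
```php
// … unchanged: $varmodulesldaprequirecert and the varmodulesldapenabletlssupport == 'on' test …
    $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]);
    if ($ca_cert !== false) {
        // Only the CA *certificate* is needed to verify the LDAP server's chain;
        // the CA private key ($ca_cert['prv']) is deliberately never written out.
        if (base64_decode($ca_cert['crt'])) {
            file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem", base64_decode($ca_cert['crt']));
            $conf['ssl_ca_cert1'] = RADDB . "/certs/ca_ldap1_cert.pem";
        }

        $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]);
        if ($svr_cert !== false) {
            if (base64_decode($svr_cert['prv'])) {
                file_put_contents(RADDB . "/certs/radius_ldap1_cert.key", base64_decode($svr_cert['prv']));
                // private key: readable by the owner only, independent of the caller's umask
                chmod(RADDB . "/certs/radius_ldap1_cert.key", 0600);
                $conf['ssl_key'] = RADDB . '/certs/radius_ldap1_cert.key';
            }
            // now inside the guard, so a failed lookup_cert() is never dereferenced
            if (base64_decode($svr_cert['crt'])) {
                file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt", base64_decode($svr_cert['crt']));
                $conf['ssl_server_cert1'] = RADDB . "/certs/radius_ldap1_cert.crt";
            }
        }
        $conf['ssl_cert_dir'] = RADDB . '/certs';
    }
// … unchanged: $varmodulesldapstarttls assignment and the mirrored ldap2 block …
```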
@@ -3054,13 +3145,13 @@ ldap {
 # The StartTLS operation is supposed to be
 # used with normal ldap connections instead of
 # using ldaps (port 689) connections
- start_tls = no
+ start_tls = $varmodulesldapstarttls
- # cacertfile = /path/to/cacert.pem
- # cacertdir = /path/to/ca/dir/
- # certfile = /path/to/radius.crt
- # keyfile = /path/to/radius.key
- # randfile = /path/to/rnd
+ cacertfile = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
+ cacertdir = /usr/local/etc/raddb/certs/
+ certfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
+ keyfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
+ randfile = /usr/local/etc/raddb/certs/random
 # Certificate Verification requirements. Can be:
 # "never" (don't even bother trying)
@@ -3069,7 +3160,7 @@ ldap {
 # "demand" (fail if the certificate doesn't verify.)
 #
 # The default is "allow"
- # require_cert = "demand"
+ require_cert = "$varmodulesldaprequirecert"
 }
 $varmodulesldapdefaultprofile
@@ -3213,13 +3304,13 @@ ldap ldap2{
 # The StartTLS operation is supposed to be
 # used with normal ldap connections instead of
 # using ldaps (port 689) connections
- start_tls = no
+ start_tls = $varmodulesldap2starttls
- # cacertfile = /path/to/cacert.pem
- # cacertdir = /path/to/ca/dir/
- # certfile = /path/to/radius.crt
- # keyfile = /path/to/radius.key
- # randfile = /path/to/rnd
+ cacertfile = /usr/local/etc/raddb/certs/ca_ldap2_cert.pem
+ cacertdir = /usr/local/etc/raddb/certs/
+ certfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.crt
+ keyfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.key
+ randfile = /usr/local/etc/raddb/certs/random
 # Certificate Verification requirements. Can be:
 # "never" (don't even bother trying)
@@ -3228,7 +3319,7 @@ ldap ldap2{
 # "demand" (fail if the certificate doesn't verify.)
 #
 # The default is "allow"
- # require_cert = "demand"
+ require_cert = "$varmodulesldap2requirecert"
 }
 $varmodulesldap2defaultprofile
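Review bot: `require_cert = "$varmodulesldaprequirecert"` defaults to `never` (the resync hunk falls back to `'never'` and the new XML field's `<default_value>` is `never`), so enabling StartTLS yields an encrypted but unauthenticated session and the LDAP bind credentials can still be handed to an on-path host posing as the server; `demand` is the sensible default once a CA certificate is configured, or at minimum the field description should state that `never` disables server verification. The `cacertfile`/`certfile`/`keyfile` lines are now emitted unconditionally for both `ldap` and `ldap2`, so with `start_tls = yes` and no certificate selected they point at files this change never creates, and `randfile = /usr/local/etc/raddb/certs/random` refers to a file nothing in this diff writes — I cannot see whether it exists elsewhere. Consider emitting these lines only when the corresponding `$conf['ssl_*']` path was set in the resync hunk, which would also give those assignments a consumer. The @@ -3213 and @@ -3228 hunks share both points; the heredoc template they sit in starts and ends outside the hunks.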
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 4cee8c98..a055a945 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -219,7 +219,7 @@
 <field>
 <fielddescr>Number of simultaneous connections</fielddescr>
 <fieldname>varuserssimultaneousconnect</fieldname>
- <description><![CDATA[The maximum of simultaneous connections with this username. (Default: 1)]]></description>
+ <description><![CDATA[The maximum of simultaneous connections with this username. If you leave this field empty than there is no limit. If you are using FreeRADIUS with CaptivePortal you should leave this empty.]]></description>
 <default_value></default_value>
 <type>input</type>
 </field>
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
index 7abd26f5..57ef6f6f 100644
--- a/config/freeradius2/freeradiusauthorizedmacs.xml
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -7,7 +7,7 @@
 /* $Id$ */
 /* ========================================================================== */
 /*
- freeradius.xml
+ freeradiusauthorizedmacs.xml
 part of pfSense (http://www.pfSense.com)
 Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
 All rights reserved.
@@ -212,7 +212,7 @@
 <field>
 <fielddescr>Number of simultaneous connections</fielddescr>
 <fieldname>varmacssimultaneousconnect</fieldname>
- <description><![CDATA[The maximum of simultaneous connections with this MAC address.]]></description>
+ <description><![CDATA[The maximum of simultaneous connections with this MAC address. If you leave this field empty than there is no limit. If you are using FreeRADIUS with CaptivePortal you should leave this empty.]]></description>
 <default_value></default_value>
 <type>input</type>
 </field>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index fd51f800..5ec634f1 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
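Review bot: The new description in the @@ -219 hunk reads `If you leave this field empty than there is no limit` — `than` should be `then`, and the @@ -212 hunk of freeradiusauthorizedmacs.xml carries the same sentence. Suggest `If you leave this field empty then there is no limit.` in both places.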
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -125,7 +125,7 @@
 <field>
 <fielddescr>Interface IP Address</fielddescr>
 <fieldname>varinterfaceip</fieldname>
- <description><![CDATA[Enter the IP address of the listening interface. e.g. 192.168.100.1 (Default: *)]]></description>
+ <description><![CDATA[Enter the IP address (e.g. 192.168.100.1) of the listening interface. If you choose <b>*</b> then it means all interfaces. (Default: *)]]></description>
 <type>input</type>
 <default_value>*</default_value>
 <required/>
@@ -135,9 +135,9 @@
 <fieldname>varinterfaceport</fieldname>
 <description><![CDATA[Enter the port number of the listening interface. Different interface types need different ports.<br>
 You could use this as an example:<br>
- auth = 1812<br>
- acct = 1813<br>
- proxy = 1814<br>
+ Authentication = 1812<br>
+ Accounting = 1813<br>
+ Status = 1816<br>
 <b>IMPORTANT:</b> For <b>every interface type</b> listening on the <b>same IP address</b> you need <b>different ports</b>.]]></description>
 <type>input</type>
 <default_value>1812</default_value>
@@ -150,8 +150,8 @@
 <type>select</type>
 <default_value>auth</default_value>
 <options>
- <option><name>Auth</name><value>auth</value></option>
- <option><name>Acct</name><value>acct</value></option>
+ <option><name>Authentication</name><value>auth</value></option>
+ <option><name>Accounting</name><value>acct</value></option>
 <option><name>Proxy</name><value>proxy</value></option>
 <option><name>Detail</name><value>detail</value></option>
 <option><name>Status</name><value>status</value></option>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index cf7f5b33..f6619afd 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -106,7 +106,7 @@
 <fieldname>varmodulesldapenableauthorize</fieldname>
 <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description>
 <type>checkbox</type>
- <enablefields>varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
+ 
<enablefields>varmodulesldapenabletlssupport,varmodulesldap2failover,varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
 </field>
 <field>
 <fielddescr>Enable LDAP For Authentication</fielddescr>
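Review bot: The new `<enablefields>` list adds `varmodulesldap2failover`, but no field with that `<fieldname>` appears anywhere in this diff, and the @@ -370 hunk's ldap2 list does not add it either; if it is not defined elsewhere in the file the entry is dead and should be dropped, otherwise the field it refers to belongs in this commit. The enclosing `<field>` starts outside the hunk.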
@@ -340,6 +340,53 @@
 <size>80</size>
 <default_value>3</default_value>
 </field>
+ <field>
+ <name>LDAP TLS SUPPORT - SERVER 1</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable TSL support</fielddescr>
+ <fieldname>varmodulesldapenabletlssupport</fieldname>
+ <description><![CDATA[Enable TLS support for LDAP server 1. If enabled then certs in ../raddb/certs/ will be checked against the certs on LDAP.]]></description>
+ <type>checkbox</type>
+ <enablefields>ssl_ca_cert1,ssl_server_cert1,varmodulesldaprequirecert</enablefields>
+ </field>
+ <field>
+ <fielddescr>SSL CA Certificate</fielddescr>
+ <fieldname>ssl_ca_cert1</fieldname>
+ <description><![CDATA[Choose the SSL CA Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_ca_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>SSL Server Certificate</fielddescr>
+ <fieldname>ssl_server_cert1</fieldname>
+ <description><![CDATA[Choose the SSL Server Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. 
(Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_server_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>Choose certificate verification method</fielddescr>
+ <fieldname>varmodulesldaprequirecert</fieldname>
+ <description><![CDATA[Choose how the certs should be checked:<br><br>
+
+ <b>never: </b>don't even bother trying<br>
+ <b>allow: </b>try but don't fail if the cerificate can't be verified<br>
+ <b>demand: </b>fail if the certificate doesn't verify]]></description>
+ <type>select</type>
+ <default_value>never</default_value>
+ <options>
+ <option><name>Never</name><value>never</value></option>
+ <option><name>Allow</name><value>allow</value></option>
+ <option><name>Demand</name><value>demand</value></option>
+ </options>
+ </field>
 <field>
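Review bot: User-facing strings in the new server-1 TLS fields carry typos — `Enable TSL support` → `Enable TLS support`, `Certficate` → `Certificate` (twice), `cerificate` → `certificate` — and the server-2 block in the @@ -604 hunk repeats every one of them. The checkbox description `If enabled then certs in ../raddb/certs/ will be checked against the certs on LDAP.` does not describe what the setting does; suggest `Enable StartTLS for LDAP server 1. The CA certificate chosen below is used to verify the LDAP server's certificate according to the verification method selected.` Because `<default_value>never</default_value>` is the default, the `never` option text should make the consequence explicit, e.g. `<b>never: </b>do not verify the server certificate (encrypted but unauthenticated connection)<br>`, so an administrator does not assume that enabling TLS alone authenticates the server.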
@@ -370,7 +417,7 @@
 <fieldname>varmodulesldap2enableauthorize</fieldname>
 <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description>
 <type>checkbox</type>
- <enablefields>varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
+ <enablefields>varmodulesldap2enabletlssupport,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
 </field>
 <field>
 <fielddescr>Enable LDAP For Authentication</fielddescr>
@@ -604,6 +651,53 @@
 <size>80</size>
 <default_value>3</default_value>
 </field>
+ <field>
+ <name>LDAP TLS SUPPORT - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable TSL support</fielddescr>
+ <fieldname>varmodulesldap2enabletlssupport</fieldname>
+ <description><![CDATA[Enable TLS support for LDAP server 1. If enabled then certs in ../raddb/certs/ will be checked against the certs on LDAP.]]></description>
+ <type>checkbox</type>
+ <enablefields>ssl_ca_cert2,ssl_server_cert2,varmodulesldap2requirecert</enablefields>
+ </field>
+ <field>
+ <fielddescr>SSL CA Certificate</fielddescr>
+ <fieldname>ssl_ca_cert2</fieldname>
+ <description><![CDATA[Choose the SSL CA Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_ca_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>SSL Server Certificate</fielddescr>
+ <fieldname>ssl_server_cert2</fieldname>
+ <description><![CDATA[Choose the SSL Server Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. 
(Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_server_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>Choose certificate verification method</fielddescr>
+ <fieldname>varmodulesldap2requirecert</fieldname>
+ <description><![CDATA[Choose how the certs should be checked:<br><br>
+
+ <b>never: </b>don't even bother trying<br>
+ <b>allow: </b>try but don't fail if the cerificate can't be verified<br>
+ <b>demand: </b>fail if the certificate doesn't verify]]></description>
+ <type>select</type>
+ <default_value>never</default_value>
+ <options>
+ <option><name>Never</name><value>never</value></option>
+ <option><name>Allow</name><value>allow</value></option>
+ <option><name>Demand</name><value>demand</value></option>
+ </options>
+ </field>
 </fields>
 <custom_delete_php_command>
 freeradius_modulesldap_resync(); |
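Review bot: The server-2 checkbox description in this hunk still reads `Enable TLS support for LDAP server 1.` — a copy-paste from the server-1 block; it should say `Enable TLS support for LDAP server 2.` so the administrator can tell which server the toggle affects.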