aboutsummaryrefslogtreecommitdiffstats
path: root/config/freeradius2
diff options
context:
space:
mode:
Diffstat (limited to 'config/freeradius2')
-rw-r--r--config/freeradius2/freeradius.inc83
-rw-r--r--config/freeradius2/freeradius.xml3
-rw-r--r--config/freeradius2/freeradiussettings.xml3
3 files changed, 41 insertions, 48 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index baac37ae..59cb2ce5 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -86,6 +86,10 @@ function freeradius_install_command() {
log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}");
copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup");
}
+
+ // Disable virtual-server we do not need by default
+ unlink("/usr/local/etc/raddb/sites-enabled/control-socket");
+ unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel");
$rcfile = array();
$rcfile['file'] = 'radiusd.sh';
@@ -902,41 +906,32 @@ function freeradius_serverdefault_resync() {
$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
// If unchecked we need the normal EAP section.
- If (!$varsettings['varsettingsenablemacauth']) {
+ if (!$varsettings['varsettingsenablemacauth']) {
$varplainmacauthenable = '';
$varplainmacauthenable .= "eap {";
$varplainmacauthenable .= "\n\tok = return";
$varplainmacauthenable .= "\n\t}";
-
+
$varplainmacpreacctenable = '';
$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####';
}
// If checked we need to check if it is plain mac or eap
else {
$varplainmacauthenable = '';
- $varplainmacauthenable .= "# if cleaning up the Calling-Station-Id...";
+ $varplainmacauthenable .= "\t### FIRST check MAC address in authorized_macs and if that fails proceed with other checks below in else-section ###";
+ $varplainmacauthenable .= "\n\t# if cleaning up the Calling-Station-Id...";
$varplainmacauthenable .= "\n\trewrite_calling_station_id";
- $varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth";
- $varplainmacauthenable .= "\n\tif (!EAP-Message) {";
- $varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file";
- $varplainmacauthenable .= "\n\t\tauthorized_macs";
- $varplainmacauthenable .= "\n\t\tif (!ok) {";
- $varplainmacauthenable .= "\n\t\t\treject";
- $varplainmacauthenable .= "\n\t\t}";
- $varplainmacauthenable .= "\n\t\telse {";
- $varplainmacauthenable .= "\n\t\t\t# accept";
+ $varplainmacauthenable .= "\n\t# now check against the authorized_macs file";
+ $varplainmacauthenable .= "\n\tauthorized_macs";
+ $varplainmacauthenable .= "\n\tif (ok) {";
$varplainmacauthenable .= "\n\t\t\tupdate control {";
- $varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept";
- $varplainmacauthenable .= "\n\t\t\t}";
+ $varplainmacauthenable .= "\n\t\t\tAuth-Type := Accept";
$varplainmacauthenable .= "\n\t\t}";
$varplainmacauthenable .= "\n\t}";
- $varplainmacauthenable .= "\n\telse {";
- $varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g.";
- $varplainmacauthenable .= "\n\t\teap";
- $varplainmacauthenable .= "\n\t}";
-
+ $varplainmacauthenable .= "\n\t### Here we have to place all other authorize modules which should be check when MAC fails ###";
+
$varplainmacpreacctenable = '';
- $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####';
+ $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH ENABLED #####';
$varplainmacpreacctenable .= "\n\trewrite_calling_station_id";
}
@@ -1032,27 +1027,6 @@ authorize {
preprocess
#
- # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
- # authentication.
- #
- # It also sets the EAP-Type attribute in the request
- # attribute list to the EAP type from the packet.
- #
- # As of 2.0, the EAP module returns "ok" in the authorize stage
- # for TTLS and PEAP. In 1.x, it never returned "ok" here, so
- # this change is compatible with older configurations.
- #
- # The example below uses module failover to avoid querying all
- # of the following modules if the EAP module returns "ok".
- # Therefore, your LDAP and/or SQL servers will not be queried
- # for the many packets that go back and forth to set up TTLS
- # or PEAP. The load on those servers will therefore be reduced.
- #
-
- $varplainmacauthenable
-
-
- #
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
@@ -1098,9 +1072,30 @@ authorize {
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
+
suffix
ntdomain
-
+
+ #
+ # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+ # authentication.
+ #
+ # It also sets the EAP-Type attribute in the request
+ # attribute list to the EAP type from the packet.
+ #
+ # As of 2.0, the EAP module returns "ok" in the authorize stage
+ # for TTLS and PEAP. In 1.x, it never returned "ok" here, so
+ # this change is compatible with older configurations.
+ #
+ # The example below uses module failover to avoid querying all
+ # of the following modules if the EAP module returns "ok".
+ # Therefore, your LDAP and/or SQL servers will not be queried
+ # for the many packets that go back and forth to set up TTLS
+ # or PEAP. The load on those servers will therefore be reduced.
+ #
+
+ $varplainmacauthenable
+
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
@@ -1157,7 +1152,7 @@ authorize {
# get a chance to set Auth-Type for themselves.
#
pap
-
+
#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
@@ -2951,7 +2946,7 @@ policy {
}
}
else {
- noop
+ noop
}
}
}
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index e1c6c9f2..2b31996a 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -346,10 +346,9 @@
freeradius_install_command();
freeradius_clients_resync();
freeradius_users_resync();
+ freeradius_authorizedmacs_resync();
freeradius_eapconf_resync();
freeradius_sqlconf_resync();
- exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket");
- exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel");
</custom_php_install_command>
<custom_php_deinstall_command>
freeradius_deinstall_command();
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 611db03f..ea7366fc 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -104,8 +104,7 @@
<field>
<fielddescr>Enable Plain MAC Auth</fielddescr>
<fieldname>varsettingsenablemacauth</fieldname>
- <description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br>
- Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description>
+ <description><![CDATA[This enables plain MAC auth. The Calling-Station-Id in an Access-Request is first checked against an authorized_macs list before all other authorization methods. If your NAS is not able to convert the MAC in a 802.1X format then you could enable this. If you do not need this leave this disabled. (Default: unchecked)]]></description>
<type>checkbox</type>
</field>
<field>