Diffstat (limited to 'config')
-rw-r--r-- | config/freeradius2/freeradius.inc | 47 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 126 |
2 files changed, 133 insertions, 40 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 3506641f..1d59ef37 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -590,9 +590,6 @@ function freeradius_eapconf_resync() { $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; - // Choose pfsense Cert-Manager or freeradius Cert-Manager - $vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr'); - // Variables: EAP $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5'); $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60'); 
@@ -600,8 +597,17 @@ function freeradius_eapconf_resync() {
 $vareapconfciscoaccountingusernamebug = ($eapconf['vareapconfciscoaccountingusernamebug']?$eapconf['vareapconfciscoaccountingusernamebug']:'no');
 $vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096');
- // Variables: EAP-TLS and EAP-TLS with OCSP support
+ // Variables: EAP-TLS
 $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
+ $vareapconffragmentsize = ($eapconf['vareapconffragmentsize']?$eapconf['vareapconffragmentsize']:'1024');
+ $vareapconfincludelength = ($eapconf['vareapconfincludelength']?$eapconf['vareapconfincludelength']:'yes');
+
+ // Variables: Cache
+ $vareapconfcacheenablecache = ($eapconf['vareapconfcacheenablecache']?$eapconf['vareapconfcacheenablecache']:'no');
+ $vareapconfcachelifetime = ($eapconf['vareapconfcachelifetime']?$eapconf['vareapconfcachelifetime']:'24');
+ $vareapconfcachemaxentries = ($eapconf['vareapconfcachemaxentries']?$eapconf['vareapconfcachemaxentries']:'255');
+
+ // Variables OSCP
 $vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no');
 $vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no');
 $vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/');
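Review bot: `$vareapconfcachemaxentries = ($eapconf['vareapconfcachemaxentries']?$eapconf['vareapconfcachemaxentries']:'255');` treats the string '0' as unset because '0' is falsy in PHP, so the "Set to 0 for infinite" value that the new Max Entries field in freeradiuseapconf.xml documents silently becomes 255; the new fragmentsize, includelength and cachelifetime lines use the same truthy test. An explicit emptiness check avoids that, e.g. `$vareapconfcachemaxentries = (isset($eapconf['vareapconfcachemaxentries']) && $eapconf['vareapconfcachemaxentries'] !== '') ? $eapconf['vareapconfcachemaxentries'] : '255';`. These values come from free-text `input` fields and are interpolated verbatim into the eap.conf heredoc later in this function, so checking fragment_size, lifetime and max_entries are non-negative integers (and include_length is yes/no) before the file is written would keep a typo in the GUI from producing a config radiusd cannot load. freeradius_eapconf_resync() continues outside the hunk.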
@@ -610,6 +616,7 @@ function freeradius_eapconf_resync() { $vareapconfttlsdefaulteaptype = ($eapconf['vareapconfttlsdefaulteaptype']?$eapconf['vareapconfttlsdefaulteaptype']:'md5'); $vareapconfttlscopyrequesttotunnel = ($eapconf['vareapconfttlscopyrequesttotunnel']?$eapconf['vareapconfttlscopyrequesttotunnel']:'no'); $vareapconfttlsusetunneledreply = ($eapconf['vareapconfttlsusetunneledreply']?$eapconf['vareapconfttlsusetunneledreply']:'no'); + $vareapconfttlsincludelength = ($eapconf['vareapconfttlsincludelength']?$eapconf['vareapconfttlsincludelength']:'yes'); // Variables: EAP-PEAP with MSCHAPv2 $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2'); @@ -633,7 +640,7 @@ function freeradius_eapconf_resync() { // The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time. // This is for the pfsense cert manager // Depends on "freeradius_get_server_certs" and "freeradius_get_ca_certs" -if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { +if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert != false) { @@ -682,12 +689,10 @@ if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { } // This is for freeradius cert manager -if ($vareapconfchoosecertmanager == 'radiuscertmgr') { - +else { $vareapconfprivatekeyfile = 'server.pem'; $vareapconfcertificatefile = 'server.pem'; $vareapconfcafile = 'ca.pem'; - } $conf .= <<<EOD @@ -710,7 +715,7 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { } - ### EAP-TLS and EAP-TLS with OCSP support + ### EAP-TLS and EAP-TLS with OCSP support tls { certdir = \${confdir}/certs cadir = \${confdir}/certs 
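Review bot: `if ($eapconf['vareapconfchoosecertmanager'] == 'on') {` in the third hunk reads the key without checking it exists, and the new `else` branch now selects the bundled FreeRADIUS certificates for every value other than 'on'. A configuration saved by the previous select-based version of this page holds 'pfsensecertmgr' or 'radiuscertmgr' (see the removed default in the first hunk of this file), so an existing install that used the pfSense Cert Manager would, as far as I can tell, be switched back to the package's own certs on the next resync without any notice. I would write `if (isset($eapconf['vareapconfchoosecertmanager']) && $eapconf['vareapconfchoosecertmanager'] === 'on') {` and either map the old 'pfsensecertmgr' value to 'on' during upgrade or log when the fallback branch is taken, so a silent change of the server certificate source is visible in the system log. freeradius_eapconf_resync() begins before and continues after these hunks.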
@@ -720,20 +725,18 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { CA_file = \${cadir}/$vareapconfcafile dh_file = \${certdir}/dh random_file = \${certdir}/random - # fragment_size = 1024 - # include_length = yes + fragment_size = $vareapconffragmentsize + include_length = $vareapconfincludelength # check_crl = yes CA_path = \${cadir} - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} cipher_list = "DEFAULT" - ### we make this from Certificate tab on GUI at startup - # make_cert_command = "\${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { - enable = no - lifetime = 24 # hours - max_entries = 255 + enable = $vareapconfcacheenablecache + lifetime = $vareapconfcachelifetime + max_entries = $vareapconfcachemaxentries } verify { # tmpdir = /tmp/radiusd @@ -744,17 +747,17 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { override_cert_url = $vareapconfocspoverridecerturl url = "$vareapconfocspurl" } - } ### end tls + } - ### EAP-TTLS + ### EAP-TTLS ttls { default_eap_type = $vareapconfttlsdefaulteaptype copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel use_tunneled_reply = $vareapconfttlsusetunneledreply - # include_length = yes + include_length = $vareapconfttlsincludelength } ### end ttls - ### EAP-PEAP with MSCHAPv2 + ### EAP-PEAP peap { default_eap_type = $vareapconfpeapdefaulteaptype copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel @@ -765,7 +768,7 @@ if ($vareapconfchoosecertmanager == 'radiuscertmgr') { mschapv2 { # send_error = no } - } ### end eap + } EOD; diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index 309066f0..ff50dbc4 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml 
@@ -109,12 +109,17 @@ <default_value>md5</default_value> <options> <option><name>MD5</name><value>md5</value></option> - <option><name>LEAP</name><value>leap</value></option> <option><name>GTC</name><value>gtc</value></option> + <option><name>LEAP</name><value>leap</value></option> + <option><name>TLS</name><value>tls</value></option> + <option><name>TTLS</name><value>ttls</value></option> + <option><name>PEAP</name><value>peap</value></option> + <option><name>MSCHAP</name><value>mschap</value></option> + <option><name>MSCHAPv2</name><value>mschapv2</value></option> </options> </field> <field> - <fielddescr>Expiration of EAP-Response/Request List</fielddescr> + <fielddescr>Expiration of EAP-Response / EAP-Request List</fielddescr> <fieldname>vareapconftimerexpire</fieldname> <description><![CDATA[A list is maintained to correlate EAP-Response packets with EAP-Request packets. Define the expire time of the list. (Default: 60)]]></description> <type>input</type> 
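Review bot: `<option><name>MSCHAP</name><value>mschap</value></option>` adds a value that, as far as I can tell, is not a FreeRADIUS EAP type (the EAP variant is `mschapv2`), so selecting it writes `default_eap_type = mschap` into eap.conf and radiusd would presumably refuse to start. The `pap`, `chap` and `mschap` options added to the TTLS and PEAP Default EAP Type lists in the later hunks of this file have the same problem: in TTLS those methods run inside the tunnel without going through `default_eap_type`, and the PEAP inner method must be an EAP type. Dropping those three options (keeping md5/gtc/otp/tls/mschapv2) would keep the GUI from generating an unloadable configuration.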
@@ -150,20 +155,19 @@ <default_value>4096</default_value> </field> <field> - <name>EAP-TLS</name> + <name>CERTIFICATES FOR TLS</name> <type>listtopic</type> </field> <field> <fielddescr>Choose your Cert Manager</fielddescr> <fieldname>vareapconfchoosecertmanager</fieldname> <description><![CDATA[Choose your Cert manager. By default it is the freeradius cert manager because the server needs some default certs to start service. For more information take al look at "Certificates"-Tab.<br> - To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager). (Default: freeRADIUS)]]></description> - <type>select</type> + To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager).<br><br> + <b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br> + <b>cheked</b>: pfSense Cert-Manager (recommended)]]></description> + <type>checkbox</type> <default_value>radiuscertmgr</default_value> - <options> - <option><name>freeRADIUS Cert Manager (not recommended)</name><value>radiuscertmgr</value></option> - <option><name>pfSense Cert Manager (recommended)</name><value>pfsensecertmgr</value></option> - </options> + <enablefields>ssl_ca_cert,ssl_server_cert</enablefields> </field> <field> <fielddescr>SSL CA Certificate</fielddescr> 
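Review bot: `<default_value>radiuscertmgr</default_value>` is left over from the removed select and no longer matches a checkbox field, whose checked state freeradius.inc now tests against 'on'; the description on the same field says the default is unchecked, so the line should go, `<default_value></default_value>` or simply omitted. The description also has typos in the new lines: "uncheked" and "cheked" should read "unchecked" and "checked", and "take al look" should read "take a look".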
@@ -188,12 +192,71 @@ <field> <fielddescr>Private Key Password</fielddescr> <fieldname>vareapconfprivatekeypassword</fieldname> - <description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate.<br> - The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]></description> + <description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]></description> <type>password</type> <default_value>whatever</default_value> </field> <field> + <name>EAP-TLS</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Include Length</fielddescr> + <fieldname>vareapconfincludelength</fieldname> + <description><![CDATA[include_length is a flag which is by default set to yes If set to yes, Total Length of the message is included in EVERY packet we send. If set to no, Total Length of the message is included ONLY in the first packet of a fragment series. (Default: Yes)]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Fragment Size</fielddescr> + <fieldname>vareapconffragmentsize</fieldname> + <description><![CDATA[This can never exceed the size of a RADIUS packet (4096 bytes), and is preferably half that, to accomodate other attributes in RADIUS packet. On most APs the MAX packet length is configured between 1500 - 1600 In these cases, fragment size should be 1024 or less. 
(Default: 1024)]]></description> + <type>input</type> + <default_value>1024</default_value> + </field> + + + <field> + <name>EAP-TLS - ENABLE CACHE</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable cache</fielddescr> + <fieldname>vareapconfcacheenablecache</fieldname> + <description><![CDATA[Session resumption / fast reauthentication cache.<br> + The cache contains the following information:<br><br> + session Id - unique identifier, managed by SSL User-Name - from the Access-Accept Stripped-User-Name - from the Access-Request Cached-Session-Policy - from the Access-Accept<br><br> + The "Cached-Session-Policy" is the name of a policy which should be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to re-apply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.<br><br> + On session resumption, these attributes are copied from the cache, and placed into the reply list. You probably also want "use_tunneled_reply = yes" when using fast session resumption. (Default: Disable)]]></description> + <type>select</type> + <default_value>no</default_value> + <options> + <option><name>Enable</name><value>yes</value></option> + <option><name>Disable</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Lifetime</fielddescr> + <fieldname>vareapconfcachelifetime</fieldname> + <description><![CDATA[Lifetime of the cached entries, in hours. The sessions will be deleted after this time. (Default: 24)]]></description> + <type>input</type> + <default_value>24</default_value> + </field> + <field> + <fielddescr>Max Entries</fielddescr> + <fieldname>vareapconfcachemaxentries</fieldname> + <description><![CDATA[The maximum number of entries in the cache. Set to "0" for "infinite". This could be set to the number of users who are logged in... which can be a LOT. 
(Default: 255)]]></description> + <type>input</type> + <default_value>255</default_value> + </field> + + + + <field> <name>EAP-TLS with OCSP support</name> <type>listtopic</type> </field> 
@@ -233,17 +296,25 @@ <field> <fielddescr>Default EAP Type</fielddescr> <fieldname>vareapconfttlsdefaulteaptype</fieldname> - <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. (Default: MD5)]]></description> + <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. Inside of the TTLS tunnel, we recommend using EAP-MD5. If the request does not contain an EAP conversation, then this configuration entry is ignored. (Default: MD5)]]></description> <type>select</type> <default_value>md5</default_value> <options> <option><name>MD5</name><value>md5</value></option> + <option><name>GTC</name><value>gtc</value></option> + <option><name>OTP</name><value>otp</value></option> + <option><name>TLS</name><value>tls</value></option> + <option><name>PAP</name><value>pap</value></option> + <option><name>CHAP</name><value>chap</value></option> + <option><name>MSCHAP</name><value>mschap</value></option> + <option><name>MSCHAPv2</name><value>mschapv2</value></option> </options> </field> <field> <fielddescr>Copy Request to Tunnel</fielddescr> <fieldname>vareapconfttlscopyrequesttotunnel</fieldname> - <description><![CDATA[By setting this configuration entry to "yes", any attribute which is <b>not</b> in the tunneled authentication request, but which <b>is</b> available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description> + <description><![CDATA[The tunneled authentication request does not usually contain useful attributes like 'Calling-Station-Id', etc. These attributes are outside of the tunnel, and normally unavailable to the tunneled authentication request.<br> + By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. 
(Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -254,7 +325,7 @@ <field> <fielddescr>Use Tunneled Reply</fielddescr> <fieldname>vareapconfttlsusetunneledreply</fieldname> - <description><![CDATA[By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description> + <description><![CDATA[The reply attributes sent to the NAS are usually based on the name of the user 'outside' of the tunnel (usually 'anonymous'). If you want to send the reply attributes based on the user name inside of the tunnel, then set this configuration entry to 'yes', and the reply to the NAS will be taken from the reply to the tunneled request. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> 
@@ -263,23 +334,42 @@ </options> </field> <field> - <name>EAP-PEAP with MSCHAPv2</name> + <fielddescr>Include Length</fielddescr> + <fieldname>vareapconfttlsincludelength</fieldname> + <description><![CDATA[include_length is a flag which is by default set to yes If set to yes, Total Length of the message is included in EVERY packet we send. If set to no, Total Length of the message is included ONLY in the first packet of a fragment series. (Default: Yes)]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <name>EAP-PEAP</name> <type>listtopic</type> </field> <field> <fielddescr>Default EAP Type</fielddescr> <fieldname>vareapconfpeapdefaulteaptype</fieldname> - <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. (Default: MSCHAPv2)]]></description> + <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. Inside of the PEAP tunnel, we recommend using MS-CHAPv2, as that is the default type supported by Windows clients. 
(Default: MSCHAPv2)]]></description> <type>select</type> <default_value>mschapv2</default_value> <options> + <option><name>MD5</name><value>md5</value></option> + <option><name>GTC</name><value>gtc</value></option> + <option><name>OTP</name><value>otp</value></option> + <option><name>TLS</name><value>tls</value></option> + <option><name>PAP</name><value>pap</value></option> + <option><name>CHAP</name><value>chap</value></option> + <option><name>MSCHAP</name><value>mschap</value></option> <option><name>MSCHAPv2</name><value>mschapv2</value></option> </options> </field> <field> <fielddescr>Copy Request to Tunnel</fielddescr> <fieldname>vareapconfpeapcopyrequesttotunnel</fieldname> - <description><![CDATA[By setting this configuration entry to "yes", any attribute which is <b>not</b> in the tunneled authentication request, but which <b>is</b> available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description> + <description><![CDATA[The tunneled authentication request does not usually contain useful attributes like 'Calling-Station-Id', etc. These attributes are outside of the tunnel, and normally unavailable to the tunneled authentication request.<br> + By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> 
@@ -290,7 +380,7 @@ <field> <fielddescr>Use Tunneled Reply</fielddescr> <fieldname>vareapconfpeapusetunneledreply</fieldname> - <description><![CDATA[By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description> + <description><![CDATA[The reply attributes sent to the NAS are usually based on the name of the user 'outside' of the tunnel (usually 'anonymous'). If you want to send the reply attributes based on the user name inside of the tunnel, then set this configuration entry to 'yes', and the reply to the NAS will be taken from the reply to the tunneled request. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> |