Diffstat (limited to 'config')
-rwxr-xr-xconfig/freeradius2/freeradius.inc133
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradius.xml41
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiusclients.xml22
-rw-r--r--config/freeradius2/freeradiuseapconf.xml290
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiusinterfaces.xml12
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiussettings.xml46
6 files changed, 493 insertions, 51 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 518544c9..38625494 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -27,6 +27,9 @@ function freeradius_install_command() {
}
}
+ exec("chown -R root:wheel /usr/local/etc/raddb");
+ exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
+
closedir($handle);
$rcfile = array();
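Review bot: The two `exec("chown -R …")` calls discard the command's exit status, so a failed ownership change on the configuration tree goes unnoticed; use the three-argument form, `exec("chown -R root:wheel /usr/local/etc/raddb", $out, $rc);`, and log the failure when `$rc != 0`. The `/usr/local/lib/freeradius-2.1.12` path is now hard-coded in the include file and will silently do nothing after a package version bump; a short comment saying why it is pinned, or deriving it from the installed package, would help the next maintainer. Presumably radiusd is started as an unprivileged user by the rc script — if so, root:wheel ownership combined with the 0600 mode that freeradius_eapconf_resync applies to eap.conf could make that file unreadable to the daemon; confirm which user the service runs as. freeradius_install_command begins outside the hunk.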
@@ -322,4 +325,134 @@ EOD;
conf_mount_ro();
restart_service("freeradius");
}
+
+
+
+function freeradius_eapconf_resync() {
+ global $config;
+ $conf = '';
+
+ $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
+
+ // Variables: EAP
+ $vareapconfdefaulteaptype = $eapconf['vareapconfdefaulteaptype'];
+ $vareapconftimerexpire = $eapconf['vareapconftimerexpire'];
+ $vareapconfignoreunknowneaptypes = $eapconf['vareapconfignoreunknowneaptypes'];
+ $vareapconfciscoaccountingusernamebug = $eapconf['vareapconfciscoaccountingusernamebug'];
+ $vareapconfmaxsessions = $eapconf['vareapconfmaxsessions'];
+
+ // Variables: EAP-TLS and EAP-TLS with OCSP support
+ $vareapconfprivatekeypassword = $eapconf['vareapconfprivatekeypassword'];
+ $vareapconfprivatekeyfile = $eapconf['vareapconfprivatekeyfile'];
+ $vareapconfcertificatefile = $eapconf['vareapconfcertificatefile'];
+ $vareapconfcafile = $eapconf['vareapconfcafile'];
+ $vareapconfdhfile = $eapconf['vareapconfdhfile'];
+ $vareapconfrandomfile = $eapconf['vareapconfrandomfile'];
+ $vareapconfocspenable = $eapconf['vareapconfocspenable'];
+ $vareapconfocspoverridecerturl = $eapconf['vareapconfocspoverridecerturl'];
+ $vareapconfocspurl = $eapconf['vareapconfocspurl'];
+
+ // Variables: EAP-TTLS
+ $vareapconfttlsdefaulteaptype = $eapconf['vareapconfttlsdefaulteaptype'];
+ $vareapconfttlscopyrequesttotunnel = $eapconf['vareapconfttlscopyrequesttotunnel'];
+ $vareapconfttlsusetunneledreply = $eapconf['vareapconfttlsusetunneledreply'];
+
+ // Variables: EAP-PEAP with MSCHAPv2
+ $vareapconfpeapdefaulteaptype = $eapconf['vareapconfpeapdefaulteaptype'];
+ $vareapconfpeapcopyrequesttotunnel = $eapconf['vareapconfpeapcopyrequesttotunnel'];
+ $vareapconfpeapusetunneledreply = $eapconf['vareapconfpeapusetunneledreply'];
+
+
+ $conf .= <<<EOD
+
+ ### EAP
+ eap {
+ default_eap_type = $vareapconfdefaulteaptype
+ timer_expire = $vareapconftimerexpire
+ ignore_unknown_eap_types = $vareapconfignoreunknowneaptypes
+ cisco_accounting_username_bug = $vareapconfciscoaccountingusernamebug
+ max_sessions = $vareapconfmaxsessions
+
+ md5 {
+ }
+ leap {
+ }
+ gtc {
+ #challenge = "Password: "
+ auth_type = PAP
+ }
+
+
+ ### EAP-TLS and EAP-TLS with OCSP support
+ tls {
+ certdir = \${confdir}/certs
+ cadir = \${confdir}/certs
+ private_key_password = $vareapconfprivatekeypassword
+ private_key_file = \${certdir}/$vareapconfprivatekeyfile
+ certificate_file = \${certdir}/$vareapconfcertificatefile
+ CA_file = \${cadir}/$vareapconfcafile
+ dh_file = \${certdir}/$vareapconfdhfile
+ random_file = \${certdir}/$vareapconfrandomfile
+ # fragment_size = 1024
+ # include_length = yes
+ # check_crl = yes
+ CA_path = \${cadir}
+ # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+ # check_cert_cn = %{User-Name}
+ cipher_list = "DEFAULT"
+ make_cert_command = "\${certdir}/bootstrap"
+ ecdh_curve = "prime256v1"
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ max_entries = 255
+ }
+ verify {
+ # tmpdir = /tmp/radiusd
+ # client = "/path/to/openssl verify -CApath ${CA_path} %{TLS-Client-Cert-Filename}"
+ }
+ ocsp {
+ enable = $vareapconfocspenable
+ override_cert_url = $vareapconfocspoverridecerturl
+ url = "$vareapconfocspurl"
+ }
+ } ### end tls
+
+ ### EAP-TTLS
+ ttls {
+ default_eap_type = $vareapconfttlsdefaulteaptype
+ copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel
+ use_tunneled_reply = $vareapconfttlsusetunneledreply
+ ### if disabled this will be processed by the virtual server called "default"
+ # virtual_server = "inner-tunnel"
+ # include_length = yes
+ } ### end ttls
+
+ ### EAP-PEAP with MSCHAPv2
+ peap {
+ default_eap_type = $vareapconfpeapdefaulteaptype
+ copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel
+ use_tunneled_reply = $vareapconfpeapusetunneledreply
+ # proxy_tunneled_request_as_eap = yes
+ ### if disabled this will be processed by the virtual server called "default"
+ # virtual_server = "inner-tunnel"
+ # soh = yes
+ # soh_virtual_server = "soh-server"
+ }
+ mschapv2 {
+ # send_error = no
+ }
+ } ### end eap
+
+
+EOD;
+
+ $filename = RADDB . '/eap.conf';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+ restart_service('freeradius');
+}
?> \ No newline at end of file
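Review bot: `private_key_password = $vareapconfprivatekeypassword` (and the file-name values under it) are interpolated unquoted into eap.conf, so a password containing whitespace, `#` or a quote is truncated or breaks the parser, while the OCSP `url` a few lines down is quoted — quote it consistently, `private_key_password = "$vareapconfprivatekeypassword"`, and escape `"` and `\` in the PHP value first (e.g. `addcslashes($eapconf['vareapconfprivatekeypassword'], '"\\')`), assuming the FreeRADIUS 2.x parser honours backslash escapes in double-quoted strings. The commented `client = "... -CApath ${CA_path} ..."` line sits inside a PHP heredoc, so `${CA_path}` is expanded by PHP as an (undefined) variable rather than written literally; it needs `\${CA_path}` like the other `\${...}` references in the same block. If `$config['installedpackages']['freeradiuseapconf']['config'][0]` is unset — which looks possible on first install, since the install command calls this resync before the EAP page has ever been saved — every setting in the generated `eap {}` section is blank; an `isset()` fallback to the defaults declared in freeradiuseapconf.xml would avoid a daemon that refuses to start. The `file_put_contents` return value is also unchecked, so a failed write of a file that carries the private-key password is silent.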
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 929dea53..b70b2713 100755..100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -3,7 +3,7 @@
<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
<packagegui>
<copyright>
- <![CDATA[
+<![CDATA[
/* $Id$ */
/* ========================================================================== */
/*
@@ -40,9 +40,10 @@
POSSIBILITY OF SUCH DAMAGE.
*/
/* ========================================================================== */
- ]]>
+]]>
+
</copyright>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradius</name>
@@ -59,7 +60,7 @@
<name>FreeRADIUS</name>
<rcfile>radiusd.sh</rcfile>
<executable>radiusd</executable>
- <description>The FreeRADIUS daemon.</description>
+ <description><![CDATA[The FreeRADIUS daemon.]]></description>
</service>
<tabs>
@@ -80,6 +81,10 @@
<text>Settings</text>
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
</tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
</tabs>
<adddeleteeditpagefields>
@@ -133,6 +138,11 @@
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item>
</additional_files_needed>
<additional_files_needed>
@@ -148,21 +158,21 @@
<field>
<fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
- <description>Enter the username.</description>
+ <description><![CDATA[Enter the username.]]></description>
<type>input</type>
<required/>
</field>
<field>
<fielddescr>Password</fielddescr>
<fieldname>password</fieldname>
- <description>Enter the password for this username.</description>
+ <description><![CDATA[Enter the password for this username.]]></description>
<type>password</type>
<required/>
</field>
<field>
<fielddescr>Number of simultaneous connections</fielddescr>
<fieldname>multiconnect</fieldname>
- <description>The maximum of simultaneous connections with this username.</description>
+ <description><![CDATA[The maximum of simultaneous connections with this username.]]></description>
<required/>
<type>input</type>
</field>
@@ -200,8 +210,7 @@
This setting can be used for a NAS that supports the following RADIUS parameters:<br><br>
Tunnel-Type = VLAN<br>
Tunnel-Medium-Type = IEEE-802<br>
- Tunnel-Private-Group-ID = "<b>THIS IS YOUR INPUT</b>"]]>
- </description>
+ Tunnel-Private-Group-ID = "<b>THIS IS YOUR INPUT</b>"]]></description>
<type>input</type>
</field>
<field>
@@ -211,13 +220,13 @@
<field>
<fielddescr>Expiration Time</fielddescr>
<fieldname>expiration</fieldname>
- <description>Enter the date when this account should expire. Format is: Mmm dd yyyy (e.g. Jan 01 2012).</description>
+ <description><![CDATA[Enter the date when this account should expire. Format is: Mmm dd yyyy (e.g. Jan 01 2012).]]></description>
<type>input</type>
</field>
<field>
<fielddescr>Session Time</fielddescr>
<fieldname>sessiontime</fieldname>
- <description>Enter the time this user has until relogin in seconds.</description>
+ <description><![CDATA[Enter the time this user has until relogin in seconds.]]></description>
<type>input</type>
</field>
<field>
@@ -227,7 +236,6 @@
Every time string contains a day (Mo,Tu,We,Th,Fr,Sa,Su) or all weekdays which is from monday till friday (Wk).<br><br>
<b>Wk0855-2305,Sa,Su2230-0230</b><br><br>
This means weekdays after 8:55 AM and before 11:05 PM | any time on saturday | sunday after 10:30 PM and before 02:30 AM.]]></description>
-
<type>input</type>
</field>
<field>
@@ -237,7 +245,7 @@
<field>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter any description for this user you like.</description>
+ <description><![CDATA[Enter any description for this user you like.]]></description>
<type>input</type>
</field>
<field>
@@ -246,8 +254,7 @@
<description><![CDATA[This is for experts only and should be treat with care!<br>
You may append (after all options from above) custom RADIUS options to this user account (separated by commas).<br>
<b>IMPORTANT:</b> If you don't format this field correctly freeRADIUS will not start because of syntax errors.<br>
- Verify your changes by checking users file (/usr/local/etc/raddb/users).]]>
- </description>
+ Verify your changes by checking users file (/usr/local/etc/raddb/users).]]></description>
<type>textarea</type>
<rows>10</rows>
<cols>75</cols>
@@ -264,9 +271,9 @@
freeradius_settings_resync();
freeradius_clients_resync();
freeradius_users_resync();
- exec("chown -R root:wheel /usr/local/etc/raddb");
- exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
+ freeradius_eapconf_resync();
exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket");
+ exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel");
</custom_php_install_command>
<custom_php_deinstall_command>
freeradius_deinstall_command();
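Review bot: In `<custom_php_install_command>` the two `rm -f` calls on `sites-enabled/control-socket` and `sites-enabled/inner-tunnel` run after `freeradius_eapconf_resync()`, which ends with `restart_service('freeradius')` (visible in the freeradius.inc hunk), so the daemon is restarted while both virtual servers are still enabled and only drops them on a later restart; move the two `exec("rm -f …")` lines ahead of the resync calls, or restart once more at the end. The same ordering already existed for control-socket before this change, but adding inner-tunnel makes it worth fixing now. The new `<item>` for freeradiuseapconf.xml follows the existing pattern of fetching package files over plain `http://` with no integrity check; that is the project's convention here, but it is the part of the package most exposed to tampering in transit and deserves a note in the file.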
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 2b5d9d0c..62c37f3d 100755..100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -42,7 +42,7 @@
/* ========================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusclients</name>
@@ -67,6 +67,10 @@
<text>Settings</text>
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
</tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
</tabs>
<adddeleteeditpagefields>
<columnitem>
@@ -110,7 +114,7 @@
<field>
<fielddescr>Client IP Address</fielddescr>
<fieldname>varclientip</fieldname>
- <description>Enter the IP address of the client. This is in general the IP of the NAS (switch,accesspoint).</description>
+ <description><![CDATA[Enter the IP address of the client. This is in general the IP of the NAS (switch,accesspoint).]]></description>
<type>input</type>
<required/>
</field>
@@ -128,14 +132,14 @@
<field>
<fielddescr>Client Shortname</fielddescr>
<fieldname>varclientshortname</fieldname>
- <description>Enter shortname of the client. This is in general the IP of the NAS (switch,accesspoint).</description>
+ <description><![CDATA[Enter shortname of the client. This is in general the IP of the NAS (switch,accesspoint).]]></description>
<type>input</type>
<required/>
</field>
<field>
<fielddescr>Client Shared Secret</fielddescr>
<fieldname>varclientsharedsecret</fieldname>
- <description>Enter the shared secret of the client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server.</description>
+ <description><![CDATA[Enter the shared secret of the client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server.]]></description>
<type>password</type>
<required/>
</field>
@@ -146,7 +150,7 @@
<field>
<fielddescr>Client Protocol</fielddescr>
<fieldname>varclientproto</fieldname>
- <description>Enter the protocol the client uses. (Default: udp)</description>
+ <description><![CDATA[Enter the protocol the client uses. (Default: udp)]]></description>
<type>select</type>
<default_value>udp</default_value>
<options>
@@ -157,7 +161,7 @@
<field>
<fielddescr>Client Type</fielddescr>
<fieldname>varclientnastype</fieldname>
- <description>Enter the NAS type of the client. This is used by checkrad.pl for simultaneous use checks. (Default: other)</description>
+ <description><![CDATA[Enter the NAS type of the client. This is used by checkrad.pl for simultaneous use checks. (Default: other)]]></description>
<type>select</type>
<default_value>other</default_value>
<options>
@@ -178,7 +182,7 @@
<field>
<fielddescr>Require Message Authenticator</fielddescr>
<fieldname>varrequiremessageauthenticator</fieldname>
- <description>RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or accesspoints) do not include that. (Default: no)</description>
+ <description><![CDATA[RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or accesspoints) do not include that. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -189,14 +193,14 @@
<field>
<fielddescr>Max Connections</fielddescr>
<fieldname>varclientmaxconnections</fieldname>
- <description>Takes only effect if you use TCP as protocol. This is the mirror of "Max Requests Server" from "Settings" tab. (Default 16)</description>
+ <description><![CDATA[Takes only effect if you use TCP as protocol. This is the mirror of "Max Requests Server" from "Settings" tab. (Default 16)]]></description>
<type>input</type>
<default_value>16</default_value>
</field>
<field>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter any description you like for this client.</description>
+ <description><![CDATA[Enter any description you like for this client.]]></description>
<type>input</type>
</field>
</fields>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
new file mode 100644
index 00000000..cff17c09
--- /dev/null
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -0,0 +1,290 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description><![CDATA[Describe your package here]]></description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>freeradiuseapconf</name>
+ <version>none</version>
+ <title>FreeRADIUS: Settings</title>
+ <aftersaveredirect>pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</aftersaveredirect>
+ <include_file>/usr/local/pkg/freeradius.inc</include_file>
+ <tabs>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=freeradius.xml</url>
+ </tab>
+ <tab>
+ <text>NAS / Clients</text>
+ <url>/pkg.php?xml=freeradiusclients.xml</url>
+ </tab>
+ <tab>
+ <text>Interfaces</text>
+ <url>/pkg.php?xml=freeradiusinterfaces.xml</url>
+ </tab>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>EAP</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Default EAP Type</fielddescr>
+ <fieldname>vareapconfdefaulteaptype</fieldname>
+ <description><![CDATA[Invoke the default supported EAP type when EAP-Identity response is received. (Default: md5)]]></description>
+ <type>select</type>
+ <default_value>md5</default_value>
+ <options>
+ <option><name>MD5</name><value>md5</value></option>
+ <option><name>LEAP</name><value>leap</value></option>
+ <option><name>GTC</name><value>gtc</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Expiration of EAP-Response/Request List</fielddescr>
+ <fieldname>vareapconftimerexpire</fieldname>
+ <description><![CDATA[A list is maintained to correlate EAP-Response packets with EAP-Request packets. Define the expire time of the list. (Default: 60)]]></description>
+ <type>input</type>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>Ignore Unknown EAP Types</fielddescr>
+ <fieldname>vareapconfignoreunknowneaptypes</fieldname>
+ <description><![CDATA[If the RADIUS does not know the EAP type it rejects it. If set to "yes" an other module <b>must</b> be configured to proxy the request to a further RADIUS server. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>CISCO Accounting Username Bug</fielddescr>
+ <fieldname>vareapconfciscoaccountingusernamebug</fieldname>
+ <description><![CDATA[CISCO AP1230B firmware 12.2(13)JA1 has a bug which can be workaround by setting this to "yes". (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Maximum Sessions Tracking per Server</fielddescr>
+ <fieldname>vareapconfmaxsessions</fieldname>
+ <description><![CDATA[Help to prevent DoS attacks by limiting the number of sessions that the server is tracking. (Default: 4096)]]></description>
+ <type>input</type>
+ <default_value>4096</default_value>
+ </field>
+ <field>
+ <name>EAP-TLS and EAP-TLS with OCSP support</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Private Key Password</fielddescr>
+ <fieldname>vareapconfprivatekeypassword</fieldname>
+ <description><![CDATA[Enter the private key of the password. (Default: whatever)]]></description>
+ <type>password</type>
+ <default_value>whatever</default_value>
+ </field>
+ <field>
+ <fielddescr>Private Key File</fielddescr>
+ <fieldname>vareapconfprivatekeyfile</fieldname>
+ <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
+ <type>input</type>
+ <default_value>server.pem</default_value>
+ </field>
+ <field>
+ <fielddescr>Private Key File</fielddescr>
+ <fieldname>vareapconfprivatekeyfile</fieldname>
+ <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
+ <type>input</type>
+ <default_value>server.pem</default_value>
+ </field>
+ <field>
+ <fielddescr>Server Certificate File</fielddescr>
+ <fieldname>vareapconfcertificatefile</fieldname>
+ <description><![CDATA[Enter the filename of the Certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]></description>
+ <type>input</type>
+ <default_value>server.pem</default_value>
+ </field>
+ <field>
+ <fielddescr>CA File</fielddescr>
+ <fieldname>vareapconfcafile</fieldname>
+ <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: ca.pem)]]></description>
+ <type>input</type>
+ <default_value>ca.pem</default_value>
+ </field>
+ <field>
+ <fielddescr>DH File</fielddescr>
+ <fieldname>vareapconfdhfile</fieldname>
+ <description><![CDATA[Enter the filename of the DH file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: dh)]]></description>
+ <type>input</type>
+ <default_value>dh</default_value>
+ </field>
+ <field>
+ <fielddescr>Random File</fielddescr>
+ <fieldname>vareapconfrandomfile</fieldname>
+ <description><![CDATA[Enter the filename of the random file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: random)]]></description>
+ <type>input</type>
+ <default_value>random</default_value>
+ </field>
+ <field>
+ <fielddescr>Enable OCSP</fielddescr>
+ <fieldname>vareapconfocspenable</fieldname>
+ <description><![CDATA[Choose if you like to enable or disable OCSP support. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>Disable</name><value>no</value></option>
+ <option><name>Enable</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Override OCSP Responder URL</fielddescr>
+ <fieldname>vareapconfocspoverridecerturl</fieldname>
+ <description><![CDATA[The OCSP responder URL is extracted from the certificate. You can override it below. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>OCSP Responder</fielddescr>
+ <fieldname>vareapconfocspurl</fieldname>
+ <description><![CDATA[Enter the URL of the OCSP responder. OCSP <b>must</b> be enabled for this to work. (Default: http://127.0.0.1/ocsp/)]]></description>
+ <type>input</type>
+ <default_value>http://127.0.0.1/ocsp/</default_value>
+ </field>
+ <field>
+ <name>EAP-TTLS</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Default EAP Type</fielddescr>
+ <fieldname>vareapconfttlsdefaulteaptype</fieldname>
+ <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. (Default: MD5)]]></description>
+ <type>select</type>
+ <default_value>md5</default_value>
+ <options>
+ <option><name>MD5</name><value>md5</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Copy Request to Tunnel</fielddescr>
+ <fieldname>vareapconfttlscopyrequesttotunnel</fieldname>
+ <description><![CDATA[By setting this configuration entry to "yes", any attribute which is <b>not</b> in the tunneled authentication request, but which <b>is</b> available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Use Tunneled Reply</fielddescr>
+ <fieldname>vareapconfttlsusetunneledreply</fieldname>
+ <description><![CDATA[By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <name>EAP-PEAP with MSCHAPv2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Default EAP Type</fielddescr>
+ <fieldname>vareapconfpeapdefaulteaptype</fieldname>
+ <description><![CDATA[The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. (Default: MSCHAPv2)]]></description>
+ <type>select</type>
+ <default_value>mschapv2</default_value>
+ <options>
+ <option><name>MSCHAPv2</name><value>mschapv2</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Copy Request to Tunnel</fielddescr>
+ <fieldname>vareapconfpeapcopyrequesttotunnel</fieldname>
+ <description><![CDATA[By setting this configuration entry to "yes", any attribute which is <b>not</b> in the tunneled authentication request, but which <b>is</b> available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Use Tunneled Reply</fielddescr>
+ <fieldname>vareapconfpeapusetunneledreply</fieldname>
+ <description><![CDATA[By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>No</name><value>no</value></option>
+ <option><name>Yes</name><value>yes</value></option>
+ </options>
+ </field>
+ </fields>
+ <custom_delete_php_command>
+ freeradius_eapconf_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_eapconf_resync();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
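Review bot: The `Private Key File` field is defined twice with the same `<fieldname>vareapconfprivatekeyfile</fieldname>` (the copies differ only by the missing word "be" in the first description), so the form renders two inputs bound to one config key and presumably the later one wins on save; drop the first copy. `<title>FreeRADIUS: Settings</title>` is copied from the Settings page and should read `<title>FreeRADIUS: EAP</title>`. Both `Use Tunneled Reply` descriptions repeat the `Copy Request to Tunnel` text instead of describing the option, and `Enter the private key of the password` should read `Enter the password of the private key`. The file-name fields (`vareapconfprivatekeyfile`, `vareapconfcertificatefile`, `vareapconfcafile`, `vareapconfdhfile`, `vareapconfrandomfile`) are free-text inputs that freeradius_eapconf_resync interpolates straight into `\${certdir}/…` paths, so a `custom_php_validation_command` rejecting anything but a bare file name (no `/`, no `..`) would keep the generated eap.conf inside /usr/local/etc/raddb/certs/ as the descriptions promise. The password field ships `whatever` as its default, matching the sample bootstrap certificates, so its description should state that it must be changed together with the certificates.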
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index c00cd6b1..22f2b87e 100755..100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -42,7 +42,7 @@
/* ========================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusinterfaces</name>
@@ -67,6 +67,10 @@
<text>Settings</text>
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
</tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
</tabs>
<adddeleteeditpagefields>
<columnitem>
@@ -119,7 +123,7 @@
<field>
<fielddescr>Interface Type</fielddescr>
<fieldname>varinterfacetype</fieldname>
- <description>Enter the type of the listening interface. (Default: auth)</description>
+ <description><![CDATA[Enter the type of the listening interface. (Default: auth)]]></description>
<type>select</type>
<default_value>auth</default_value>
<options>
@@ -135,7 +139,7 @@
<field>
<fielddescr>IP Version</fielddescr>
<fieldname>varinterfaceipversion</fieldname>
- <description>Enter the IP version of the listening interface. (Default: IPv4)</description>
+ <description><![CDATA[Enter the IP version of the listening interface. (Default: IPv4)]]></description>
<type>select</type>
<default_value>ipaddr</default_value>
<options>
@@ -147,7 +151,7 @@
<field>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter any description you like for this interface.</description>
+ <description><![CDATA[Enter any description you like for this interface.]]></description>
<type>input</type>
</field>
</fields>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index e918c249..a0b08ab4 100755..100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -42,7 +42,7 @@
/* ========================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiussettings</name>
@@ -68,6 +68,10 @@
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
<active/>
</tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
</tabs>
<fields>
<field>
@@ -77,28 +81,28 @@
<field>
<fielddescr>Maximum Requests Server</fielddescr>
<fieldname>varsettingsmaxrequests</fieldname>
- <description>The maximum number of requests the server could handle at a time until "Cleanup Delay" deletes them. Useful range 256 * NAS. If it is set to low it will make the server busy. A higher value is better (but increased RAM usage) but it shouldn't be higher than 1000 * NAS. (Default: 1024)</description>
+ <description><![CDATA[The maximum number of requests the server could handle at a time until "Cleanup Delay" deletes them. Useful range 256 * NAS. If it is set to low it will make the server busy. A higher value is better (but increased RAM usage) but it shouldn't be higher than 1000 * NAS. (Default: 1024)]]></description>
<type>input</type>
<default_value>1024</default_value>
</field>
<field>
<fielddescr>Max Request Timeout</fielddescr>
<fieldname>varsettingsmaxrequesttime</fieldname>
- <description>The maximum time to handle a request in seconds. (Default: 30)</description>
+ <description><![CDATA[The maximum time to handle a request in seconds. (Default: 30)]]></description>
<type>input</type>
<default_value>30</default_value>
</field>
<field>
<fielddescr>Cleanup Delay</fielddescr>
<fieldname>varsettingscleanupdelay</fieldname>
- <description>The time to wait before cleaning up a reply which was sent to the NAS in seconds. (Default: 5)</description>
+ <description><![CDATA[The time to wait before cleaning up a reply which was sent to the NAS in seconds. (Default: 5)]]></description>
<type>input</type>
<default_value>5</default_value>
</field>
<field>
<fielddescr>NAS Hostname Lookup</fielddescr>
<fieldname>varsettingshostnamelookups</fieldname>
- <description>Log the names of NAS instead of IP addresses. Turning this on can result in lock ups of the RADIUS Server. (Default: no)</description>
+ <description><![CDATA[Log the names of NAS instead of IP addresses. Turning this on can result in lock ups of the RADIUS Server. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -109,7 +113,7 @@
<field>
<fielddescr>Allow Core Dumps</fielddescr>
<fieldname>varsettingsallowcoredumps</fieldname>
- <description>Only turn this on if you need to debug the RADIUS server! (Default: no)</description>
+ <description><![CDATA[Only turn this on if you need to debug the RADIUS server! (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -120,7 +124,7 @@
<field>
<fielddescr>Regular Expressions</fielddescr>
<fieldname>varsettingsregularexpressions</fieldname>
- <description>Allows regular expressions. (Default: yes)</description>
+ <description><![CDATA[Allows regular expressions. (Default: yes)]]></description>
<type>select</type>
<default_value>yes</default_value>
<options>
@@ -131,7 +135,7 @@
<field>
<fielddescr>Extended Expressions</fielddescr>
<fieldname>varsettingsextendedexpressions</fieldname>
- <description>Allows extended expressions. (Default: yes)</description>
+ <description><![CDATA[Allows extended expressions. (Default: yes)]]></description>
<type>select</type>
<default_value>yes</default_value>
<options>
@@ -146,7 +150,7 @@
<field>
<fielddescr>Logging Destination of RADIUS</fielddescr>
<fieldname>varsettingslogdir</fieldname>
- <description>Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log)</description>
+ <description><![CDATA[Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log)]]></description>
<type>select</type>
<default_value>files</default_value>
<options>
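Review bot: The rewritten description on the `+` line keeps the missing space before the parenthetical in `Logging must be enabled.(Default: radius.log)`; since the line is already being touched, `Logging must be enabled. (Default: radius.log)` would match the spacing used by every other description in this file. The CDATA wrapping itself is harmless for plain text like this and only becomes significant if markup is later added to the description.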
@@ -159,7 +163,7 @@
<field>
<fielddescr>RADIUS Logging</fielddescr>
<fieldname>varsettingsauth</fieldname>
- <description>Choose if you want to enable logging. (Default: Disabled)</description>
+ <description><![CDATA[Choose if you want to enable logging. (Default: Disabled)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
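Review bot: The new description still says `(Default: Disabled)` while the field's `<default_value>` two lines below is `no`, and every other select field in this file phrases the default as `(Default: no)`. Using `(Default: no)` here keeps the help text and the actual option value consistent, so an operator reading the GUI sees the same token they will select.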
@@ -170,7 +174,7 @@
<field>
<fielddescr>Log Bad Authentication Attempts</fielddescr>
<fieldname>varsettingsauthbadpass</fieldname>
- <description>Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no)</description>
+ <description><![CDATA[Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -181,7 +185,7 @@
<field>
<fielddescr>Log good authentication attempts?</fielddescr>
<fieldname>varsettingsauthgoodpass</fieldname>
- <description>Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no)</description>
+ <description><![CDATA[Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -192,7 +196,7 @@
<field>
<fielddescr>Log Stripped Names</fielddescr>
<fieldname>varsettingsstrippednames</fieldname>
- <description>Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)</description>
+ <description><![CDATA[Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -207,14 +211,14 @@
<field>
<fielddescr>Maximum Number of Attributes</fielddescr>
<fieldname>varsettingsmaxattributes</fieldname>
- <description>The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. (Default: 200)</description>
+ <description><![CDATA[The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. (Default: 200)]]></description>
<type>input</type>
<default_value>200</default_value>
</field>
<field>
<fielddescr>Access-Reject Delay</fielddescr>
<fieldname>varsettingsrejectdelay</fieldname>
- <description>When sending an Access-Reject it can be delayed for a few seconds. This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a users password. (Default: 1)(Immediately: 0)</description>
+ <description><![CDATA[When sending an Access-Reject it can be delayed for a few seconds. This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a users password. (Default: 1)(Immediately: 0)]]></description>
<type>input</type>
<default_value>1</default_value>
</field>
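Review bot: The Access-Reject Delay description on the `+` line keeps the `a users password` typo from the upstream radiusd.conf comment it appears to be copied from; `a user's password` is the intended wording. It may also help to tell the operator how this value relates to `Cleanup Delay` (default 5 in this file): as far as I recall, FreeRADIUS does not honour a reject delay longer than the cleanup delay, so a sentence such as `Should be less than the Cleanup Delay.` would save someone who raises it to throttle brute-force attempts from a silently ineffective setting; please confirm against the 2.1.12 radiusd.conf before adding it.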
@@ -225,42 +229,42 @@
<field>
<fielddescr>Number of Threads After Start</fielddescr>
<fieldname>varsettingsstartservers</fieldname>
- <description>The thread pool is a long-lived group of threads which take turns (round-robin) handling any incoming requests. (Default: 5)</description>
+ <description><![CDATA[The thread pool is a long-lived group of threads which take turns (round-robin) handling any incoming requests. (Default: 5)]]></description>
<type>input</type>
<default_value>5</default_value>
</field>
<field>
<fielddescr>Maximum Number of Threads</fielddescr>
<fieldname>varsettingsmaxservers</fieldname>
- <description>If this limit is ever reached, clients will be locked out so it should not be set to low. (Default: 32)</description>
+ <description><![CDATA[If this limit is ever reached, clients will be locked out so it should not be set to low. (Default: 32)]]></description>
<type>input</type>
<default_value>32</default_value>
</field>
<field>
<fielddescr>Min Spare Servers</fielddescr>
<fieldname>varsettingsminspareservers</fieldname>
- <description>This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle MANY requests and LESS than "Min Spare Servers" are left than the RADIUS server will INCREASE the number of running threads. (Default: 3)</description>
+ <description><![CDATA[This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle MANY requests and LESS than "Min Spare Servers" are left than the RADIUS server will INCREASE the number of running threads. (Default: 3)]]></description>
<type>input</type>
<default_value>3</default_value>
</field>
<field>
<fielddescr>Max Spare Servers</fielddescr>
<fieldname>varsettingsmaxspareservers</fieldname>
- <description>This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle FEW requests and MORE than "Max Spare Servers" are left than the RADIUS server will DECREASE the number of running threads. (Default: 10)</description>
+ <description><![CDATA[This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle FEW requests and MORE than "Max Spare Servers" are left than the RADIUS server will DECREASE the number of running threads. (Default: 10)]]></description>
<type>input</type>
<default_value>10</default_value>
</field>
<field>
<fielddescr>Server Packet Queue Size</fielddescr>
<fieldname>varsettingsmaxqueuesize</fieldname>
- <description>This is the queue size where the server stores packets before processing them. (Default: 65536)</description>
+ <description><![CDATA[This is the queue size where the server stores packets before processing them. (Default: 65536)]]></description>
<type>input</type>
<default_value>65536</default_value>
</field>
<field>
<fielddescr>Maximum Requests per Server</fielddescr>
<fieldname>varsettingsmaxrequestsperserver</fieldname>
- <description>You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)</description>
+ <description><![CDATA[You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)]]></description>
<type>input</type>
<default_value>0</default_value>
</field>