From 63aac62930cb4ab32c2f0dc5408141408db5a659 Mon Sep 17 00:00:00 2001 From: Nachtfalke Date: Thu, 12 Jan 2012 23:31:14 +0100 Subject: Update config/freeradius2/freeradius.inc --- config/freeradius2/freeradius.inc | 47 +++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 3506641f..1d59ef37 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -590,9 +590,6 @@ function freeradius_eapconf_resync() { $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; - // Choose pfsense Cert-Manager or freeradius Cert-Manager - $vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr'); - // Variables: EAP $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5'); $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60'); 
@@ -600,8 +597,17 @@ function freeradius_eapconf_resync() { $vareapconfciscoaccountingusernamebug = ($eapconf['vareapconfciscoaccountingusernamebug']?$eapconf['vareapconfciscoaccountingusernamebug']:'no'); $vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096'); - // Variables: EAP-TLS and EAP-TLS with OCSP support + // Variables: EAP-TLS $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever'); + $vareapconffragmentsize = ($eapconf['vareapconffragmentsize']?$eapconf['vareapconffragmentsize']:'1024'); + $vareapconfincludelength = ($eapconf['vareapconfincludelength']?$eapconf['vareapconfincludelength']:'yes'); + + // Variables: Cache + $vareapconfcacheenablecache = ($eapconf['vareapconfcacheenablecache']?$eapconf['vareapconfcacheenablecache']:'no'); + $vareapconfcachelifetime = ($eapconf['vareapconfcachelifetime']?$eapconf['vareapconfcachelifetime']:'24'); + $vareapconfcachemaxentries = ($eapconf['vareapconfcachemaxentries']?$eapconf['vareapconfcachemaxentries']:'255'); + + // Variables OSCP $vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no'); $vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no'); $vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/'); 
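Review bot: The new `// Variables: Cache` lines reuse the truthiness ternary, so a stored `'0'` for `vareapconfcachelifetime` or `vareapconfcachemaxentries` silently becomes `'24'`/`'255'` and a never-saved key raises an undefined-index notice; `isset($eapconf['vareapconfcachelifetime']) && $eapconf['vareapconfcachelifetime'] !== '' ? $eapconf['vareapconfcachelifetime'] : '24'` keeps an explicit zero (the same pattern runs through the whole function, but these lines are the ones the commit adds). `$vareapconfcacheenablecache` deserves a why-comment because enabling the TLS session cache lets a client resume without a full handshake for the configured lifetime, and as far as I can tell that also bypasses the OCSP check set up by the `// Variables OSCP` lines directly below, so revocation only takes effect once the cached entry expires; suggest `// NOTE: resumed sessions skip the full TLS handshake (and the OCSP check) until the cache lifetime expires -- TODO confirm against eap.conf docs`. The added heading `// Variables OSCP` should read `// Variables: OCSP` to match the other section comments. freeradius_eapconf_resync() starts before this hunk.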
@@ -610,6 +616,7 @@ function freeradius_eapconf_resync() { $vareapconfttlsdefaulteaptype = ($eapconf['vareapconfttlsdefaulteaptype']?$eapconf['vareapconfttlsdefaulteaptype']:'md5'); $vareapconfttlscopyrequesttotunnel = ($eapconf['vareapconfttlscopyrequesttotunnel']?$eapconf['vareapconfttlscopyrequesttotunnel']:'no'); $vareapconfttlsusetunneledreply = ($eapconf['vareapconfttlsusetunneledreply']?$eapconf['vareapconfttlsusetunneledreply']:'no'); + $vareapconfttlsincludelength = ($eapconf['vareapconfttlsincludelength']?$eapconf['vareapconfttlsincludelength']:'yes'); // Variables: EAP-PEAP with MSCHAPv2 $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2'); @@ -633,7 +640,7 @@ function freeradius_eapconf_resync() { // The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time. // This is for the pfsense cert manager // Depends on "freeradius_get_server_certs" and "freeradius_get_ca_certs" -if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { +if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert != false) { @@ -682,12 +689,10 @@ if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { } // This is for freeradius cert manager -if ($vareapconfchoosecertmanager == 'radiuscertmgr') { - +else { $vareapconfprivatekeyfile = 'server.pem'; $vareapconfcertificatefile = 'server.pem'; $vareapconfcafile = 'ca.pem'; - } $conf .= << Date: Thu, 12 Jan 2012 23:31:38 +0100 Subject: Update config/freeradius2/freeradiuseapconf.xml --- config/freeradius2/freeradiuseapconf.xml | 126 ++++++++++++++++++++++++++----- 1 file changed, 108 insertions(+), 18 deletions(-) diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index 309066f0..ff50dbc4 100644 --- a/config/freeradius2/freeradiuseapconf.xml 
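Review bot: The rewritten test `if ($eapconf['vareapconfchoosecertmanager'] == 'on') {` only recognises the checkbox value, so an installation that saved `pfsensecertmgr` through the previous `<select>` (the removed branch compared against exactly that string) now falls into the `else {` introduced by the next hunk and is silently switched to the FreeRADIUS-internal `server.pem`/`ca.pem` after the upgrade, which changes the server certificate and CA presented to every client. Either accept both values, `if (in_array($eapconf['vareapconfchoosecertmanager'], array('on', 'pfsensecertmgr'), true)) {`, or migrate the stored value once on upgrade, and an `isset()` guard with `===` would also avoid the undefined-index notice when the box was never saved. The XML hunk for the same field in the second commit still carries `radiuscertmgr` unchanged below the new `checkbox` type, presumably its default_value, which no longer matches any value the checkbox produces. The `if`/`else` sits inside freeradius_eapconf_resync(), whose body continues past both hunks.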
+++ b/config/freeradius2/freeradiuseapconf.xml @@ -109,12 +109,17 @@ md5 - + + + + + + - Expiration of EAP-Response/Request List + Expiration of EAP-Response / EAP-Request List vareapconftimerexpire input @@ -150,20 +155,19 @@ 4096 - EAP-TLS + CERTIFICATES FOR TLS listtopic Choose your Cert Manager vareapconfchoosecertmanager - To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager). (Default: freeRADIUS)]]> - select + To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager).

+ uncheked: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)
+ cheked: pfSense Cert-Manager (recommended)]]> + checkbox radiuscertmgr - - - - + ssl_ca_cert,ssl_server_cert
SSL CA Certificate @@ -188,11 +192,70 @@ Private Key Password vareapconfprivatekeypassword - - The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]> + password whatever + + EAP-TLS + listtopic + + + Include Length + vareapconfincludelength + + select + yes + + + + + + + Fragment Size + vareapconffragmentsize + + input + 1024 + + + + + EAP-TLS - ENABLE CACHE + listtopic + + + Enable cache + vareapconfcacheenablecache + + The cache contains the following information:

+ session Id - unique identifier, managed by SSL User-Name - from the Access-Accept Stripped-User-Name - from the Access-Request Cached-Session-Policy - from the Access-Accept

+ The "Cached-Session-Policy" is the name of a policy which should be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to re-apply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.

+ On session resumption, these attributes are copied from the cache, and placed into the reply list. You probably also want "use_tunneled_reply = yes" when using fast session resumption. (Default: Disable)]]>
+ select + no + + + + +
+ + Lifetime + vareapconfcachelifetime + + input + 24 + + + Max Entries + vareapconfcachemaxentries + + input + 255 + + + + EAP-TLS with OCSP support listtopic @@ -233,17 +296,25 @@ Default EAP Type vareapconfttlsdefaulteaptype - + select md5 + + + + + + + Copy Request to Tunnel vareapconfttlscopyrequesttotunnel - not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> + + By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> select no @@ -254,7 +325,7 @@ Use Tunneled Reply vareapconfttlsusetunneledreply - + select no @@ -263,23 +334,42 @@ - EAP-PEAP with MSCHAPv2 + Include Length + vareapconfttlsincludelength + + select + yes + + + + + + + EAP-PEAP listtopic Default EAP Type vareapconfpeapdefaulteaptype - + select mschapv2 + + + + + + + Copy Request to Tunnel vareapconfpeapcopyrequesttotunnel - not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> + + By setting this configuration entry to 'yes', any attribute which NOT in the tunneled authentication request, but which IS available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> select no @@ -290,7 +380,7 @@ Use Tunneled Reply vareapconfpeapusetunneledreply - + select no -- cgit v1.2.3 From 0ce9865385126b3d4fb81638f49e975f4e807bcb Mon Sep 17 00:00:00 2001 From: Nachtfalke Date: Thu, 12 Jan 2012 23:32:25 +0100 Subject: Update pkg_config.8.xml.amd64 --- pkg_config.8.xml.amd64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 9c2d4474..2500d1ba 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 
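Review bot: The new `Lifetime` and `Max Entries` fields in this hunk have no description, so the unit behind the default `24` is not visible to the administrator; as far as I recall FreeRADIUS' `cache { lifetime }` is in hours, so a description such as `Lifetime of a cached TLS session in hours (Default: 24)` would help, after confirming against eap.conf. The `Enable cache` description explains what is cached but not the revocation consequence: a resumed session skips the full handshake, so a certificate revoked via the OCSP section below can keep resuming until its cached entry expires, and one sentence saying so would make the trade-off explicit to whoever enables it. The `Choose your Cert Manager` description added in the earlier hunk spells `uncheked`/`cheked`.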
@@ -854,7 +854,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12 pkg v1.5.0 + 2.1.12 pkg v1.5.1 BETA 2.0 nachtfalkeaw@web.de -- cgit v1.2.3 From d5cc997c641f650e9aa8649fb64e9f378163d872 Mon Sep 17 00:00:00 2001 From: Nachtfalke Date: Thu, 12 Jan 2012 23:32:45 +0100 Subject: Update pkg_config.8.xml --- pkg_config.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.8.xml b/pkg_config.8.xml index cac12575..48d92223 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -807,7 +807,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12 pkg v1.5.0 + 2.1.12 pkg v1.5.1 BETA 2.0 nachtfalkeaw@web.de -- cgit v1.2.3