From 1f4bc1be263879aa41e32a6aa576e98f4f4a4223 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Sat, 31 Dec 2011 14:24:32 +0000 Subject: freeradius2 updates: pkg v1.4.0 --- config/freeradius2/freeradius.inc | 34 +++++++++++++++++++++++--------- config/freeradius2/freeradius.xml | 2 -- config/freeradius2/freeradiussqlconf.xml | 4 ---- config/freeradius2/freeradiussync.xml | 0 pkg_config.8.xml | 2 +- pkg_config.8.xml.amd64 | 2 +- 6 files changed, 27 insertions(+), 17 deletions(-) mode change 100755 => 100644 config/freeradius2/freeradiussync.xml diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 0b02f176..6b1cfb9d 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -82,7 +82,7 @@ function freeradius_install_command() { conf_mount_rw(); write_rcfile($rcfile); conf_mount_ro(); - start_service("freeradius"); + restart_service("freeradius"); } function freeradius_settings_resync() { @@ -297,6 +297,8 @@ EOD; file_put_contents(RADDB . '/radiusd.conf', $conf); conf_mount_ro(); + // "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius. + freeradius_serverdefault_resync(); restart_service("freeradius"); } @@ -488,7 +490,8 @@ function freeradius_eapconf_resync() { // The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time. -// This is for the pfsense cert manager +// This is for the pfsense cert manager +// Depends on "freeradius_get_server_certs" and "freeradius_get_ca_certs" if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); 
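Review bot: The comment added above `freeradius_serverdefault_resync();` in the @@ -297 hunk says freeradius_sqlconf_resync "is pointing to this function", which does not describe the control flow the rest of this patch sets up: freeradius_sqlconf_resync() now calls this function (the one that writes radiusd.conf, presumably freeradius_settings_resync), and this function rebuilds the default site and then performs the single `restart_service("freeradius")` of the chain. Suggest `// Called at the end of freeradius_sqlconf_resync(): rebuild sites-enabled/default (freeradius_serverdefault_resync no longer restarts on its own) and restart radiusd exactly once.` Since freeradius_serverdefault_resync() loses its own restart later in this patch, any caller that invokes it directly without coming through here leaves radiusd running the old default site until something else restarts it, and the comment should say so. The enclosing function starts before this hunk.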
@@ -530,7 +533,9 @@ if ($vareapconfchoosecertmanager == 'pfsensecertmgr') { $vareapconfprivatekeyfile = 'server_key.pem'; $vareapconfcertificatefile = 'server_cert.pem'; $vareapconfcafile = 'ca_cert.pem'; + // generate new DH and RANDOM file + log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs"); exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); } @@ -638,7 +643,7 @@ EOD; restart_service('freeradius'); } - +// Gets started from freeradiuseapconf.xml function freeradius_get_ca_certs() { global $config; $ca_arr = array(); @@ -650,6 +655,7 @@ function freeradius_get_ca_certs() { return $ca_arr; } +// Gets started from freeradiuseapconf.xml function freeradius_get_server_certs() { global $config; $cert_arr = array(); @@ -734,8 +740,11 @@ EOD; file_put_contents($filename, $conf); chmod($filename, 0600); conf_mount_ro(); - - restart_service('freeradius'); + + // We don't need a restart at this time because there are additional changes needed in: + // "freeradius_settings_resync" and "freeradius_serverdefault_resync". + // restart_service('freeradius'); + freeradius_settings_resync(); } function freeradius_serverdefault_resync() { @@ -1434,8 +1443,9 @@ EOD; file_put_contents($filename, $conf); chmod($filename, 0600); conf_mount_ro(); - - restart_service('freeradius'); + + // No need to restart here because the restart of the service will be done in "freeradius_settings_resync" + // restart_service('freeradius'); } function freeradius_cacertcnf_resync() { 
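Review bot: `openssl dhparam -out dh 1024` in the @@ -530 hunk generates 1024-bit DH parameters for the EAP-TLS listener, which is below the 2048-bit minimum today's guidance expects, and this branch runs on every eapconf resync while `$vareapconfchoosecertmanager == 'pfsensecertmgr'`, not only on a switch, so the new `Switched to pfSense Cert-Manager` log line is misleading and the slow dhparam run repeats each time. Suggest `exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 2048");` and rewording the log to `freeRADIUS: Using pfSense Cert-Manager. Regenerating DH and random file in /usr/local/etc/raddb/certs`. The exit status of both exec() calls is also discarded, so a failed dhparam leaves no `dh` file and EAP-TLS breaks at the next restart with nothing in the log; `exec("... openssl dhparam -out dh 2048", $out, $ret); if ($ret !== 0) log_error("freeRADIUS: openssl dhparam failed (rc=$ret)");` would surface it. The enclosing function starts before this hunk.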
@@ -1719,9 +1729,11 @@ function freeradius_allcertcnf_resync() { if ($arrcerts['varcertscreateclient'] == 'yes') { // delete all old certificates and keys + log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in /usr/local/etc/raddb/certs"); exec("rm -f /usr/local/etc/raddb/certs/client.csr"); exec("rm -f /usr/local/etc/raddb/certs/client.crt"); exec("rm -f /usr/local/etc/raddb/certs/client.key"); + exec("rm -f /usr/local/etc/raddb/certs/client.pem"); exec("rm -f /usr/local/etc/raddb/certs/client.tar"); @@ -1744,12 +1756,14 @@ function freeradius_allcertcnf_resync() { // Make all files in certs folder read/write only for root exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); + log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in /usr/local/etc/raddb/certs/client.tar"); } if ($arrcerts['varcertsdeleteall'] == 'yes') { // delete all old certificates and keys - deletes certs from pfsense cert-manager IN THIS FOLDER, too. + log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in /usr/local/etc/raddb/certs"); exec("rm -f /usr/local/etc/raddb/certs/*.pem"); exec("rm -f /usr/local/etc/raddb/certs/*.der"); exec("rm -f /usr/local/etc/raddb/certs/*.csr"); @@ -1769,10 +1783,11 @@ function freeradius_allcertcnf_resync() { freeradius_clientcertcnf_resync(); // generate new DH and RANDOM file + log_error("freeRADIUS: Creating new DH and random file in /usr/local/etc/raddb/certs"); exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); - + log_error("freeRADIUS: Creating new CA, Server and Client certs in /usr/local/etc/raddb/certs"); // make bootstrap executable and run to create certs based on .cnf files exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); exec("/usr/local/etc/raddb/certs/bootstrap"); 
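Review bot: In the delete-all branch of the @@ -1783 hunk the old CA, server and client material has already been removed by the `rm -f` calls above, yet the exit status of `exec("/usr/local/etc/raddb/certs/bootstrap")` and of the `openssl dhparam` call is discarded, so if either fails the new `Creating new CA, Server and Client certs` line is the last thing logged and radiusd is restarted against an empty certs directory. Capture the status, e.g. `exec("/usr/local/etc/raddb/certs/bootstrap", $out, $ret); if ($ret !== 0) log_error("freeRADIUS: bootstrap failed (rc=$ret), certs in /usr/local/etc/raddb/certs are incomplete");`, and consider raising the DH size from 1024 to 2048 here for the same reason as in the eapconf path. The enclosing function continues past this hunk.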
@@ -1784,7 +1799,8 @@ function freeradius_allcertcnf_resync() { // tar client-cert files exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); - + log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in /usr/local/etc/raddb/certs/client.tar"); + // If there were changes on the certificates we need to restart freeradius restart_service('freeradius'); } diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index 264df467..9ebefe47 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -317,8 +317,6 @@ freeradius_users_resync(); freeradius_eapconf_resync(); freeradius_sqlconf_resync(); - freeradius_settings_resync(); - freeradius_serverdefault_resync(); exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index b8fc829d..bce593fe 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -347,12 +347,8 @@ freeradius_sqlconf_resync(); - freeradius_serverdefault_resync(); - freeradius_settings_resync(); freeradius_sqlconf_resync(); - freeradius_serverdefault_resync(); - freeradius_settings_resync(); \ No newline at end of file diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml old mode 100755 new mode 100644 diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 530e4c48..6ee06057 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -792,7 +792,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]> http://forum.pfsense.org/index.php/topic,43675.0.html System - 2.1.12 pkg v1.3.9 + 2.1.12 pkg v1.4.0 BETA 2.0 nachtfalkeaw@web.de 
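Review bot: Dropping the direct `freeradius_settings_resync();` and `freeradius_serverdefault_resync();` calls in the freeradius.xml hunk makes regeneration of radiusd.conf and sites-enabled/default depend entirely on `freeradius_sqlconf_resync();` chaining into them (per the freeradius.inc hunks in this patch), and nothing at this call site records that dependency. Add a comment after the sqlconf call, `// freeradius_sqlconf_resync() also runs freeradius_settings_resync() and freeradius_serverdefault_resync() and performs the restart; keep it last`, so a later edit does not reorder or remove it and silently leave radiusd.conf stale. The surrounding CDATA block (presumably a custom_php_resync_command) starts before this hunk.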
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index a4e37689..436db009 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -834,7 +834,7 @@ Do not use together with freeradius package. Both are using the same XML files.]]> http://forum.pfsense.org/index.php/topic,43675.0.html System - 2.1.12 pkg v1.3.9 + 2.1.12 pkg v1.4.0 BETA 2.0 nachtfalkeaw@web.de -- cgit v1.2.3