From e7628ab33d1f07910f7f22d5f2180a7c77c18f7c Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:49:27 +0100 Subject: Update config/freeradius2/freeradiusmodulesldap.xml --- config/freeradius2/freeradiusmodulesldap.xml | 98 +++++++++++++++++++++++++++- 1 file changed, 96 insertions(+), 2 deletions(-) diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index cf7f5b33..f6619afd 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml 
@@ -106,7 +106,7 @@ varmodulesldapenableauthorize checkbox - varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval + varmodulesldapenabletlssupport,varmodulesldap2failover,varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval Enable LDAP For Authentication 
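Review bot: `varmodulesldap2failover` is added to this enablefields list, but no field of that name is defined anywhere in this patch series, and the parallel ldap2 list at @@ -370 adds only `varmodulesldap2enabletlssupport`; if the field does not exist elsewhere in the file the entry is dead, and if it does, it presumably belongs in the ldap2 list as well. I can only see the hunks, so the field may already be declared in a part of the file outside this diff.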
@@ -340,6 +340,53 @@ 80 3 + + LDAP TLS SUPPORT - SERVER 1 + listtopic + + + Enable TSL support + varmodulesldapenabletlssupport + + checkbox + ssl_ca_cert1,ssl_server_cert1,varmodulesldaprequirecert + + + SSL CA Certificate + ssl_ca_cert1 + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid + + + SSL Server Certificate + ssl_server_cert1 + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid + + + Choose certificate verification method + varmodulesldaprequirecert +
+ + never: don't even bother trying
+ allow: try but don't fail if the cerificate can't be verified
+ demand: fail if the certificate doesn't verify]]>
+ select + never + + + + + +
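Review bot: The verification-method field defaults to `never`, which means the LDAP server's certificate is not checked at all, so enabling TLS with the defaults gives confidentiality on the wire but no assurance of which server answered the bind; since this field is only enabled together with the CA selector, `demand` is the default that makes the chosen CA meaningful, or at least the help text should say so, e.g. `Only "demand" verifies the LDAP server against the CA selected above.` Two typos in the new labels: `Enable TSL support` should read `Enable TLS support`, and `cerificate` should read `certificate`. The ldap2 hunk at @@ -604 repeats all three points.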
@@ -370,7 +417,7 @@ varmodulesldap2enableauthorize checkbox - varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval + varmodulesldap2enabletlssupport,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval Enable LDAP For Authentication @@ -604,6 +651,53 @@ 80 3 + + LDAP TLS SUPPORT - SERVER 2 + listtopic + + + Enable TSL support + varmodulesldap2enabletlssupport + + checkbox + ssl_ca_cert2,ssl_server_cert2,varmodulesldap2requirecert + + + SSL CA Certificate + ssl_ca_cert2 + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid + + + SSL Server Certificate + ssl_server_cert2 + + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]> + select_source + + descr + refid + + + Choose certificate verification method + varmodulesldap2requirecert +
+ + never: don't even bother trying
+ allow: try but don't fail if the cerificate can't be verified
+ demand: fail if the certificate doesn't verify]]>
+ select + never + + + + + +
freeradius_modulesldap_resync(); -- cgit v1.2.3 From 6ae1644e35eb566034d121225eee91c678e3e047 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:49:44 +0100 Subject: Update config/freeradius2/freeradiusinterfaces.xml --- config/freeradius2/freeradiusinterfaces.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index fd51f800..5ec634f1 100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -125,7 +125,7 @@ Interface IP Address varinterfaceip - + * then it means all interfaces. (Default: *)]]> input * @@ -135,9 +135,9 @@ varinterfaceport You could use this as an example:
- auth = 1812
- acct = 1813
- proxy = 1814
+ Authentication = 1812
+ Accounting = 1813
+ Status = 1816
IMPORTANT: For every interface type listening on the same IP address you need different ports.]]>
input 1812 @@ -150,8 +150,8 @@ select auth - - + + -- cgit v1.2.3 From 2db96c95ffa476a0eda89c61532a0c46bb38b97d Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:50:00 +0100 Subject: Update config/freeradius2/freeradiusauthorizedmacs.xml --- config/freeradius2/freeradiusauthorizedmacs.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml index 7abd26f5..57ef6f6f 100644 --- a/config/freeradius2/freeradiusauthorizedmacs.xml +++ b/config/freeradius2/freeradiusauthorizedmacs.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - freeradius.xml + freeradiusauthorizedmacs.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2011 - 2012 Alexander Wilke All rights reserved. @@ -212,7 +212,7 @@ Number of simultaneous connections varmacssimultaneousconnect - + input -- cgit v1.2.3 From 4875b1ae79b3bdc9e04d4037ea831671651bdc89 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:50:17 +0100 Subject: Update config/freeradius2/freeradius.xml --- config/freeradius2/freeradius.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index 4cee8c98..a055a945 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -219,7 +219,7 @@ Number of simultaneous connections varuserssimultaneousconnect - + input -- cgit v1.2.3 From 86dc4f500c2911cd4276c11a8b59fbb34a8ae988 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:52:04 +0100 Subject: Update config/freeradius2/freeradius.inc --- config/freeradius2/freeradius.inc | 127 ++++++++++++++++++++++++++++++++------ 1 file changed, 109 insertions(+), 18 deletions(-) diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 7ef5f749..11aa4b3b 100644 
--- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -71,7 +71,7 @@ function freeradius_install_command() { exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); exec("touch /var/log/radutmp && touch /var/log/radwtmp"); exec("chown -R root:wheel /var/log"); - + // creating a backup file of the original policy.conf no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { @@ -432,7 +432,7 @@ if (is_array($arrusers) && !empty($arrusers)) { $varuserscheckitemsadditionaloptions = explode("|", ($users['varuserscheckitemsadditionaloptions'])); $varusersadditionaloptionscheckitems .= ''; foreach ($varuserscheckitemsadditionaloptions as $checkitemtmp) { - $varusersadditionaloptionscheckitems .= $checkitemtmp; + $varusersadditionaloptionscheckitems .= "$checkitemtmp" . " "; } } @@ -585,7 +585,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) { $varmacscheckitemsadditionaloptions = explode("|", ($macs['varmacscheckitemsadditionaloptions'])); $varmacsadditionaloptionscheckitems .= ''; foreach ($varmacscheckitemsadditionaloptions as $checkitemtmp) { - $varmacsadditionaloptionscheckitems .= $checkitemtmp; + $varmacsadditionaloptionscheckitems .= "$checkitemtmp" . " "; } } 
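Review bot: In @@ -432 (and identically in @@ -585) the interpolation `"$checkitemtmp" . " "` is redundant — `$varusersadditionaloptionscheckitems .= $checkitemtmp . " ";` reads the same and avoids an extra string copy — and the loop leaves a trailing space after the last item. If the separator matters for the generated users entry, `implode(" ", $varuserscheckitemsadditionaloptions)` expresses the intent directly without the trailing blank; whether that blank is harmless depends on the consumer of the string, which is outside the hunk. Both loops sit in a block that starts and ends outside these hunks.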
@@ -2857,9 +2857,100 @@ function freeradius_modulesldap_resync() { $varmodulesldap2timelimit = ($arrmodulesldap['varmodulesldap2timelimit']?$arrmodulesldap['varmodulesldap2timelimit']:'3'); $varmodulesldap2nettimeout = ($arrmodulesldap['varmodulesldap2nettimeout']?$arrmodulesldap['varmodulesldap2nettimeout']:'1'); - // Variables for TLS / Certificates - will be added later + // Variables for TLS / Certificates - ldap1 + $varmodulesldaprequirecert = ($arrmodulesldap['varmodulesldaprequirecert']?$arrmodulesldap['varmodulesldaprequirecert']:'never'); + +// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap1 module +if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') { + + $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]); + if ($ca_cert != false) { + if(base64_decode($ca_cert['prv'])) { + file_put_contents(RADDB . "/certs/ca_ldap1_key.pem", + base64_decode($ca_cert['prv'])); + $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap1_key.pem'; + } + if(base64_decode($ca_cert['crt'])) { + file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem", + base64_decode($ca_cert['crt'])); + $conf['ssl_ca_cert1'] = RADDB . "/certs/ca_ldap1_cert.pem"; + } + + + $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['prv'])) { + file_put_contents(RADDB . "/certs/radius_ldap1_cert.key", + base64_decode($svr_cert['prv'])); + $conf['ssl_key'] = RADDB . '/certs/radius_ldap1_cert.key'; + } + } + + + if(base64_decode($svr_cert['crt'])) { + file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt", + base64_decode($svr_cert['crt'])); + $conf['ssl_server_cert1'] = RADDB . "/certs/radius_ldap1_cert.crt"; + } + + + $conf['ssl_cert_dir'] = RADDB . 
'/certs'; + } + $varmodulesldapstarttls = "yes"; +} +else { + $varmodulesldapstarttls = "no"; +} + + // Variables for TLS / Certificates - ldap2 + $varmodulesldap2requirecert = ($arrmodulesldap['varmodulesldap2requirecert']?$arrmodulesldap['varmodulesldap2requirecert']:'never'); + +// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap2 module +if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') { + + $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]); + if ($ca_cert != false) { + if(base64_decode($ca_cert['prv'])) { + file_put_contents(RADDB . "/certs/ca_ldap2_key.pem", + base64_decode($ca_cert['prv'])); + $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap2_key.pem'; + } + + + if(base64_decode($ca_cert['crt'])) { + file_put_contents(RADDB . "/certs/ca_ldap2_cert.pem", + base64_decode($ca_cert['crt'])); + $conf['ssl_ca_cert2'] = RADDB . "/certs/ca_ldap2_cert.pem"; + } + + + $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['prv'])) { + file_put_contents(RADDB . "/certs/radius_ldap2_cert.key", + base64_decode($svr_cert['prv'])); + $conf['ssl_key'] = RADDB . '/certs/radius_ldap2_cert.key'; + } + } + + + if(base64_decode($svr_cert['crt'])) { + file_put_contents(RADDB . "/certs/radius_ldap2_cert.crt", + base64_decode($svr_cert['crt'])); + $conf['ssl_server_cert2'] = RADDB . "/certs/radius_ldap2_cert.crt"; + } + + + $conf['ssl_cert_dir'] = RADDB . '/certs'; + } + $varmodulesldap2starttls = "yes"; +} +else { + $varmodulesldap2starttls = "no"; +} + // Miscellaneous Configuration + MS Active Directory Compatibility ldap1 $varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable'); if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') { 
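Review bot: The CA private key is decoded and written to `RADDB/certs/ca_ldap1_key.pem` (and `ca_ldap2_key.pem` in the second block), but nothing consumes it: the generated `ldap {}` stanzas at @@ -3054 and @@ -3213 reference only the CA certificate, the client certificate and the client key, so this just leaves a CA signing key on the RADIUS host's filesystem. The server-certificate handling is also oddly nested: `lookup_cert()` is only attempted inside `if ($ca_cert != false)`, the `crt` write sits outside the `if ($svr_cert != false)` guard, and the private key is written by `file_put_contents()` with whatever the process umask gives and no `chmod`. I would restructure both blocks as below (ldap2 is identical with the `2` suffix), writing only the CA certificate, guarding both `crt` and `prv` on a successful lookup, and restricting the key file to 0600; the `$conf[...]` entries appear unused by anything in this series, so they can probably go too. freeradius_modulesldap_resync() begins and ends outside this hunk.
```php
// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap1 module
if ($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') {
    // Only the CA *certificate* is needed to verify the LDAP server;
    // the CA private key is never written to disk on this host.
    $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]);
    if ($ca_cert != false && base64_decode($ca_cert['crt'])) {
        file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem",
            base64_decode($ca_cert['crt']));
    }

    // Client certificate/key do not depend on the CA lookup succeeding.
    $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]);
    if ($svr_cert != false) {
        if (base64_decode($svr_cert['crt'])) {
            file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt",
                base64_decode($svr_cert['crt']));
        }
        if (base64_decode($svr_cert['prv'])) {
            $keyfile = RADDB . "/certs/radius_ldap1_cert.key";
            file_put_contents($keyfile, base64_decode($svr_cert['prv']));
            chmod($keyfile, 0600);   // private key must not be world-readable
        }
    }
    $varmodulesldapstarttls = "yes";
} else {
    $varmodulesldapstarttls = "no";
}
// … unchanged: same structure for ldap2 with the "2" suffix …
```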
@@ -3054,13 +3145,13 @@ ldap { # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections - start_tls = no + start_tls = $varmodulesldapstarttls - # cacertfile = /path/to/cacert.pem - # cacertdir = /path/to/ca/dir/ - # certfile = /path/to/radius.crt - # keyfile = /path/to/radius.key - # randfile = /path/to/rnd + cacertfile = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem + cacertdir = /usr/local/etc/raddb/certs/ + certfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt + keyfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.key + randfile = /usr/local/etc/raddb/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) @@ -3069,7 +3160,7 @@ ldap { # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" - # require_cert = "demand" + require_cert = "$varmodulesldaprequirecert" } $varmodulesldapdefaultprofile @@ -3213,13 +3304,13 @@ ldap ldap2{ # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections - start_tls = no + start_tls = $varmodulesldap2starttls - # cacertfile = /path/to/cacert.pem - # cacertdir = /path/to/ca/dir/ - # certfile = /path/to/radius.crt - # keyfile = /path/to/radius.key - # randfile = /path/to/rnd + cacertfile = /usr/local/etc/raddb/certs/ca_ldap2_cert.pem + cacertdir = /usr/local/etc/raddb/certs/ + certfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.crt + keyfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.key + randfile = /usr/local/etc/raddb/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) @@ -3228,7 +3319,7 @@ ldap ldap2{ # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" - # require_cert = "demand" + require_cert = "$varmodulesldap2requirecert" } $varmodulesldap2defaultprofile -- cgit v1.2.3 
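Review bot: The certificate paths are hard-coded as `/usr/local/etc/raddb/certs/...` while the code that writes those files (@@ -2857) builds them from the `RADDB` constant, so the two can silently diverge; assigning `$raddb = RADDB;` before the template and writing `cacertfile = $raddb/certs/ca_ldap1_cert.pem` keeps them in one place. These lines are now emitted unconditionally, so a user who never enabled TLS gets `cacertfile`/`certfile`/`keyfile` pointing at files that were never written, and `randfile = .../certs/random` names a file nothing in this series creates — worth confirming that rlm_ldap 2.1.12 tolerates that when `start_tls = no`, or else emit the block only when `$varmodulesldapstarttls` is `yes`. `require_cert` is now always set from the GUI value, whose default is `never`, so the retained comment `# The default is "allow"` above it is misleading and, more importantly, StartTLS without verification gives no protection against an impersonated LDAP server; with a CA configured, `demand` is the value that actually uses it. `cacertdir` can likely be dropped, since `cacertfile` already names the CA and an OpenSSL cacertdir only works with hash-named entries. The same applies to the ldap2 hunks at @@ -3213 and @@ -3228.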
From 903081a76f1709cfdc95b7a04537d40dcf932a8b Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:52:39 +0100 Subject: Update pkg_config.8.xml.amd64 --- pkg_config.8.xml.amd64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index fc9b034b..06515d61 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -853,7 +853,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12 pkg v1.5.5 + 2.1.12 pkg v1.5.6 BETA 2.0 nachtfalkeaw@web.de -- cgit v1.2.3 From f25ba12e5b03b97f656751fb38b830ba76720f70 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Tue, 24 Jan 2012 21:53:00 +0100 Subject: Update pkg_config.8.xml --- pkg_config.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 84dc990b..1f2f6e7b 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -807,7 +807,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12 pkg v1.5.5 + 2.1.12 pkg v1.5.6 BETA 2.0 nachtfalkeaw@web.de -- cgit v1.2.3