From 458b2787beb9bed358d1a9d72edcb8412d72f243 Mon Sep 17 00:00:00 2001 From: Nacht Falke Date: Sun, 18 Dec 2011 23:52:25 +0000 Subject: Added additional .XML to configure eap.conf --- config/freeradius2/freeradius.inc | 133 +++++++++++++ config/freeradius2/freeradius.xml | 41 ++-- config/freeradius2/freeradiusclients.xml | 22 ++- config/freeradius2/freeradiuseapconf.xml | 290 ++++++++++++++++++++++++++++ config/freeradius2/freeradiusinterfaces.xml | 12 +- config/freeradius2/freeradiussettings.xml | 46 +++-- 6 files changed, 493 insertions(+), 51 deletions(-) mode change 100755 => 100644 config/freeradius2/freeradius.xml mode change 100755 => 100644 config/freeradius2/freeradiusclients.xml create mode 100644 config/freeradius2/freeradiuseapconf.xml mode change 100755 => 100644 config/freeradius2/freeradiusinterfaces.xml mode change 100755 => 100644 config/freeradius2/freeradiussettings.xml diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 518544c9..38625494 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -27,6 +27,9 @@ function freeradius_install_command() { } } + exec("chown -R root:wheel /usr/local/etc/raddb"); + exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); + closedir($handle); $rcfile = array(); 
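Review bot: The two `exec("chown -R root:wheel ...")` calls added to freeradius_install_command() (moved here from the install command in freeradius.xml, whose last hunk drops them) discard the exit status and only change ownership, leaving file modes untouched. /usr/local/etc/raddb holds clients.conf with the NAS shared secrets and, after this commit, the eap.conf that freeradius_eapconf_resync() writes with the private-key password, so ownership by root:wheel alone does not stop those files from being world-readable if the shipped modes are permissive. Once it is confirmed which user radiusd runs as, consider pairing the chown with a mode restriction such as `exec("chmod -R o-rwx /usr/local/etc/raddb");`, and capture the result with `exec($cmd, $out, $rc)` so a failed chown is logged rather than ignored. The rest of freeradius_install_command() lies outside the hunk.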
@@ -322,4 +325,134 @@ EOD; conf_mount_ro(); restart_service("freeradius"); } + + + +function freeradius_eapconf_resync() { + global $config; + $conf = ''; + + $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; + + // Variables: EAP + $vareapconfdefaulteaptype = $eapconf['vareapconfdefaulteaptype']; + $vareapconftimerexpire = $eapconf['vareapconftimerexpire']; + $vareapconfignoreunknowneaptypes = $eapconf['vareapconfignoreunknowneaptypes']; + $vareapconfciscoaccountingusernamebug = $eapconf['vareapconfciscoaccountingusernamebug']; + $vareapconfmaxsessions = $eapconf['vareapconfmaxsessions']; + + // Variables: EAP-TLS and EAP-TLS with OCSP support + $vareapconfprivatekeypassword = $eapconf['vareapconfprivatekeypassword']; + $vareapconfprivatekeyfile = $eapconf['vareapconfprivatekeyfile']; + $vareapconfcertificatefile = $eapconf['vareapconfcertificatefile']; + $vareapconfcafile = $eapconf['vareapconfcafile']; + $vareapconfdhfile = $eapconf['vareapconfdhfile']; + $vareapconfrandomfile = $eapconf['vareapconfrandomfile']; + $vareapconfocspenable = $eapconf['vareapconfocspenable']; + $vareapconfocspoverridecerturl = $eapconf['vareapconfocspoverridecerturl']; + $vareapconfocspurl = $eapconf['vareapconfocspurl']; + + // Variables: EAP-TTLS + $vareapconfttlsdefaulteaptype = $eapconf['vareapconfttlsdefaulteaptype']; + $vareapconfttlscopyrequesttotunnel = $eapconf['vareapconfttlscopyrequesttotunnel']; + $vareapconfttlsusetunneledreply = $eapconf['vareapconfttlsusetunneledreply']; + + // Variables: EAP-PEAP with MSCHAPv2 + $vareapconfpeapdefaulteaptype = $eapconf['vareapconfpeapdefaulteaptype']; + $vareapconfpeapcopyrequesttotunnel = $eapconf['vareapconfpeapcopyrequesttotunnel']; + $vareapconfpeapusetunneledreply = $eapconf['vareapconfpeapusetunneledreply']; + + + $conf .= << \ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml old mode 100755 new mode 100644 index 929dea53..b70b2713 
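Review bot: `$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];` is read without an isset() check, and this commit also makes freeradius.xml call freeradius_eapconf_resync() at install time, before the admin has ever saved the EAP page; in that case `$eapconf` is null, every `$vareapconf…` variable is null, and the generated eap.conf contains empty `= ` settings that FreeRADIUS will reject at start-up. The function should seed the values with the defaults declared in freeradiuseapconf.xml and only override them from the saved config, so a fresh install produces a valid file; it is also worth casting the numeric options (`vareapconftimerexpire`, `vareapconfmaxsessions`) with `(int)` before they are interpolated, since the heredoc writes every value into the config file verbatim. The heredoc body and the end of the function are not visible in the hunk as rendered here.
```php
function freeradius_eapconf_resync() {
	global $config;
	$conf = '';

	// Until the EAP page is saved once there is no config entry; fall back to the
	// defaults declared in freeradiuseapconf.xml so eap.conf never gets empty values.
	$eapconf = array();
	if (isset($config['installedpackages']['freeradiuseapconf']['config'][0])) {
		$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
	}
	$eapconf = array_merge(array(
		'vareapconfdefaulteaptype' => 'md5',
		'vareapconftimerexpire' => '60',
		// ... remaining defaults, one per field in freeradiuseapconf.xml ...
	), $eapconf);

	// ... unchanged: per-option variables and the eap.conf heredoc ...
```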
--- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -3,7 +3,7 @@ - +]]> + - Describe your package here + Describe your package requirements here Currently there are no FAQ items provided. freeradius @@ -59,7 +60,7 @@ FreeRADIUS radiusd.sh radiusd - The FreeRADIUS daemon. + @@ -80,6 +81,10 @@ Settings /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + EAP + /pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + @@ -130,6 +135,11 @@ 0755 http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml + /usr/local/pkg/ 0755 @@ -148,21 +158,21 @@ Username username - Enter the username. + input Password password - Enter the password for this username. + password Number of simultaneous connections multiconnect - The maximum of simultaneous connections with this username. + input @@ -200,8 +210,7 @@ This setting can be used for a NAS that supports the following RADIUS parameters:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
- Tunnel-Private-Group-ID = "THIS IS YOUR INPUT"]]> - + Tunnel-Private-Group-ID = "THIS IS YOUR INPUT"]]> input @@ -211,13 +220,13 @@ Expiration Time expiration - Enter the date when this account should expire. Format is: Mmm dd yyyy (e.g. Jan 01 2012). + input Session Time sessiontime - Enter the time this user has until relogin in seconds. + input @@ -227,7 +236,6 @@ Every time string contains a day (Mo,Tu,We,Th,Fr,Sa,Su) or all weekdays which is from monday till friday (Wk).

Wk0855-2305,Sa,Su2230-0230

This means weekdays after 8:55 AM and before 11:05 PM | any time on saturday | sunday after 10:30 PM and before 02:30 AM.]]> - input
@@ -237,7 +245,7 @@ Description description - Enter any description for this user you like. + input @@ -246,8 +254,7 @@ You may append (after all options from above) custom RADIUS options to this user account (separated by commas).
IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
- Verify your changes by checking users file (/usr/local/etc/raddb/users).]]> -
+ Verify your changes by checking users file (/usr/local/etc/raddb/users).]]> textarea 10 75 @@ -264,9 +271,9 @@ freeradius_settings_resync(); freeradius_clients_resync(); freeradius_users_resync(); - exec("chown -R root:wheel /usr/local/etc/raddb"); - exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); + freeradius_eapconf_resync(); exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); + exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); freeradius_deinstall_command(); diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml old mode 100755 new mode 100644 index 2b5d9d0c..62c37f3d --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -42,7 +42,7 @@ /* ========================================================================== */ ]]> - Describe your package here + Describe your package requirements here Currently there are no FAQ items provided. freeradiusclients @@ -67,6 +67,10 @@ Settings /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + EAP + /pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + @@ -110,7 +114,7 @@ Client IP Address varclientip - Enter the IP address of the client. This is in general the IP of the NAS (switch,accesspoint). + input @@ -128,14 +132,14 @@ Client Shortname varclientshortname - Enter shortname of the client. This is in general the IP of the NAS (switch,accesspoint). + input Client Shared Secret varclientsharedsecret - Enter the shared secret of the client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server. + password @@ -146,7 +150,7 @@ Client Protocol varclientproto - Enter the protocol the client uses. (Default: udp) + select udp @@ -157,7 +161,7 @@ Client Type varclientnastype - Enter the NAS type of the client. This is used by checkrad.pl for simultaneous use checks. (Default: other) + select other 
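Review bot: Adding `exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel");` to the install command in the same commit that introduces EAP-TTLS and EAP-PEAP settings looks contradictory: in a stock FreeRADIUS 2.x eap.conf the ttls and peap sections hand the tunnelled inner authentication to `virtual_server = inner-tunnel`, so unless the eap.conf generated by freeradius_eapconf_resync() (whose heredoc is not visible in this patch) omits that line, tunnelled methods will fail when the server starts. Either keep the inner-tunnel site or state the reason next to the removal, e.g. `<!-- inner-tunnel site removed: generated eap.conf performs inner auth in the default server -->`, so the next maintainer does not restore it by accident. The same install command now calls freeradius_eapconf_resync() before the EAP page has ever been saved, so that function must tolerate a missing config entry.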
@@ -178,7 +182,7 @@ Require Message Authenticator varrequiremessageauthenticator - RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or accesspoints) do not include that. (Default: no) + select no @@ -189,14 +193,14 @@ Max Connections varclientmaxconnections - Takes only effect if you use TCP as protocol. This is the mirror of "Max Requests Server" from "Settings" tab. (Default 16) + input 16 Description description - Enter any description you like for this client. + input diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml new file mode 100644 index 00000000..cff17c09 --- /dev/null +++ b/config/freeradius2/freeradiuseapconf.xml 
@@ -0,0 +1,290 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + + Describe your package requirements here + Currently there are no FAQ items provided. 
+ freeradiuseapconf + none + FreeRADIUS: Settings + pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + /usr/local/pkg/freeradius.inc + + + Users + /pkg.php?xml=freeradius.xml + + + NAS / Clients + /pkg.php?xml=freeradiusclients.xml + + + Interfaces + /pkg.php?xml=freeradiusinterfaces.xml + + + Settings + /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + + EAP + /pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + + + + + + EAP + listtopic + + + Default EAP Type + vareapconfdefaulteaptype + + select + md5 + + + + + + + + Expiration of EAP-Response/Request List + vareapconftimerexpire + + input + 60 + + + Ignore Unknown EAP Types + vareapconfignoreunknowneaptypes + must be configured to proxy the request to a further RADIUS server. (Default: no)]]> + select + no + + + + + + + CISCO Accounting Username Bug + vareapconfciscoaccountingusernamebug + + select + no + + + + + + + Maximum Sessions Tracking per Server + vareapconfmaxsessions + + input + 4096 + + + EAP-TLS and EAP-TLS with OCSP support + listtopic + + + Private Key Password + vareapconfprivatekeypassword + + password + whatever + + + Private Key File + vareapconfprivatekeyfile + must in /usr/local/etc/raddb/certs/ (Default: server.pem)]]> + input + server.pem + + + Private Key File + vareapconfprivatekeyfile + must be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]> + input + server.pem + + + Server Certificate File + vareapconfcertificatefile + must be in /usr/local/etc/raddb/certs/ (Default: server.pem)]]> + input + server.pem + + + CA File + vareapconfcafile + must be in /usr/local/etc/raddb/certs/ (Default: ca.pem)]]> + input + ca.pem + + + DH File + vareapconfdhfile + must be in /usr/local/etc/raddb/certs/ (Default: dh)]]> + input + dh + + + Random File + vareapconfrandomfile + must be in /usr/local/etc/raddb/certs/ (Default: random)]]> + input + random + + + Enable OCSP + vareapconfocspenable + + select + no + + + + + + + Override OCSP Responder URL + vareapconfocspoverridecerturl + + select + no + + + + + + 
+ OCSP Responder + vareapconfocspurl + must be enabled for this to work. (Default: http://127.0.0.1/ocsp/)]]> + input + http://127.0.0.1/ocsp/ + + + EAP-TTLS + listtopic + + + Default EAP Type + vareapconfttlsdefaulteaptype + + select + md5 + + + + + + Copy Request to Tunnel + vareapconfttlscopyrequesttotunnel + not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> + select + no + + + + + + + Use Tunneled Reply + vareapconfttlsusetunneledreply + + select + no + + + + + + + EAP-PEAP with MSCHAPv2 + listtopic + + + Default EAP Type + vareapconfpeapdefaulteaptype + + select + mschapv2 + + + + + + Copy Request to Tunnel + vareapconfpeapcopyrequesttotunnel + not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request. (Default: no)]]> + select + no + + + + + + + Use Tunneled Reply + vareapconfpeapusetunneledreply + + select + no + + + + + + + + freeradius_eapconf_resync(); + + + freeradius_eapconf_resync(); + + \ No newline at end of file diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml old mode 100755 new mode 100644 index c00cd6b1..22f2b87e --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -42,7 +42,7 @@ /* ========================================================================== */ ]]> - Describe your package here + Describe your package requirements here Currently there are no FAQ items provided. freeradiusinterfaces @@ -67,6 +67,10 @@ Settings /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + EAP + /pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + @@ -119,7 +123,7 @@ Interface Type varinterfacetype - Enter the type of the listening interface. (Default: auth) + select auth @@ -135,7 +139,7 @@ IP Version varinterfaceipversion - Enter the IP version of the listening interface. (Default: IPv4) + select ipaddr 
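Review bot: The field `vareapconfprivatekeyfile` is declared twice in this new file (two consecutive `Private Key File` entries, the first carrying the description typo `must in`); the duplicate should be removed so the form holds one Private Key File input and the first description reads `must be in /usr/local/etc/raddb/certs/`. The page title `FreeRADIUS: Settings` appears copied from freeradiussettings.xml and should read `FreeRADIUS: EAP` to match the menu entry added in the other files. The `Private Key Password` default `whatever` only matches the bundled FreeRADIUS test certificates and is written into eap.conf by freeradius_eapconf_resync(), so its description should tell the administrator to replace it together with the key file when installing a real server certificate.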
@@ -147,7 +151,7 @@ Description description - Enter any description you like for this interface. + input diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml old mode 100755 new mode 100644 index e918c249..a0b08ab4 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -42,7 +42,7 @@ /* ========================================================================== */ ]]> - Describe your package here + Describe your package requirements here Currently there are no FAQ items provided. freeradiussettings @@ -68,6 +68,10 @@ /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + EAP + /pkg_edit.php?xml=freeradiuseapconf.xml&id=0 + @@ -77,28 +81,28 @@ Maximum Requests Server varsettingsmaxrequests - The maximum number of requests the server could handle at a time until "Cleanup Delay" deletes them. Useful range 256 * NAS. If it is set to low it will make the server busy. A higher value is better (but increased RAM usage) but it shouldn't be higher than 1000 * NAS. (Default: 1024) + input 1024 Max Request Timeout varsettingsmaxrequesttime - The maximum time to handle a request in seconds. (Default: 30) + input 30 Cleanup Delay varsettingscleanupdelay - The time to wait before cleaning up a reply which was sent to the NAS in seconds. (Default: 5) + input 5 NAS Hostname Lookup varsettingshostnamelookups - Log the names of NAS instead of IP addresses. Turning this on can result in lock ups of the RADIUS Server. (Default: no) + select no @@ -109,7 +113,7 @@ Allow Core Dumps varsettingsallowcoredumps - Only turn this on if you need to debug the RADIUS server! (Default: no) + select no @@ -120,7 +124,7 @@ Regular Expressions varsettingsregularexpressions - Allows regular expressions. (Default: yes) + select yes @@ -131,7 +135,7 @@ Extended Expressions varsettingsextendedexpressions - Allows extended expressions. (Default: yes) + select yes 
@@ -146,7 +150,7 @@ Logging Destination of RADIUS varsettingslogdir - Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log) + select files @@ -159,7 +163,7 @@ RADIUS Logging varsettingsauth - Choose if you want to enable logging. (Default: Disabled) + select no @@ -170,7 +174,7 @@ Log Bad Authentication Attempts varsettingsauthbadpass - Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no) + select no @@ -181,7 +185,7 @@ Log good authentication attempts? varsettingsauthgoodpass - Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no) + select no @@ -192,7 +196,7 @@ Log Stripped Names varsettingsstrippednames - Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no) + select no @@ -207,14 +211,14 @@ Maximum Number of Attributes varsettingsmaxattributes - The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. (Default: 200) + input 200 Access-Reject Delay varsettingsrejectdelay - When sending an Access-Reject it can be delayed for a few seconds. This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a users password. (Default: 1)(Immediately: 0) + input 1 
@@ -225,42 +229,42 @@ Number of Threads After Start varsettingsstartservers - The thread pool is a long-lived group of threads which take turns (round-robin) handling any incoming requests. (Default: 5) + input 5 Maximum Number of Threads varsettingsmaxservers - If this limit is ever reached, clients will be locked out so it should not be set to low. (Default: 32) + input 32 Min Spare Servers varsettingsminspareservers - This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle MANY requests and LESS than "Min Spare Servers" are left than the RADIUS server will INCREASE the number of running threads. (Default: 3) + input 3 Max Spare Servers varsettingsmaxspareservers - This dynamically adjusts the "Number of Threads After Start". If the RADIUS server has to handle FEW requests and MORE than "Max Spare Servers" are left than the RADIUS server will DECREASE the number of running threads. (Default: 10) + input 10 Server Packet Queue Size varsettingsmaxqueuesize - This is the queue size where the server stores packets before processing them. (Default: 65536) + input 65536 Maximum Requests per Server varsettingsmaxrequestsperserver - You should only change this if you encounter memory leaks while running RADIUS. (Default: 0) + input 0 -- cgit v1.2.3