From 488d874ebaf97add9c432916ef828741ce6766ef Mon Sep 17 00:00:00 2001 From: Chris Buechler Date: Sun, 13 Apr 2008 22:59:43 +0000 Subject: changes from Dimitri Rodis --- packages/freeradius.inc | 70 ++++++++++++++++++++++----------------- packages/freeradius.xml | 72 +++++++++++++++++++++++++++++++---------- packages/freeradiussettings.xml | 54 ++++++++++++++++++++++++++++++- 3 files changed, 148 insertions(+), 48 deletions(-) diff --git a/packages/freeradius.inc b/packages/freeradius.inc index 3b173edf..53a1d695 100644 --- a/packages/freeradius.inc +++ b/packages/freeradius.inc @@ -41,6 +41,9 @@ function freeradius_settings_resync() { $iface = convert_friendly_interface_to_real_interface_name($iface); $iface_ip = find_interface_ip($iface); $port = ($settings['port'] != '' ? $settings['port'] : 0); + $radiuslogging = $settings['radiuslogging']; + $radiuslogbadpass = $settings['radiuslogbadpass']; + $radiusloggoodpass = $settings['radiusloggoodpass']; // FreeRADIUS's configuration is huge // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here). @@ -71,9 +74,9 @@ allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no -log_auth = no -log_auth_badpass = no -log_auth_goodpass = no +log_auth = $radiuslogging +log_auth_badpass = $radiuslogbadpass +log_auth_goodpass = $radiusloggoodpass usercollide = no lower_user = no lower_pass = no 
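Review bot: The three new `$radiuslog*` values are copied out of `$settings` and written into radiusd.conf with no normalisation, so on an install where the new settings page has never been saved (or where the stored value is anything other than a literal `yes`/`no`) the second hunk emits `log_auth = ` with an empty or arbitrary right-hand side, and radiusd may refuse to parse its configuration. Follow the `$port` fallback on the line just above and coerce at the assignment, e.g. `$radiuslogging = ($settings['radiuslogging'] == 'yes' ? 'yes' : 'no');`, with the same pattern for `$radiuslogbadpass` and `$radiusloggoodpass`. Whether an empty `log_auth` value is fatal or merely ignored depends on the FreeRADIUS version the package ships, which this diff does not show. Both hunks sit inside freeradius_settings_resync(), whose body continues beyond them.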
@@ -442,33 +445,40 @@ function freeradius_users_resync() { $password = $user['password']; $multiconnet = $user['multiconnet']; $ip = $user['ip']; - $x=$user['expiration']; - $sessiontime=$user['sessiontime']; - $onlinetime=$user['onlinetime']; - $atrib=''; - $head="$username User-Password == ".'"'.$password.'" '; - if ($multiconnect <> '') - { - $head .=", Simultaneous-Use += $multiconnet"; - } - if ($x <> '') - { - $head .=", Expiration := ".'"'.$x.'"'; - } - if ($ip <> '') - { - $atrib .="\r\n\tFramed-IP-Address = $ip,"; - } - if ($sessiontime <> '') - { - $atrib .="\r\n\tSession-Timeout := $sessiontime,"; - } - if ($onlinetime <> '') - { - $head .=", Login-Time := ". '"' . $onlinetime .'"'; - } - - $conf .= << '') { + $head .=", Simultaneous-Use += $multiconnet"; + } + if ($x <> '') { + $head .=", Expiration := ".'"'.$userexpiration.'"'; + } + if ($onlinetime <> '') { + $head .=", Login-Time := ". '"' . $onlinetime .'"'; + } + if ($ip <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tFramed-IP-Address = $ip"; + } + if ($sessiontime <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tSession-Timeout := $sessiontime"; + } + if ($vlanid <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\""; + } + if ($additionaloptions <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\t$additionaloptions"; + } + + $conf .= <<Username username - - IP address - ip - - + + Description + description + + + IP address + ip + + Multiple Connection multiconnet @@ -100,10 +104,14 @@ sessiontime - Online time - onlinetime - - + Online time + onlinetime + + + VLAN ID + vlanid + + /usr/local/pkg/ 077 
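Review bot: In the rewritten Expiration branch the condition tests `$x` while the value emitted is `$userexpiration`; since this hunk removes the old `$x=$user['expiration'];` assignment, unless one of the declaration lines lost from this extract still sets `$x`, the condition is always false and no `Expiration :=` attribute is ever written — it should read `if ($userexpiration <> '') {`. The same hunk interpolates `$vlanid` inside double quotes and appends `$additionaloptions` verbatim after a single tab, so a value containing `"` or a line break can terminate the entry early or corrupt the whole users file (the package's own help text admits radiusd then fails to start); strip CR/LF and reject embedded quotes before building `$atrib`, e.g. `$additionaloptions = str_replace(array("\r", "\n"), ' ', $additionaloptions);`. freeradius_users_resync() begins before this hunk and the heredoc that closes it is cut off in this extract, so the surrounding declarations could not be checked.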
@@ -136,7 +144,7 @@ ip - Ip address + IP address If you want this user to be assigned a specific IP address from radius, enter the IP address here. Continuous IP address is available with "+" suffix(example:192.168.1.5+. It may help for assigning the different IP address to multiple simultaneous connections). IMPORTANT, you MUST ener an IP address here if you checked @@ -187,15 +195,45 @@ Here are a few sample time strings with an explanation of what they mean. This means any day. Since no time is specified, it means any time on any day. - input - - - description - Description - You may enter a description here for your reference (not parsed). input - + + description + Description + You may enter a description here for your reference (not parsed). + input + + + vlanid + VLAN ID +
+ + This setting can be used for switches/wireless access points that support the following radius parameters:
+ Tunnel-Type = VLAN
+ Tunnel-Medium-Type = IEEE-802
+ Tunnel-Private-Group-ID = "insert vlan identifier here"

+ + This was implemented and tested with HP Procurve Switches (3500yl, and 2626). HP Procurve switches support using either the VLAN ID or the VLAN name, while other switches will only work using the VLAN ID. + ]]> +
+ input +
+ + additionaloptions + Additional RADIUS Options + + + You may append extra custom RADIUS options to this user account (separated by commas).
+ IMPORTANT: If you don't format this field correctly, FreeRADIUS may not properly start because the users file will contain a syntax error. + ]]> +
+ textarea + 10 + 75 +
+ freeradius_users_resync(); diff --git a/packages/freeradiussettings.xml b/packages/freeradiussettings.xml index 8e3cf812..0eb9d9d4 100644 --- a/packages/freeradiussettings.xml +++ b/packages/freeradiussettings.xml @@ -78,8 +78,60 @@ port Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1892. input + 1892 - + + Radius Logging + radiuslogging + Enable radius logging to /var/log/radius.log? + select + no + + + + + + + Log bad authentication attempts? + radiuslogbadpass + Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work. + select + no + + + + + + + Log good authentication attempts? + radiusloggoodpass + Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work. + select + no + + + + + + freeradius_settings_resync(); -- cgit v1.2.3
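Review bot: The help text for `additionaloptions` says the options are comma-separated, but the field is a 10-row textarea and the generator in freeradius.inc appends the raw value after one tab; an admin who types one attribute per line, as the textarea invites, produces continuation lines without the leading whitespace and trailing comma the users file format appears to require, which is precisely the syntax error the IMPORTANT note warns about. State this in the description, e.g. `Enter all options on a single line separated by commas (e.g. Framed-MTU = 1500, Idle-Timeout = 600); line breaks are copied into the users file exactly as typed.` The VLAN field description should likewise note that the value is written verbatim inside the quotes of Tunnel-Private-Group-ID and must not itself contain double quotes.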
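Review bot: The new `<default_value>` pre-fills the listen port with 1892, which is not a RADIUS port: authentication conventionally listens on 1812 (legacy 1645), and the existing code path for a blank field passes 0 through to radiusd.conf, which in FreeRADIUS means "use the system default". Unless 1892 is deliberate, either drop the default so the field stays blank, or correct both it and the description to `1812`; otherwise a NAS pointed at the standard port will never reach a freshly configured server. The descriptions of `radiuslogbadpass`/`radiusloggoodpass` are also misleading: in FreeRADIUS these options control whether the submitted password itself is written to the log alongside the request, so the good-password option should say something like `Log the password of successful authentications to radius.log (stores user passwords in cleartext; leave disabled unless debugging).`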