From a2eb7a655ac850e38d874c080a3557e4db37c625 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 14 Nov 2015 18:32:48 +0100 Subject: Add privileges configuration to freeradius2 package, fix file permissions, cleanups --- config/freeradius2/freeradius.xml | 345 ++++++++++++++++++++++++-------------- 1 file changed, 217 insertions(+), 128 deletions(-) diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index eab6b09a..eeea1605 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -1,26 +1,24 @@ - - + + - + Copyright (C) 2015 ESF, LLC All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper . - All rights reserved. - */ -/* ========================================================================== */ +*/ +/* ====================================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. @@ -28,6 +26,7 @@ notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
@@ -38,14 +37,12 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ -]]> - - Describe your package requirements here - Currently there are no FAQ items provided. +*/ +/* ====================================================================================== */ + ]]> + freeradius - 1.6.17 + 1.6.18 FreeRADIUS: Users /usr/local/pkg/freeradius.inc @@ -58,9 +55,8 @@ radiusd radiusd.sh radiusd - + FreeRADIUS Server - Users @@ -110,57 +106,50 @@ /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradius.inc + + /etc/inc/priv/ + https://packages.pfsense.org/packages/config/freeradius2/freeradius.priv.inc + /usr/local/www/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradius_view_config.php - + /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiusclients.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiussettings.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiussync.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml /usr/local/pkg/ - 0755 https://packages.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml 
@@ -228,54 +217,81 @@ Username varusersusername - + + + input Password varuserspassword - + + + password - Password encryption - varuserspasswordencryption - + Password Encryption + varuserspasswordencryption + + + select Cleartext-Password - - - - + + + + Enable One-Time-Password for this user varusersmotpenable -
- IMPORTANT: You need to enabled mOTP first in FreeRADIUS => Settings (Default: unchecked)]]>
+ +
+ IMPORTANT: You need to enabled mOTP first in FreeRADIUS => Settings (Default: unchecked) + ]]> +
checkbox varusersmotpinitsecret,varusersmotppin,varusersmotpoffset
Init-Secret varusersmotpinitsecret - + + + password PIN varusersmotppin - + + + password Time Offset varusersmotpoffset -
- - 1. Write down the first 9 digits of the Epoch-Time on the client.
- 2. Check with date +%s the Epoch-Time on your FreeRADIUS server and write down the first 9 digits.
- 3. Subtract both values, multiply the result with 10 and enter the value in this field. Example: 30 or -180 (Default: 0)]]>
+ +
+ 1. Write down the first 9 digits of the Epoch-Time on the client.
+ 2. Check with date +%s the Epoch-Time on your FreeRADIUS server and write down the first 9 digits.
+ 3. Subtract both values, multiply the result with 10 and enter the value in this field. Example: 30 or -180 (Default: 0) + ]]> +
input 0
@@ -284,21 +300,34 @@ listtopic - Number of simultaneous connections + Number of Simultaneous Connections varuserssimultaneousconnect - + + + input Redirection URL - varuserswisprredirectionurl - + varuserswisprredirectionurl + + + input Description - description - + description + + + input @@ -308,80 +337,107 @@ IP Address varusersframedipaddress - Framed-IP-Address must be supported by NAS.

- If you want this user to be assigned a specific IP address from radius, enter the IP address here.
- Continuous IP address is available with "+" suffix (e.g. 192.168.1.5+). Could be useful for simultaneous connections.

- IMPORTANT: You must enter an IP address here if you checked "RADIUS issued IP" on VPN PPTP or VPN PPPoE configuration.]]>
+ + Framed-IP-Address must be supported by NAS.

+ If you want this user to be assigned a specific IP address from radius, enter the IP address here.
+ Continuous IP address is available with "+" suffix (e.g. 192.168.1.5+). Could be useful for simultaneous connections.

+ IMPORTANT: You must enter an IP address here if you checked "RADIUS issued IP" on VPN PPTP or VPN PPPoE configuration. + ]]> +
input
Subnet Mask - varusersframedipnetmask - Framed-IP-Netmask must be supported by NAS. (e.g. 255.255.255.0)]]> + varusersframedipnetmask + + Framed-IP-Netmask must be supported by NAS. (e.g. 255.255.255.0) + ]]> + input Gateway - varusersframedroute + varusersframedroute Framed-Route must be supported by NAS. Format is: Subnet Gateway Metric (e.g. 192.168.10.0 192.168.10.1 1).]]> input VLAN ID - varusersvlanid - - Must be supported by the NAS.
- This setting can be used for a NAS that supports the following RADIUS parameters:

- - Tunnel-Type = VLAN
- Tunnel-Medium-Type = IEEE-802
- Tunnel-Private-Group-ID = "THIS IS YOUR INPUT"]]>
+ varusersvlanid + + + Must be supported by the NAS.
+ This setting can be used for a NAS that supports the following RADIUS parameters:

+ Tunnel-Type = VLAN
+ Tunnel-Medium-Type = IEEE-802
+ Tunnel-Private-Group-ID = "THIS IS YOUR INPUT" + ]]> +
input -
+
Time Configuration listtopic Expiration Date - varusersexpiration - + varusersexpiration + + + input Session Timeout - varuserssessiontimeout + varuserssessiontimeout input Possible Login Times - varuserslogintime - - Every time string contains a day (Mo,Tu,We,Th,Fr,Sa,Su) or all weekdays which is from monday till friday (Wk).
- All weekdays plus weekend which means all days from monday till sunday is (Al).

- Wk0855-2305,Sa,Su2230-0230

- This means weekdays after 8:55 AM and before 11:05 PM | any time on saturday | sunday after 10:30 PM and before 02:30 AM.]]>
+ varuserslogintime + + + Every time string contains a day (Mo,Tu,We,Th,Fr,Sa,Su) or all weekdays which is from monday till friday (Wk).
+ All weekdays plus weekend which means all days from monday till sunday is (Al).

+ Wk0855-2305,Sa,Su2230-0230

+ This means weekdays after 8:55 AM and before 11:05 PM | any time on saturday | sunday after 10:30 PM and before 02:30 AM. + ]]> +
input
Amount of Time - varusersamountoftime - + varusersamountoftime + + + input Time Period - varuserspointoftime - + varuserspointoftime + + + select daily - - - - - - + + + + + + Traffic and Bandwidth @@ -389,39 +445,60 @@ Amount of Download and Upload Traffic - varusersmaxtotaloctets - MegaByte (MB). There is a bug in CP (pfSense v2.0.x) which counts the real traffic many times faster and incorrect.]]> + varusersmaxtotaloctets + + MegaByte (MB). There is a bug in CP (pfSense v2.0.x) which counts the real traffic many times faster and incorrect. + ]]> + input Time Period - varusersmaxtotaloctetstimerange - + varusersmaxtotaloctetstimerange + + + You need to setup a cronjob (with cron package) which will reset the counter. Read the documentation! + ]]> + select daily - - - - - - + + + + + + Maximum Bandwidth Down - varusersmaxbandwidthdown - KiloBits per second.]]> + varusersmaxbandwidthdown + + KiloBits per second. + ]]> + input Maximum Bandwidth Up - varusersmaxbandwidthup - KiloBits per second.]]> + varusersmaxbandwidthup + + KiloBits per second. + ]]> + input Accounting Interim Interval - varusersacctinteriminterval - + varusersacctinteriminterval + + + input @@ -430,39 +507,51 @@ Additional RADIUS Attributes on the TOP of this entry - varuserstopadditionaloptions - - You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
- To put a command in a new line use a vertical bar (|).

- Example: DEFAULT Auth-Type = System

- IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
- Verify your changes by checking users file (View config -> users).]]>
+ varuserstopadditionaloptions + + + You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
+ To put a command in a new line use a vertical bar (|).

+ Example: DEFAULT Auth-Type = System

+ IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
+ Verify your changes by checking users file (View config -> users). + ]]> +
textarea 4 75
Additional RADIUS Attributes (CHECK-ITEM). - varuserscheckitemsadditionaloptions - - You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
- To put a command in a new line use a vertical bar (|).

- Example: Max-Daily-Session := 36000

- IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
- Verify your changes by checking users file (View config -> users).]]>
+ varuserscheckitemsadditionaloptions + + + You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
+ To put a command in a new line use a vertical bar (|).

+ Example: Max-Daily-Session := 36000

+ IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
+ Verify your changes by checking users file (View config -> users). + ]]> +
textarea 4 75
Additional RADIUS Attributes (REPLY-ITEM). - varusersreplyitemsadditionaloptions - - You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
- To put a command in a new line use a vertical bar (|).

- Example: Service-Type == Login-User,|Login-Service == Telnet,|Login-IP-Host == 192.168.1.2

- IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
- Verify your changes by checking users file (View config -> users).]]>
+ varusersreplyitemsadditionaloptions + + + You may append custom RADIUS options to this user account. If the syntax needs it, you have to set quotes and commas.
+ To put a command in a new line use a vertical bar (|).

+ Example: Service-Type == Login-User,|Login-Service == Telnet,|Login-IP-Host == 192.168.1.2

+ IMPORTANT: If you don't format this field correctly freeRADIUS will not start because of syntax errors.
+ Verify your changes by checking users file (View config -> users). + ]]> +
textarea 4 75 -- cgit v1.2.3
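Review bot: the first hunk (@@ -1,26 +1,24) drops the "Based on m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2006 Manuel Kasper" attribution while keeping the BSD clause "Redistributions of source code must retain the above copyright notice" in the same header; before removing it, confirm that nothing in freeradius.xml still derives from m0n0wall, otherwise the line has to stay. The remaining changes in that hunk are comment-rule width and whitespace only.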
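Review bot: in the hunk under @@ -110,57 +106,50, every additional file loses its explicit 0755 mode (the .inc, the .xml files and freeradius_view_config.php under /usr/local/www/) and /etc/inc/priv/freeradius.priv.inc is added without one; that fits the "fix file permissions" part of the subject, since none of these files need the execute bit, but the hunk shows neither what mode the installer applies when none is given nor what freeradius.priv.inc defines. Include the new priv file (privilege name and the pages it covers) in the same change, or reference the commit that adds it, so the permission change and the privilege definition can be reviewed together.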
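Review bot: in the hunk under @@ -228,54 +217,81, switching Password, Init-Secret and PIN to the password field type so the mOTP secret and PIN are no longer echoed back in the form is the right fix; while touching those fields, the carried-over help text "IMPORTANT: You need to enabled mOTP first in FreeRADIUS => Settings" should read "need to enable", and the Password Encryption select, which defaults to Cleartext-Password, deserves one sentence in its help text saying that this choice writes the credential as-is into the users file so the operator knows what the default means.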
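Review bot: in the hunk under @@ -308,80 +337,107, the Gateway (varusersframedroute) description is the only one left in the old single-line "...(e.g. 192.168.10.0 192.168.10.1 1).]]>" form while the Subnet Mask, VLAN ID and time-configuration descriptions around it were reflowed into the new multi-line form; reflow it the same way for consistency.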
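Review bot: the traffic hunk under @@ -389,39 +445,60 carries over "There is a bug in CP (pfSense v2.0.x) which counts the real traffic many times faster and incorrect", a caveat pinned to one release line; since this package is being revised now, either confirm it still applies and name the versions, or drop it. The Time Period help text ("You need to setup a cronjob (with cron package) which will reset the counter") is the part that matters for enforcement, because without that job the Amount of Download and Upload Traffic limit is never reset; consider moving that sentence next to the limit field itself rather than the period selector.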
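Review bot: the last hunk (@@ -430,39 +507,51) keeps three free-form textareas whose help text says the content is appended to the users file verbatim and that a syntax error stops freeRADIUS from starting, and nothing in the hunk validates them. Because this commit adds a privilege for the package, whoever holds it can enter a DEFAULT entry like the "DEFAULT Auth-Type = System" example and change how every user authenticates; the privilege description should state that it amounts to full control of the RADIUS configuration, and the textarea help should recommend a configuration check (radiusd -C) before the service is restarted rather than only "Verify your changes by checking users file".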