From e0a8a416de9e2ba4500f9342af47364205a8ff15 Mon Sep 17 00:00:00 2001
From: Alexander Wilke <nachtfalkeaw@web.de>
Date: Sat, 7 Jan 2012 13:04:35 +0100
Subject: freeradius2 updates pkg v.1.4.5

---
 config/freeradius2/freeradius.inc               | 458 ++++++++++++++++++++++--
 config/freeradius2/freeradius.xml               |   4 +
 config/freeradius2/freeradius_view_config.php   |   4 +
 config/freeradius2/freeradiusauthorizedmacs.xml | 201 +++++++++++
 config/freeradius2/freeradiuscerts.xml          |   4 +
 config/freeradius2/freeradiusclients.xml        |   4 +
 config/freeradius2/freeradiuseapconf.xml        |   4 +
 config/freeradius2/freeradiusinterfaces.xml     |   4 +
 config/freeradius2/freeradiusmodulesldap.xml    |   4 +
 config/freeradius2/freeradiussettings.xml       |  17 +-
 config/freeradius2/freeradiussqlconf.xml        |   4 +
 config/freeradius2/freeradiussync.xml           |   6 +-
 12 files changed, 686 insertions(+), 28 deletions(-)
 mode change 100755 => 100644 config/freeradius2/freeradius.inc
 create mode 100644 config/freeradius2/freeradiusauthorizedmacs.xml

(limited to 'config/freeradius2')

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
old mode 100755
new mode 100644
index 6c64a615..98ac837f
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -70,10 +70,22 @@ function freeradius_install_command() {
 		}
 	}
 	
+	closedir($handle);
+	
 	exec("chown -R root:wheel /usr/local/etc/raddb");
 	exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
 	
-	closedir($handle);
+	// creating a backup file of the original policy.conf no matter if user checked this or not
+	if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) {
+		log_error("FreeRADIUS: Creating backup of the original file to {$filepolicyconfbackup}");
+		copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup");
+	}
+	
+	// creating a backup file of the original /modules/files no matter if user checked this or not
+	if (!file_exists("/usr/local/etc/raddb/files.backup")) {
+		log_error("FreeRADIUS: Creating backup of the original file to {$filemodulesfilesbackup}");
+		copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup");
+	}
 
 	$rcfile = array();
 	$rcfile['file'] = 'radiusd.sh';
@@ -82,7 +94,7 @@ function freeradius_install_command() {
         conf_mount_rw();
 	write_rcfile($rcfile);
         conf_mount_ro();
-	start_service("radiusd");
+	restart_service("radiusd");
 }
 
 function freeradius_settings_resync() {
@@ -123,7 +135,6 @@ function freeradius_settings_resync() {
 	$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
 	$varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable');
 		
-	
 	// Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf
 	if ($sqlconf['varsqlconfincludeenable'] == 'Enable') {
 		$varsqlconfinclude = '$INCLUDE sql.conf';
@@ -301,6 +312,7 @@ EOD;
 	conf_mount_ro();
 	
 	// "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
+	freeradius_plainmacauth_resync();
 	freeradius_serverdefault_resync();
 	freeradius_modulescounter_resync();
 	freeradius_modulesmschap_resync();
@@ -435,6 +447,39 @@ EOD;
 	restart_service('freeradius');
 }
 
+
+function freeradius_authorizedmacs_resync() {
+global $config;
+
+$conf = '';
+
+$arrmacs = $config['installedpackages']['freeradiusauthorizedmacs']['config'];
+
+if (is_array($arrmacs) && !empty($arrmacs)) {
+	foreach ($arrmacs as $macs) {
+	
+	// Variables for macs file defined parameters
+	$varmacaddress = $macs['varmacaddress'];
+	$varmacaddress = "\n$varmacaddress";
+	
+	$conf .= <<<EOD
+$varmacaddress
+EOD;
+	} //end foreach
+} // end if
+
+	$filename = RADDB . '/authorized_macs';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+	
+	freeradius_sync_on_changes();
+	restart_service('freeradius');
+}
+
+
+
 function freeradius_clients_resync() {
 	global $config;
 
@@ -852,6 +897,48 @@ function freeradius_serverdefault_resync() {
 	$varsqlconfpostauth = '#sql';
 	}
 	
+	// Changing authorize section for plain mac auth
+	// Variables: If not using 802.1x, mac address must be known
+	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
+	
+	// If unchecked we need the normal EAP section.
+	If (!$varsettings['varsettingsenablemacauth']) {
+		$varplainmacauthenable = '';
+		$varplainmacauthenable .= "eap {";
+		$varplainmacauthenable .= "\n\tok = return";
+		$varplainmacauthenable .= "\n\t}";
+		
+		$varplainmacpreacctenable = '';
+		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####';
+	}
+	// If checked we need to check if it is plain mac or eap
+	else {
+		$varplainmacauthenable = '';
+		$varplainmacauthenable .= "# if cleaning up the Calling-Station-Id...";
+		$varplainmacauthenable .= "\n\trewrite_calling_station_id";
+		$varplainmacauthenable .= "\n\t# If this is NOT 802.1x, assume mac-auth";
+		$varplainmacauthenable .= "\n\tif (!EAP-Message) {";
+		$varplainmacauthenable .= "\n\t\t# now check against the authorized_macs file";
+		$varplainmacauthenable .= "\n\t\tauthorized_macs";
+		$varplainmacauthenable .= "\n\t\tif (!ok) {";
+		$varplainmacauthenable .= "\n\t\t\treject";
+		$varplainmacauthenable .= "\n\t\t}";
+		$varplainmacauthenable .= "\n\t\telse {";
+		$varplainmacauthenable .= "\n\t\t\t# accept";
+		$varplainmacauthenable .= "\n\t\t\tupdate control {";
+		$varplainmacauthenable .= "\n\t\t\t\tAuth-Type := Accept";
+		$varplainmacauthenable .= "\n\t\t\t}";
+		$varplainmacauthenable .= "\n\t\t}";
+		$varplainmacauthenable .= "\n\t}";
+		$varplainmacauthenable .= "\n\telse {";
+		$varplainmacauthenable .= "\n\t\t# normal FreeRadius virtual server config goes here e.g.";
+		$varplainmacauthenable .= "\n\t\teap";
+		$varplainmacauthenable .= "\n\t}";
+		
+		$varplainmacpreacctenable = '';
+		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH #####';
+		$varplainmacpreacctenable .= "\n\trewrite_calling_station_id";
+	}
 	
 	$conf .= <<<EOD
 
@@ -943,7 +1030,28 @@ authorize {
 	#  It takes care of processing the 'raddb/hints' and the
 	#  'raddb/huntgroups' files.
 	preprocess
-
+	
+	#
+	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+	#  authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  As of 2.0, the EAP module returns "ok" in the authorize stage
+	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
+	#  this change is compatible with older configurations.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	
+	$varplainmacauthenable
+	
+		
 	#
 	#  If you want to have a log of authentication requests,
 	#  un-comment the following line, and the 'detail auth_log'
@@ -993,27 +1101,6 @@ authorize {
 	suffix
 	ntdomain
 
-	#
-	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
-	#  authentication.
-	#
-	#  It also sets the EAP-Type attribute in the request
-	#  attribute list to the EAP type from the packet.
-	#
-	#  As of 2.0, the EAP module returns "ok" in the authorize stage
-	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
-	#  this change is compatible with older configurations.
-	#
-	#  The example below uses module failover to avoid querying all
-	#  of the following modules if the EAP module returns "ok".
-	#  Therefore, your LDAP and/or SQL servers will not be queried
-	#  for the many packets that go back and forth to set up TTLS
-	#  or PEAP.  The load on those servers will therefore be reduced.
-	#
-	eap {
-		ok = return
-	}
-
 	#
 	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
 	#  using the system API's to get the password.  If you want
@@ -1190,7 +1277,9 @@ authenticate {
 #
 preacct {
 	preprocess
-
+	
+	$varplainmacpreacctenable
+	
 	#
 	#  Session start times are *implied* in RADIUS.
 	#  The NAS never sends a "start time".  Instead, it sends
@@ -2000,6 +2089,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password) {
 function freeradius_all_after_XMLRPC_resync() {
 	
 	freeradius_users_resync();
+	freeradius_sync_on_changes();
 	freeradius_clients_resync();
 	
 	log_error("freeRADIUS has finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
@@ -2560,4 +2650,320 @@ EOD;
 	
 }
 
+function freeradius_plainmacauth_resync() {
+	global $config;
+	$conf = '';
+	
+	// Variables: If not using 802.1x, mac address must be known
+	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
+	
+	// defining variables with filename path
+	$filepolicyconf = '/usr/local/etc/raddb/policy.conf';
+	$filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup';
+	$filemodulesfiles = '/usr/local/etc/raddb/modules/files';
+	$filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup';
+	
+	// If unchecked then plain mac auth is disabled and backups of the original files will be restored
+	if (!$varsettings['varsettingsenablemacauth']) {
+		log_error("FreeRADIUS: Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}");
+		copy($filepolicyconfbackup, $filepolicyconf);
+		copy($filemodulesfilesbackup, $filemodulesfiles);
+	}
+	// If checked then plain mac auth is enabled
+	else {
+		freeradius_modulesfiles_resync();
+		freeradius_policyconf_resync();
+	}
+}
+
+function freeradius_modulesfiles_resync() {
+	global $config;
+	$conf = '';
+
+	$conf .= <<<EOD
+# -*- text -*-
+#
+#  \$Id\$
+
+# Livingston-style 'users' file
+#
+files {
+	# The default key attribute to use for matches.  The content
+	# of this attribute is used to match the "name" of the
+	# entry.
+	#key = "%{Stripped-User-Name:-%{User-Name}}"
+
+	usersfile = \${confdir}/users
+	acctusersfile = \${confdir}/acct_users
+	preproxy_usersfile = \${confdir}/preproxy_users
+
+	#  If you want to use the old Cistron 'users' file
+	#  with FreeRADIUS, you should change the next line
+	#  to 'compat = cistron'.  You can the copy your 'users'
+	#  file from Cistron.
+	compat = no
+}
+
+#  An example which defines a second instance of the "files" module.
+#  This instance is named "second_files".  In order for it to be used
+#  in a virtual server, it needs to be listed as "second_files"
+#  inside of the "authorize" section (or other section).  If you just
+#  list "files", that will refer to the configuration defined above.
+#
+
+#  The two names here mean:
+#	"files" - this is a configuration for the "rlm_files" module
+#	"second_files" - this is a named configuration, which isn't
+#			the default configuration.
+files authorized_macs {
+        # The default key attribute to use for matches.  The content
+        # of this attribute is used to match the "name" of the
+        # entry.
+        key = "%{Calling-Station-ID}"
+
+        usersfile = \${confdir}/authorized_macs
+
+        #  If you want to use the old Cistron 'users' file
+        #  with FreeRADIUS, you should change the next line
+        #  to 'compat = cistron'.  You can the copy your 'users'
+        #  file from Cistron.
+        compat = no
+}
+EOD;
+
+	$filename = RADDB . '/modules/files';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+
+}
+
+function freeradius_policyconf_resync() {
+	global $config;
+	$conf = '';
+
+	$conf .= <<<EOD
+# -*- text -*-
+##
+## policy.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	\$Id\$
+##
+
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantate" section of radiusd.conf.
+#
+#  Defining a policy here means that it can be referenced in multiple
+#  places as a *name*, rather than as a series of conditions to match,
+#  and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively.  They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+policy {
+	#
+	#	Forbid all EAP types.
+	#
+	forbid_eap {
+		if (EAP-Message) {
+			reject
+		}
+	}
+
+	#
+	#	Forbid all non-EAP types outside of an EAP tunnel.
+	#
+	permit_only_eap {
+		if (!EAP-Message) {
+			#  We MAY be inside of a TTLS tunnel.
+			#  PEAP and EAP-FAST require EAP inside of
+			#  the tunnel, so this check is OK.
+			#  If so, then there MUST be an outer EAP message.
+			if (!"%{outer.request:EAP-Message}") {
+				reject
+			}
+		}
+	}
+
+	#
+	#	Forbid all attempts to login via realms.
+	#
+	deny_realms {
+		if (User-Name =~ /@|\\\\/) {
+			reject
+		}
+	}
+
+	#
+	#	If you want the server to pretend that it is dead,
+	#	then use the "do_not_respond" policy.
+	#
+	do_not_respond {
+		update control {
+			Response-Packet-Type := Do-Not-Respond
+		}
+
+		handled
+	}
+
+	#
+	#  Force some sanity on User-Name.  This helps to avoid issues
+	#  issues where the back-end database is "forgiving" about
+	#  what constitutes a user name.
+	#
+	filter_username {
+		# spaces at the start: reject
+		if (User-Name =~ /^ /) {
+			reject
+		}
+
+		# spaces at the end: reject
+		if (User-Name =~ / \$\$/) {
+			reject
+		}
+
+		# Mixed case: reject
+		if (User-Name != "%{tolower:%{User-Name}}") {
+			reject
+		}
+	}
+
+
+	#	
+	#  The following policies are for the Chargeable-User-Identity
+	#  (CUI) configuration.
+	#
+
+	#
+	#  The client indicates it can do CUI by sending a CUI attribute	
+	#  containing one zero byte
+	#
+	cui_authorize {
+		update request {
+			Chargeable-User-Identity:='\\\\000'
+		}
+	}
+
+	#
+	#  Add a CUI attribute based on the User-Name, and a secret key
+	#  known only to this server.
+	#
+	cui_postauth {
+		if (FreeRadius-Proxied-To == 127.0.0.1) {
+			if (outer.request:Chargeable-User-Identity) {
+				update outer.reply {
+					Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
+				}
+			}
+		}
+		else {
+			if (Chargeable-User-Identity) {
+				update reply {
+					Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
+				}
+			}
+		}
+	}
+
+	#
+	#  If there is a CUI attribute in the reply, add it to the DB.
+	#
+	cui_updatedb {
+		if (reply:Chargeable-User-Identity) {
+			cui
+		}
+	}
+
+	#
+	#  If we had stored a CUI for the User, add it to the request.
+	#
+	cui_accounting {
+		#
+		#  If the CUI isn't in the packet, see if we can find it
+		#  in the DB.
+		#
+		if (!Chargeable-User-Identity) {
+			update control {
+				Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+			}
+		}
+
+		#
+		#  If it exists now, then write out when we last saw
+		#  this CUI.
+		#
+		if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+			cui
+		}
+	}
+
+	#
+	#  Normalize the MAC Addresses in the Calling/Called-Station-Id
+	#
+	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
+
+	#  Add "rewrite.called_station_id" in the "authorize" and "preacct"
+	#  sections.
+	rewrite.called_station_id {
+		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?\$/i) {
+			update request {
+				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+			}
+
+			# SSID component?
+			if ("%{8}") {
+				update request {
+					Called-Station-Id := "%{Called-Station-Id}:%{8}"
+				}
+			}
+			updated
+		}
+		else {
+			noop
+		}
+	}
+
+	#  Add "rewrite.calling_station_id" in the "authorize" and "preacct"
+	#  sections.
+	rewrite.calling_station_id {
+		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}\$/i) {
+			update request {
+				Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+			}
+			updated
+		}
+		else {
+			noop
+		}
+	}
+	
+	#####  MODIFIED FOR http://wiki.freeradius.org/Mac-Auth#Mac-Auth+or+802.1x #####
+	#  Add "rewrite_calling_station_id" in the "authorize" and "preacct"
+	#  sections.
+	rewrite_calling_station_id {
+        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
+                update request {
+                        Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+                }
+        }
+        else {
+                noop
+		}
+	}
+}
+	
+EOD;
+
+	$filename = RADDB . '/policy.conf';
+	conf_mount_rw();
+	file_put_contents($filename, $conf);
+	chmod($filename, 0600);
+	conf_mount_ro();
+
+}
+
 ?>
\ No newline at end of file
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index f2cd3dcf..313495f2 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -67,6 +67,10 @@
 			<url>/pkg.php?xml=freeradius.xml</url>
 			<active/>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index 218a9abb..6bda5f3e 100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -37,6 +37,7 @@ function get_file($file){
 	$files['sql']="/usr/local/etc/raddb/sql.conf";
 	$files['clients']="/usr/local/etc/raddb/clients.conf";
 	$files['users']="/usr/local/etc/raddb/users";
+	$files['macs']="/usr/local/etc/raddb/authorized_macs";
 	$files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default";
 	$files['ca']="/usr/local/etc/raddb/certs/ca.cnf";
 	$files['server']="/usr/local/etc/raddb/certs/server.cnf";
@@ -81,6 +82,7 @@ else{
 	<?php
 		$tab_array = array();
 		$tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=freeradius.xml");
+		$tab_array[] = array(gettext("MACs"), false, "/pkg.php?xml=freeradiusauthorizedmacs.xml");
 		$tab_array[] = array(gettext("NAS / Clients"), false, "/pkg.php?xml=freeradiusclients.xml");
 		$tab_array[] = array(gettext("Interfaces"), false, "/pkg.php?xml=freeradiusinterfaces.xml");
 		$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0");
@@ -109,6 +111,7 @@ else{
 							<input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf">&nbsp;
 							<input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf">&nbsp;
 							<input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users">&nbsp;
+							<input type="button" onClick="get_freeradius_file('macs');" id='btn_macs' value="macs">&nbsp;
 							<input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default">&nbsp;
 							<input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf">&nbsp;
 							<input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf">&nbsp;
@@ -150,6 +153,7 @@ else{
 			$('btn_sql').value="sql.conf";
 			$('btn_clients').value="clients.conf";
 			$('btn_users').value="users";
+			$('btn_macs').value="macs";
 			$('btn_virtual').value="virtual-server-default";
 			$('btn_ca').value="ca.cnf";
 			$('btn_server').value="server.cnf";
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
new file mode 100644
index 00000000..021f8772
--- /dev/null
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+	<copyright>
+<![CDATA[	
+/* $Id$ */
+/* ========================================================================== */
+/*
+	freeradius.xml
+	part of pfSense (http://www.pfSense.com)
+	Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+	All rights reserved.
+
+	Based on m0n0wall (http://m0n0.ch/wall)
+	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+	All rights reserved.
+									      */
+/* ========================================================================== */
+/*
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+									      */
+/* ========================================================================== */
+]]>	</copyright>
+	<description><![CDATA[Describe your package here]]></description>
+	<requirements>Describe your package requirements here</requirements>
+	<faq>Currently there are no FAQ items provided.</faq>
+	<name>freeradiusauthorizedmacs</name>
+	<version>2.1.12</version>
+	<title>FreeRADIUS: MACs</title>
+	<include_file>/usr/local/pkg/freeradius.inc</include_file>
+	<menu>
+		<name>FreeRADIUS</name>
+		<tooltiptext>Modify FreeRADIUS macs, clients, and settings.</tooltiptext>
+		<section>Services</section>
+		<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+	</menu>
+	<service>
+		<name>radiusd</name>
+		<rcfile>radiusd.sh</rcfile>
+		<executable>radiusd</executable>
+		<description><![CDATA[FreeRADIUS Server]]></description>
+	</service>
+
+	<tabs>
+		<tab>
+			<text>Users</text>
+			<url>/pkg.php?xml=freeradius.xml</url>
+		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+			<active/>
+		</tab>
+		<tab>
+			<text>NAS / Clients</text>
+			<url>/pkg.php?xml=freeradiusclients.xml</url>
+		</tab>
+		<tab>
+			<text>Interfaces</text>
+			<url>/pkg.php?xml=freeradiusinterfaces.xml</url>
+		</tab>
+		<tab>
+			<text>Settings</text>
+			<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>EAP</text>
+			<url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>SQL</text>
+			<url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>Certificates</text>
+			<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>LDAP</text>
+			<url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+		</tab>
+		<tab>
+			<text>View config</text>
+			<url>/freeradius_view_config.php</url>
+		</tab>
+		<tab>
+			<text>XMLRPC Sync</text>
+			<url>/pkg_edit.php?xml=freeradiussync.xml&amp;id=0</url>
+		</tab>
+	</tabs>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/www/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item>
+	</additional_files_needed>	
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusclients.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiussync.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>0755</chmod>
+		<item>http://www.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item>
+	</additional_files_needed>
+	<adddeleteeditpagefields>
+		<columnitem>
+			<fielddescr>MAC Address</fielddescr>
+			<fieldname>varmacaddress</fieldname>
+		</columnitem>
+		<columnitem>
+			<fielddescr>Description</fielddescr>
+			<fieldname>description</fieldname>
+		</columnitem>
+	</adddeleteeditpagefields>
+	<fields>
+		<field>
+			<name>GENERAL CONFIGURATION</name>
+			<type>listtopic</type>
+		</field>	
+		<field>
+			<fielddescr>MAC Address</fielddescr>
+			<fieldname>varmacaddress</fieldname>
+			<description><![CDATA[Enther the MAC Address of the host. Format is:  00-11-22-33-44-55]]></description>
+			<type>input</type>
+			<required/>
+		</field>
+		<field>
+			<fielddescr>Description</fielddescr>
+			<fieldname>description</fieldname>			
+			<description><![CDATA[Enter any description for this MAC you like.]]></description>
+			<type>input</type>
+		</field>
+	</fields>
+	<custom_delete_php_command>
+		freeradius_authorizedmacs_resync();
+	</custom_delete_php_command>
+	<custom_php_resync_config_command>
+		freeradius_authorizedmacs_resync();
+	</custom_php_resync_config_command>
+</packagegui>
\ No newline at end of file
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 1393dea8..e3f6365d 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -54,6 +54,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 57ad1b7d..be066937 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -53,6 +53,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index b319f198..309066f0 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -54,6 +54,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index f15e998f..fd51f800 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -53,6 +53,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index 317054d2..06a990e7 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -54,6 +54,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 8115945a..611db03f 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -54,6 +54,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
@@ -93,6 +97,17 @@
 		</tab>
 	</tabs>
 	<fields>
+		<field>
+			<name>PLAIN MAC AUTHORIZATION</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>Enable Plain MAC Auth</fielddescr>
+			<fieldname>varsettingsenablemacauth</fieldname>
+			<description><![CDATA[This enables plain MAC auth. If the request contains not 802.1X like credentials than it will be checked against the MAC.<br>
+								Some NAS are not able to convert the MAC in a 802.1X format then you could enable this. If you doo not need this leave this disabled. It could have unknown side-effects. (Default: unchecked)]]></description>
+			<type>checkbox</type>
+		</field>
 		<field>
 			<name>GENERAL CONFIGURATION</name>
 			<type>listtopic</type>
@@ -284,7 +299,7 @@
 			<description><![CDATA[You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)]]></description>
 			<type>input</type>
 			<default_value>0</default_value>
-		</field>		
+		</field>
 	</fields>
 	<custom_delete_php_command>
 		freeradius_settings_resync();
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index 538ad45d..a5bc4d2e 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -54,6 +54,10 @@
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index 66a2701f..27f4fe80 100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -67,6 +67,10 @@ POSSIBILITY OF SUCH DAMAGE.
 			<text>Users</text>
 			<url>/pkg.php?xml=freeradius.xml</url>
 		</tab>
+		<tab>
+			<text>MACs</text>
+			<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
+		</tab>
 		<tab>
 			<text>NAS / Clients</text>
 			<url>/pkg.php?xml=freeradiusclients.xml</url>
@@ -114,7 +118,7 @@ POSSIBILITY OF SUCH DAMAGE.
 			<fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr>
 			<fieldname>varsyncenablexmlrpc</fieldname>
 			<description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br>
-						<b>Important:</b> Only <b>Users</b> and <b>NAS / Clients</b> will be synced.]]></description>
+						<b>Important:</b> Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.]]></description>
 			<type>checkbox</type>
 		</field>
 		<field>
-- 
cgit v1.2.3