From 833ecef10a0e8492142faa9daf0a75ede9a86db6 Mon Sep 17 00:00:00 2001 From: Charlie Root Date: Sat, 10 Dec 2011 21:12:14 +0000 Subject: adding features and syntax --- config/freeradius2/freeradius.inc | 326 +++++++++++++++++------------- config/freeradius2/freeradius.xml | 11 +- config/freeradius2/freeradiusclients.xml | 156 ++++++++++---- config/freeradius2/freeradiussettings.xml | 204 ++++++++++--------- 4 files changed, 430 insertions(+), 267 deletions(-) mode change 100644 => 100755 config/freeradius2/freeradius.xml (limited to 'config') diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 2408e91c..d5e49883 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -6,10 +6,9 @@ define('RADDB', '/usr/local/etc/raddb'); function freeradius_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep python`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep libltdl`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep gdbm`"); + exec("rm -rf /usr/local/etc/raddb/"); + exec("rm -rf /var/log/raddb/"); + exec("rm -rf /var/log/radacct/"); } function freeradius_install_command() { @@ -26,7 +25,8 @@ function freeradius_install_command() { exec("chown -R root:wheel /usr/local/etc/raddb"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); - exec("chown -R root:wheel /var/run/radiusd"); + exec("chown -R root:wheel /var/log/raddb"); + exec("chown -R root:wheel /var/log/radacct"); closedir($handle); 
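Review bot: `exec("rm -rf /var/log/raddb/")` and `exec("rm -rf /var/log/radacct/")` in freeradius_deinstall_command() wipe the authentication and accounting logs together with the package, and those logs are the audit trail an operator needs after an incident. Consider leaving both log directories in place on deinstall (or removing them only behind an explicit option) and deleting just the package and its configuration. The raddb removal also hard-codes a path that the hunk's context line already defines as RADDB; `exec("rm -rf " . RADDB);` keeps the two from drifting. Removing raddb itself is the right disposition, since it holds the server certificate, private key and the clients.conf shared secrets, but a plain rm does not scrub that key material from disk.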
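Review bot: The added `chown -R root:wheel /var/log/raddb` and `chown -R root:wheel /var/log/radacct` set ownership but leave the directory mode as whatever umask created it, so the logs may be readable by any local account. RADIUS logs carry usernames and NAS addresses, and with password logging enabled in radiusd.conf they carry cleartext passwords; a `chmod -R o-rwx` on both directories after the chown would close that. The same consideration applies to the `/usr/local/etc/raddb` chown a few lines above, since that tree holds the clients.conf shared secrets and the server's private key. freeradius_install_command() starts before this hunk and its end is outside it.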
@@ -44,22 +44,23 @@ function freeradius_install_command() { function freeradius_settings_resync() { global $config; - $settings = $config['installedpackages']['freeradiussettings']['config'][0]; - $iface = ($settings['interface'] ? $settings['interface'] : 'LAN'); - $iface = convert_friendly_interface_to_real_interface_name($iface); - $iface_ip = find_interface_ip($iface); - $interface_ip = $settings['interface_ip']; - $port = ($settings['port'] != '' ? $settings['port'] : 0); - $radiuslogging = $settings['radiuslogging']; - $radiuslogbadpass = $settings['radiuslogbadpass']; - $radiusloggoodpass = $settings['radiusloggoodpass']; - $max_requests_var = $settings['max_requests_var']; - $max_request_time_var = $settings['max_request_time_var']; - $cleanup_delay_var = $settings['cleanup_delay_var']; - $logdir_var = $settings['logdir_var']; - - // FreeRADIUS's configuration is huge - // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here). 
+ $conf = ''; + + // Definition variables for freeradiussettings + $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; + $varsettingsmaxrequesttime = $varsettings['varsettingsmaxrequesttime']; + $varsettingscleanupdelay = $varsettings['varsettingscleanupdelay']; + $varsettingsmaxrequests = $varsettings['varsettingsmaxrequests']; + $varsettingslogdir = $varsettings['varsettingslogdir']; + $varsettingsstrippednames = $varsettings['varsettingsstrippednames']; + $varsettingsauth = $varsettings['varsettingsauth']; + $varsettingsauthbadpass = $varsettings['varsettingsauthbadpass']; + $varsettingsauthgoodpass = $varsettings['varsettingsauthgoodpass']; + $varsettingshostnamelookups = $varsettings['varsettingshostnamelookups']; + $varsettingsallowcoredumps = $varsettings['varsettingsallowcoredumps']; + $varsettingsregularexpressions = $varsettings['varsettingsregularexpressions']; + $varsettingsextendedexpressions = $varsettings['varsettingsextendedexpressions']; + $conf = << '') { - $head .=", Simultaneous-Use := $multiconnect"; - } - if ($userexpiration <> '') { - $head .=", Expiration := ".'"'.$userexpiration.'"'; - } - if ($subnetmask<> '') { - $head .=", Framed-IP-Netmask = $subnetmask"; - } - if ($gateway<> '') { - $head .=", Framed-Route = $gateway"; - } - if ($onlinetime <> '') { - $head .=", Login-Time := ". '"' . 
$onlinetime .'"'; - } - if ($ip <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tFramed-IP-Address = $ip"; - } - if ($sessiontime <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tSession-Timeout := $sessiontime"; - } - if ($vlanid <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\""; - } - if ($additionaloptions <> '') { - if ($atrib <> '') { $atrib .=","; } - $atrib .="\r\n\t$additionaloptions"; - } +$conf = ''; +$users = $config['installedpackages']['freeradius']['config']; +if (is_array($users)) { + foreach ($users as $user) { + $username = $user['username']; + $password = $user['password']; + $multiconnect = $user['multiconnect']; + $ip = $user['ip']; + $subnetmask = $user['subnetmask']; + $gateway = $user['gateway']; + $userexpiration=$user['expiration']; + $sessiontime=$user['sessiontime']; + $onlinetime=$user['onlinetime']; + $vlanid=$user['vlanid']; + $additionaloptions=$user['additionaloptions']; + $atrib=''; + $head="$username User-Password == ".'"'.$password.'"'; + if ($multiconnect <> '') { + $head .=", Simultaneous-Use := $multiconnect"; + } + if ($userexpiration <> '') { + $head .=", Expiration := ".'"'.$userexpiration.'"'; + } + if ($subnetmask<> '') { + $head .=", Framed-IP-Netmask = $subnetmask"; + } + if ($gateway<> '') { + $head .=", Framed-Route = $gateway"; + } + if ($onlinetime <> '') { + $head .=", Login-Time := ". '"' . 
$onlinetime .'"'; + } + if ($ip <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tFramed-IP-Address = $ip"; + } + if ($sessiontime <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tSession-Timeout := $sessiontime"; + } + if ($vlanid <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\tTunnel-Type = VLAN,\r\n\tTunnel-Medium-Type = IEEE-802,\r\n\tTunnel-Private-Group-ID = \"$vlanid\""; + } + if ($additionaloptions <> '') { + if ($atrib <> '') { $atrib .=","; } + $atrib .="\r\n\t$additionaloptions"; + } $conf .= << +?> \ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml old mode 100644 new mode 100755 index 79787e56..40685657 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -69,9 +69,13 @@ - Clients + NAS / Clients /pkg.php?xml=freeradiusclients.xml + + Interfaces + /pkg.php?xml=freeradiusinterfaces.xml + Settings /pkg_edit.php?xml=freeradiussettings.xml&id=0 @@ -126,6 +130,11 @@ 0775 http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml + + /usr/local/pkg/ + 0775 + http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml + /usr/local/pkg/ 0775 diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index ce6abfdb..6719c6b4 100755 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml 
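Review bot: `$head="$username User-Password == ".'"'.$password.'"';` writes each account's cleartext password into the generated users file with no escaping, so a password, expiration string or VLAN id containing `"` or a newline breaks the file, and `$additionaloptions` is appended verbatim, which lets one malformed GUI entry take the whole users file (and the server) down on the next resync; values should be escaped for the users-file syntax, at minimum `addcslashes($password, '"\\')`, or rejected at input. As far as I recall FreeRADIUS 2.x warns on `User-Password ==` as a check item and only PAP requests carry a User-Password to compare against, so the line should read `Cleartext-Password := "..."` for CHAP/MS-CHAP clients to work. The header of this hunk and the heredoc body that receives `$head` and `$atrib` are not visible in this excerpt, so the exact shape of the generated file is inferred.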
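Review bot: Both freeradius.xml hunks reference freeradiusinterfaces.xml (the new Interfaces tab and the additional-files entry fetching `http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml`), but the diffstat lists only four files and that file is not among them, so the install will try to fetch a file that does not yet exist and the tab will fail until it is committed. The download is plain http with no checksum, which matches the existing entries but is worth noting because the result is package code written to /usr/local/pkg with mode 0775. The XML markup is stripped in this rendering, so element roles are inferred from position.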
@@ -2,8 +2,8 @@ - - + - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. freeradiusclients none FreeRADIUS: Clients /usr/local/pkg/freeradius.inc - - Users - /pkg.php?xml=freeradius.xml - - - Clients - /pkg.php?xml=freeradiusclients.xml + + Users + /pkg.php?xml=freeradius.xml + + + NAS / Clients + /pkg.php?xml=freeradiusclients.xml - - - Settings - /pkg_edit.php?xml=freeradiussettings.xml&id=0 - - + + + Interfaces + /pkg.php?xml=freeradiusinterfaces.xml + + + Settings + /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + - Client - client + Client IP Address + varclientip - Shortname - shortname + Client IP Version + varclientipversion + + + Client Shortname + varclientshortname + + + Client Protocol + varclientproto + + + Client NAS Type + varclientnastype + + + Require Message Authenticator + varrequiremessageauthenticator + + + Max Connections + varclientmaxconnections Description 
@@ -80,30 +104,92 @@ - Client - client - Enter the client's IP address. + Client IP Address + varclientip + Enter the IP address of the client. This is in general the IP of the NAS (switch,accesspoint). input - Shortname - shortname - Enter the client's shortname. + Client IP Version + varclientipversion + select + ipaddr + + + + + + + + Client Shortname + varclientshortname + Enter shortname of the client. This is in general the IP of the NAS (switch,accesspoint). input - Shared Secret - sharedsecret - Enter the client's shared secret here + Client Shared Secret + varclientsharedsecret + Enter the shared secret of the client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server. password + + Client Protocol + varclientproto + Enter the protocol the client uses. (Default: udp) + select + udp + + + + + + + + Client NAS Type + varclientnastype + Enter the NAS type of the client. This is used by checkrad.pl for simultaneous use checks. (Default: other) + select + other + + + + + + + + + + + + + + + + + Require Message Authenticator + varrequiremessageauthenticator + RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or accesspoints) do not include that. (Default: no) + select + no + + + + + + + Max Connections + varclientmaxconnections + Takes only effect if you use TCP as protocol. This is the mirror of "Max Requests Server" from "Settings" tab. (Default 16) + input + 16 + Description description - Enter the description of the user here + Enter any description you like for this client. input @@ -113,4 +199,4 @@ freeradius_clients_resync(); - + \ No newline at end of file diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 0ea8ae50..bab82e72 100755 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml 
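Review bot: The `Client Shortname` description, `This is in general the IP of the NAS (switch,accesspoint).`, is copied from the IP-address field and is wrong for the shortname, which is a label used in log messages; suggest `Enter a short name for this client; it is used to identify the NAS in the logs.` The `Require Message Authenticator` text only explains the compatibility cost and should also give the reason to enable it: `Requiring Message-Authenticator lets the server reject Access-Requests that were not signed with the shared secret (RFC 5080); leave it on unless a NAS cannot send it.` The shared-secret field is correctly a `password` input, but its description could add that the secret must be long and random since it is the only thing authenticating the NAS over UDP. The first hunk of this file starts on an earlier line.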
@@ -2,8 +2,8 @@ - - + - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. freeradiussettings none FreeRADIUS: Settings pkg_edit.php?xml=freeradiussettings.xml&id=0 /usr/local/pkg/freeradius.inc - - Users - /pkg.php?xml=freeradius.xml - - - Clients - /pkg.php?xml=freeradiusclients.xml - - - Settings - /pkg_edit.php?xml=freeradiussettings.xml&id=0 + + Users + /pkg.php?xml=freeradius.xml + + + NAS / Clients + /pkg.php?xml=freeradiusclients.xml + + + Interfaces + /pkg.php?xml=freeradiusinterfaces.xml + + + Settings + /pkg_edit.php?xml=freeradiussettings.xml&id=0 - - + + - Listening Interface(s) - interface_ip - Enter the desired listening interface IP here ( 192.168.1.0 ) or use "*" (without "") for any interface. - input - * - + Logging Destination of RADIUS + varsettingslogdir + Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log) + select + files + + + + + + - Port - port - Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1812. - input - 1812 + RADIUS Logging + varsettingsauth + Choose if you want to enable logging. (Default: Disabled) + select + no + + + + + + + Log Bad Authentication Attempts + varsettingsauthbadpass + Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no) + select + no + + + + + + + Log good authentication attempts? + varsettingsauthgoodpass + Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no) + select + no + + + + - Maximum requests server - max_requests_var - The maximum number of requests the RADIUS server can handle. Default is 1024. It should be 256 * number of clients e.g.: 4 Switches * 256 = 1024. 
+ Log Stripped Names + varsettingsstrippednames + Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no) + select + no + + + + + + + Maximum Requests Server + varsettingsmaxrequests + The maximum number of requests the server could handle at a time until "Cleanup Delay" deletes them. Useful range 256 * NAS. If it is set to low it will make the server busy. A higher value is better (but increased RAM usage) but it shouldn't be higher than 1000 * NAS. (Default: 1024) input 1024 - Max request time - max_request_time_var - The maximum time (in seconds) to handle a request. Default is 30. Useful range of values: 5 to 120. + Max Request Timeout + varsettingsmaxrequesttime + The maximum time to handle a request in seconds. (Default: 30) input 30 - Cleanup delay - cleanup_delay_var - The time to wait (in seconds) before cleaning up a reply which was sent to the NAS. Default is 5. Useful range of values: 2 to 10. + Cleanup Delay + varsettingscleanupdelay + The time to wait before cleaning up a reply which was sent to the NAS in seconds. (Default: 5) input 5 - Radius Logging Destination - logdir_var - Logging to "syslog" or "/var/log/radius.log" ? + NAS Hostname Lookup + varsettingshostnamelookups + Log the names of NAS instead of IP addresses. Turning this on can result in lock ups of the RADIUS Server. (Default: no) select - /var/log + no - - + + - + - Radius Logging - radiuslogging - Enable logging? + Allow Core Dumps + varsettingsallowcoredumps + Only turn this on if you need to debug the RADIUS server! (Default: no) select no - - + + - + - Log bad authentication attempts? - radiuslogbadpass - Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work. + Regular Expressions + varsettingsregularexpressions + Allows regular expressions. (Default: yes) select - no + yes - - + + - Log good authentication attempts? 
- radiusloggoodpass - Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work. + Extended Expressions + varsettingsextendedexpressions + Allows extended expressions. (Default: yes) select - no + yes - - + + - + freeradius_settings_resync(); @@ -177,4 +199,4 @@ freeradius_settings_resync(); - + \ No newline at end of file -- cgit v1.2.3
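Review bot: The `Log Bad Authentication Attempts` and `Log good authentication attempts?` descriptions hide what the options do: if `varsettingsauthbadpass` and `varsettingsauthgoodpass` map to FreeRADIUS's `auth_badpass`/`auth_goodpass`, as the names indicate, enabling them writes the submitted password itself into radius.log in cleartext, not merely the fact of a failure or success. The descriptions should say so, e.g. `Logs the password used in rejected/accepted requests in cleartext. Enable only for short debugging sessions and clear the log afterwards.` The `Allow Core Dumps` text has the same gap: a radiusd core contains the clients.conf shared secrets and in-flight credentials, so the warning should add that the dump file is sensitive and must be removed after debugging. The `Log Stripped Names` wording also reads as if `yes` logs the full User-Name, whereas for FreeRADIUS `stripped_names = yes` logs the stripped name, so the sentence appears inverted.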