<?php
/* copyright */
/* ========================================================================== */
/*
	freeradius.inc
	part of pfSense (http://www.pfSense.com)
	Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
	Copyright (C) 2013 Marcello Coutinho
	All rights reserved.

	Based on m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
	All rights reserved.
									      */
/* ========================================================================== */
/*
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
									      */
/* ========================================================================== */

require_once('config.inc');
require_once('service-utils.inc');
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
require_once("filter.inc");
require_once("services.inc");

// Check pfSense version
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m"));
$bash_path = FREERADIUS_BASE . "/bin/bash";

if ($pfs_version == "2.1") {
	define('FREERADIUS_LIB', FREERADIUS_BASE . '/lib');
	define('FREERADIUS_ETC', FREERADIUS_BASE . '/etc');
} else {
	define('FREERADIUS_LIB', FREERADIUS_BASE . '/local/lib');
	define('FREERADIUS_ETC', FREERADIUS_BASE . '/local/etc');
}

// Check freeradius lib version
	$frlib="";
	if (file_exists(FREERADIUS_LIB)) {
		$libfiles = scandir(FREERADIUS_LIB);
		foreach ($libfiles as $libfile){
			if (preg_match("/freeradius-/",$libfile))
				$frlib=FREERADIUS_BASE . "/lib/{$libfile}";
		}
	}
	if ($frlib == ""){
		log_error("freeRADIUS - No freeradius lib found on ".FREERADIUS_BASE."/lib");
	}
	
function freeradius_deinstall_command() {
	return;
}

function freeradius_install_command() {
	global $config, $frlib;
	conf_mount_rw();
	
	// We create here different folders for different counters.
	@mkdir("/var/log/radacct/datacounter/daily", 0755, true);
	@mkdir("/var/log/radacct/datacounter/weekly", 0755, true);
	@mkdir("/var/log/radacct/datacounter/monthly", 0755, true);
	@mkdir("/var/log/radacct/datacounter/forever", 0755, true);
	@mkdir("/var/log/radacct/timecounter", 0755, true);
	@mkdir(FREERADIUS_ETC . "/raddb/scripts", 0755, true);

	unlink_if_exists("/usr/local/etc/raddb");
	@symlink(FREERADIUS_ETC . "/raddb", "/usr/local/etc/raddb");
	if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp");	}
	if (!file_exists("/var/log/radwtmp")) {	exec("touch /var/log/radwtmp");	}
	exec("chown -R root:wheel " . FREERADIUS_ETC . "/raddb && chown -R root:wheel {$frlib} && chown -R root:wheel /var/log/radacct");

	// creating a backup file of the original policy.conf no matter if user checked this or not
	if (!file_exists(FREERADIUS_ETC . "/raddb/policy.conf.backup")) {
		log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/policy.conf.backup");
		copy(FREERADIUS_ETC . "/raddb/policy.conf", FREERADIUS_ETC . "/raddb/policy.conf.backup");
	}

	// creating a backup file of the original /modules/files no matter if user checked this or not
	if (!file_exists(FREERADIUS_ETC . "/raddb/files.backup")) {
		log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/files.backup");
		copy(FREERADIUS_ETC . "/raddb/modules/files", FREERADIUS_ETC . "/raddb/files.backup");
	}

	// Disable virtual-server we do not need by default
	if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); }
	if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel"); }

	// We run this here just to suppress some warnings on syslog if file doesn't exist
	freeradius_authorizedmacs_resync();

	// These two functions create the module and the dictionary entry for Mobile-One-Time-Password
	freeradius_dictionary_resync();
	freeradius_modulesmotp_resync();

	// Here we create the modules and scripts for the datacounter
	freeradius_modulesdatacounter_resync();
	freeradius_datacounter_acct_resync();
	freeradius_datacounter_auth_resync();

	// Some initial module configuration
	freeradius_modulesmschap_resync();
	freeradius_modulesrealm_resync();
	freeradius_modulescounter_resync();

	// Initialize some config files - the functions below call other functions
	freeradius_sqlconf_resync();
	freeradius_eapconf_resync();
	freeradius_clients_resync();

	$rcfile = array();
	$rcfile['file'] = 'radiusd.sh';
	$rcfile['start'] = FREERADIUS_ETC . '/rc.d/radiusd onestart';
	$rcfile['stop'] = FREERADIUS_ETC . '/rc.d/radiusd onestop';
	write_rcfile($rcfile);
		conf_mount_ro();
	start_service("radiusd");
}

function freeradius_settings_resync() {
	global $config;
	$conf = '';

	// put the constant to a variable
	$varFREERADIUS_BASE = FREERADIUS_BASE;

	// We do some checks of some folders which will be deleted after reboot on nanobsd systems
	if (!file_exists("/var/log/radacct/")) { exec("mkdir /var/log/radacct"); }
	if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); }
	if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter"); }
	if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp");	}
	if (!file_exists("/var/log/radwtmp")) {	exec("touch /var/log/radwtmp");	}
	if (!file_exists("/var/log/radacct/")) { exec("chown -R root:wheel /var/log/radacct"); }

	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
	
	// Variables: General configuration
	$varsettingsmaxrequests = ($varsettings['varsettingsmaxrequests']?$varsettings['varsettingsmaxrequests']:'1024');
	$varsettingsmaxrequesttime = ($varsettings['varsettingsmaxrequesttime']?$varsettings['varsettingsmaxrequesttime']:'30');
	$varsettingscleanupdelay = ($varsettings['varsettingscleanupdelay']?$varsettings['varsettingscleanupdelay']:'5');
	$varsettingshostnamelookups = ($varsettings['varsettingshostnamelookups']?$varsettings['varsettingshostnamelookups']:'no');
	$varsettingsallowcoredumps = ($varsettings['varsettingsallowcoredumps']?$varsettings['varsettingsallowcoredumps']:'no');
	$varsettingsregularexpressions = ($varsettings['varsettingsregularexpressions']?$varsettings['varsettingsregularexpressions']:'yes');
	$varsettingsextendedexpressions = ($varsettings['varsettingsextendedexpressions']?$varsettings['varsettingsextendedexpressions']:'yes');
	
	// Variables: Logging options
	$varsettingslogdir = ($varsettings['varsettingslogdir']?$varsettings['varsettingslogdir']:'syslog');
	$varsettingsauth = ($varsettings['varsettingsauth']?$varsettings['varsettingsauth']:'yes');
	$varsettingsauthbadpass = ($varsettings['varsettingsauthbadpass']?$varsettings['varsettingsauthbadpass']:'no');
	$varsettingsauthbadpassmessage = ($varsettings['varsettingsauthbadpassmessage']?$varsettings['varsettingsauthbadpassmessage']:'');
	$varsettingsauthgoodpass = ($varsettings['varsettingsauthgoodpass']?$varsettings['varsettingsauthgoodpass']:'no');
	$varsettingsauthgoodpassmessage = ($varsettings['varsettingsauthgoodpassmessage']?$varsettings['varsettingsauthgoodpassmessage']:'');
	$varsettingsstrippednames = ($varsettings['varsettingsstrippednames']?$varsettings['varsettingsstrippednames']:'no');
	
	// Variables: Security
	$varsettingsmaxattributes = ($varsettings['varsettingsmaxattributes']?$varsettings['varsettingsmaxattributes']:'200');
	$varsettingsrejectdelay = ($varsettings['varsettingsrejectdelay']?$varsettings['varsettingsrejectdelay']:'1');
	
	// Variables: Thread Pool
	$varsettingsstartservers = ($varsettings['varsettingsstartservers']?$varsettings['varsettingsstartservers']:'5');
	$varsettingsmaxservers = ($varsettings['varsettingsmaxservers']?$varsettings['varsettingsmaxservers']:'32');
	$varsettingsminspareservers = ($varsettings['varsettingsminspareservers']?$varsettings['varsettingsminspareservers']:'3');
	$varsettingsmaxspareservers = ($varsettings['varsettingsmaxspareservers']?$varsettings['varsettingsmaxspareservers']:'10');
	$varsettingsmaxqueuesize = ($varsettings['varsettingsmaxqueuesize']?$varsettings['varsettingsmaxqueuesize']:'65536');
	$varsettingsmaxrequestsperserver = ($varsettings['varsettingsmaxrequestsperserver']?$varsettings['varsettingsmaxrequestsperserver']:'0');
	
	// For more details look at "freeradius_sqlconf_resync"
	$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
		
	// Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 2
	if ($sqlconf['varsqlconf2includeenable'] == 'on') {
		$varsqlconf2instantiate = 'sql2';
	}
	else {
		$varsqlconf2instantiate = '### sql2 DISABLED ###';
	}
	
	$varsqlconf2failover = ($varsettings['varsqlconf2failover']?$varsettings['varsqlconf2failover']:'redundant');
	
	// Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 1
	if ($sqlconf['varsqlconfincludeenable'] == 'on') {
		$varsqlconfinclude = '$INCLUDE sql.conf';
		$varsqlconfincludecounter = '$INCLUDE sql/mysql/counter.conf';
		$varsqlconfinstantiate = "$varsqlconf2failover {" . "\n\t\tsql" . "\n\t\t$varsqlconf2instantiate" . "\n\t}";
	}
	else {
		$varsqlconfinclude = '#$INCLUDE sql.conf';
		$varsqlconfincludecounter = '#$INCLUDE sql/mysql/counter.conf';
		$varsqlconf2failover = '';
		$varsqlconfinstantiate = '#sql';
	}


	$conf .= <<<EOD
prefix = $varFREERADIUS_BASE
exec_prefix = \${prefix}
sysconfdir = \${prefix}/etc
localstatedir = /var
sbindir = \${exec_prefix}/sbin
logdir = \${localstatedir}/log
raddbdir = \${sysconfdir}/raddb
radacctdir = \${logdir}/radacct
confdir = \${raddbdir}
run_dir = \${localstatedir}/run
libdir = {$frlib}
pidfile = \${run_dir}/radiusd.pid
db_dir = \${raddbdir}
name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius

###############################################################################
### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
### delete_blocked_requests = no                                            ###
### usercollide = no                                                        ###
### lower_user = no                                                         ###
### lower_pass = no                                                         ###
### nospace_user = no                                                       ###
### nospace_pass = no                                                       ###
###############################################################################

max_request_time = $varsettingsmaxrequesttime
cleanup_delay = $varsettingscleanupdelay
max_requests = $varsettingsmaxrequests
hostname_lookups = $varsettingshostnamelookups
allow_core_dumps = $varsettingsallowcoredumps
regular_expressions = $varsettingsregularexpressions
extended_expressions = $varsettingsextendedexpressions

EOD;

// Deletes virtual-server coa by default. Will be re-enabled if there is an interface-type "coa"
exec("rm -f " . FREERADIUS_ETC . "/raddb/sites-enabled/coa");

$arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config'];
	if (is_array($arrinterfaces)  && !empty($arrinterfaces)) {
		foreach ($arrinterfaces as $item) {
			$varinterfaceip = $item['varinterfaceip'];
			$varinterfaceport = $item['varinterfaceport'];
			$varinterfacetype = $item['varinterfacetype'];
			$varinterfaceipversion = $item['varinterfaceipversion'];

			// Begin "if" for interface-type = detail
			if ($item['varinterfacetype'] == 'detail') {
			$conf .= <<<EOD
listen {
		type = $varinterfacetype
		$varinterfaceipversion = $varinterfaceip
		port = $varinterfaceport
		filename = \${radacctdir}/detail-%Y%m%d:%H
		load_factor = 10
}

EOD;
			}	// End "if" for interface-type = detail

			// Begin "if" for interface-type = coa
			if ($item['varinterfacetype'] == 'coa') {
			// Enables virtual-server coa because interface-type is coa
			exec("ln -s " . FREERADIUS_ETC . "/raddb/sites-available/coa " . FREERADIUS_ETC . "/raddb/sites-enabled/");
			$conf .= <<<EOD
listen {
		type = $varinterfacetype
		$varinterfaceipversion = $varinterfaceip
		port = $varinterfaceport
		server = coa
}

EOD;
			}	// End "if" for interface-type = coa

			// Begin "if" for interface-type = auth, acct, proxy, status
			if (($item['varinterfacetype'] == 'auth') || ($item['varinterfacetype'] == 'acct') || ($item['varinterfacetype'] == 'proxy') || ($item['varinterfacetype'] == 'status')) {
			$conf .= <<<EOD
listen {
		type = $varinterfacetype
		$varinterfaceipversion = $varinterfaceip
		port = $varinterfaceport
}

EOD;
			}	// End "if" for interface-type = auth, acct, proxy, status
		}	// end foreach
	}	// end if array


$conf .= <<<EOD

log {
	destination = $varsettingslogdir
	file = \${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = $varsettingsstrippednames
	auth = $varsettingsauth
	auth_badpass = $varsettingsauthbadpass
	auth_goodpass = $varsettingsauthgoodpass
	msg_goodpass = "$varsettingsauthgoodpassmessage"
	msg_badpass = "$varsettingsauthbadpassmessage"
}

checkrad = \${sbindir}/checkrad
security {
	max_attributes = $varsettingsmaxattributes
	reject_delay = $varsettingsrejectdelay
	status_server = no
}

### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
#proxy_requests = yes
#\$INCLUDE  proxy.conf
\$INCLUDE  clients.conf
thread pool {
	start_servers = $varsettingsstartservers
	max_servers = $varsettingsmaxservers
	min_spare_servers = $varsettingsminspareservers
	max_spare_servers = $varsettingsmaxspareservers
	max_queue_size = $varsettingsmaxqueuesize
	max_requests_per_server = $varsettingsmaxrequestsperserver
}

modules {
	\$INCLUDE \${confdir}/modules/
	\$INCLUDE eap.conf
	### Dis-/Enable sql.conf INCLUDE
	$varsqlconfinclude
	
	### Dis-/Enable sql/mysql/counter.conf INCLUDE
	$varsqlconfincludecounter
		
	#\$INCLUDE sqlippool.conf
}

instantiate {

	exec
	expr
	daily
	weekly
	monthly
	forever
	expiration
	logintime
	### Dis-/Enable sql instatiate
	$varsqlconfinstantiate
}
\$INCLUDE policy.conf
\$INCLUDE sites-enabled/
EOD;

	conf_mount_rw();
	file_put_contents(FREERADIUS_ETC . '/raddb/radiusd.conf', $conf);
	conf_mount_ro();
	
	// "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius.
	freeradius_plainmacauth_resync();
	freeradius_motp_resync();
	freeradius_serverdefault_resync();
	
	// This is to fix the mysqlclient.so which gets lost after reboot
	exec("ldconfig -m /usr/local/lib/mysql");
	// Change owner of freeradius created files
	exec("chown -R root:wheel /var/log");
	restart_service("radiusd");
}

function freeradius_users_resync() {
global $config;

$conf = '';

$arrusers = $config['installedpackages']['freeradius']['config'];

if (is_array($arrusers) && !empty($arrusers)) {
	foreach ($arrusers as $users) {
	
	// Variables for users file defined parameters
	
	$varusersusername = $users['varusersusername'];
	$varuserspassword = $users['varuserspassword'];
	

	// Check password encryption
	$varuserspasswordencryption = ($users['varuserspasswordencryption']?$users['varuserspasswordencryption']:'Cleartext-Password');
		switch ($varuserspasswordencryption) {
			case "MD5-Password":
				$varuserspassword = md5($varuserspassword);
				break;
			default:
				$varuserspassword = $users['varuserspassword'];
		}
	
		
	$varusersmotpinitsecret = $users['varusersmotpinitsecret'];
	$varusersmotppin = $users['varusersmotppin'];
	$varusersmotpoffset = ($users['varusersmotpoffset']?$users['varusersmotpoffset']:'0');
	
	$varuserssimultaneousconnect = ($users['varuserssimultaneousconnect']?$users['varuserssimultaneousconnect']:'');
	$varuserswisprredirectionurl = $users['varuserswisprredirectionurl'];
	$varusersframedipaddress = $users['varusersframedipaddress'];
	$varusersframedipnetmask = $users['varusersframedipnetmask'];
	$varusersframedroute = $users['varusersframedroute'];
	$varusersexpiration = $users['varusersexpiration'];
	$varuserssessiontimeout = $users['varuserssessiontimeout'];
	$varuserslogintime = $users['varuserslogintime'];
	$varusersvlanid = $users['varusersvlanid'];
	
	// GUI uses minutes but RADIUS needs seconds so we do a multiplication
	$varusersamountoftime = ($users['varusersamountoftime']?$users['varusersamountoftime']:'');
	$varusersamountoftime = $varusersamountoftime * 60;
	$varuserspointoftime = $users['varuserspointoftime'];
	
	// GUI uses MB but RADIUS needs Bytes so we do a multiplication
	$varusersmaxtotaloctets = ($users['varusersmaxtotaloctets']?$users['varusersmaxtotaloctets']:'');
	$varusersmaxtotaloctets = $varusersmaxtotaloctets * 1024 * 1024;
	$varusersmaxtotaloctetstimerange = $users['varusersmaxtotaloctetstimerange'];
	
	// GUI uses KiloBit but RADIUS needs Bits so we do a multiplication
	$varusersmaxbandwidthup = ($users['varusersmaxbandwidthup']?$users['varusersmaxbandwidthup']:'');
	$varusersmaxbandwidthup = $varusersmaxbandwidthup * 1024;
	$varusersmaxbandwidthdown = ($users['varusersmaxbandwidthdown']?$users['varusersmaxbandwidthdown']:'');
	$varusersmaxbandwidthdown = $varusersmaxbandwidthdown * 1024;
	
	// Accounting-Interim-Interval - Must not be smaller than 60 and should be bigger than 600s
	if (($users['varusersacctinteriminterval'] >= '0') && ($users['varusersacctinteriminterval'] < '60')) {
		$varusersacctinteriminterval = 60;
	} else {
		$varusersacctinteriminterval = $users['varusersacctinteriminterval'];
	}
	
	// Clear variables for next user foreach additional options TOP
	$varuserstopadditionaloptions = '';
	$varusersadditionaloptionstop = '';
	
	if(!empty($users['varuserstopadditionaloptions'])) {
		$varuserstopadditionaloptions = explode("|", ($users['varuserstopadditionaloptions']));
		foreach ($varuserstopadditionaloptions as $toptmp) {
			$varusersadditionaloptionstop .= $toptmp . "\n";
		}
	}
	
	// Clear variables for next user foreach additional options: CHECK-ITEMS
	$varuserscheckitemsadditionaloptions = '';
	$varusersadditionaloptionscheckitems = '';
	
	if(!empty($users['varuserscheckitemsadditionaloptions'])) {
		$varuserscheckitemsadditionaloptions = explode("|", ($users['varuserscheckitemsadditionaloptions']));
		$varusersadditionaloptionscheckitems .= '';
		foreach ($varuserscheckitemsadditionaloptions as $checkitemtmp) {
			$varusersadditionaloptionscheckitems .= "$checkitemtmp" . " ";
		}
	}
		
	// Clear variables for next user foreach additional options: REPLY-ITEMS
	$varusersreplyitemsadditionaloptions = '';
	$varusersadditionaloptionsreplyitems = '';
	
	if(!empty($users['varusersreplyitemsadditionaloptions'])) {
		$varusersreplyitemsadditionaloptions = explode("|", ($users['varusersreplyitemsadditionaloptions']));
		$varusersadditionaloptionsreplyitems .= '';
		foreach ($varusersreplyitemsadditionaloptions as $replyitemtmp) {
			$varusersadditionaloptionsreplyitems .= $replyitemtmp . "\n\t";
		}
	}

	// Empty variable
	$varuserscheckitem = '';
	$varusersreplyitem = '';
	
		// check if mobile otp is disabled
		if ($users['varusersmotpenable'] == '') {
			// If someone does not want to use username/password but entry "DEFAULT" instead then we can disable this
			if (($users['varusersusername'] == '') && ($users['varuserspassword'] == '')) {
				$varuserscheckitem = '';
			}
			else {
				// Add the user attributes to each user.
				$varuserscheckitem = '"' . $varusersusername . '"' . " $varuserspasswordencryption := " . '"' . $varuserspassword .'"';
			}
		} // end of check if otp is enabled
	
		// if otp is enabled we need to set Auth-Type to accept because password will be checked when the otp script gets executed in reply-item list
		else {
			$varuserscheckitem = '"' . $varusersusername . '"' . " Auth-Type = motp";
		}
	
	// Add additional CHECK-ITEMS here. Different formatting in "users" file needed.
	if ($varuserssimultaneousconnect != '') {
	$varuserscheckitem .= ", Simultaneous-Use := " . '"' . $varuserssimultaneousconnect . '"';
	}
	if ($varusersexpiration != '') {
	$varuserscheckitem .= ", Expiration := " . '"' . $varusersexpiration . '"';
	}
	if ($varuserslogintime != '') {
	$varuserscheckitem .= ", Login-Time := " . '"' . $varuserslogintime . '"';
	}	
	if ($varusersamountoftime != '') {
	$varuserscheckitem .= ", Max-" . "$varuserspointoftime" . "-Session := " . "$varusersamountoftime";
	}
	if ($varusersadditionaloptionscheckitems != '') {
	$varuserscheckitem .= ", $varusersadditionaloptionscheckitems";
	}

		// this is the part for mobile otp
		if ($users['varusersmotpenable'] == 'on') {
			$varusersreplyitem .= "MOTP-Init-Secret = $varusersmotpinitsecret," . "\n\tMOTP-PIN = $varusersmotppin," . "\n\tMOTP-Offset = $varusersmotpoffset";
		}
		else {
			$varusersreplyitem .= '';
		}
		
	// Add additional REPLY-ITEMS here. Different formatting in "users" file needed.
	if ($varusersframedipaddress != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tFramed-IP-Address = $varusersframedipaddress";
	}
	if ($varusersframedipnetmask != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tFramed-IP-Netmask = $varusersframedipnetmask";
	}
	if ($varusersframedroute != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tFramed-Route = " . '"' . $varusersframedroute . '"';
	}
	if ($varuserssessiontimeout != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tSession-Timeout := $varuserssessiontimeout";
	}
	if ($varusersvlanid != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varusersvlanid . '"';
	}
	if ($varusersmaxbandwidthup != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tWISPr-Bandwidth-Max-Up := $varusersmaxbandwidthup";
	}
	if ($varusersmaxbandwidthdown != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varusersmaxbandwidthdown";
	}
	if ($varusersacctinteriminterval != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tAcct-Interim-Interval := $varusersacctinteriminterval";
	}
	if ($varuserswisprredirectionurl != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\tWISPr-Redirection-URL := $varuserswisprredirectionurl";
	}
	// If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not
	if ($varusersmaxtotaloctets != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		//create exec script
		$varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_ETC . '/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"';
		// create limit file - will be always overwritten so we can increase limit from GUI
		exec("`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`");
		// if used-octets file exist we do NOT overwrite this file!!!
		if (!file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { exec("echo 0 > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); }
	}
	// If an octet limit is NOT set we delete the files for the limit and the counter.
	else {
		if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername"); }
		if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); }
	}
	if ($varusersadditionaloptionsreplyitems != '') {
		if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
		$varusersreplyitem .= "\n\t$varusersadditionaloptionsreplyitems";
	}
	
	// Cosmetic fix - This is just to make a blank new line after each user entry
	$varusersreplyitem .= "\n\n";
	
	
	$conf .= <<<EOD
$varusersadditionaloptionstop
$varuserscheckitem
	$varusersreplyitem
EOD;
	} //end foreach
} // end if

	$filename = FREERADIUS_ETC . '/raddb/users';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();
	
	freeradius_sync_on_changes();
	restart_service('radiusd');
}


function freeradius_authorizedmacs_resync() {
global $config;

$conf = '';
$arrmacs = $config['installedpackages']['freeradiusauthorizedmacs']['config'];

if (is_array($arrmacs) && !empty($arrmacs)) {
	foreach ($arrmacs as $macs) {
	
	// Variables for authorized_macs file defined parameters
	$varmacsaddress = $macs['varmacsaddress'];
	// We don't need a password but we need this field to make syntac correct for CHECK-ITEMS
	$varmacspassword = $macs['varmacsaddress'];

	$varmacssimultaneousconnect = ($macs['varmacssimultaneousconnect']?$macs['varmacssimultaneousconnect']:'');
	$varmacsswisprredirectionurl = $macs['varmacsswisprredirectionurl'];
	$varmacsframedipaddress = $macs['varmacsframedipaddress'];
	$varmacsframedipnetmask = $macs['varmacsframedipnetmask'];
	$varmacsframedroute = $macs['varmacsframedroute'];
	$varmacsexpiration = $macs['varmacsexpiration'];
	$varmacssessiontimeout = $macs['varmacssessiontimeout'];
	$varmacslogintime = $macs['varmacslogintime'];
	$varmacsvlanid = $macs['varmacsvlanid'];
	
	// GUI uses minutes but RADIUS needs seconds so we do a multiplication
	$varmacsamountoftime = ($macs['varmacsamountoftime']?$macs['varmacsamountoftime']:'');
	$varmacsamountoftime = $varmacsamountoftime * 60;
	$varmacspointoftime = $macs['varmacspointoftime'];
	
	// GUI uses MB but RADIUS needs Bytes so we do a multiplication
	$varmacsmaxtotaloctets = ($macs['varmacsmaxtotaloctets']?$macs['varmacsmaxtotaloctets']:'');
	$varmacsmaxtotaloctets = $varmacsmaxtotaloctets * 1024 * 1024;
	$varmacsmaxtotaloctetstimerange = $macs['varmacsmaxtotaloctetstimerange'];
	
	// GUI uses KiloBit but RADIUS needs Bits so we do a multiplication
	$varmacsmaxbandwidthup = ($macs['varmacsmaxbandwidthup']?$macs['varmacsmaxbandwidthup']:'');
	$varmacsmaxbandwidthup = $varmacsmaxbandwidthup * 1024;
	$varmacsmaxbandwidthdown = ($macs['varmacsmaxbandwidthdown']?$macs['varmacsmaxbandwidthdown']:'');
	$varmacsmaxbandwidthdown = $varmacsmaxbandwidthdown * 1024;
	
		
	// Accounting-Interim-Interval
	if (($users['varmacsacctinteriminterval'] >= '0') && ($users['varmacsacctinteriminterval'] < '60')) {
		$varmacsacctinteriminterval = 60;
	} else {
		$varmacsacctinteriminterval = $users['varmacsacctinteriminterval'];
	}
	
	
	// Clear variables for next mac foreach additional options TOP
	$varmacstopadditionaloptions = '';
	$varmacsadditionaloptionstop = '';
	
	if(!empty($macs['varmacstopadditionaloptions'])) {
		$varmacstopadditionaloptions = explode("|", ($macs['varmacstopadditionaloptions']));
		foreach ($varmacstopadditionaloptions as $toptmp) {
			$varmacsadditionaloptionstop .= $toptmp . "\n";
		}
	}
	
	// Clear variables for next mac foreach additional options: CHECK-ITEMS
	$varmacscheckitemsadditionaloptions = '';
	$varmacsadditionaloptionscheckitems = '';
	
	if(!empty($macs['varmacscheckitemsadditionaloptions'])) {
		$varmacscheckitemsadditionaloptions = explode("|", ($macs['varmacscheckitemsadditionaloptions']));
		$varmacsadditionaloptionscheckitems .= '';
		foreach ($varmacscheckitemsadditionaloptions as $checkitemtmp) {
			$varmacsadditionaloptionscheckitems .= "$checkitemtmp" . " ";
		}
	}
		
	// Clear variables for next mac foreach additional options: REPLY-ITEMS
	$varmacsreplyitemsadditionaloptions = '';
	$varmacsadditionaloptionsreplyitems = '';
	
	if(!empty($macs['varmacsreplyitemsadditionaloptions'])) {
		$varmacsreplyitemsadditionaloptions = explode("|", ($macs['varmacsreplyitemsadditionaloptions']));
		$varmacsadditionaloptionsreplyitems .= '';
		foreach ($varmacsreplyitemsadditionaloptions as $replyitemtmp) {
			$varmacsadditionaloptionsreplyitems .= $replyitemtmp . "\n\t";
		}
	}

	// Empty variable
	$varmacscheckitem = '';
	$varmacsreplyitem = '';
	
	// If someone does not want to use MAC address but entry "DEFAULT" instead then we can disable this
	if ($macs['varmacsaddress'] == '') {
			$varmacscheckitem = '';
	}
	else {
		// Add the user attributes to each user.
		$varmacscheckitem = "$varmacsaddress" . " Cleartext-Password := " . '"' . $varmacspassword . '"';
	}
	
	// Add additional CHECK-ITEMS here. Different formatting in "authorized_macs" file needed.
	if ($varmacssimultaneousconnect != '') {
	$varmacscheckitem .= ", Simultaneous-Use := " . '"' . $varmacssimultaneousconnect . '"';
	}
	if ($varmacsexpiration != '') {
	$varmacscheckitem .= ", Expiration := " . '"' . $varmacsexpiration . '"';
	}
	if ($varmacslogintime != '') {
	$varmacscheckitem .= ", Login-Time := " . '"' . $varmacslogintime . '"';
	}	
	if ($varmacsamountoftime != '') {
	$varmacscheckitem .= ", Max-" . "$varmacspointoftime" . "-Session := " . "$varmacsamountoftime";
	}
	if ($varmacsadditionaloptionscheckitems != '') {
	$varmacscheckitem .= ", $varmacsadditionaloptionscheckitems";
	}

	// Add additional REPLY-ITEMS here. Different formatting in "authorized_macs" file needed.
	if ($varmacsframedipaddress != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tFramed-IP-Address = $varmacsframedipaddress";
	}
	if ($varmacsframedipnetmask != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tFramed-IP-Netmask = $varmacsframedipnetmask";
	}
	if ($varmacsframedroute != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tFramed-Route = " . '"' . $varmacsframedroute . '"';
	}
	if ($varmacssessiontimeout != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tSession-Timeout := $varmacssessiontimeout";
	}
	if ($varmacsvlanid != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-ID = " . '"' . $varmacsvlanid . '"';
	}
	if ($varmacsmaxbandwidthup != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tWISPr-Bandwidth-Max-Up := $varmacsmaxbandwidthup";
	}
	if ($varmacsmaxbandwidthdown != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varmacsmaxbandwidthdown";
	}
	if ($varmacsacctinteriminterval != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tAcct-Interim-Interval := $varmacsacctinteriminterval";
	}
	if ($varmacswisprredirectionurl != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\tWISPr-Redirection-URL := $varmacsswisprredirectionurl";
	}
	// If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not
	if ($varmacsmaxtotaloctets != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		//create exec script
		$varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_ETC . '/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"';
		// create limit file - will be always overwritten so we can increase limit from GUI
		exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`");
		// if used-octets file exist we do NOT overwrite this file!!!
		if (!file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { exec("echo 0 > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); }
	}
	// If an octet limit is NOT set we delete the files for the limit and the counter.
	else {
		if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress"); }
		if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); }
	}
	if ($varmacsadditionaloptionsreplyitems != '') {
		if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
		$varmacsreplyitem .= "\n\t$varmacsadditionaloptionsreplyitems";
	}
	
	// Cosmetic fix - This is just to make a blank new line after each macs entry
	$varmacsreplyitem .= "\n\n";
	
	
	$conf .= <<<EOD
$varmacsadditionaloptionstop
$varmacscheckitem
	$varmacsreplyitem
EOD;
	} //end foreach
} // end if

	$filename = FREERADIUS_ETC . '/raddb/authorized_macs';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();
	
	freeradius_sync_on_changes();
	restart_service('radiusd');
}

function freeradius_clients_resync() {
	global $config;

	$conf = '';
	$arrclients = $config['installedpackages']['freeradiusclients']['config'];
	if (is_array($arrclients) && !empty($arrclients)) {
		foreach ($arrclients as $item) {
			$varclientip = $item['varclientip'];
			$varclientsharedsecret = $item['varclientsharedsecret'];
			$varclientipversion = $item['varclientipversion'];
			$varclientshortname = $item['varclientshortname'];
			$varclientproto = $item['varclientproto'];
			$varrequiremessageauthenticator = $item['varrequiremessageauthenticator'];
			$varclientnastype = $item['varclientnastype'];
			$varclientmaxconnections = $item['varclientmaxconnections'];
			$varclientlogininput = ($item['varclientlogininput']?$item['varclientlogininput']:'### login = !root ###');
			$varclientpasswordinput = ($item['varclientpasswordinput']?$item['varclientpasswordinput']:'### password = someadminpass ###');
			
			if ($item['varclientlogininput'] == '') {
				$varclientlogin = '### login = !root ###';
			}
			else {
				$varclientlogin = "login = $varclientlogininput";
			}
			if ($item['varclientpasswordinput'] == '') {
				$varclientpassword = '### password = someadminpass ###';
			}
			else {
				$varclientpassword = "password = $varclientpasswordinput";
			}
			
			
			$conf .= <<<EOD

client "$varclientshortname" {
	$varclientipversion = $varclientip
	proto = $varclientproto
	secret = $varclientsharedsecret
	require_message_authenticator = $varrequiremessageauthenticator
	max_connections = $varclientmaxconnections
	shortname = $varclientshortname
	nastype = $varclientnastype
	$varclientlogin
	$varclientpassword
}

EOD;
		}
	}
	else {
		$conf .= <<<EOD
client pfsense {
	ipaddr = 127.0.0.1
	secret = pfsense
	shortname = pfsense
}

EOD;
	}

	conf_mount_rw();
	file_put_contents(FREERADIUS_ETC . '/raddb/clients.conf', $conf);
	conf_mount_ro();
	
	freeradius_sync_on_changes();
	restart_service("radiusd");
}



function freeradius_eapconf_resync() {
	global $config;
		// We make this write enabled here because embedded systems need to write certs in ../raddb/certs/ folder
		conf_mount_rw();
	$conf = '';

	$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
	
	// Disable weak EAP types like MD5, GTC, LEAP
	if ($eapconf['vareapconfdisableweakeaptypes'] == '') {
		$vareapconfweakeaptypes = "md5 {" . "\n\t\t}" . "\n\t\tleap {" . "\n\t\t}" . "\n\t\tgtc {" . "\n\t\t\t#challenge = " . '"Password: "' . "\n\t\t\tauth_type = PAP" . "\n\t\t}";
	}
	else {
		$vareapconfweakeaptypes = '### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###';
	}
	
	// Variables: EAP
	$vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5');
	$vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60');
	$vareapconfignoreunknowneaptypes = ($eapconf['vareapconfignoreunknowneaptypes']?$eapconf['vareapconfignoreunknowneaptypes']:'no');
	$vareapconfciscoaccountingusernamebug = ($eapconf['vareapconfciscoaccountingusernamebug']?$eapconf['vareapconfciscoaccountingusernamebug']:'no');
	$vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096');
	
	// Variables: EAP-TLS
	$vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
	$vareapconffragmentsize = ($eapconf['vareapconffragmentsize']?$eapconf['vareapconffragmentsize']:'1024');
	$vareapconfincludelength = ($eapconf['vareapconfincludelength']?$eapconf['vareapconfincludelength']:'yes');
	$vareapconfcountry = ($eapconf['vareapconfcountry']?$eapconf['vareapconfcountry']:'US');
	$vareapconfstate = ($eapconf['vareapconfstate']?$eapconf['vareapconfstate']:'Texas');
	$vareapconfcity = ($eapconf['vareapconfcity']?$eapconf['vareapconfcity']:'Austin');
	$vareapconforganization = ($eapconf['vareapconforganization']?$eapconf['vareapconforganization']:'My Company Ltd');
	$vareapconfemail = ($eapconf['vareapconfemail']?$eapconf['vareapconfemail']:'admin@mycompany.com');
	$vareapconfcommonname = ($eapconf['vareapconfcommonname']?$eapconf['vareapconfcommonname']:'internal-ca');
		
	// Variables: Cache
	$vareapconfcacheenablecache = ($eapconf['vareapconfcacheenablecache']?$eapconf['vareapconfcacheenablecache']:'no');
	$vareapconfcachelifetime = ($eapconf['vareapconfcachelifetime']?$eapconf['vareapconfcachelifetime']:'24');
	$vareapconfcachemaxentries = ($eapconf['vareapconfcachemaxentries']?$eapconf['vareapconfcachemaxentries']:'255');
	
	// Variables OSCP	
	$vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no');
	$vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no');
	$vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/');
	
	// Variables: EAP-TTLS
	$vareapconfttlsdefaulteaptype = ($eapconf['vareapconfttlsdefaulteaptype']?$eapconf['vareapconfttlsdefaulteaptype']:'md5');
	$vareapconfttlscopyrequesttotunnel = ($eapconf['vareapconfttlscopyrequesttotunnel']?$eapconf['vareapconfttlscopyrequesttotunnel']:'no');
	$vareapconfttlsusetunneledreply = ($eapconf['vareapconfttlsusetunneledreply']?$eapconf['vareapconfttlsusetunneledreply']:'no');
	$vareapconfttlsincludelength = ($eapconf['vareapconfttlsincludelength']?$eapconf['vareapconfttlsincludelength']:'yes');
	
	// Variables: EAP-PEAP with MSCHAPv2
	$vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2');
	$vareapconfpeapcopyrequesttotunnel = ($eapconf['vareapconfpeapcopyrequesttotunnel']?$eapconf['vareapconfpeapcopyrequesttotunnel']:'no');
	$vareapconfpeapusetunneledreply = ($eapconf['vareapconfpeapusetunneledreply']?$eapconf['vareapconfpeapusetunneledreply']:'no');
	$vareapconfpeapsohenable = ($eapconf['vareapconfpeapsohenable']?$eapconf['vareapconfpeapsohenable']:'Disable');
	
	// This is for enable/disbable MS SoH in EAP-PEAP and the virtuial-server "soh-server"
	if ($eapconf['vareapconfpeapsohenable'] == 'Enable') {
		$vareapconfpeapsoh = 'soh = yes' . "\n\t\t\tsoh_virtual_server = " . '"' . "soh-server" . '"';
		exec("ln -s " . FREERADIUS_ETC . "/raddb/sites-available/soh " . FREERADIUS_ETC . "/raddb/sites-enabled/");
	}
	else {
		$vareapconfpeapsoh = '### MS SoH Server is disabled ###';
			if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/soh")) {
			exec("rm -f " . FREERADIUS_ETC . "/raddb/sites-enabled/soh");
			}
	}
		

// The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time.
// This is for the pfsense cert manager
// Depends on "freeradius_get_server_certs" and "freeradius_get_ca_certs"

if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
		
		$ca_cert = lookup_ca($eapconf["ssl_ca_cert"]);
		if ($ca_cert != false) {
			if(base64_decode($ca_cert['prv'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_key.pem", 
					base64_decode($ca_cert['prv']));
				$conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_key.pem';
			}


			if(base64_decode($ca_cert['crt'])) {
				$crl_cert = lookup_crl($eapconf["ssl_ca_crl"]);
				if ($crl_cert != false){
					$crl=base64_decode($crl_cert['text']);
					$check_crl="check_crl = yes";
				}
				else{
					$check_crl="check_crl = no";
				}
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_cert.pem", 
					base64_decode($ca_cert['crt']). $crl);
				$conf['ssl_ca_cert'] = FREERADIUS_ETC . "/raddb/certs/ca_cert.pem";
			}
			$svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
			if ($svr_cert != false) {
				if(base64_decode($svr_cert['prv'])) {
					file_put_contents(FREERADIUS_ETC . "/raddb/certs/server_key.pem", 
						base64_decode($svr_cert['prv']));
					$conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/server_key.pem';
				}
			}


			if(base64_decode($svr_cert['crt'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/server_cert.pem", 
					base64_decode($svr_cert['crt']));
				$conf['ssl_server_cert'] = FREERADIUS_ETC . "/raddb/certs/server_cert.pem";
			}
			
			/* Not needed anymore because pfsense can do this by default
			if ($eapconf['vareapconfenableclientp12'] == 'on') {
				$svr_cert = lookup_cert($eapconf["ssl_client_cert"]);
				if ($svr_cert != false) {
					if(base64_decode($svr_cert['prv'])) {
						file_put_contents(FREERADIUS_ETC . "/raddb/certs/client_key.pem", 
							base64_decode($svr_cert['prv']));
						$conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/client_key.pem';
					}
				}


				if(base64_decode($svr_cert['crt'])) {
					file_put_contents(FREERADIUS_ETC . "/raddb/certs/client_cert.pem", 
						base64_decode($svr_cert['crt']));
					$conf['ssl_client_cert'] = FREERADIUS_ETC . "/raddb/certs/client_cert.pem";
				}
			
			exec("openssl pkcs12 -export -in " . FREERADIUS_ETC . "/raddb/certs/client_cert.pem -inkey " . FREERADIUS_ETC . "/raddb/certs/client_key.pem -out " . FREERADIUS_ETC . "/raddb/certs/client_cert.p12 -passout pass\:");	
			}
			*/
			$conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs';
		}

	$vareapconfprivatekeyfile = 'server_key.pem';
	$vareapconfcertificatefile = 'server_cert.pem';
	$vareapconfcafile = 'ca_cert.pem';
	
	// generate new DH and RANDOM file
	// We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files
	if (!file_exists(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr")) {
		log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in " . FREERADIUS_ETC . "/raddb/certs");
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && openssl dhparam -out dh 1024");
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && dd if=/dev/urandom of=./random count=10");
		exec("touch " . FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr");
	}
}

// This is for freeradius cert manager
else {
	$vareapconfprivatekeyfile = 'server.pem';
	$vareapconfcertificatefile = 'server.pem';
	$vareapconfcafile = 'ca.pem';
}

// check if the common name of the certificate must match the username
if($eapconf['vareapconfenablecheckcertcn'] == 'on') {
	$vareapconfcheckcertcn = 'check_cert_cn = %{User-Name}';
}
else {
	$vareapconfcheckcertcn = '### check_cert_cn = %{User-Name} ###';
}

// check if cert issuer of CA and certs match
if($eapconf['vareapconfenablecheckcertissuer'] == 'on') {
	$vareapconfcheckcertissuer = "check_cert_issuer = " . '"' . "/C=$vareapconfcountry/ST=$vareapconfstate/L=$vareapconfcity/O=$vareapconforganization/emailAddress=$vareapconfemail/CN=$vareapconfcommonname" . '"';
}
else {
	$vareapconfcheckcertissuer = '### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###';
}

	$conf .= <<<EOD
	### EAP
	eap {
		default_eap_type = $vareapconfdefaulteaptype
		timer_expire     = $vareapconftimerexpire
		ignore_unknown_eap_types = $vareapconfignoreunknowneaptypes
		cisco_accounting_username_bug = $vareapconfciscoaccountingusernamebug
		max_sessions = $vareapconfmaxsessions
		
		$vareapconfweakeaptypes


		### EAP-TLS and EAP-TLS with OCSP support
		tls {
			certdir = \${confdir}/certs
			cadir = \${confdir}/certs
			private_key_password = $vareapconfprivatekeypassword
			private_key_file = \${certdir}/$vareapconfprivatekeyfile
			certificate_file = \${certdir}/$vareapconfcertificatefile
			CA_file = \${cadir}/$vareapconfcafile
			dh_file = \${certdir}/dh
			random_file = \${certdir}/random
			fragment_size = $vareapconffragmentsize
			include_length = $vareapconfincludelength
			{$check_crl}
			CA_path = \${cadir}
			$vareapconfcheckcertissuer
			$vareapconfcheckcertcn
			cipher_list = "DEFAULT"
			ecdh_curve = "prime256v1"
			cache {
			      enable = $vareapconfcacheenablecache
			      lifetime = $vareapconfcachelifetime
			      max_entries = $vareapconfcachemaxentries
			}
			verify {
		#     		tmpdir = /tmp/radiusd
		#    		client = "/path/to/openssl verify -CApath ${CA_path} %{TLS-Client-Cert-Filename}"
			}
			ocsp {
			      enable = $vareapconfocspenable
			      override_cert_url = $vareapconfocspoverridecerturl
			      url = "$vareapconfocspurl"
			}
		}
	
		### EAP-TTLS
		ttls {
			default_eap_type = $vareapconfttlsdefaulteaptype
			copy_request_to_tunnel = $vareapconfttlscopyrequesttotunnel
			use_tunneled_reply = $vareapconfttlsusetunneledreply
			include_length = $vareapconfttlsincludelength
		}	### end ttls	
	
		### EAP-PEAP
		peap {
			default_eap_type = $vareapconfpeapdefaulteaptype
			copy_request_to_tunnel = $vareapconfpeapcopyrequesttotunnel
			use_tunneled_reply = $vareapconfpeapusetunneledreply
		#	proxy_tunneled_request_as_eap = yes
			$vareapconfpeapsoh
		}
		mschapv2 {
		#	send_error = no
		}	
	}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/eap.conf';
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

	restart_service('radiusd');
}

// Gets started from freeradiuseapconf.xml
function freeradius_get_ca_certs() {
	global $config;
	$ca_arr = array();
	$ca_arr[] = array('refid' => 'none', 'descr' => 'none');

	foreach ($config['ca'] as $ca) {
		$ca_arr[] = array('refid' => $ca['refid'], 'descr' => $ca['descr']);
	}
	return $ca_arr;
}

// Gets started from freeradiuseapconf.xml
function freeradius_get_ca_crl() {
	global $config;
	$crl_arr = array();
	$crl_arr[] = array('refid' => 'none', 'descr' => 'none');

	foreach ($config['crl'] as $crl) {
		$crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']);
	}
	return $crl_arr;
}

// Gets started from freeradiuseapconf.xml
function freeradius_get_server_certs() {
	global $config;
	$cert_arr = array();
	$cert_arr[] = array('refid' => 'none', 'descr' => 'none');

	foreach ($config['cert'] as $cert) {
		$cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
	}
	return $cert_arr;
}

function freeradius_sqlconf_resync() {
	global $config;
	$conf = '';

	$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
	
	// Variables: SQL DATABASE 1
	$varsqlconfdatabase = ($sqlconf['varsqlconfdatabase']?$sqlconf['varsqlconfdatabase']:'mysql');
	$varsqlconfserver = ($sqlconf['varsqlconfserver']?$sqlconf['varsqlconfserver']:'localhost');
	$varsqlconfport = ($sqlconf['varsqlconfport']?$sqlconf['varsqlconfport']:'3306');
	$varsqlconflogin = ($sqlconf['varsqlconflogin']?$sqlconf['varsqlconflogin']:'radius');
	$varsqlconfpassword = ($sqlconf['varsqlconfpassword']?$sqlconf['varsqlconfpassword']:'radpass');
	$varsqlconfradiusdb = ($sqlconf['varsqlconfradiusdb']?$sqlconf['varsqlconfradiusdb']:'radius');
	$varsqlconfaccttable1 = ($sqlconf['varsqlconfaccttable1']?$sqlconf['varsqlconfaccttable1']:'radacct');
	$varsqlconfaccttable2 = ($sqlconf['varsqlconfaccttable2']?$sqlconf['varsqlconfaccttable2']:'radacct');
	$varsqlconfpostauthtable = ($sqlconf['varsqlconfpostauthtable']?$sqlconf['varsqlconfpostauthtable']:'radpostauth');
	$varsqlconfauthchecktable = ($sqlconf['varsqlconfauthchecktable']?$sqlconf['varsqlconfauthchecktable']:'radcheck');
	$varsqlconfauthreplytable = ($sqlconf['varsqlconfauthreplytable']?$sqlconf['varsqlconfauthreplytable']:'radreply');
	$varsqlconfgroupchecktable = ($sqlconf['varsqlconfgroupchecktable']?$sqlconf['varsqlconfgroupchecktable']:'radgroupcheck');
	$varsqlconfgroupreplytable = ($sqlconf['varsqlconfgroupreplytable']?$sqlconf['varsqlconfgroupreplytable']:'radgroupreply');
	$varsqlconfusergrouptable = ($sqlconf['varsqlconfusergrouptable']?$sqlconf['varsqlconfusergrouptable']:'radusergroup');
	$varsqlconfreadgroups = ($sqlconf['varsqlconfreadgroups']?$sqlconf['varsqlconfreadgroups']:'yes');
	$varsqlconfdeletestalesessions = ($sqlconf['varsqlconfdeletestalesessions']?$sqlconf['varsqlconfdeletestalesessions']:'yes');
	$varsqlconfsqltrace = ($sqlconf['varsqlconfsqltrace']?$sqlconf['varsqlconfsqltrace']:'no');
	$varsqlconfnumsqlsocks = ($sqlconf['varsqlconfnumsqlsocks']?$sqlconf['varsqlconfnumsqlsocks']:'5');
	$varsqlconfconnectfailureretrydelay = ($sqlconf['varsqlconfconnectfailureretrydelay']?$sqlconf['varsqlconfconnectfailureretrydelay']:'60');
	$varsqlconflifetime = ($sqlconf['varsqlconflifetime']?$sqlconf['varsqlconflifetime']:'0');
	$varsqlconfmaxqueries = ($sqlconf['varsqlconfmaxqueries']?$sqlconf['varsqlconfmaxqueries']:'0');
	$varsqlconfreadclients = ($sqlconf['varsqlconfreadclients']?$sqlconf['varsqlconfreadclients']:'yes');
	$varsqlconfnastable = ($sqlconf['varsqlconfnastable']?$sqlconf['varsqlconfnastable']:'nas');
	
	// Additional changes were made in "freeradius_settings_resync"

	// Variables: SQL DATABASE 2
	$varsqlconf2database = ($sqlconf['varsqlconf2database']?$sqlconf['varsqlconf2database']:'mysql');
	$varsqlconf2server = ($sqlconf['varsqlconf2server']?$sqlconf['varsqlconf2server']:'localhost');
	$varsqlconf2port = ($sqlconf['varsqlconf2port']?$sqlconf['varsqlconf2port']:'3306');
	$varsqlconf2login = ($sqlconf['varsqlconf2login']?$sqlconf['varsqlconf2login']:'radius');
	$varsqlconf2password = ($sqlconf['varsqlconf2password']?$sqlconf['varsqlconf2password']:'radpass');
	$varsqlconf2radiusdb = ($sqlconf['varsqlconf2radiusdb']?$sqlconf['varsqlconf2radiusdb']:'radius');
	$varsqlconf2accttable1 = ($sqlconf['varsqlconf2accttable1']?$sqlconf['varsqlconf2accttable1']:'radacct');
	$varsqlconf2accttable2 = ($sqlconf['varsqlconf2accttable2']?$sqlconf['varsqlconf2accttable2']:'radacct');
	$varsqlconf2postauthtable = ($sqlconf['varsqlconf2postauthtable']?$sqlconf['varsqlconf2postauthtable']:'radpostauth');
	$varsqlconf2authchecktable = ($sqlconf['varsqlconf2authchecktable']?$sqlconf['varsqlconf2authchecktable']:'radcheck');
	$varsqlconf2authreplytable = ($sqlconf['varsqlconf2authreplytable']?$sqlconf['varsqlconf2authreplytable']:'radreply');
	$varsqlconf2groupchecktable = ($sqlconf['varsqlconf2groupchecktable']?$sqlconf['varsqlconf2groupchecktable']:'radgroupcheck');
	$varsqlconf2groupreplytable = ($sqlconf['varsqlconf2groupreplytable']?$sqlconf['varsqlconf2groupreplytable']:'radgroupreply');
	$varsqlconf2usergrouptable = ($sqlconf['varsqlconf2usergrouptable']?$sqlconf['varsqlconf2usergrouptable']:'radusergroup');
	$varsqlconf2readgroups = ($sqlconf['varsqlconf2readgroups']?$sqlconf['varsqlconf2readgroups']:'yes');
	$varsqlconf2deletestalesessions = ($sqlconf['varsqlconf2deletestalesessions']?$sqlconf['varsqlconf2deletestalesessions']:'yes');
	$varsqlconf2sqltrace = ($sqlconf['varsqlconf2sqltrace']?$sqlconf['varsqlconf2sqltrace']:'no');
	$varsqlconf2numsqlsocks = ($sqlconf['varsqlconf2numsqlsocks']?$sqlconf['varsqlconf2numsqlsocks']:'5');
	$varsqlconf2connectfailureretrydelay = ($sqlconf['varsqlconf2connectfailureretrydelay']?$sqlconf['varsqlconf2connectfailureretrydelay']:'60');
	$varsqlconf2lifetime = ($sqlconf['varsqlconf2lifetime']?$sqlconf['varsqlconf2lifetime']:'0');
	$varsqlconf2maxqueries = ($sqlconf['varsqlconf2maxqueries']?$sqlconf['varsqlconf2maxqueries']:'0');
	$varsqlconf2readclients = ($sqlconf['varsqlconf2readclients']?$sqlconf['varsqlconf2readclients']:'yes');
	$varsqlconf2nastable = ($sqlconf['varsqlconf2nastable']?$sqlconf['varsqlconf2nastable']:'nas');
	
	// Additional changes were made in "freeradius_settings_resync"
	
	
	$conf .= <<<EOD

sql {
	database = "$varsqlconfdatabase"
	driver = "rlm_sql_\${database}"
	server = "$varsqlconfserver"
	port = $varsqlconfport
	login = "$varsqlconflogin"
	password = "$varsqlconfpassword"
	radius_db = "$varsqlconfradiusdb"
	acct_table1 = "$varsqlconfaccttable1"
	acct_table2 = "$varsqlconfaccttable2"
	postauth_table = "$varsqlconfpostauthtable"
	authcheck_table = "$varsqlconfauthchecktable"
	authreply_table = "$varsqlconfauthreplytable"
	groupcheck_table = "$varsqlconfgroupchecktable"
	groupreply_table = "$varsqlconfgroupreplytable"
	usergroup_table = "$varsqlconfusergrouptable"
	read_groups = $varsqlconfreadgroups
	deletestalesessions = $varsqlconfdeletestalesessions
	sqltrace = $varsqlconfsqltrace
	sqltracefile = \${logdir}/sqltrace.sql
	num_sql_socks = $varsqlconfnumsqlsocks
	connect_failure_retry_delay = $varsqlconfconnectfailureretrydelay
	lifetime = $varsqlconflifetime
	max_queries = $varsqlconfmaxqueries
	readclients = $varsqlconfreadclients
	nas_table = "$varsqlconfnastable"
	\$INCLUDE sql/\${database}/dialup.conf
}

sql sql2 {
	database = "$varsqlconf2database"
	driver = "rlm_sql_\${database}"
	server = "$varsqlconf2server"
	port = $varsqlconf2port
	login = "$varsqlconf2login"
	password = "$varsqlconf2password"
	radius_db = "$varsqlconf2radiusdb"
	acct_table1 = "$varsqlconf2accttable1"
	acct_table2 = "$varsqlconf2accttable2"
	postauth_table = "$varsqlconf2postauthtable"
	authcheck_table = "$varsqlconf2authchecktable"
	authreply_table = "$varsqlconf2authreplytable"
	groupcheck_table = "$varsqlconf2groupchecktable"
	groupreply_table = "$varsqlconf2groupreplytable"
	usergroup_table = "$varsqlconf2usergrouptable"
	read_groups = $varsqlconf2readgroups
	deletestalesessions = $varsqlconf2deletestalesessions
	sqltrace = $varsqlconf2sqltrace
	sqltracefile = \${logdir}/sqltrace.sql
	num_sql_socks = $varsqlconf2numsqlsocks
	connect_failure_retry_delay = $varsqlconf2connectfailureretrydelay
	lifetime = $varsqlconf2lifetime
	max_queries = $varsqlconf2maxqueries
	readclients = $varsqlconf2readclients
	nas_table = "$varsqlconf2nastable"
	\$INCLUDE sql/\${database}/dialup.conf
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/sql.conf';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();
	
	// We don't need a restart at this time because there are additional changes needed in:
	// "freeradius_settings_resync" and "freeradius_serverdefault_resync".
	// restart_service('radiusd');
	freeradius_settings_resync();
}

function freeradius_serverdefault_resync() {
	global $config;
	$conf = '';
		
	// Get Variables from freeradiusmodulesldap.xml
	$arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
	// failover/loadbalancing mode
	$varmodulesldap2failover = ($arrmodulesldap['varmodulesldap2failover']?$arrmodulesldap['varmodulesldap2failover']:'redundant');
	
	// If unchecked then disable authorize ldap2
	if (!$arrmodulesldap['varmodulesldap2enableauthorize']) {
		$varmodulesldap2enableauthorize = '### ldap2 disabled ###';
	}
	else {
		$varmodulesldap2enableauthorize = 'ldap2';
	}
	
	// If unchecked then disable authorize ldap1
	if (!$arrmodulesldap['varmodulesldapenableauthorize']) {
		$varmodulesldapenableauthorize = '### ldap ###';
	}
	else {
		$varmodulesldapenableauthorize = '';
		$varmodulesldapenableauthorize .= "$varmodulesldap2failover {";
		$varmodulesldapenableauthorize .= "\n\t\tldap";
		// this line adds ldap2 when activated
		$varmodulesldapenableauthorize .= "\n\t\t$varmodulesldap2enableauthorize";
		$varmodulesldapenableauthorize .= "\n\t}";
	}
	
	// If unchecked then disable authenticate for ldap1
	if (!$arrmodulesldap['varmodulesldap2enableauthenticate']) {
		$varmodulesldap2enableauthenticate = "### ldap2 disabled ###";
	}
	else {
		$varmodulesldap2enableauthenticate = "ldap2";
	}
	
	// If unchecked then disable authenticate ldap2
	if (!$arrmodulesldap['varmodulesldapenableauthenticate']) {
		$varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t#}";
	}
	else {
		$varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";
	}
	
	// Get Variables from freeradiussqlconf.xml for DATABASE 1
	$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
	$varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable');
	$varsqlconfenableaccounting = ($sqlconf['varsqlconfenableaccounting']?$sqlconf['varsqlconfenableaccounting']:'Disable');
	$varsqlconfenablesession = ($sqlconf['varsqlconfenablesession']?$sqlconf['varsqlconfenablesession']:'Disable');
	$varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable');
	
	// Get Variables from freeradiussqlconf.xml for DATABASE 2
	$varsqlconf2enableauthorize = ($sqlconf['varsqlconf2enableauthorize']?$sqlconf['varsqlconf2enableauthorize']:'Disable');
	$varsqlconf2enableaccounting = ($sqlconf['varsqlconf2enableaccounting']?$sqlconf['varsqlconf2enableaccounting']:'Disable');
	$varsqlconf2enablesession = ($sqlconf['varsqlconf2enablesession']?$sqlconf['varsqlconf2enablesession']:'Disable');
	$varsqlconf2enablepostauth = ($sqlconf['varsqlconf2enablepostauth']?$sqlconf['varsqlconf2enablepostauth']:'Disable');
	
	// authorize section DATABASE 2
	if ($sqlconf['varsqlconf2enableauthorize'] == 'Enable') {
		$varsqlconf2authorize = 'sql2';
	}
	else {
		$varsqlconf2authorize = '### sql2 DISABLED ###';
	}
	// accounting section DATABASE 2
	if ($sqlconf['varsqlconf2enableaccounting'] == 'Enable') {
		$varsqlconf2accounting = 'sql2';
	}
	else {
		$varsqlconf2accounting = '### sql2 DISABLED ###';
	}
	// session section DATABASE 2
	if ($sqlconf['varsqlconf2enablesession'] == 'Enable') {
		$varsqlconf2session = 'sql2';
	}
	else {
		$varsqlconf2session = '### sql2 DISABLED ###';
	}
	// post-auth section DATABASE 2
	if ($sqlconf['varsqlconf2enablepostauth'] == 'Enable') {
		$varsqlconf2postauth = 'sql2';
	}
	else {
		$varsqlconf2postauth = '### sql2 DISABLED ###';
	}	
	
	// Failover mode
	$varsqlconf2failover = ($sqlconf['varsqlconf2failover']?$sqlconf['varsqlconf2failover']:'redundant');

	// authorize section DATABASE 1
	if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) {
		$varsqlconfauthorize = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2authorize" . "\n\t}";
	}
	else {
		$varsqlconfauthorize = '### sql DISABLED ###';
	}
	
	// accounting section DATABASE 1
	if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) {
		$varsqlconfaccounting = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2accounting" . "\n\t}";
	}
	else {
		$varsqlconfaccounting = '### sql DISABLED ###';
	}
	
	// session section DATABASE 1
	if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) {
		$varsqlconfsession = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2session" . "\n\t}";
	}
	else {
		$varsqlconfsession = 'radutmp';
	}

	// post-auth section DATABASE 1
	if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) {
		$varsqlconfpostauth = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2postauth" . "\n\t}";
	}
	else {
		$varsqlconfpostauth = '### sql DISABLED ###';
	}
	
	// Changing authorize section for plain mac auth
	// Variables: If not using 802.1x, mac address must be known
	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
	
	// If unchecked we need the normal EAP section.
	if (!$varsettings['varsettingsenablemacauth']) {
		$varplainmacauthenable = '##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####';

		$varplainmacpreacctenable = '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####';
	}
	// If checked we need to check if it is plain mac or eap
	else {
		$varplainmacauthenable = '';
		$varplainmacauthenable .= "### FIRST check MAC address in authorized_macs and if that fails proceed with other checks below in else-section ###";
		$varplainmacauthenable .= "\n\t### if cleaning up the Calling-Station-Id...###";
		$varplainmacauthenable .= "\n\trewrite_calling_station_id";
		$varplainmacauthenable .= "\n\t";
		$varplainmacauthenable .= "\n\t# now check against the authorized_macs file";
		$varplainmacauthenable .= "\n\tauthorized_macs";
		$varplainmacauthenable .= "\n\tif (ok) {";
		$varplainmacauthenable .= "\n\t\t\tupdate control {";
		$varplainmacauthenable .= "\n\t\t\tAuth-Type := Accept";
		$varplainmacauthenable .= "\n\t\t}";
		$varplainmacauthenable .= "\n\t}";
		$varplainmacauthenable .= "\n\t### Here we have to place all other authorize modules which should be check when MAC fails ###";

		$varplainmacpreacctenable = '';
		$varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH ENABLED #####';
		$varplainmacpreacctenable .= "\n\trewrite_calling_station_id";
	}
	
	// Disable acct_unique in preacct section
	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];

	if ($varsettings['varsettingsenableacctunique'] == 'on') {
		$varsettingsacctuniqueenabled = '##### DISABLE acct_unique DISABLE #####';
	}
	else {
		$varsettingsacctuniqueenabled = 'acct_unique';
	}
	
	$conf .= <<<EOD
######################################################################
#
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
#	"server" section, and configuration directives.
#
#	Virtual hosts should be put into the "sites-available"
#	directory.  Soft links should be created in the "sites-enabled"
#	directory to these files.  This is done in a normal installation.
#
#	If you are using 802.1X (EAP) authentication, please see also
#	the "inner-tunnel" virtual server.  You wll likely have to edit
#	that, too, for authentication to work.
#
#	$Id$
#
######################################################################
#
#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.  See also "man unlang", which documents the format
#	of this file.
#
#	This configuration is designed to work in the widest possible
#	set of circumstances, with the widest possible number of
#	authentication methods.  This means that in general, you should
#	need to make very few changes to this file.
#
#	The best way to configure the server for your local system
#	is to CAREFULLY edit this file.  Most attempts to make large
#	edits to this file will BREAK THE SERVER.  Any edits should
#	be small, and tested by running the server with "radiusd -X".
#	Once the edits have been verified to work, save a copy of these
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
#	make more edits, and test, as above.
#
#	There are many "commented out" references to modules such
#	as ldap, sql, etc.  These references serve as place-holders.
#	If you need the functionality of that module, then configure
#	it in radiusd.conf, and un-comment the references to it in
#	this file.  In most cases, those small changes will result
#	in the server being able to connect to the DB, and to
#	authenticate users.
#
######################################################################

#
#	In 1.x, the "authorize", etc. sections were global in
#	radiusd.conf.  As of 2.0, they SHOULD be in a server section.
#
#	The server section with no virtual server name is the "default"
#	section.  It is used when no server name is specified.
#
#	We don't indent the rest of this file, because doing so
#	would make it harder to read.
#

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {
	#
	#  Security settings.  Take a User-Name, and do some simple
	#  checks on it, for spaces and other invalid characters.  If
	#  it looks like the user is trying to play games, reject it.
	#
	#  This should probably be enabled by default.
	#
	#  See policy.conf for the definition of the filter_username policy.
	#
#	filter_username

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess
	
	#
	#
	$varplainmacauthenable
	
	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
	digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	
	suffix
	ntdomain
	
	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#
	#
	
	eap {
		ok = return
	}
	
	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
#	unix

	#
	#  Read the 'users' file
	files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
	$varsqlconfauthorize

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
	
	$varmodulesldapenableauthorize

	#
	#  Enforce daily limits on time spent logged in.
	daily
	weekly
	monthly
	forever

	#
	# Use the checkval module
	checkval

	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap
	
	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
	Autz-Type Status-Server {

	}
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to or forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  Mobile-One-Time-Password (MOTP) authentication.
	Auth-Type MOTP {
		motp
	}
	
	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#  For normal "crypt" authentication, the "pap" module should
	#  be used instead of the "unix" module.  The "unix" module should
	#  be used for authentication ONLY for compatibility with legacy
	#  FreeRADIUS configurations.
	#
	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	$varmodulesldapenableauthenticate

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1  
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
	preprocess
	
	$varplainmacpreacctenable
	
	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.
	#
	#  The start time is: NOW - delay - session_length
	#

	update request {
		FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
	}

	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, and many NAS boxes are broken.
	$varsettingsacctuniqueenabled

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
	ntdomain

	#
	#  Read the 'acct_users' file
	files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
	daily
	weekly
	monthly
	forever

	### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
	if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
		datacounterdaily
		datacounterweekly
		datacountermonthly
		datacounterforever
	}
	
	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect.  There is little we can do about it.
	radutmp
#	sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in sql.conf
	$varsqlconfaccounting

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database.  The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines.  Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	# For Exec-Program and Exec-Program-Wait
	exec

	#  Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
	Acct-Type Status-Server {

	}
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	### choose radutmp or sql
	$varsqlconfsession
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#  Get an address from the IP Pool.
#	main_pool

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
	$varsqlconfpostauth

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	# For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# 	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	}


	#  If the WiMAX module did it's work, you may want to do more
	#  things here, like delete the MS-MPPE-*-Key attributes.
	#
	#	if (updated) {
	#		update reply {
	#			MS-MPPE-Recv-Key !* 0x00
	#			MS-MPPE-Send-Key !* 0x00
	#		}
	#	}

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set 
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {

		# log failed authentications in SQL, too.
		# sql
		attr_filter.access_reject
	}
}
#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/sites-available/default';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();
	
	// No need to restart here because the restart of the service will be done in "freeradius_settings_resync"
	// restart_service('radiusd');
}

function freeradius_cacertcnf_resync() {
	global $config;
	$conf = '';

	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
	
	// General variables: CA, Server, Client
	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');

	// Variables: Only for CA
	$varcertscaemailaddress = ($arrcerts['varcertscaemailaddress']?$arrcerts['varcertscaemailaddress']:'admin@mycompany.com');
	$varcertscacommonname = ($arrcerts['varcertscacommonname']?$arrcerts['varcertscacommonname']:'internal-ca');
	
	
	

	$conf .= <<<EOD
[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= \$dir
crl_dir			= \$dir/crl
database		= \$dir/index.txt
new_certs_dir		= \$dir
certificate		= \$dir/ca.pem
serial			= \$dir/serial
crl			= \$dir/crl.pem
private_key		= \$dir/ca.key
RANDFILE		= \$dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= $varcertsdefaultdays
default_crl_days	= 30
default_md		= $varcertsdefaultmd
preserve		= no
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= certificate_authority
default_bits		= $varcertsdefaultbits
input_password		= $varcertspassword
output_password		= $varcertspassword
x509_extensions		= v3_ca

[certificate_authority]
countryName		= $varcertscountryname
stateOrProvinceName	= $varcertsstateorprovincename
localityName		= $varcertslocalityname
organizationName	= $varcertsorganizationname
emailAddress		= $varcertscaemailaddress
commonName		= "$varcertscacommonname"

[v3_ca]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always
basicConstraints	= CA:true
EOD;

	$filename = FREERADIUS_ETC . '/raddb/certs/ca.cnf';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_servercertcnf_resync() {
	global $config;
	$conf = '';

	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
	
	// General variables: CA, Server, Client
	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');

	// Variables: Only for Server
	$varcertsserveremailaddress = ($arrcerts['varcertsserveremailaddress']?$arrcerts['varcertsserveremailaddress']:'webadmin@mycompany.com');
	$varcertsservercommonname = ($arrcerts['varcertsservercommonname']?$arrcerts['varcertsservercommonname']:'server-cert');
	

	$conf .= <<<EOD
[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= \$dir
crl_dir			= \$dir/crl
database		= \$dir/index.txt
new_certs_dir		= \$dir
certificate		= \$dir/server.pem
serial			= \$dir/serial
crl			= \$dir/crl.pem
private_key		= \$dir/server.key
RANDFILE		= \$dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= $varcertsdefaultdays
default_crl_days	= 30
default_md		= $varcertsdefaultmd
preserve		= no
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= server
default_bits		= $varcertsdefaultbits
input_password		= $varcertspassword
output_password		= $varcertspassword

[server]
countryName		= $varcertscountryname
stateOrProvinceName	= $varcertsstateorprovincename
localityName		= $varcertslocalityname
organizationName	= $varcertsorganizationname
emailAddress		= $varcertsserveremailaddress
commonName		= "$varcertsservercommonname"
EOD;

	$filename = FREERADIUS_ETC . '/raddb/certs/server.cnf';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_clientcertcnf_resync() {
	global $config;
	$conf = '';

	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
	
	// General variables: CA, Server, Client
	$varcertsdefaultdays = ($arrcerts['varcertsdefaultdays']?$arrcerts['varcertsdefaultdays']:'3650');
	$varcertsdefaultmd = ($arrcerts['varcertsdefaultmd']?$arrcerts['varcertsdefaultmd']:'md5');
	$varcertsdefaultbits = ($arrcerts['varcertsdefaultbits']?$arrcerts['varcertsdefaultbits']:'2048');
	$varcertspassword = ($arrcerts['varcertspassword']?$arrcerts['varcertspassword']:'whatever');
	$varcertscountryname = ($arrcerts['varcertscountryname']?$arrcerts['varcertscountryname']:'US');
	$varcertsstateorprovincename = ($arrcerts['varcertsstateorprovincename']?$arrcerts['varcertsstateorprovincename']:'Texas');
	$varcertslocalityname = ($arrcerts['varcertslocalityname']?$arrcerts['varcertslocalityname']:'Austin');
	$varcertsorganizationname = ($arrcerts['varcertsorganizationname']?$arrcerts['varcertsorganizationname']:'My Company Inc');

	// Variables: Only for Client
	$varcertsclientemailaddress = ($arrcerts['varcertsclientemailaddress']?$arrcerts['varcertsclientemailaddress']:'user@mycompany.com');
	$varcertsclientcommonname = ($arrcerts['varcertsclientcommonname']?$arrcerts['varcertsclientcommonname']:'client-cert');
	

	$conf .= <<<EOD
[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= \$dir
crl_dir			= \$dir/crl
database		= \$dir/index.txt
new_certs_dir		= \$dir
certificate		= \$dir/server.pem
serial			= \$dir/serial
crl			= \$dir/crl.pem
private_key		= \$dir/server.key
RANDFILE		= \$dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= $varcertsdefaultdays
default_crl_days	= 30
default_md		= $varcertsdefaultmd
preserve		= no
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= client
default_bits		= $varcertsdefaultbits
input_password		= $varcertspassword
output_password		= $varcertspassword

[client]
countryName		= $varcertscountryname
stateOrProvinceName	= $varcertsstateorprovincename
localityName		= $varcertslocalityname
organizationName	= $varcertsorganizationname
emailAddress		= $varcertsclientemailaddress
commonName		= "$varcertsclientcommonname"
EOD;

	$filename = FREERADIUS_ETC . '/raddb/certs/client.cnf';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_allcertcnf_resync() {
	global $config;
		// We need to make this write enabled for embedded systems to write certs
		conf_mount_rw();
	
	
// Only proceed these steps if freeRADIUS Cert-Manager is activated. if pfSense cert manager is used skip this.
$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
if ($eapconf['vareapconfchoosecertmanager'] == '') {
	

	$arrcerts = $config['installedpackages']['freeradiuscerts']['config'][0];
	
	// General variable for deleting and generation of further Client-Cert
	$varcertscreateclient = ($arrcerts['varcertscreateclient']?$arrcerts['varcertscreateclient']:'no');
	
	// General variables for deleting: CA, Server, Client
	$varcertsdeleteall = ($arrcerts['varcertsdeleteall']?$arrcerts['varcertsdeleteall']:'no');
		
	// If all certs should be deleted, we do not need to delete and recreate client-certs first.
	if ($arrcerts['varcertsdeleteall'] == 'no') {

		if ($arrcerts['varcertscreateclient'] == 'yes') {
		
		// delete all old certificates and keys
		log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in " . FREERADIUS_ETC . "/raddb/certs");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.csr");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.crt");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.key");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.pem");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.tar");
				
			
		// run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml
		freeradius_clientcertcnf_resync();
	
	
		// make bootstrap executable and run to create cert based on client.cnf files
		exec("chmod 0770 " . FREERADIUS_ETC . "/raddb/certs/bootstrap");
		exec(FREERADIUS_ETC . "/raddb/certs/bootstrap");
			
		// rename client generated XX.pem to client.pem // use regex to replace spaces and so on.
		$varserial = preg_replace("/\s/","",file_get_contents(FREERADIUS_ETC . '/raddb/certs/serial.old'));
		if (file_exists(FREERADIUS_ETC . "/raddb/certs/$varserial.pem"))
		rename(FREERADIUS_ETC . "/raddb/certs/$varserial.pem",FREERADIUS_ETC . "/raddb/certs/client.pem");
		
		
		// tar client-cert files
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
		
		// Make all files in certs folder read/write only for root
		exec("chmod -R 0600 " . FREERADIUS_ETC . "/raddb/certs/");
		log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in " . FREERADIUS_ETC . "/raddb/certs/client.tar");
		}
	}
	else {
		
		if ($arrcerts['varcertsdeleteall'] == 'yes') {
	
		// delete all old certificates and keys - deletes certs from pfsense cert-manager IN THIS FOLDER, too.
		log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in " . FREERADIUS_ETC . "/raddb/certs");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.pem && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.pem && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.pem");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.der && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.der && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.der");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.csr && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.csr && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.csr");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.crt && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.crt && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.crt");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.key && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.key && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.key");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.p12 && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.p12 && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.p12");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/serial*");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/index*");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/dh");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/random");
		exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.tar");
		
	
		// run fuctions to create new .cnf files based on user input from freeradiuscert.xml
		freeradius_cacertcnf_resync();
		freeradius_servercertcnf_resync();
		freeradius_clientcertcnf_resync();
		
		// this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created
		if (file_exists(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr")) {
			unlink(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr");
		}
		
		// generate new DH and RANDOM file
		log_error("freeRADIUS: Creating new DH and random file in " . FREERADIUS_ETC . "/raddb/certs");
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && openssl dhparam -out dh 1024");
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && dd if=/dev/urandom of=./random count=10");
		
		log_error("freeRADIUS: Creating new CA, Server and Client certs in " . FREERADIUS_ETC . "/raddb/certs");
		// make bootstrap executable and run to create certs based on .cnf files
		exec("chmod 0770 " . FREERADIUS_ETC . "/raddb/certs/bootstrap");
		exec(FREERADIUS_ETC . "/raddb/certs/bootstrap");
		
		// rename client generated 02.pem to client.pem
		if (file_exists(FREERADIUS_ETC . "/raddb/certs/02.pem"))
		rename(FREERADIUS_ETC . "/raddb/certs/02.pem",FREERADIUS_ETC . "/raddb/certs/client.pem");
		
		// tar client-cert files
		exec("cd " . FREERADIUS_ETC . "/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem");
		exec("chmod -R 0600 " . FREERADIUS_ETC . "/raddb/certs/");
		log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in " . FREERADIUS_ETC . "/raddb/certs/client.tar");
		
		// If there were changes on the certificates we need to restart freeradius
		restart_service('radiusd');
		}
	}
} //end choose pfSense cert-manager
else {
	return;
}
// Read-only because of embedded systems
conf_mount_ro();
} //end of function

// ##### The following part is based on the code of pfblocker #####

/* Uses XMLRPC to synchronize the changes to a remote node */
function freeradius_sync_on_changes() {
	global $config, $g;
	if (is_array($config['installedpackages']['freeradiussync'])){
		$synconchanges = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];
		$varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
		}
	else
	{
		return;
	}

	// if checkbox is NOT checked do nothing
	switch ($synconchanges){
		case "manual":
			if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])){
				$rs=$config['installedpackages']['freeradiussync']['config'][0]['row'];
				}
			else{
				log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no hosts to push on FreeRADIUS config.");
				return;
				}
			break;
		case "auto":
				if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
					$system_carp=$config['installedpackages']['carpsettings']['config'][0];
					$rs[0]['varsyncdestinenable']="on";
					$rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https");
					$rs[0]['varsyncipaddress']=$system_carp['synchronizetoip'];
					$rs[0]['varsyncpassword']=$system_carp['password'];
					$rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443");
					if (! is_ipaddr($system_carp['synchronizetoip'])){
						log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
						return;
						}
				}
				else{
					log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
					return;
				}
			break;		
		default:
			return;
		break;
		}
		if (is_array($rs)){
			log_error("[FreeRADIUS]: xmlrpc sync is starting with timeout {$varsynctimeout} seconds.");
			foreach($rs as $sh){
				if($sh['varsyncdestinenable']){
					$varsyncprotocol 	= $sh['varsyncprotocol'];
					$sync_to_ip 		= $sh['varsyncipaddress'];
					$password   		= $sh['varsyncpassword'];
					$varsyncport 		= $sh['varsyncport'];
					if($password && $sync_to_ip)
						freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout);
					else
						log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!");
				}
				else {
				log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
				}
			}
			log_error("[FreeRADIUS]: xmlrpc sync is ending.");
			}
}

/* Do the actual XMLRPC sync */
function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) {
	global $config, $g;

	if($varsynctimeout == '' || $varsynctimeout == 0)
		$varsynctimeout = 150;

	if(!$password)
		return;

	if(!$sync_to_ip)
		return;
	
	if(!$varsyncport)
		return;

	if(!$varsyncprotocol)
		return;
	
	// Check and choose correct protocol type, port number and IP address
	$synchronizetoip .= "$varsyncprotocol" . '://';
	$port = "$varsyncport";

	$synchronizetoip .= $sync_to_ip;

	/* xml will hold the sections to sync */
	$xml = array();
	$xml['freeradius'] = $config['installedpackages']['freeradius'];
	$xml['freeradiusauthorizedmacs'] = $config['installedpackages']['freeradiusauthorizedmacs'];
	$xml['freeradiusclients'] = $config['installedpackages']['freeradiusclients'];
	
	/* assemble xmlrpc payload */
	$params = array(
		XML_RPC_encode($password),
		XML_RPC_encode($xml)
	);

	/* set a few variables needed for sync code borrowed from filter.inc */
	$url = $synchronizetoip;
	log_error("[FreeRADIUS]: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}.");
	$method = 'pfsense.merge_installedpackages_section_xmlrpc';
	$msg = new XML_RPC_Message($method, $params);
	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
	$cli->setCredentials('admin', $password);
		if($g['debug'])
			$cli->setDebug(1);
		/* send our XMLRPC message and timeout after $varsynctimeout seconds */
		$resp = $cli->send($msg, $varsynctimeout);
		if(!$resp) {
			$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}.";
			log_error("[FreeRADIUS]: $error");
			file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
		} elseif($resp->faultCode()) {
			$cli->setDebug(1);
			$resp = $cli->send($msg, $varsynctimeout);
			$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
			log_error("[FreeRADIUS]: $error");
			file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
		} else {
			log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}.");
		}
	
	/* tell FreeRADIUS to reload our settings on the destionation sync host. */
	$method = 'pfsense.exec_php';
	$execcmd  = "require_once('/usr/local/pkg/freeradius.inc');\n";
	// pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions
	$execcmd .= "freeradius_all_after_XMLRPC_resync();";
	
	/* assemble xmlrpc payload */
	$params = array(
		XML_RPC_encode($password),
		XML_RPC_encode($execcmd)
	);

	log_error("[FreeRADIUS]: XMLRPC is reloading data on {$url}:{$port}.");
	$msg = new XML_RPC_Message($method, $params);
	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
	$cli->setCredentials('admin', $password);
		$resp = $cli->send($msg, $varsynctimeout);
		if(!$resp) {
			$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php).";
			log_error($error);
			file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
		} elseif($resp->faultCode()) {
			$cli->setDebug(1);
			$resp = $cli->send($msg, $varsynctimeout);
			$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
			log_error($error);
			file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
		} else {
			log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php).");
		}

}

// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files (clients.conf, users)
// Adding more functions will increase the to sync
function freeradius_all_after_XMLRPC_resync() {
	
	freeradius_users_resync();
	freeradius_authorizedmacs_resync();
	freeradius_clients_resync();
	
	log_error("FreeRADIUS: Finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
	
	exec(FREERADIUS_ETC . "/rc.d/radiusd onerestart");
}

function freeradius_modulescounter_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
# -*- text -*-
#
#  $Id$

#  counter module:
#  This module takes an attribute (count-attribute).
#  It also takes a key, and creates a counter for each unique
#  key.  The count is incremented when accounting packets are
#  received by the server.  The value of the increment depends
#  on the attribute type.
#  If the attribute is Acct-Session-Time or of an integer type we add
#  the value of the attribute. If it is anything else we increase the
#  counter by one.
#
#  The 'reset' parameter defines when the counters are all reset to
#  zero.  It can be hourly, daily, weekly, monthly or never.
#
#  hourly: Reset on 00:00 of every hour
#  daily: Reset on 00:00:00 every day
#  weekly: Reset on 00:00:00 on sunday
#  monthly: Reset on 00:00:00 of the first day of each month
#
#  It can also be user defined. It should be of the form:
#  num[hdwm] where:
#  h: hours, d: days, w: weeks, m: months
#  If the letter is ommited days will be assumed. In example:
#  reset = 10h (reset every 10 hours)
#  reset = 12  (reset every 12 days)
#
#
#  The check-name attribute defines an attribute which will be
#  registered by the counter module and can be used to set the
#  maximum allowed value for the counter after which the user
#  is rejected.
#  Something like:
#
#  DEFAULT Max-Daily-Session := 36000
#          Fall-Through = 1
#
#  You should add the counter module in the instantiate
#  section so that it registers check-name before the files
#  module reads the users file.
#
#  If check-name is set and the user is to be rejected then we
#  send back a Reply-Message and we log a Failure-Message in
#  the radius.log
#
#  If the count attribute is Acct-Session-Time then on each
#  login we send back the remaining online time as a
#  Session-Timeout attribute ELSE and if the reply-name is
#  set, we send back that attribute.  The reply-name attribute
#  MUST be of an integer type.
#
#  The counter-name can also be used instead of using the check-name
#  like below:
#
#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
#      Reply-Message = "You've used up more than one hour today"
#
#  The allowed-servicetype attribute can be used to only take
#  into account specific sessions. For example if a user first
#  logs in through a login menu and then selects ppp there will
#  be two sessions. One for Login-User and one for Framed-User
#  service type. We only need to take into account the second one.
#
#  The module should be added in the instantiate, authorize and
#  accounting sections.  Make sure that in the authorize
#  section it comes after any module which sets the
#  'check-name' attribute.
#
counter daily {
	filename = /var/log/radacct/timecounter/db.daily
	key = User-Name
	count-attribute = Acct-Session-Time
	reset = daily
	counter-name = Daily-Session-Time
	check-name = Max-Daily-Session
	reply-name = Session-Timeout
	cache-size = 5000
}

counter weekly {
	filename = /var/log/radacct/timecounter/db.weekly
	key = User-Name
	count-attribute = Acct-Session-Time
	reset = weekly
	counter-name = Weekly-Session-Time
	check-name = Max-Weekly-Session
	reply-name = Session-Timeout
	cache-size = 5000
}

counter monthly {
	filename = /var/log/radacct/timecounter/db.monthly
	key = User-Name
	count-attribute = Acct-Session-Time
	reset = monthly
	counter-name = Monthly-Session-Time
	check-name = Max-Monthly-Session
	reply-name = Session-Timeout
	cache-size = 5000
}

counter forever {
	filename = /var/log/radacct/timecounter/db.forever
	key = User-Name
	count-attribute = Acct-Session-Time
	reset = never
	counter-name = Forever-Session-Time
	check-name = Max-Forever-Session
	reply-name = Session-Timeout
	cache-size = 5000
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/counter';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_modulesmschap_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
# -*- text -*-
#
#  $Id$

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
        #
        #  If you are using /etc/smbpasswd, see the 'passwd'
        #  module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
#       use_mppe = no

        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
#       require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
#       require_strong = yes

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion.  This hack
        # corrects for that incorrect behavior.
        #
		with_ntdomain_hack = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key.  Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work.  See the ntlm_auth program documentation
        # for details.
        #
        # If ntlm_auth is configured below, then the mschap
        # module will call ntlm_auth for every MS-CHAP
        # authentication request.  If there is a cleartext
        # or NT hashed password available, you can set
        # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
        # and the mschap module will do the authentication itself,
        # without calling ntlm_auth.
        #
        # Be VERY careful when editing the following line!
        #
        # You can also try setting the user name as:
        #
        #       ... --username=%{mschap:User-Name} ...
        #
        # In that case, the mschap module will look at the User-Name
        # attribute, and do prefix/suffix checks in order to obtain
        # the "best" user name for the request.
        #
#       ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --
nt-response=%{%{mschap:NT-Response}:-00}"

        # For Apple Server, when running on the same machine as
        # Open Directory.  It has no effect on other systems.
        #
#       use_open_directory = yes

        # On failure, set (or not) the MS-CHAP error code saying
        # "retries allowed".
#       allow_retry = yes

        # An optional retry message.
#       retry_msg = "Re-enter (or reset) the password"
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/mschap';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_modulesrealm_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
#  'realm/username'
#  Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_null = yes
		ignore_default = no
}
#  'username@realm'
realm suffix {
		format = suffix
		delimiter = "@"
		ignore_null = yes
		ignore_default = no
}
#  'username%realm'
realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_null = yes
		ignore_default = no
}
#  'domain\user'
realm ntdomain {
		format = prefix
		### 3 backslash in .inc will be 2 backslash in file and after starting radiusd just only one
		delimiter = "\\\"
		ignore_null = yes
		ignore_default = no
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/realm';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_modulesldap_resync() {
	global $config;
	$conf = '';
	
	$arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
	
	// Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync"
	// redundatnt-load-balancing will there be done, too
	
	
	// Variables for General Configuration ldap1
	$varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain');
	$varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport']?$arrmodulesldap['varmodulesldapserverport']:'389');
	$varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA');
	$varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass');
	$varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA');
	$varmodulesldapfilter = ($arrmodulesldap['varmodulesldapfilter']?$arrmodulesldap['varmodulesldapfilter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
	$varmodulesldapbasefilter = ($arrmodulesldap['varmodulesldapbasefilter']?$arrmodulesldap['varmodulesldapbasefilter']:'(objectclass=radiusprofile)');
	$varmodulesldapldapconnectionsnumber = ($arrmodulesldap['varmodulesldapldapconnectionsnumber']?$arrmodulesldap['varmodulesldapldapconnectionsnumber']:'5');
	$varmodulesldaptimeout = ($arrmodulesldap['varmodulesldaptimeout']?$arrmodulesldap['varmodulesldaptimeout']:'4');
	$varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3');
	$varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1');
	
	// Variables for General Configuration ldap2
	$varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain');
	$varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport']?$arrmodulesldap['varmodulesldap2serverport']:'389');
	$varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA');
	$varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass');
	$varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA');
	$varmodulesldap2filter = ($arrmodulesldap['varmodulesldap2filter']?$arrmodulesldap['varmodulesldap2filter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
	$varmodulesldap2basefilter = ($arrmodulesldap['varmodulesldap2basefilter']?$arrmodulesldap['varmodulesldap2basefilter']:'(objectclass=radiusprofile)');
	$varmodulesldap2ldapconnectionsnumber = ($arrmodulesldap['varmodulesldap2ldapconnectionsnumber']?$arrmodulesldap['varmodulesldap2ldapconnectionsnumber']:'5');
	$varmodulesldap2timeout = ($arrmodulesldap['varmodulesldap2timeout']?$arrmodulesldap['varmodulesldap2timeout']:'4');
	$varmodulesldap2timelimit = ($arrmodulesldap['varmodulesldap2timelimit']?$arrmodulesldap['varmodulesldap2timelimit']:'3');
	$varmodulesldap2nettimeout = ($arrmodulesldap['varmodulesldap2nettimeout']?$arrmodulesldap['varmodulesldap2nettimeout']:'1');	
	
	// Variables for TLS / Certificates - ldap1
	$varmodulesldaprequirecert = ($arrmodulesldap['varmodulesldaprequirecert']?$arrmodulesldap['varmodulesldaprequirecert']:'never');

// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap1 module
if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') {
		
		$ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]);
		if ($ca_cert != false) {
			if(base64_decode($ca_cert['prv'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap1_key.pem", 
					base64_decode($ca_cert['prv']));
				$conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_ldap1_key.pem';
			}


			if(base64_decode($ca_cert['crt'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap1_cert.pem", 
					base64_decode($ca_cert['crt']));
				$conf['ssl_ca_cert1'] = FREERADIUS_ETC . "/raddb/certs/ca_ldap1_cert.pem";
			}


			$svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]);
			if ($svr_cert != false) {
				if(base64_decode($svr_cert['prv'])) {
					file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.key", 
						base64_decode($svr_cert['prv']));
					$conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/radius_ldap1_cert.key';
				}
			}


			if(base64_decode($svr_cert['crt'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.crt", 
					base64_decode($svr_cert['crt']));
				$conf['ssl_server_cert1'] = FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.crt";
			}


			$conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs';
		}
	$varmodulesldapstarttls = "yes";
}
else {
	$varmodulesldapstarttls = "no";
}
	
	// Variables for TLS / Certificates - ldap2
	$varmodulesldap2requirecert = ($arrmodulesldap['varmodulesldap2requirecert']?$arrmodulesldap['varmodulesldap2requirecert']:'never');

// if enabled then create the certs in ../raddb/certs/ and enable "Start_tls" in ldap2 module
if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') {	
		
		$ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]);
		if ($ca_cert != false) {
			if(base64_decode($ca_cert['prv'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap2_key.pem", 
					base64_decode($ca_cert['prv']));
				$conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_ldap2_key.pem';
			}


			if(base64_decode($ca_cert['crt'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap2_cert.pem", 
					base64_decode($ca_cert['crt']));
				$conf['ssl_ca_cert2'] = FREERADIUS_ETC . "/raddb/certs/ca_ldap2_cert.pem";
			}


			$svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]);
			if ($svr_cert != false) {
				if(base64_decode($svr_cert['prv'])) {
					file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.key", 
						base64_decode($svr_cert['prv']));
					$conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/radius_ldap2_cert.key';
				}
			}


			if(base64_decode($svr_cert['crt'])) {
				file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.crt", 
					base64_decode($svr_cert['crt']));
				$conf['ssl_server_cert2'] = FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.crt";
			}


			$conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs';
		}
	$varmodulesldap2starttls = "yes";
}
else {
	$varmodulesldap2starttls = "no";
}	

	// Miscellaneous Configuration + MS Active Directory Compatibility ldap1
	$varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable');
	if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') {
		$varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###';
	}
	else {
		$varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes";
	}
	
	// Miscellaneous Configuration + MS Active Directory Compatibility ldap2
	$varmodulesldap2msadcompatibilityenable = ($arrmodulesldap['varmodulesldap2msadcompatibilityenable']?$arrmodulesldap['varmodulesldap2msadcompatibilityenable']:'Disable');
	if ($arrmodulesldap['varmodulesldap2msadcompatibilityenable'] == 'Disable') {
		$varmodulesldap2msadcompatibility = '### MS Active Directory Compatibility is disabled ###';
	}
	else {
		$varmodulesldap2msadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes";
	}

	// When disabled we put this in the file but commented (#) like in the default installation ldap1
	if (!$arrmodulesldap['varmodulesldapdmiscenable']) {
		$varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###';
		$varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###';
		$varmodulesldapaccessattr = '### access_attr = "dialupAccess" ###';
	}
	// When enabled we put in the default values so there is no empty entry if there is not input from GUI
	else {
		$varmodulesldapdefaultprofile = ($arrmodulesldap['varmodulesldapdefaultprofile']?$arrmodulesldap['varmodulesldapdefaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA');
		$varmodulesldapdefaultprofile = "default_profile = " . '"' . "$varmodulesldapdefaultprofile" . '"';
		$varmodulesldapprofileattribute = ($arrmodulesldap['varmodulesldapprofileattribute']?$arrmodulesldap['varmodulesldapprofileattribute']:'radiusProfileDn');
		$varmodulesldapprofileattribute = "profile_attribute = " . '"' . "$varmodulesldapprofileattribute" . '"';
		$varmodulesldapaccessattr = ($arrmodulesldap['varmodulesldapaccessattr']?$arrmodulesldap['varmodulesldapaccessattr']:'dialupAccess');
		$varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . '"';
	}

	// When disabled we put this in the file but commented (#) like in the default installation ldap2
	if (!$arrmodulesldap['varmodulesldap2dmiscenable']) {
		$varmodulesldap2defaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###';
		$varmodulesldap2profileattribute = '### profile_attribute = "radiusProfileDn" ###';
		$varmodulesldap2accessattr = '### access_attr = "dialupAccess" ###';
	}
	// When enabled we put in the default values so there is no empty entry if there is not input from GUI
	else {
		$varmodulesldap2defaultprofile = ($arrmodulesldap['varmodulesldap2defaultprofile']?$arrmodulesldap['varmodulesldap2defaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA');
		$varmodulesldap2defaultprofile = "default_profile = " . '"' . "$varmodulesldap2defaultprofile" . '"';
		$varmodulesldap2profileattribute = ($arrmodulesldap['varmodulesldap2profileattribute']?$arrmodulesldap['varmodulesldap2profileattribute']:'radiusProfileDn');
		$varmodulesldap2profileattribute = "profile_attribute = " . '"' . "$varmodulesldap2profileattribute" . '"';
		$varmodulesldap2accessattr = ($arrmodulesldap['varmodulesldap2accessattr']?$arrmodulesldap['varmodulesldap2accessattr']:'dialupAccess');
		$varmodulesldap2accessattr = "access_attr = " . '"' . "$varmodulesldap2accessattr" . '"';
	}	
	
	// Group membership checking
	// When disabled we put this in the file but commented (#) like in the default installation ldap1
	if (!$arrmodulesldap['varmodulesldapgroupenable']) {
		$varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###';
		$varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###';
		$varmodulesldapgroupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###';
		$varmodulesldapcomparecheckitems = '### compare_check_items = yes ###';
		$varmodulesldapdoxlat = '### do_xlat = yes ###';
		$varmodulesldapaccessattrusedforallow = '### access_attr_used_for_allow = yes ###';
	}

	// When enabled we put in the default values so there is no empty entry if there is not input from GUI
	else {
		$varmodulesldapgroupnameattribute = ($arrmodulesldap['varmodulesldapgroupnameattribute']?$arrmodulesldap['varmodulesldapgroupnameattribute']:'cn');
		$varmodulesldapgroupnameattribute = "groupname_attribute = $varmodulesldapgroupnameattribute";
		$varmodulesldapgroupmembershipfilter = ($arrmodulesldap['varmodulesldapgroupmembershipfilter']?$arrmodulesldap['varmodulesldapgroupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))');
		$varmodulesldapgroupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldapgroupmembershipfilter" . '"';
		$varmodulesldapgroupmembershipattribute = ($arrmodulesldap['varmodulesldapgroupmembershipattribute']?$arrmodulesldap['varmodulesldapgroupmembershipattribute']:'radiusGroupName');
		$varmodulesldapgroupmembershipattribute = "groupmembership_attribute = $varmodulesldapgroupmembershipattribute";
		
		$varmodulesldapcomparecheckitems = ($arrmodulesldap['varmodulesldapcomparecheckitems']?$arrmodulesldap['varmodulesldapcomparecheckitems']:'yes');
		$varmodulesldapcomparecheckitems = "compare_check_items = $varmodulesldapcomparecheckitems";
		$varmodulesldapdoxlat = ($arrmodulesldap['varmodulesldapdoxlat']?$arrmodulesldap['varmodulesldapdoxlat']:'yes');
		$varmodulesldapdoxlat = "do_xlat = $varmodulesldapdoxlat";
		$varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes');	
		$varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow";
	}
	
	// Group membership checking
	// When disabled we put this in the file but commented (#) like in the default installation ldap2
	if (!$arrmodulesldap['varmodulesldap2groupenable']) {
		$varmodulesldap2groupnameattribute = '### groupname_attribute = cn ###';
		$varmodulesldap2groupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###';
		$varmodulesldap2groupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###';
		$varmodulesldap2comparecheckitems = '### compare_check_items = yes ###';
		$varmodulesldap2doxlat = '### do_xlat = yes ###';
		$varmodulesldap2accessattrusedforallow = '### access_attr_used_for_allow = yes ###';
	}

	// When enabled we put in the default values so there is no empty entry if there is not input from GUI
	else {
		$varmodulesldap2groupnameattribute = ($arrmodulesldap['varmodulesldap2groupnameattribute']?$arrmodulesldap['varmodulesldap2groupnameattribute']:'cn');
		$varmodulesldap2groupnameattribute = "groupname_attribute = $varmodulesldap2groupnameattribute";
		$varmodulesldap2groupmembershipfilter = ($arrmodulesldap['varmodulesldap2groupmembershipfilter']?$arrmodulesldap['varmodulesldap2groupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))');
		$varmodulesldap2groupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldap2groupmembershipfilter" . '"';
		$varmodulesldap2groupmembershipattribute = ($arrmodulesldap['varmodulesldap2groupmembershipattribute']?$arrmodulesldap['varmodulesldap2groupmembershipattribute']:'radiusGroupName');
		$varmodulesldap2groupmembershipattribute = "groupmembership_attribute = $varmodulesldap2groupmembershipattribute";
		
		$varmodulesldap2comparecheckitems = ($arrmodulesldap['varmodulesldap2comparecheckitems']?$arrmodulesldap['varmodulesldap2comparecheckitems']:'yes');
		$varmodulesldap2comparecheckitems = "compare_check_items = $varmodulesldap2comparecheckitems";
		$varmodulesldap2doxlat = ($arrmodulesldap['varmodulesldap2doxlat']?$arrmodulesldap['varmodulesldap2doxlat']:'yes');
		$varmodulesldap2doxlat = "do_xlat = $varmodulesldap2doxlat";
		$varmodulesldap2accessattrusedforallow = ($arrmodulesldap['varmodulesldap2accessattrusedforallow']?$arrmodulesldap['varmodulesldap2accessattrusedforallow']:'yes');	
		$varmodulesldap2accessattrusedforallow = "access_attr_used_for_allow = $varmodulesldap2accessattrusedforallow";
	}	

	// Keepalive variables ldap1
	$varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60');
	$varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3');
	$varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3');

	// Keepalive variables ldap2
	$varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60');
	$varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3');
	$varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3');
$raddb = FREERADIUS_ETC . '/raddb';
$conf .= <<<EOD
# -*- text -*-
#
#  $Id$

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#	
ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "$varmodulesldapserver"
	port = "$varmodulesldapserverport"
	identity = "$varmodulesldapidentity"
	password = $varmodulesldappassword
	basedn = "$varmodulesldapbasedn"
	filter = "$varmodulesldapfilter"
	base_filter = "$varmodulesldapbasefilter"

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = $varmodulesldapldapconnectionsnumber

	# seconds to wait for LDAP query to finish. default: 20
	timeout = $varmodulesldaptimeout

	#  seconds LDAP server has to process the query (server-side
	#  time limit). default: 20
	#
	#  LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = $varmodulesldaptimelimit

	#
	#  seconds to wait for response of the server. (network
	#   failures) default: 10
	#
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	net_timeout = $varmodulesldapnettimeout

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the "tls_*" configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#			
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 689) connections
		start_tls = $varmodulesldapstarttls

		cacertfile = {$raddb}/certs/ca_ldap1_cert.pem
		cacertdir = {$raddb}/certs/
		certfile = {$raddb}/certs/radius_ldap1_cert.crt
		keyfile = {$raddb}/certs/radius_ldap1_cert.key
		randfile = {$raddb}/certs/random

		#  Certificate Verification requirements.  Can be:
		#    "never" (don't even bother trying)
		#    "allow" (try, but don't fail if the certificate
		#		can't be verified)
		#    "demand" (fail if the certificate doesn't verify.)
		#
		#	The default is "allow"
		require_cert = "$varmodulesldaprequirecert"
	}

	$varmodulesldapdefaultprofile
	$varmodulesldapprofileattribute
	$varmodulesldapaccessattr

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = \${confdir}/ldap.attrmap
	################## THE BELOW IS NOT COMPILED WITH FREERADIUS #################################
	#  Set password_attribute = nspmPassword to get the
	#  user's password from a Novell eDirectory
	#  backend. This will work ONLY IF FreeRADIUS has been
	#  built with the --with-edir configure option.
	#
	#  See also the following links:
	#
	#  http://www.novell.com/coolsolutions/appnote/16745.html
	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	#  Novell may require TLS encrypted sessions before returning
	#  the user's password.
	#
	# password_attribute = userPassword

	#  Un-comment the following to disable Novell
	#  eDirectory account policy check and intruder
	#  detection. This will work *only if* FreeRADIUS is
	#  configured to build with --with-edir option.
	#
	edir_account_policy_check = no
	################## THE ABOVE IS NOT COMPILED WITH FREERADIUS #################################
	#
	#  Group membership checking.  Disabled by default.
	#
	$varmodulesldapgroupnameattribute
	$varmodulesldapgroupmembershipfilter
	$varmodulesldapgroupmembershipattribute

	$varmodulesldapcomparecheckitems
	$varmodulesldapdoxlat
	$varmodulesldapaccessattrusedforallow

	#
	#  The following two configuration items are for Active Directory
	#  compatibility.  If you see the helpful "operations error"
	#  being returned to the LDAP module, uncomment the next
	#  two lines.
	#

	$varmodulesldapmsadcompatibility

	#
	#  By default, if the packet contains a User-Password,
	#  and no other module is configured to handle the
	#  authentication, the LDAP module sets itself to do
	#  LDAP bind for authentication.
	#
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
	#
	#  You can disable this behavior by setting the following
	#  configuration entry to "no".
	#
	#  allowed values: {no, yes}
	# set_auth_type = yes

	#  ldap_debug: debug flag for LDAP SDK
	#  (see OpenLDAP documentation).  Set this to enable
	#  huge amounts of LDAP debugging on the screen.
	#  You should only use this if you are an LDAP expert.
	#
	#	default: 0x0000 (no debugging messages)
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	#ldap_debug = 0x0028 

	#
	#  Keepalive configuration.  This MAY NOT be supported by your
	#  LDAP library.  If these configuration entries appear in the
	#  output of "radiusd -X", then they are supported.  Otherwise,
	#  they are unsupported, and changing them will do nothing.
	#
	keepalive {
		# LDAP_OPT_X_KEEPALIVE_IDLE
		idle = $varmodulesldapkeepaliveidle

		# LDAP_OPT_X_KEEPALIVE_PROBES
		probes = $varmodulesldapkeepaliveprobes

		# LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = $varmodulesldapkeepaliveinterval
	}
}

ldap ldap2{
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "$varmodulesldap2server"
	port = "$varmodulesldap2serverport"
	identity = "$varmodulesldap2identity"
	password = $varmodulesldap2password
	basedn = "$varmodulesldap2basedn"
	filter = "$varmodulesldap2filter"
	base_filter = "$varmodulesldap2basefilter"

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = $varmodulesldap2ldapconnectionsnumber

	# seconds to wait for LDAP query to finish. default: 20
	timeout = $varmodulesldap2timeout

	#  seconds LDAP server has to process the query (server-side
	#  time limit). default: 20
	#
	#  LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = $varmodulesldap2timelimit

	#
	#  seconds to wait for response of the server. (network
	#   failures) default: 10
	#
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	net_timeout = $varmodulesldap2nettimeout

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the "tls_*" configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#			
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 689) connections
		start_tls = $varmodulesldap2starttls

		cacertfile = {$raddb}/certs/ca_ldap2_cert.pem
		cacertdir = {$raddb}/certs/
		certfile = {$raddb}/certs/radius_ldap2_cert.crt
		keyfile = {$raddb}/certs/radius_ldap2_cert.key
		randfile = {$raddb}/certs/random

		#  Certificate Verification requirements.  Can be:
		#    "never" (don't even bother trying)
		#    "allow" (try, but don't fail if the certificate
		#		can't be verified)
		#    "demand" (fail if the certificate doesn't verify.)
		#
		#	The default is "allow"
		require_cert = "$varmodulesldap2requirecert"
	}

	$varmodulesldap2defaultprofile
	$varmodulesldap2profileattribute
	$varmodulesldap2accessattr

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = \${confdir}/ldap.attrmap
	################## THE BELOW IS NOT COMPILED WITH FREERADIUS #################################
	#  Set password_attribute = nspmPassword to get the
	#  user's password from a Novell eDirectory
	#  backend. This will work ONLY IF FreeRADIUS has been
	#  built with the --with-edir configure option.
	#
	#  See also the following links:
	#
	#  http://www.novell.com/coolsolutions/appnote/16745.html
	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	#  Novell may require TLS encrypted sessions before returning
	#  the user's password.
	#
	# password_attribute = userPassword

	#  Un-comment the following to disable Novell
	#  eDirectory account policy check and intruder
	#  detection. This will work *only if* FreeRADIUS is
	#  configured to build with --with-edir option.
	#
	edir_account_policy_check = no
	################## THE ABOVE IS NOT COMPILED WITH FREERADIUS #################################
	#
	#  Group membership checking.  Disabled by default.
	#
	$varmodulesldap2groupnameattribute
	$varmodulesldap2groupmembershipfilter
	$varmodulesldap2groupmembershipattribute

	$varmodulesldap2comparecheckitems
	$varmodulesldap2doxlat
	$varmodulesldap2accessattrusedforallow

	#
	#  The following two configuration items are for Active Directory
	#  compatibility.  If you see the helpful "operations error"
	#  being returned to the LDAP module, uncomment the next
	#  two lines.
	#

	$varmodulesldap2msadcompatibility

	#
	#  By default, if the packet contains a User-Password,
	#  and no other module is configured to handle the
	#  authentication, the LDAP module sets itself to do
	#  LDAP bind for authentication.
	#
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
	#
	#  You can disable this behavior by setting the following
	#  configuration entry to "no".
	#
	#  allowed values: {no, yes}
	# set_auth_type = yes

	#  ldap_debug: debug flag for LDAP SDK
	#  (see OpenLDAP documentation).  Set this to enable
	#  huge amounts of LDAP debugging on the screen.
	#  You should only use this if you are an LDAP expert.
	#
	#	default: 0x0000 (no debugging messages)
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	#ldap_debug = 0x0028 

	#
	#  Keepalive configuration.  This MAY NOT be supported by your
	#  LDAP library.  If these configuration entries appear in the
	#  output of "radiusd -X", then they are supported.  Otherwise,
	#  they are unsupported, and changing them will do nothing.
	#
	keepalive {
		# LDAP_OPT_X_KEEPALIVE_IDLE
		idle = $varmodulesldap2keepaliveidle

		# LDAP_OPT_X_KEEPALIVE_PROBES
		probes = $varmodulesldap2keepaliveprobes

		# LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = $varmodulesldap2keepaliveinterval
	}
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/ldap';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();
	
	// We need to rebuild "freeradius_serverdefault_resync" before restart service
	// "freeradius_serverdefault_resync" needs to restart other dependencies so we are pointing directly to "freeradius_settings_resync()"
	freeradius_serverdefault_resync();
	restart_service("radiusd");
	
}

function freeradius_plainmacauth_resync() {
	global $config;
	$conf = '';
	
	// Variables: If not using 802.1x, mac address must be known
	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
	
	// defining variables with filename path
	$filepolicyconf = FREERADIUS_ETC . '/raddb/policy.conf';
	$filepolicyconfbackup = FREERADIUS_ETC . '/raddb/policy.conf.backup';
	$filemodulesfiles = FREERADIUS_ETC . '/raddb/modules/files';
	$filemodulesfilesbackup = FREERADIUS_ETC . '/raddb/files.backup';
	
	// If unchecked then plain mac auth is disabled and backups of the original files will be restored
	if ($varsettings['varsettingsenablemacauth'] == '') {
		// This is a check - only restore files if they aren't already
		if (file_exists(FREERADIUS_ETC . "/raddb/plain_macauth_enabled")) {
			log_error("FreeRADIUS: Plain-MAC-Auth disabled. Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}");
			copy($filepolicyconfbackup, $filepolicyconf);
			copy($filemodulesfilesbackup, $filemodulesfiles);
			unlink(FREERADIUS_ETC . "/raddb/plain_macauth_enabled");
			freeradius_serverdefault_resync();
		}
	}
	// If checked then plain mac auth is enabled
	else {
		// This is a check - only modify files if they aren't already
		if (!file_exists(FREERADIUS_ETC . "/raddb/plain_macauth_enabled")) {
			freeradius_modulesfiles_resync();
			freeradius_policyconf_resync();
			exec("cd " . FREERADIUS_ETC . "/raddb && touch " . FREERADIUS_ETC . "/raddb/plain_macauth_enabled");
			log_error("FreeRADIUS: Plain-MAC-Auth enabled. Modified {$filepolicyconf} and {$filemodulesfiles}");
			freeradius_serverdefault_resync();
		}
	}
}

function freeradius_modulesfiles_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
# -*- text -*-
#
#  \$Id\$

# Livingston-style 'users' file
#
files {
	# The default key attribute to use for matches.  The content
	# of this attribute is used to match the "name" of the
	# entry.
	#key = "%{Stripped-User-Name:-%{User-Name}}"

	usersfile = \${confdir}/users
	acctusersfile = \${confdir}/acct_users
	preproxy_usersfile = \${confdir}/preproxy_users

	#  If you want to use the old Cistron 'users' file
	#  with FreeRADIUS, you should change the next line
	#  to 'compat = cistron'.  You can the copy your 'users'
	#  file from Cistron.
	compat = no
}

#  An example which defines a second instance of the "files" module.
#  This instance is named "second_files".  In order for it to be used
#  in a virtual server, it needs to be listed as "second_files"
#  inside of the "authorize" section (or other section).  If you just
#  list "files", that will refer to the configuration defined above.
#

#  The two names here mean:
#	"files" - this is a configuration for the "rlm_files" module
#	"second_files" - this is a named configuration, which isn't
#			the default configuration.
files authorized_macs {
        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        key = "%{Calling-Station-ID}"

        usersfile = \${confdir}/authorized_macs

        #  If you want to use the old Cistron 'users' file
        #  with FreeRADIUS, you should change the next line
        #  to 'compat = cistron'.  You can the copy your 'users'
        #  file from Cistron.
        compat = no
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/files';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_policyconf_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
# -*- text -*-
##
## policy.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	\$Id\$
##

#
#  Policies are virtual modules, similar to those defined in the
#  "instantate" section of radiusd.conf.
#
#  Defining a policy here means that it can be referenced in multiple
#  places as a *name*, rather than as a series of conditions to match,
#  and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively.  They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
policy {
	#
	#	Forbid all EAP types.
	#
	forbid_eap {
		if (EAP-Message) {
			reject
		}
	}

	#
	#	Forbid all non-EAP types outside of an EAP tunnel.
	#
	permit_only_eap {
		if (!EAP-Message) {
			#  We MAY be inside of a TTLS tunnel.
			#  PEAP and EAP-FAST require EAP inside of
			#  the tunnel, so this check is OK.
			#  If so, then there MUST be an outer EAP message.
			if (!"%{outer.request:EAP-Message}") {
				reject
			}
		}
	}

	#
	#	Forbid all attempts to login via realms.
	#
	deny_realms {
		if (User-Name =~ /@|\\\\/) {
			reject
		}
	}

	#
	#	If you want the server to pretend that it is dead,
	#	then use the "do_not_respond" policy.
	#
	do_not_respond {
		update control {
			Response-Packet-Type := Do-Not-Respond
		}

		handled
	}

	#
	#  Force some sanity on User-Name.  This helps to avoid issues
	#  issues where the back-end database is "forgiving" about
	#  what constitutes a user name.
	#
	filter_username {
		# spaces at the start: reject
		if (User-Name =~ /^ /) {
			reject
		}

		# spaces at the end: reject
		if (User-Name =~ / \$\$/) {
			reject
		}

		# Mixed case: reject
		if (User-Name != "%{tolower:%{User-Name}}") {
			reject
		}
	}


	#	
	#  The following policies are for the Chargeable-User-Identity
	#  (CUI) configuration.
	#

	#
	#  The client indicates it can do CUI by sending a CUI attribute	
	#  containing one zero byte
	#
	cui_authorize {
		update request {
			Chargeable-User-Identity:='\\\\000'
		}
	}

	#
	#  Add a CUI attribute based on the User-Name, and a secret key
	#  known only to this server.
	#
	cui_postauth {
		if (FreeRadius-Proxied-To == 127.0.0.1) {
			if (outer.request:Chargeable-User-Identity) {
				update outer.reply {
					Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
		else {
			if (Chargeable-User-Identity) {
				update reply {
					Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
	}

	#
	#  If there is a CUI attribute in the reply, add it to the DB.
	#
	cui_updatedb {
		if (reply:Chargeable-User-Identity) {
			cui
		}
	}

	#
	#  If we had stored a CUI for the User, add it to the request.
	#
	cui_accounting {
		#
		#  If the CUI isn't in the packet, see if we can find it
		#  in the DB.
		#
		if (!Chargeable-User-Identity) {
			update control {
				Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
			}
		}

		#
		#  If it exists now, then write out when we last saw
		#  this CUI.
		#
		if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
			cui
		}
	}

	#
	#  Normalize the MAC Addresses in the Calling/Called-Station-Id
	#
	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})

	#  Add "rewrite.called_station_id" in the "authorize" and "preacct"
	#  sections.
	rewrite.called_station_id {
		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?\$/i) {
			update request {
				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}

			# SSID component?
			if ("%{8}") {
				update request {
					Called-Station-Id := "%{Called-Station-Id}:%{8}"
				}
			}
			updated
		}
		else {
			noop
		}
	}

	#  Add "rewrite.calling_station_id" in the "authorize" and "preacct"
	#  sections.
	#rewrite.calling_station_id {
	#	if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}\$/i) {
	#		update request {
	#			Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
	#		}
	#		updated
	#	}
	#	else {
	#		noop
	#	}
	#}
	
	#####  MODIFIED FOR http://wiki.freeradius.org/Mac-Auth#Mac-Auth+or+802.1x #####
	#  Add "rewrite_calling_station_id" in the "authorize" and "preacct"
	#  sections.
	rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
                update request {
                        Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                }
        }
        else {
            noop
		}
	}
}
EOD;

	$filename = FREERADIUS_ETC . '/raddb/policy.conf';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_motp_resync() {
	global $config, $bash_path;
	$conf = '';

	$varsettings = $config['installedpackages']['freeradiussettings']['config'][0];
	
	$varsettingsmotptimespan = ($varsettings['varsettingsmotptimespan']?$varsettings['varsettingsmotptimespan']:'2');
	$varsettingsmotptimespanbeforeafter = $varsettingsmotptimespan + $varsettingsmotptimespan;
	$varsettingsmotpdeleteoldpasswords = $varsettingsmotptimespanbeforeafter + 1;
	$varsettingsmotppasswordattempts = ($varsettings['varsettingsmotppasswordattempts']?$varsettings['varsettingsmotppasswordattempts']:'5');
	$varsettingsmotpchecksumtype = ($varsettings['varsettingsmotpchecksumtype']?$varsettings['varsettingsmotpchecksumtype']:'md5');
	$varsettingsmotptokenlength = ($varsettings['varsettingsmotptokenlength']?$varsettings['varsettingsmotptokenlength']:'1-6');
	
	// check if disabled then we delete otpverify.sh script
	if ($varsettings['varsettingsmotpenable'] == '') {
		if (file_exists(FREERADIUS_ETC . "/raddb/scripts/otpverify.sh")) {
			@unlink(FREERADIUS_ETC . "/raddb/scripts/otpverify.sh");
		}
	} else {
		$conf .= <<<EOD
#!{$bash_path}
#
# Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME
# written by Matthias Straub, Heilbronn, Germany, 2003
# (c) 2003 by Matthias Straub
# Modified 2012 by Alexander Wilke <nachtfalkeaw@web.de>
#
# Version 1.05a
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
# 
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library General Public License for more details.
#
# arguments:  \$1 \$2 \$3 \$4 \$5
# \$1 - username
# \$2 - one-time-password that is to be checked 
# \$3 - init-secred from token (to init token: #**#)
# \$4 - user PIN
# \$5 - time difference between token and server in 10s of seconds (360 = 1 hour)
#
# one-time-password must match md5(EPOCHTIME+SECRET+PIN)
# 
#
# otpverify.sh version 1.04b, Feb. 2003
# otpverify.sh version 1.04c, Nov. 2008
#  changed line 1 to ksh because of problems with todays bash an sh
# otpverify.sh version 1.05a, Jan. 2011
#  changed back to bash and added in shopts line to ensure aliases handled
#  correctly (bash is always available on any modern *nix unlike ksh)
#

PATH=\$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

    alias checksum=$varsettingsmotpchecksumtype
    have_md5="true"

# ensure aliases are expanded by bash
shopt -s expand_aliases

function chop
{
	num=`echo -n "\$1" | wc -c | sed 's/ //g' `
	nummin1=`expr \$num "-" 1`
	echo -n "\$1" | cut -b 1-\$nummin1 
}

if [ ! \$# -eq 5 ] ; then
echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"
logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - wrong syntax - USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset";
exit 14
fi

mkdir /var/log/motp 2>/dev/null
mkdir /var/log/motp/cache 2>/dev/null
mkdir /var/log/motp/users 2>/dev/null
chmod og-rxw /var/log/motp 2>/dev/null || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp"; exit 17; }
chmod og-rxw /var/log/motp/cache
chmod og-rxw /var/log/motp/users

USERNAME=`echo -n "\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' `
PASSWD=`echo -n "\$2" | sed 's/[^0-9a-f]/0/g' `
SECRET=`echo -n "\$3" | sed 's/[^0-9a-f]/0/g' `
PIN=`echo -n "\$4" | sed 's/[^0-9]/0/g' `
OFFSET=`echo -n "\$5" | sed 's/[^0-9-]/0/g' `
EPOCHTIME=`date +%s` ; EPOCHTIME=`chop \$EPOCHTIME`

# delete old logins
find /var/log/motp/cache -type f -cmin +$varsettingsmotpdeleteoldpasswords | xargs rm 2>/dev/null

if [ -e "/var/log/motp/cache/\$PASSWD" ]; then
	echo "FAIL"
	logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password \$PASSWD is already used!"
	exit 15
fi

# account locked?
if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "$varsettingsmotppasswordattempts" ]; then
	echo "FAIL"
	logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME"
	exit 13
fi

I=0
EPOCHTIME=`expr \$EPOCHTIME - $varsettingsmotptimespan`
EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`
while [ \$I -lt $varsettingsmotptimespanbeforeafter ] ; do # `$varsettingsmotptimespan * 10` seconds before and after
	OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b $varsettingsmotptokenlength`
	if [ "\$OTP" = "\$PASSWD" ] ; then
		touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; }
		echo "ACCEPT"
		logger -f /var/log/system.log "FreeRADIUS: Authentication success! Mobile-One-Time-Password \$PASSWD for user \$USERNAME is correct!"
		rm "/var/log/motp/users/\$USERNAME" 2>/dev/null
		exit 0
	fi
	I=`expr \$I + 1`
	EPOCHTIME=`expr \$EPOCHTIME + 1`
done

echo "FAIL"
NUMFAILS=`cat "/var/log/motp/users/\$USERNAME" 2>/dev/null`
if [ "\$NUMFAILS" = "" ]; then
	NUMFAILS=0
fi
NUMFAILS=`expr \$NUMFAILS + 1`
echo \$NUMFAILS > "/var/log/motp/users/\$USERNAME"
NUMFAILSLEFT=`expr $varsettingsmotppasswordattempts - \$NUMFAILS`
logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect. \$NUMFAILSLEFT attempts left. "
exit 11


EOD;
		$filename = FREERADIUS_ETC . '/raddb/scripts/otpverify.sh';
		conf_mount_rw();
		file_put_contents($filename, $conf);
		chmod($filename, 0750);
		conf_mount_ro();
	}

}

function freeradius_modulesmotp_resync() {
	global $config, $bash_path;
	$conf = '';

	// put the constant to a variable
	$varFREERADIUS_ETC = FREERADIUS_ETC;

	$conf .= <<<EOD
exec motp {
		wait = yes
		program = "{$bash_path} {$varFREERADIUS_ETC}/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
	}	
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/motp';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_modulesdatacounter_resync() {
	global $config;
	$conf = '';

	// put the constant to a variable
	$varFREERADIUS_ETC = FREERADIUS_ETC;

	$conf .= <<<EOD
exec datacounterdaily {
		wait = yes
		program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
	}
exec datacounterweekly {
		wait = yes
		program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
	}
exec datacountermonthly {
		wait = yes
		program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
	}
exec datacounterforever {
		wait = yes
		program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
	}	
EOD;

	$filename = FREERADIUS_ETC . '/raddb/modules/datacounter_acct';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

function freeradius_datacounter_auth_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
#!/bin/sh
### USAGE: datacounter_auth.sh USERNAME TIMERANGE
### We need this parameters from freeradius users file and ../raddb/modules/datacounter_acct
USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z._:-]/X/g' `
TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' `


### This is to make sure there is a used-octets file after the cronjob resetted the counter
if [ -e "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME" ] && [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" ]; then
	echo 0 > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
fi

### The next two lines are just for getting values for logging output
MAXOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"`/1024/1024))
USEDOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`/1024/1024))
	
### We check if MAX-OCTETS-USERNAME is greater than USED-OCTETS-USERNAME and accept or reject the user
if [ `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"` -gt `cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"` ]; then
	logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!"
	exit 0
else
	logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!"
	exit 99
fi
EOD;

	$filename = FREERADIUS_ETC . '/raddb/scripts/datacounter_auth.sh';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0750);
	conf_mount_ro();

}

function freeradius_datacounter_acct_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD
#!/bin/sh
### USAGE: datacounter_acct.sh USERNAME TIMERANGE ACCTINPUTOCTETS ACCTOUTPUTOCTETS
### We need this from an Accounting-Request packet to count the octets
USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z.:_-]/X/g' `
TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' `
ACCTINPUTOCTETS=`echo -n "\\$3" | sed 's/[^0-9]/0/g' `
ACCTOUTPUTOCTETS=`echo -n "\\$4" | sed 's/[^0-9]/0/g' `

### If we do not get Octets we set some default values
if [ ! \$ACCTINPUTOCTETS ]; then
	ACCTINPUTOCTETS=0
fi
if [ ! \$ACCTOUTPUTOCTETS ]; then
	ACCTOUTPUTOCTETS=0
fi

### We only write this to the file if username exists
### If all counters are activated (daily, weekly, monthly, forever) we need to check which is active for the user
if [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME" ]; then
	exit 0
else
	### If no used-octets file exist then we assume that it was deleted by cron job and we need to create a new file starting from zero
	if [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" ]; then
		echo 0 > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
	fi
### The following two lines (chose the one or the other) are a bad workaround to make accounting accurate with stop/start accounting on pfsense 2.0.1 - it only works if the session will not be interrupted (host disconnects)
###	USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS))
	USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS+`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`))
	
	echo "\$USEDOCTETS" > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
	exit 0
fi

EOD;

	$filename = FREERADIUS_ETC . '/raddb/scripts/datacounter_acct.sh';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0750);
	conf_mount_ro();

}

function freeradius_dictionary_resync() {
	global $config;
	$conf = '';

	$conf .= <<<EOD

#
#       This is the master dictionary file, which references the
#       pre-defined dictionary files included with the server.
#
#       Any new/changed attributes MUST be placed in this file, as
#       the pre-defined dictionaries SHOULD NOT be edited.
#
#       \$Id\$
#

#
#  The DHCP dictionary is used only when the server is built with
#  "configure --with-dhcp".  It is not (and should not) be used in
#  other situations.  If you are running just a RADIUS server, this
#  line can be deleted.  If you are using DHCP, the following line
#  should be uncommented.
#
#  Ideally, the "configure" process should automatically enable this
#  dictionary, but we don't yet do that.
#
#\$INCLUDE       /usr/local/dictionary.dhcp

#
#       The filename given here should be an absolute path.
#
\$INCLUDE        /usr/local/share/freeradius/dictionary

#
#       Place additional attributes or \$INCLUDEs here.  They will
#       over-ride the definitions in the pre-defined dictionaries.
#
#       See the 'man' page for 'dictionary' for information on
#       the format of the dictionary files.

#
#       If you want to add entries to the dictionary file,
#       which are NOT going to be placed in a RADIUS packet,
#       add them here.  The numbers you pick should be between
#       3000 and 4000.
#

#ATTRIBUTE      My-Local-String         3000    string
#ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
#ATTRIBUTE      My-Local-Integer        3002    integer

### Attributes for mobile-One-Time-Password
ATTRIBUTE 		MOTP-Init-Secret 		900 	string
ATTRIBUTE 		MOTP-PIN 			901 	string
ATTRIBUTE 		MOTP-Offset 			902 	string



EOD;

	$filename = FREERADIUS_ETC . '/raddb/dictionary';
	conf_mount_rw();
	file_put_contents($filename, $conf);
	chmod($filename, 0640);
	conf_mount_ro();

}

?>