<?php require_once('config.inc'); require_once('service-utils.inc'); define('RADDB', '/usr/local/etc/raddb'); function freeradius_install_command() { global $config; $handle = opendir(RADDB); while (false != ($file = readdir($handle))) { if (false != ($pos = strpos($file, '.sample'))) { $newfile = substr($file, 0, $pos); if (copy(RADDB . "/$file", RADDB . "/$newfile")) unlink(RADDB . "/$file"); } } closedir($handle); freeradius_settings_resync(); $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; $rcfile['start'] = 'radiusd -s &'; $rcfile['stop'] = 'killall radiusd'; write_rcfile($rcfile); start_service("freeradius"); } function freeradius_settings_resync() { global $config; $settings = $config['installedpackages']['freeradiussettings']['config'][0]; $iface = ($settings['interface'] ? $settings['interface'] : 'LAN'); $iface = convert_friendly_interface_to_real_interface_name($iface); $iface_ip = find_interface_ip($iface); $port = ($settings['port'] != '' ? $settings['port'] : 0); // FreeRADIUS's configuration is huge // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here). $conf = <<<EOD prefix = /usr/local exec_prefix = \${prefix} sysconfdir = \${prefix}/etc localstatedir = /var sbindir = \${exec_prefix}/sbin logdir = /var/log raddbdir = \${sysconfdir}/raddb radacctdir = \${logdir}/radacct confdir = \${raddbdir} run_dir = \${localstatedir}/run/radiusd log_file = \${logdir}/radius.log libdir = \${exec_prefix}/lib pidfile = \${run_dir}/radiusd.pid #user = nobody #group = nobody max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = $iface_ip port = $port hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = \${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes \$INCLUDE \${confdir}/proxy.conf \$INCLUDE \${confdir}/clients.conf snmp = no \$INCLUDE \${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = \${logdir}/radwtmp } \$INCLUDE \${confdir}/eap.conf mschap { authtype = MS-CHAP #use_mppe = no #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" start_tls = no #tls_cacertfile = /path/to/cacert.pem #tls_cacertdir = /path/to/ca/dir/ #tls_certfile = /path/to/radius.crt #tls_keyfile = /path/to/radius.key #tls_randfile = /path/to/rnd #tls_require_cert = "demand" access_attr = "dialupAccess" dictionary_mapping = \${raddbdir}/ldap.attrmap ldap_connections_number = 5 #groupname_attribute = cn #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" #groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 #compare_check_items = yes #do_xlat = yes #access_attr_used_for_allow = yes } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string #notfound-reject = no } preprocess { huntgroups = \${confdir}/huntgroups hints = \${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = \${confdir}/users acctusersfile = \${confdir}/acct_users preproxy_usersfile = \${confdir}/preproxy_users compat = no } detail { detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } \$INCLUDE \${confdir}/sql.conf radutmp { filename = \${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = \${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = \${confdir}/attrs } counter daily { filename = \${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply #packet_type = Access-Accept } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = \${raddbdir}/db.ippool ip-index = \${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr #daily } authorize { preprocess #auth_log #attr_filter chap mschap #digest #IPASS suffix #ntdomain eap files #sql #etc_smbpasswd #ldap #daily #checkval } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } #digest #pam unix #Auth-Type LDAP { # ldap #} eap } preacct { preprocess acct_unique #IPASS suffix #ntdomain files } accounting { detail #daily unix radutmp #sradutmp #main_pool #sql #pgsql-voip } session { radutmp #sql } post-auth { #main_pool #reply_log #sql #ldap #Post-Auth-Type REJECT { # insert-module-name-here #} } pre-proxy { #attr_rewrite #files #pre_proxy_log } post-proxy { #post_proxy_log #attr_rewrite #attr_filter eap } EOD; file_put_contents(RADDB . '/radiusd.conf', $conf); restart_service("freeradius"); } function freeradius_users_resync() { global $config; $conf = ''; $users = $config['installedpackages']['freeradius']['config']; if (is_array($users)) { foreach ($users as $user) $conf .= "{$user['username']}\tUser-Password == \"{$user['password']}\"\n"; } $filename = RADDB . '/users'; file_put_contents($filename, $conf); chmod($filename, 0600); restart_service('freeradius'); } function freeradius_clients_resync() { global $config; $conf = ''; $clients = $config['installedpackages']['freeradiusclients']['config']; if (is_array($clients) && !empty($clients)) { foreach ($clients as $item) { $client = $item['client']; $secret = $item['sharedsecret']; $shortname = $item['shortname']; $conf .= <<<EOD client $client { secret = $secret shortname = $shortname } EOD; } } else { $conf .= <<<EOD client 127.0.0.1 { secret = pfsense shortname = localhost } EOD; } file_put_contents(RADDB . '/clients.conf', $conf); restart_service("freeradius"); } ?>