<?php
// pfSense package glue for the FreeRADIUS port. The two includes are
// presumably what provide $config, the interface helpers, write_rcfile()
// and the start/restart_service() calls used below -- not visible here.
require_once('config.inc');
require_once('service-utils.inc');

// Directory holding radiusd.conf, clients.conf and users. Note that
// clients.conf and users written below contain shared secrets and
// passwords, so this tree should not be world-readable.
define('RADDB', '/usr/local/etc/raddb');

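function freeradius_install_command() {
	/* Post-install hook: promote the port's *.sample files under RADDB to
	 * live config files, generate radiusd.conf, register the rc script and
	 * start the daemon. Returns nothing; filesystem failures are not fatal
	 * (the original behaviour), they just leave the sample in place. */

	$handle = opendir(RADDB);
	if ($handle !== false) {
		// Strict !== false: with the loose "false != $file" test a file
		// literally named "0" compares equal to false and ended the loop early.
		while (($file = readdir($handle)) !== false) {
			$pos = strpos($file, '.sample');
			// Strict check on $pos too; an entry where ".sample" is the whole
			// prefix would otherwise yield an empty target name.
			if ($pos === false || $pos === 0) {
				continue;
			}
			$newfile = substr($file, 0, $pos);
			// rename() does in one step what copy()+unlink() did in two, so a
			// failed copy can no longer leave the sample next to a partial file.
			rename(RADDB . "/$file", RADDB . "/$newfile");
		}
		closedir($handle);
	}

	freeradius_settings_resync();

	// rc script used by pfSense to control the daemon.
	// 'stop' uses killall, so it presumably stops every radiusd process,
	// not just the one started here.
	$rcfile = array();
	$rcfile['file'] = 'radiusd.sh';
	$rcfile['start'] = 'radiusd -s &';
	$rcfile['stop'] = 'killall radiusd';
	write_rcfile($rcfile);
	start_service("freeradius");
}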

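function freeradius_settings_resync() {
	/* Regenerate RADDB/radiusd.conf from the package "settings" section and
	 * restart the daemon. Only the listen address and port come from the
	 * GUI; everything else is the port's default config, trimmed down.
	 * Returns nothing. */
	global $config;

	// Guard the lookup so a missing settings section yields defaults
	// instead of PHP notices.
	$settings = array();
	if (isset($config['installedpackages']['freeradiussettings']['config'][0])) {
		$settings = $config['installedpackages']['freeradiussettings']['config'][0];
	}

	// Friendly interface name (e.g. "LAN") from the GUI, LAN when unset.
	$iface = !empty($settings['interface']) ? $settings['interface'] : 'LAN';
	$iface = convert_friendly_interface_to_real_interface_name($iface);
	// NOTE(review): if this comes back empty, "bind_address =" below is
	// written with no value -- confirm what radiusd does with that.
	$iface_ip = find_interface_ip($iface);

	// The port is interpolated into the config unquoted, so it is cast to
	// int: a non-numeric GUI value would otherwise leave radiusd unable to
	// parse its own config. 0 keeps the original "daemon default" meaning.
	$port = 0;
	if (isset($settings['port']) && $settings['port'] !== '') {
		$port = (int)$settings['port'];
	}

	// FreeRADIUS's configuration is huge. This is the standard default
	// config file, trimmed down a bit. To expose more options: edit this
	// template, then provide the settings in each file it $INCLUDEs (or
	// inline that config here). "\$" and "\\" are escaped for the heredoc;
	// only $iface_ip and $port are PHP interpolations.
	$conf = <<<EOD
prefix = /usr/local
exec_prefix = \${prefix}
sysconfdir = \${prefix}/etc
localstatedir = /var
sbindir = \${exec_prefix}/sbin
logdir = /var/log
raddbdir = \${sysconfdir}/raddb
radacctdir = \${logdir}/radacct
confdir = \${raddbdir}
run_dir = \${localstatedir}/run/radiusd
log_file = \${logdir}/radius.log
libdir = \${exec_prefix}/lib
pidfile = \${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = $iface_ip
port = $port
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = \${sbindir}/checkrad
 
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
 
proxy_requests = yes
\$INCLUDE  \${confdir}/proxy.conf
 
\$INCLUDE  \${confdir}/clients.conf
 
snmp = no
\$INCLUDE  \${confdir}/snmp.conf
 
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
 
modules {
	pap {
		encryption_scheme = crypt
	}
 
	chap {
		authtype = CHAP
	}
 
	pam {
		pam_auth = radiusd
	}
 
	unix {
		cache = no
		cache_reload = 600
		radwtmp = \${logdir}/radwtmp
	}
 
	\$INCLUDE \${confdir}/eap.conf
 
	mschap {
		authtype = MS-CHAP
		#use_mppe = no
		#require_encryption = yes
		#require_strong = yes
		#with_ntdomain_hack = no
		#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
 
	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		#base_filter = "(objectclass=radiusprofile)"
		start_tls = no
		#tls_cacertfile = /path/to/cacert.pem
		#tls_cacertdir = /path/to/ca/dir/
		#tls_certfile = /path/to/radius.crt
		#tls_keyfile = /path/to/radius.key
		#tls_randfile = /path/to/rnd
		#tls_require_cert = "demand"
		access_attr = "dialupAccess"
		dictionary_mapping = \${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#groupname_attribute = cn
		#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		#groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		#compare_check_items = yes
		#do_xlat = yes
		#access_attr_used_for_allow = yes
	}
 
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
 
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
 
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
 
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}
 
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
		#notfound-reject = no
	}
 
	preprocess {
		huntgroups = \${confdir}/huntgroups
		hints = \${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
 
	files {
		usersfile = \${confdir}/users
		acctusersfile = \${confdir}/acct_users
		preproxy_usersfile = \${confdir}/preproxy_users
		compat = no
	}
 
	detail {
		detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
 
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
 
	\$INCLUDE  \${confdir}/sql.conf
 
	radutmp {
		filename = \${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "yes"
	}
 
	radutmp sradutmp {
		filename = \${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
 
	attr_filter {
		attrsfile = \${confdir}/attrs
	}
 
	counter daily {
		filename = \${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
 
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
 
	expr {
	}
 
	digest {
	}
 
	exec {
		wait = yes
		input_pairs = request
	}
 
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
		#packet_type = Access-Accept
	}
 
	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = \${raddbdir}/db.ippool
		ip-index = \${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}
}
 
instantiate {
	exec
	expr
	#daily
}
 
authorize {
	preprocess
	#auth_log
	#attr_filter
	chap
	mschap
	#digest
	#IPASS
	suffix
	#ntdomain
	eap
	files
	#sql
	#etc_smbpasswd
	#ldap
	#daily
	#checkval
}
 
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	#digest
	#pam
	unix
	#Auth-Type LDAP {
	#	ldap
	#}
	eap
}
 
preacct {
	preprocess
	acct_unique
	#IPASS
	suffix
	#ntdomain
	files
}
 
accounting {
	detail
	#daily
	unix
	radutmp
	#sradutmp
	#main_pool
	#sql
	#pgsql-voip
}
 
session {
	radutmp
	#sql
}
 
post-auth {
	#main_pool
	#reply_log
	#sql
	#ldap
	#Post-Auth-Type REJECT {
	#	insert-module-name-here
	#}
}
 
pre-proxy {
	#attr_rewrite
	#files
	#pre_proxy_log
}
 
post-proxy {
	#post_proxy_log
	#attr_rewrite
	#attr_filter
	eap
}

EOD;
	file_put_contents(RADDB . '/radiusd.conf', $conf);
	restart_service("freeradius");
}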

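function freeradius_users_resync() {
	/* Rewrite RADDB/users from the package's user list -- one
	 * "username<TAB>User-Password == "..."" line per user -- restrict it to
	 * the owner (it holds cleartext passwords) and restart the daemon.
	 * Returns nothing. */
	global $config;

	$users = array();
	if (isset($config['installedpackages']['freeradius']['config'])
	    && is_array($config['installedpackages']['freeradius']['config'])) {
		$users = $config['installedpackages']['freeradius']['config'];
	}

	$conf = '';
	foreach ($users as $user) {
		// An entry without a username cannot form a valid users line.
		if (!isset($user['username']) || $user['username'] === '') {
			continue;
		}
		$password = isset($user['password']) ? $user['password'] : '';
		// The password is emitted inside a double-quoted users-file string,
		// so a literal " or \ has to be backslash-escaped; unescaped it would
		// end the value early and corrupt the rest of the entry.
		$password = addcslashes($password, "\\\"");
		$conf .= "{$user['username']}\tUser-Password == \"{$password}\"\n";
	}

	$filename = RADDB . '/users';
	file_put_contents($filename, $conf);
	chmod($filename, 0600);  // cleartext credentials: owner-only

	restart_service('freeradius');
}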

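function freeradius_clients_resync() {
	/* Rewrite RADDB/clients.conf from the package's NAS client list and
	 * restart the daemon. With no clients configured, a single loopback
	 * client is written so the daemon still starts. Returns nothing. */
	global $config;

	$clients = array();
	if (isset($config['installedpackages']['freeradiusclients']['config'])
	    && is_array($config['installedpackages']['freeradiusclients']['config'])) {
		$clients = $config['installedpackages']['freeradiusclients']['config'];
	}

	$conf = '';
	if (!empty($clients)) {
		foreach ($clients as $item) {
			$client = isset($item['client']) ? $item['client'] : '';
			$shortname = isset($item['shortname']) ? $item['shortname'] : '';
			$secret = isset($item['sharedsecret']) ? $item['sharedsecret'] : '';
			// The shared secret is written as a double-quoted config string
			// (the same form radiusd.conf already uses for e.g. "delimiter"),
			// with " and \ escaped, so a secret containing whitespace, '#'
			// or '}' cannot break or terminate the client block.
			$secret = addcslashes($secret, "\\\"");
			$conf .= <<<EOD
client $client {
	secret = "$secret"
	shortname = $shortname
}

EOD;
		}
	}
	else {
		// NOTE(review): fixed, well-known secret; only ever applies to the
		// loopback client, but it is still worth replacing with a real one.
		$conf .= <<<EOD
client 127.0.0.1 {
	secret = pfsense
	shortname = localhost
}

EOD;
	}

	$filename = RADDB . '/clients.conf';
	file_put_contents($filename, $conf);
	// Same treatment as the users file: this file holds shared secrets.
	chmod($filename, 0600);
	restart_service("freeradius");
}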
?>