upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-05-28 04:34:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

net/freeradius: merge 1.2.0 with EAP support

Browse source
This commit is contained in:
Franco Fichtner 2017-10-22 11:46:11 +02:00
parent 821e362f69
commit 220f40e768
11 changed files with 404 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/freeradius/Makefile
View file

@ -1,5 +1,5 @@
PLUGIN_NAME= freeradius
PLUGIN_VERSION= 1.1.0
PLUGIN_VERSION= 1.2.0
PLUGIN_COMMENT= RADIUS Authentication, Authorization and Accounting Server
PLUGIN_DEPENDS= freeradius3
PLUGIN_MAINTAINER= m.muenz@gmail.com

76
net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php Normal file
View file

@ -0,0 +1,76 @@
<?php
/**
* Copyright (C) 2015 - 2017 Deciso B.V.
* Copyright (C) 2017 Michael Muenz
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
namespace OPNsense\Freeradius\Api;
use \OPNsense\Base\ApiControllerBase;
use \OPNsense\Freeradius\Eap;
use \OPNsense\Core\Config;
class EapController extends ApiControllerBase
{
public function getAction()
{
// define list of configurable settings
$result = array();
if ($this->request->isGet()) {
$mdlEAP = new EAP();
$result['eap'] = $mdlEAP->getNodes();
}
return $result;
}
public function setAction()
{
$result = array("result"=>"failed");
if ($this->request->isPost()) {
// load model and update with provided data
$mdlEAP = new EAP();
$mdlEAP->setNodes($this->request->getPost("eap"));
// perform validation
$valMsgs = $mdlEAP->performValidation();
foreach ($valMsgs as $field => $msg) {
if (!array_key_exists("validations", $result)) {
$result["validations"] = array();
}
$result["validations"]["eap.".$msg->getField()] = $msg->getMessage();
}
// serialize model to config and save
if ($valMsgs->count() == 0) {
$mdlEAP->serializeToConfig();
Config::getInstance()->save();
$result["result"] = "saved";
}
}
return $result;
}
}

38
net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/EapController.php Normal file
View file

@ -0,0 +1,38 @@
<?php
/*
Copyright (C) 2017 Michael Muenz
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
namespace OPNsense\Freeradius;
class EapController extends \OPNsense\Base\IndexController
{
public function indexAction()
{
$this->view->title = gettext("EAP Settings");
$this->view->eapForm = $this->getForm("eap");
$this->view->pick('OPNsense/Freeradius/eap');
}
}

32
net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml Normal file
View file

@ -0,0 +1,32 @@
<form>
<field>
<id>eap.default_eap_type</id>
<label>Default EAP Type</label>
<type>dropdown</type>
<help>Set the default EAP type.</help>
</field>
<field>
<id>eap.enable_client_cert</id>
<label>Enable Client Certficate Authentication</label>
<type>checkbox</type>
<help>This will activate certificate based authentication. Please choose CA and Certificate below and do not forget to roll out certificates to the clients.</help>
</field>
<field>
<id>eap.ca</id>
<label>Root Certificate</label>
<type>dropdown</type>
<help>Choose the Root CA.</help>
</field>
<field>
<id>eap.certificate</id>
<label>Server Certificate</label>
<type>dropdown</type>
<help>Choose the certificate the Radius service should use.</help>
</field>
<field>
<id>eap.crl</id>
<label>CRL</label>
<type>dropdown</type>
<help>This enables CRL checking, please restart this service with every change to the CRL.</help>
</field>
</form>

34
net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php Normal file
View file

@ -0,0 +1,34 @@
<?php
namespace OPNsense\Freeradius;
use OPNsense\Base\BaseModel;
/*
Copyright (C) 2017 Michael Muenz
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
class Eap extends BaseModel
{
}

37
net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml Normal file
View file

@ -0,0 +1,37 @@
<model>
<mount>//OPNsense/freeradius/eap</mount>
<description>EAP configuration</description>
<version>1.0.0</version>
<items>
<default_eap_type type="OptionField">
<default>MD5</default>
<Required>Y</Required>
<multiple>N</multiple>
<OptionValues>
<md5>MD5</md5>
<mschapv2>MSCHAPv2</mschapv2>
<peap>PEAP</peap>
<ttls>TTLS</ttls>
</OptionValues>
</default_eap_type>
<enable_client_cert type="BooleanField">
<default>0</default>
<Required>Y</Required>
</enable_client_cert>
<ca type="CertificateField">
<default></default>
<Type>ca</Type>
<Required>N</Required>
</ca>
<certificate type="CertificateField">
<default></default>
<Type>cert</Type>
<Required>N</Required>
</certificate>
<crl type="CertificateField">
<default></default>
<Type>crl</Type>
<Required>N</Required>
</crl>
</items>
</model>

1
net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
View file

@ -4,6 +4,7 @@
<General url="/ui/freeradius/general/index" order="10"/>
<User url="/ui/freeradius/user/index" order="20"/>
<Client url="/ui/freeradius/client/index" order="30"/>
<EAP url="/ui/freeradius/eap/index" order="40"/>
</FreeRADIUS>
</Services>
</menu>

62
net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/eap.volt Normal file
View file

@ -0,0 +1,62 @@
{#
OPNsense® is Copyright © 2014 2017 by Deciso B.V.
This file is Copyright © 2017 by Michael Muenz
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
#}
<div class="content-box" style="padding-bottom: 1.5em;">
{{ partial("layout_partials/base_form",['fields':eapForm,'id':'frm_eap_settings'])}}
<hr />
<div class="col-md-12">
<button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress" class=""></i></button>
</div>
</div>
<script type="text/javascript">
$( document ).ready(function () {
var data_get_map = {'frm_eap_settings':"/api/freeradius/eap/get"};
mapDataToFormUI(data_get_map).done(function (data) {
formatTokenizersUI();
$('.selectpicker').selectpicker('refresh');
});
ajaxCall(url="/api/freeradius/service/status", sendData={}, callback=function (data, status) {
updateServiceStatusUI(data['status']);
});
// link save button to API set action
$("#saveAct").click(function () {
saveFormToEndpoint(url="/api/freeradius/eap/set", formid='frm_eap_settings',callback_ok=function () {
$("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
ajaxCall(url="/api/freeradius/service/reconfigure", sendData={}, callback=function (data,status) {
ajaxCall(url="/api/freeradius/service/status", sendData={}, callback=function (data,status) {
updateServiceStatusUI(data['status']);
});
$("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
});
});
});
});
</script>

102
net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php Executable file
View file

@ -0,0 +1,102 @@
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2015 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
// use legacy code to generate certs and ca's
// eventually we need to replace this.
require_once("config.inc");
require_once("certs.inc");
require_once("legacy_bindings.inc");
use OPNsense\Core\Config;
$cert_pem_filename = '/usr/local/etc/raddb/certs/cert_opn.pem';
$cert_pem_content = '';
$ca_pem_filename = '/usr/local/etc/raddb/certs/ca_opn.pem';
$ca_pem_content = '';
// traverse Freeradius plugin for certficiates
$configObj = Config::getInstance()->object();
if (isset($configObj->OPNsense->freeradius)) {
foreach ($configObj->OPNsense->freeradius->children() as $find_cert) {
$cert_refid = (string)$find_cert->certificate;
// if eap has a certificate attached, search for its contents
if ($cert_refid != "") {
foreach ($configObj->cert as $cert) {
if ($cert_refid == (string)$cert->refid) {
// generate cert pem file
$pem_content = trim(str_replace("\n\n", "\n", str_replace(
"\r",
"",
base64_decode((string)$cert->crt)
)));
$pem_content .= "\n";
$pem_content .= trim(str_replace(
"\n\n",
"\n",
str_replace("\r", "", base64_decode((string)$cert->prv))
));
$pem_content .= "\n";
$cert_pem_content .= $pem_content;
// generate ca pem file
if (!empty($cert->caref)) {
$cert = (array)$cert;
$ca_pem_content .= ca_chain($cert);
}
}
}
}
$cert_refid = (string)$find_cert->crl;
// if eap has a certificate attached, search for its contents
if ($cert_refid != "") {
foreach ($configObj->crl as $crl) {
if ($cert_refid == (string)$crl->refid && !empty((string)$crl->text)) {
// generate cert pem file
$pem_content = trim(str_replace("\n\n", "\n", str_replace(
"\r",
"",
base64_decode((string)$crl->text)
)));
$pem_content .= "\n";
$ca_pem_content .= $pem_content;
}
}
}
}
}
file_put_contents($cert_pem_filename, $cert_pem_content);
chmod($cert_pem_filename, 0600);
echo "Certificates generated $cert_pem_filename\n";
file_put_contents($ca_pem_filename, $ca_pem_content);
chmod($ca_pem_filename, 0600);
echo "Certificates generated $ca_pem_filename\n";

2
net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
View file

@ -15,3 +15,5 @@ for FILE in ${RADIUS_FILES}; do
touch ${FILE}
chmod 700 ${FILE}
done
/usr/local/opnsense/scripts/Freeradius/generate_certs.php

25
net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
View file

@ -26,7 +26,9 @@ eap {
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
{% if helpers.exists('OPNsense.freeradius.eap.default_eap_type') and OPNsense.freeradius.eap.default_eap_type != '' %}
default_eap_type = {{ OPNsense.freeradius.eap.default_eap_type }}
{% endif %}
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
@ -172,9 +174,14 @@ eap {
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls-config tls-common {
{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
{% if helpers.exists('OPNsense.freeradius.eap.certificate') and OPNsense.freeradius.eap.certificate != '' %}
private_key_password =
private_key_file = ${certdir}/cert_opn.pem
certificate_file = ${certdir}/cert_opn.pem
{% else %}
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
@ -186,7 +193,7 @@ eap {
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
{% endif %}
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
@ -197,8 +204,11 @@ eap {
# In that case, this CA file should contain
# *one* CA certificate.
#
{% if helpers.exists('OPNsense.freeradius.eap.ca') and OPNsense.freeradius.eap.ca != '' %}
ca_file = ${certdir}/ca_opn.pem
{% else %}
ca_file = ${cadir}/ca.pem
{% endif %}
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
# it sometimes gets the chains right from a certificate
@ -280,8 +290,11 @@ eap {
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the lines below.
# 5) Restart radiusd
{% if helpers.exists('OPNsense.freeradius.eap.crl') and OPNsense.freeradius.eap.crl != '' %}
check_crl = yes
{% else %}
# check_crl = yes
{% endif %}
# Check if intermediate CAs have been revoked.
# check_all_crl = yes
@ -557,7 +570,7 @@ eap {
# softfail = no
}
}
{% endif %}
## EAP-TLS
#
# As of Version 3.0, the TLS configuration for TLS-based