FreeRadius: PPTP - RADIUS and client IP address

sbyoon

Here is vpn_pptp.php

/*
	vpn_pptp.php
	part of m0n0wall (http://m0n0.ch/wall)

	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1\. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2\. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

require("guiconfig.inc");

if (!is_array($config['pptpd']['radius'])) {
	$config['pptpd']['radius'] = array();
}
$pptpcfg = &$config['pptpd'];

$pconfig['remoteip'] = $pptpcfg['remoteip'];
$pconfig['localip'] = $pptpcfg['localip'];
$pconfig['redir'] = $pptpcfg['redir'];
$pconfig['mode'] = $pptpcfg['mode'];
$pconfig['wins'] = $pptpcfg['wins'];
$pconfig['req128'] = isset($pptpcfg['req128']);
$pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']);
$pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']);
$pconfig['radiusserver'] = $pptpcfg['radius']['server'];
$pconfig['radiussecret'] = $pptpcfg['radius']['secret'];
$pconfig['radiusissueips'] = isset($pptpcfg['radius']['radiusissueips']);

if ($_POST) {

	unset($input_errors);
	$pconfig = $_POST;

	/* input validation */
	if ($_POST['mode'] == "server") {
		$reqdfields = explode(" ", "localip remoteip");
		$reqdfieldsn = explode(",", "Server address,Remote start address");

		if ($_POST['radiusenable']) {
			$reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
			$reqdfieldsn = array_merge($reqdfieldsn, 
				explode(",", "RADIUS server address,RADIUS shared secret"));
		}

		do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

		if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) {
			$input_errors[] = "A valid server address must be specified.";
		}
		if (($_POST['subnet'] && !is_ipaddr($_POST['remoteip']))) {
			$input_errors[] = "A valid remote start address must be specified.";
		}
		if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) {
			$input_errors[] = "A valid RADIUS server address must be specified.";
		}

		if (!$input_errors) {	
			$_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']);
			$subnet_start = ip2long($_POST['remoteip']);
			$subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1;

			if ((ip2long($_POST['localip']) >= $subnet_start) && 
			    (ip2long($_POST['localip']) <= $subnet_end)) {
				$input_errors[] = "The specified server address lies in the remote subnet.";	
			}
			if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) {
				$input_errors[] = "The specified server address is equal to the LAN interface address.";	
			}
		}
	} else if ($_POST['mode'] == "redir") {
		$reqdfields = explode(" ", "redir");
		$reqdfieldsn = explode(",", "PPTP redirection target address");

		do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);

		if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) {
			$input_errors[] = "A valid target address must be specified.";
		}
	} else {
		/* turning pptp off, lets dump any custom rules */
		$rules = &$config['filter']['rule'];
		for($x=0; $x <count($rules); $x++)="" {<br="">if($rules[$x]['interface'] == "pptp") { 
				unset($rules[$x]);
			}
		}
		unset($config['pptpd']['mode']);
		write_config();
	}

	if (!$input_errors) {
		$pptpcfg['remoteip'] = $_POST['remoteip'];
		$pptpcfg['redir'] = $_POST['redir'];
		$pptpcfg['localip'] = $_POST['localip'];
		$pptpcfg['mode'] = $_POST['mode'];
		$pptpcfg['wins'] = $_POST['wins'];
		$pptpcfg['radius']['server'] = $_POST['radiusserver'];
		$pptpcfg['radius']['secret'] = $_POST['radiussecret'];

		if($_POST['req128'] == "yes") 
			$pptpcfg['req128'] = true;
		else
			unset($pptpcfg['req128']);

		if($_POST['radiusenable'] == "yes") 
			$pptpcfg['radius']['enable'] = true;
		else 
			unset($pptpcfg['radius']['enable']);

		if($_POST['radacct_enable'] == "yes") 
			$pptpcfg['radius']['accounting'] = true;
		else 
			unset($pptpcfg['radius']['accounting']);

        if($_POST['radiusissueips'] == "yes") {
			$pptpcfg['radius']['radiusissueips'] = true;
		} else
			unset($pptpcfg['radius']['radiusissueips']);

		write_config();

		$retval = 0;

		config_lock();
		$retval = vpn_setup();
		config_unlock();

		$savemsg = get_std_save_message($retval);

		filter_configure();
	}
}

$pgtitle = "VPN PPTP";
include("head.inc");

?>

<form action="vpn_pptp.php" method="post" name="iform" id="iform">

| 
	$tab_array = array();
	$tab_array[0] = array("Configuration", true, "vpn_pptp.php");
	$tab_array[1] = array("Users", false, "vpn_pptp_users.php");
	display_top_tabs($tab_array);
?>  
   |

    |  
                    				  	>
                    Off |
    | 
>
                    Redirect incoming PPTP connections to: |
  PPTP redirection |  

                    Enter the IP address of a host which will accept incoming 
                    PPTP connections. |
    | 
>
                    Enable PPTP server |
  Max. concurrent 
                    connections |  

                   |
  Server address |  

                    Enter the IP address the PPTP server should use on its side 
                    for all clients. |
  Remote address 
                    range |  

                    / 

                    Specify the starting address for the client IP address subnet.

                    The PPTP server will assign 

                    addresses, starting at the address entered above, to clients. |
  RADIUS |  
                      >
                      **Use a RADIUS server for authentication** When set, all users will be authenticated using 
                      the RADIUS server specified below. The local user database 
                      will not be used.

                      >
                      **Enable RADIUS accounting** Sends accounting packets to the RADIUS server. |
  RADIUS server  | 

                      Enter the IP address of the RADIUS server. |
  RADIUS shared secret | 

                      Enter the shared secret that will be used to authenticate 
                      to the RADIUS server. |
  RADIUS issued IP's | 
                      >

Issue IP Addresses via RADIUS server.

                   |		
  WINS Server | 

                   |
   |
    |  
                    > 
                    **Require 128-bit encryption**

                    When set, 128-bit encryption will be accepted. Otherwise, 
                    40-bit and 56-bit encryption will be accepted, too. Note that 
                    encryption will always be forced on PPTP connections (i.e. 
                    unencrypted connections will not be accepted). |
    |  

                   |
    | **Note:** don't forget to [add a firewall rule](firewall_rules.php?if=pptp) to permit 
                    traffic from PPTP clients! |

			 |	

</form>

![pptp.jpg_thumb](/public/_imported_attachments_/1/pptp.jpg_thumb)
![pptp.jpg](/public/_imported_attachments_/1/pptp.jpg)
![pptp.jpg_thumb](/public/_imported_attachments_/1/pptp.jpg_thumb)[/i][/i]</count($rules);></mk@neon1.net>

psychosematic

:D WOW its looking good guys! ;)

hoba

Nice, but we need the files as diffs against the latest revisions of the files you changed to merge them into the pfSense code. Can you attach diffs?

jeroen234

here are my diff's for freeradius.xml and freeradius.inc

on the weekend i will add counter atrr. to freeradius.xml and freeradius.inc
the counters are already eneabled in radiusd.conf

freeradius.inc.diff.txt
freeradius.xml.dif.txt

sbyoon

I have a problem. I don't know how to make the diffs file.

Pls adv me how to make the diffs file so that I can make diffs for vpn_pptp.php and vpn.inc.

hoba

http://forum.pfsense.org/index.php/topic,2972.0.html

sbyoon

Here are the diffs for vpn.inc and vpn_pptp.php.
I used vpn.inc version 1.12 and vpn_pptp.php version 1.38.

vpn.inc.diff.txt
vpn_pptp.php.diff.txt

sbyoon

Dear Jeroen,

Could you add the description column for freeradius users? I think it is needed for users contact number, email address or his real name.

Thank you.

jeroen234

oke than i will add it in frond of the username
there are comming 4 more colom's in the weekend
and suport for 3 more in the future ( upload en download speed settings and wisp redirect url)

monideth

Hi All,

I haven;t checked the forums for a while since I posted this initial thread.

However, I am pleasantly surpised that some work has been done on the freeradius package  :)

Just wanted to ask whether the new freeradius package is now available. I checked the package version and the latest one was 1.1.2 - so I installed this. However, I did not get any changes to the interface to allow config of the IP address in the account configuration.

Is the 1.1.2 version meant to include this feature - or is this feature still needs to be patched in and released?

Thanks for all your hard work.

Regards,

Mon

databeestje

Have the radius extensions made it into CVS yet?

jeroen234

the last time i looked they were not yett in

monideth

Any updates on when these new features will be available?

sbyoon

Now I'm using it and it works great. PPTP users are now given the ip address from freeradius.

I tried 1.0.1-SNAPSHOT-01-13-2007 today but I found that this feature does not added on this snapshot.

Is there some problem to add this function into future pfsense version???

sullrich

Not sure what you mean?  Can you send a patch?

sbyoon

Jeroen and I already attached the diffs files for this functions on this thread. Pls read previous posts.@sbyoon:

Here are the diffs for vpn.inc and vpn_pptp.php.
I used vpn.inc version 1.12 and vpn_pptp.php version 1.38.

sullrich

That is not the proper sequence for sending patches.  Please read:

http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches

sbyoon

Sorry, if the sequece was wrong. I checked the link but it does not meantion how to make patch. Could adv me how to make the patch?

databeestje

from the console.

pkg_add -r diffutils
rehash
gdiff -urN <original file=""><new file="">And to put it into a file

gdiff -urN <original file=""><new file="">> patch.txt

Then you can download or fetch the file from the diagnostics menu.</new></original></new></original>

sbyoon

I'm confused. What is the difference between 'diff' and 'patch'?
I've made the diff files with "diff -rub oldfile newfile > file.diff" and attached it this thread as requested by Hoba.

I made the diff files as instructed in below link.
http://forum.pfsense.org/index.php/topic,2972.0.html
And I used the latest files from pfsense cvs and made the diff file with it.

I think your instruction is also for just making diff files. Then, are diff and patch same thing?

Now I attached the diff files again and am sending them to coreteam@pfsense.com as well.

vpn.inc.diff.txt
vpn_pptp.php.diff.txt
freeradius.inc.diff.txt
freeradius.xml.dif.txt