Freeradius.inc file changes



  • Hi,

    Just posting this here so I don't lose what I did again; doing an upgrade of pfSense wipes out the changes to the freeradius.inc file so I keep having to do this, and I lost what I did last time.

    Modified freeradius_clients_resync function:

    Basically add the $varclientipsubnet variable so that netmask lines are configured from the GUI when clients with /24 are input.

    
    function freeradius_clients_resync() {
    	global $config;
    
    	$conf = '';
    	$arrclients = $config['installedpackages']['freeradiusclients']['config'];
    	if (is_array($arrclients) && !empty($arrclients)) {
    		foreach ($arrclients as $item) {
    			$varclientip = $item['varclientip'];
    			$varclientipsubnet = '';
    			$varclientipissubnet = strpos($varclientip, '/');
    
    			if ($varclientipissubnet > 0) {
    				$varclientipsubnet = substr($varclientip, (strlen($varclientip) - $varclientipissubnet - 1) * -1);
    				$varclientip = substr($varclientip, 0, $varclientipissubnet);
    				$varclientipsubnet = 'netmask = ' . $varclientipsubnet;
    			}
    
    			$varclientsharedsecret = $item['varclientsharedsecret'];
    			$varclientipversion = $item['varclientipversion'];
    			$varclientshortname = $item['varclientshortname'];
    			$varclientproto = $item['varclientproto'];
    			$varrequiremessageauthenticator = $item['varrequiremessageauthenticator'];
    			$varclientnastype = $item['varclientnastype'];
    			$varclientmaxconnections = $item['varclientmaxconnections'];
    			$varclientlogininput = ($item['varclientlogininput']?$item['varclientlogininput']:'### login = !root ###');
    			$varclientpasswordinput = ($item['varclientpasswordinput']?$item['varclientpasswordinput']:'### password = someadminpass ###');
    
    			if ($item['varclientlogininput'] == '') {
    				$varclientlogin = '### login = !root ###';
    			}
    			else {
    				$varclientlogin = "login = $varclientlogininput";
    			}
    			if ($item['varclientpasswordinput'] == '') {
    				$varclientpassword = '### password = someadminpass ###';
    			}
    			else {
    				$varclientpassword = "password = $varclientpasswordinput";
    			}
    
    			$conf .= <<<EOD
    client "$varclientshortname" {
    	$varclientipversion = $varclientip
    	$varclientipsubnet
    	proto = $varclientproto
    	secret = $varclientsharedsecret
    	require_message_authenticator = $varrequiremessageauthenticator
    	max_connections = $varclientmaxconnections
    	shortname = $varclientshortname
    	nastype = $varclientnastype
    	$varclientlogin
    	$varclientpassword
    }
    
    EOD;
    		}
    	}
    	else {
    		$conf .= <<<EOD
    client pfsense {
    	ipaddr = 127.0.0.1
    	secret = pfsense
    	shortname = pfsense
    }
    
    EOD;
    	}
    
    	conf_mount_rw();
    	file_put_contents(FREERADIUS_ETC . '/raddb/clients.conf', $conf);
    	conf_mount_ro();
    
    	freeradius_sync_on_changes();
    	restart_service("radiusd");
    }
    

    Also uncomment the below two lines:

    
    #proxy_requests = yes
    #\$INCLUDE  proxy.conf
    
    

    If whoever maintains this file finds this post, it would be useful if these could be incorporated in future releases, thanks.

    Regards,
    Rob.
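
Added example, not part of Rob's post or of the pfSense FreeRADIUS package: a stricter way to split a GUI client entry such as 192.168.1.0/24 into the address and the netmask line, rejecting malformed input before it is written to clients.conf. The function name `split_client_address` is hypothetical, and it assumes `$varclientipversion` holds either `ipaddr` or `ipv6addr`.

```php
<?php
// Added example: hypothetical helper, not code from freeradius.inc.
// Assumption: $ipversion is 'ipaddr' or 'ipv6addr', the value the
// package writes on the left-hand side of the address line.
function split_client_address($input, $ipversion = 'ipaddr') {
	$parts = explode('/', trim($input));
	if (count($parts) > 2) {
		return false;	// more than one slash
	}
	$isv6 = ($ipversion === 'ipv6addr');
	$flag = $isv6 ? FILTER_FLAG_IPV6 : FILTER_FLAG_IPV4;
	if (filter_var($parts[0], FILTER_VALIDATE_IP, $flag) === false) {
		return false;	// not a literal address of the expected family
	}
	if (count($parts) === 1) {
		return array('ip' => $parts[0], 'netmask_line' => '');
	}
	$prefix = $parts[1];
	// ctype_digit() is false for '' so a trailing slash is rejected too.
	if (!ctype_digit($prefix) || strlen($prefix) > 3 || (int)$prefix > ($isv6 ? 128 : 32)) {
		return false;
	}
	// Every host inside the resulting range shares this client's secret,
	// so the prefix should be as long as the deployment allows.
	return array('ip' => $parts[0], 'netmask_line' => 'netmask = ' . (int)$prefix);
}

// Constructed sample inputs, as they might be typed into the GUI field.
$samples = array('192.168.1.0/24', '10.0.0.5', '10.0.0.0/', '10.0.0.0/33', 'fd00::/64');
foreach ($samples as $sample) {
	$version = (strpos($sample, ':') !== false) ? 'ipv6addr' : 'ipaddr';
	$r = split_client_address($sample, $version);
	$shown = ($r === false) ? 'rejected' : $r['ip'] . ' | ' . $r['netmask_line'];
	echo str_pad($sample, 16), ' => ', $shown, "\n";
}
```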



  • Disclaimer: I have not thought for a moment about FreeRadius and what the actual changes are here.

    Principle: This is an Open Source project. The project code is on GitHub https://github.com/pfsense/pfsense and https://github.com/pfsense/pfsense-packages
    If you are into gory backend code and OS patches, there is also pfsense-tools for which there is an extra hoop to jump for access.
    It is very easy to create a GitHub account if you do not already have one. Then for small things you do not need to install Git on your own device, just use the GitHub web interface. Drill down to the file in question, click the pencil to edit, make your changes, put a decent title and description of what and why it is "a good thing", save, press the button to make a pull request.

    Those in charge of reviewing will be nice to you on your first try (I hope)

