author | Phil Davis <phil.davis@inf.org> | 2016-07-20 17:09:25 +0930 |
---|---|---|
committer | Phil Davis <phil.davis@inf.org> | 2016-07-20 17:09:25 +0930 |
commit | 10d4fe2e5babaaae4351436cf3f4996c66e53228 (patch) | |
tree | 0a04b7c0706e0e3935dd05e9bbcb897e8dbdb5d0 | |
parent | c9d6b915daced9767ff596ee9485ec2d9a573a41 (diff) | |
Backport Radius auth server to detect openVPN
Original pull request to master was #3057
-rw-r--r-- | src/etc/inc/openvpn.auth-user.php | 44 | ||||
-rw-r--r-- | src/etc/inc/openvpn.inc | 2 | ||||
-rw-r--r-- | src/etc/inc/radius.inc | 16 | ||||
-rwxr-xr-x | src/usr/local/sbin/ovpn_auth_verify | 2 |
4 files changed, 53 insertions, 11 deletions
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index 32c89a9..669ace5 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -68,17 +68,11 @@ require_once("interfaces.inc");
 /**
  * Get the NAS-Identifier
  *
- * We will use our local hostname to make up the nas_id
+ * We will return "openVPN" so that connections can be distinguished by the Radius
  */
 if (!function_exists("getNasID")) {
 function getNasID() {
-	global $g;
-
-	$nasId = gethostname();
-	if (empty($nasId)) {
-		$nasId = $g['product_name'];
-	}
-	return $nasId;
+	return "openVPN";
 }
 }
 
@@ -97,6 +91,40 @@ function getNasIP() {
 	return $nasIp;
 }
 }
 
+
+/**
+ * Set the NAS-Port-Type
+ *
+ * Should be "Virtual" since that denotes VPN connections
+ */
+if (!function_exists("getNasPortType")) {
+function getNasPortType() {
+	return RADIUS_VIRTUAL;
+}
+}
+
+/**
+ * Set the NAS-Port
+ *
+ * We will return the port the client connected to
+ */
+if (!function_exists("getNasPort")) {
+function getNasPort() {
+	return $_GET['nas_port'];
+}
+}
+
+/**
+ * Set the Called-Station-ID
+ *
+ * We will return the IP and port the client connected to
+ */
+if (!function_exists("getCalledStationId")) {
+function getCalledStationId() {
+	return get_interface_ip() . ":" . getNasPort();
+}
+}
+
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 7f2897a..dc28520 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -849,7 +849,7 @@ function openvpn_reconfigure($mode, $settings) {
 				if ($settings['strictusercn']) {
 					$strictusercn = "true";
 				}
-				$conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id}\" via-env\n";
+				$conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id} {$settings['local_port']}\" via-env\n";
 			}
 			break;
 		}
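Review bot: getNasPort() returns $_GET['nas_port'] with no validation and no default, so a request that omits the parameter raises an undefined-index notice and sends an empty NAS-Port, and anything non-numeric is handed straight to the 'integer' attribute encoder in radius.inc. Validate at this boundary, e.g. `return (isset($_GET['nas_port']) && ctype_digit((string) $_GET['nas_port'])) ? intval($_GET['nas_port']) : 0;`. getCalledStationId() also calls get_interface_ip() with no argument; if that helper defaults to the WAN interface as it does elsewhere in pfSense, the Called-Station-Id will carry the WAN address even for a server bound to another interface, so confirm the intended interface is passed. The three new docblocks say "Set the …" although the functions only return a value; "Get the …" would match the getNasID docblock above them.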
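Review bot: `{$settings['local_port']}` is interpolated unquoted into the auth-user-pass-verify command line that OpenVPN hands to a shell, unlike `'{$settings['authmode']}'` on the same line, so an empty setting leaves ovpn_auth_verify without a fifth argument and any value that is not a bare number would be word-split. Quote it the same way, `{$mode_id} '{$settings['local_port']}'\" via-env\n";`, and consider substituting the server's effective listening port when the setting is empty. The enclosing switch/case of openvpn_reconfigure continues outside the hunk.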
diff --git a/src/etc/inc/radius.inc b/src/etc/inc/radius.inc
index 326b359..bbed12f 100644
--- a/src/etc/inc/radius.inc
+++ b/src/etc/inc/radius.inc
@@ -303,12 +303,26 @@ class Auth_RADIUS extends PEAR {
 		$this->putAttribute(RADIUS_NAS_IP_ADDRESS, $ipaddr, "addr");
 
 		// Add support for sending NAS-Identifier
-		if (empty($config["captiveportal"][$cpzone]["radiusnasid"])) {
+		if (function_exists("getNasID")) {
+			$nasId = getNasID();
+		} else if (empty($config["captiveportal"][$cpzone]["radiusnasid"])) {
 			$nasId = php_uname("n");
 		} else {
 			$nasId = $config["captiveportal"][$cpzone]["radiusnasid"];
 		}
 		$this->putAttribute(RADIUS_NAS_IDENTIFIER, $nasId);
+
+		if (function_exists("getNasPortType")) {
+			$this->putAttribute(RADIUS_NAS_PORT_TYPE, getNasPortType());
+		}
+
+		if (function_exists("getNasPort")) {
+			$this->putAttribute(RADIUS_NAS_PORT, getNasPort(), 'integer');
+		}
+
+		if (function_exists("getCalledStationId")) {
+			$this->putAttribute(RADIUS_CALLED_STATION_ID, getCalledStationId());
+		}
 	}
 
 	/**
diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify
index c850d4d..3990d28 100755
--- a/src/usr/local/sbin/ovpn_auth_verify
+++ b/src/usr/local/sbin/ovpn_auth_verify
@@ -58,7 +58,7 @@ else
 	# Base64 and urlEncode usernames and passwords
 	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
 	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
-	RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4")
+	RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
 fi
 
 if [ "${RESULT}" = "OK" ]; then
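Review bot: The four function_exists() hooks are an undocumented contract between this shared class and whichever script includes it, and the getNasID branch now silently takes precedence over the per-zone captive portal radiusnasid setting for any process that happens to define that function. Add a comment above the block naming the contract, e.g. `// Optional hooks: an including script may define getNasID(), getNasPortType(), getNasPort() and getCalledStationId() to override the attributes sent below (used by openvpn.auth-user.php); getNasID takes precedence over the captive portal radiusnasid setting.` The NAS-Port value is passed to putAttribute with 'integer' encoding without a check, so guard it, `if (function_exists("getNasPort") && is_numeric(getNasPort())) {`, rather than relying on every hook implementation to validate. The enclosing method begins before the hunk.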
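Review bot: `$5` is spliced into the fcgicli query string as-is, while username and password on the lines above are base64- and URL-encoded before use; since the value is meant to be a port number, restrict it to digits before it reaches the PHP side, e.g. `case "$5" in ''|*[!0-9]*) nas_port=0 ;; *) nas_port=$5 ;; esac` followed by `&nas_port=$nas_port` in the -d argument. That keeps a missing or malformed fifth argument from producing an empty or mangled nas_port parameter in openvpn.auth-user.php. The if/else this sits in begins before the hunk.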