authorPhil Davis <phil.davis@inf.org>2016-07-20 17:09:25 +0930
committerPhil Davis <phil.davis@inf.org>2016-07-20 17:09:25 +0930
commit10d4fe2e5babaaae4351436cf3f4996c66e53228 (patch)
tree0a04b7c0706e0e3935dd05e9bbcb897e8dbdb5d0
parentc9d6b915daced9767ff596ee9485ec2d9a573a41 (diff)
downloadpfsense-10d4fe2e5babaaae4351436cf3f4996c66e53228.zip
pfsense-10d4fe2e5babaaae4351436cf3f4996c66e53228.tar.gz
Backport Radius auth server to detect openVPN
Original pull request to master was #3057
-rw-r--r--src/etc/inc/openvpn.auth-user.php44
-rw-r--r--src/etc/inc/openvpn.inc2
-rw-r--r--src/etc/inc/radius.inc16
-rwxr-xr-xsrc/usr/local/sbin/ovpn_auth_verify2
4 files changed, 53 insertions, 11 deletions
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index 32c89a9..669ace5 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -68,17 +68,11 @@ require_once("interfaces.inc");
/**
* Get the NAS-Identifier
*
- * We will use our local hostname to make up the nas_id
+ * We will return "openVPN" so that connections can be distinguished by the Radius
*/
if (!function_exists("getNasID")) {
function getNasID() {
- global $g;
-
- $nasId = gethostname();
- if (empty($nasId)) {
- $nasId = $g['product_name'];
- }
- return $nasId;
+ return "openVPN";
}
}
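Review bot: Returning the literal `"openVPN"` from getNasID() drops the hostname that was previously sent as NAS-Identifier, so any RADIUS policy that matches NAS-Identifier against a firewall's hostname will stop matching OpenVPN requests once this is deployed, and several firewalls sharing one RADIUS server now present an identical identifier. The host is still distinguishable through NAS-IP-Address (radius.inc puts RADIUS_NAS_IP_ADDRESS just before the identifier), but the docblock should say so, e.g. `* Host identity is now carried only by NAS-IP-Address; RADIUS policies keyed on the hostname must be updated.` Consider making the identifier a per-server setting, as the captive portal's radiusnasid already is, rather than a fixed string.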
@@ -97,6 +91,40 @@ function getNasIP() {
return $nasIp;
}
}
+
+/**
+ * Set the NAS-Port-Type
+ *
+ * Should be "Virtual" since that denotes VPN connections
+ */
+if (!function_exists("getNasPortType")) {
+function getNasPortType() {
+ return RADIUS_VIRTUAL;
+}
+}
+
+/**
+ * Set the NAS-Port
+ *
+ * We will return the port the client connected to
+ */
+if (!function_exists("getNasPort")) {
+function getNasPort() {
+ return $_GET['nas_port'];
+}
+}
+
+/**
+ * Set the Called-Station-ID
+ *
+ * We will return the IP and port the client connected to
+ */
+if (!function_exists("getCalledStationId")) {
+function getCalledStationId() {
+ return get_interface_ip() . ":" . getNasPort();
+}
+}
+
/* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
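Review bot: getNasPort() returns `$_GET['nas_port']` with no isset guard and no numeric check, so any invocation that does not pass nas_port (only the patched ovpn_auth_verify does) raises a notice and hands null to a RADIUS attribute that radius.inc puts as 'integer'. A guarded version keeps the contract explicit: `return isset($_GET['nas_port']) && is_numeric($_GET['nas_port']) ? (int) $_GET['nas_port'] : 0;`, with the docblock stating that nas_port is expected from ovpn_auth_verify. getCalledStationId() also calls get_interface_ip() with no argument, which presumably resolves a default interface rather than the one the OpenVPN server is bound to; if getNasIP() (visible just above) already resolves the server's address, reusing it would keep Called-Station-Id consistent with NAS-IP-Address — worth confirming against get_interface_ip()'s default.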
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 7f2897a..dc28520 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -849,7 +849,7 @@ function openvpn_reconfigure($mode, $settings) {
if ($settings['strictusercn']) {
$strictusercn = "true";
}
- $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id}\" via-env\n";
+ $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id} {$settings['local_port']}\" via-env\n";
}
break;
}
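Review bot: `$settings['local_port']` is interpolated into the auth-user-pass-verify command as a bare word, so an empty value leaves the script's `$5` unset and an empty nas_port is sent, while a non-numeric value would change the argument list handed to ovpn_auth_verify. Unless the GUI already guarantees a numeric port (not visible from here), normalise it before building the line, e.g. `$local_port = (int) $settings['local_port'];` and interpolate `{$local_port}` (or use the file's numeric-validation helper if it has one). openvpn_reconfigure() starts and ends outside this hunk.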
diff --git a/src/etc/inc/radius.inc b/src/etc/inc/radius.inc
index 326b359..bbed12f 100644
--- a/src/etc/inc/radius.inc
+++ b/src/etc/inc/radius.inc
@@ -303,12 +303,26 @@ class Auth_RADIUS extends PEAR {
$this->putAttribute(RADIUS_NAS_IP_ADDRESS, $ipaddr, "addr");
// Add support for sending NAS-Identifier
- if (empty($config["captiveportal"][$cpzone]["radiusnasid"])) {
+ if (function_exists("getNasID")) {
+ $nasId = getNasID();
+ } else if (empty($config["captiveportal"][$cpzone]["radiusnasid"])) {
$nasId = php_uname("n");
} else {
$nasId = $config["captiveportal"][$cpzone]["radiusnasid"];
}
$this->putAttribute(RADIUS_NAS_IDENTIFIER, $nasId);
+
+ if (function_exists("getNasPortType")) {
+ $this->putAttribute(RADIUS_NAS_PORT_TYPE, getNasPortType());
+ }
+
+ if (function_exists("getNasPort")) {
+ $this->putAttribute(RADIUS_NAS_PORT, getNasPort(), 'integer');
+ }
+
+ if (function_exists("getCalledStationId")) {
+ $this->putAttribute(RADIUS_CALLED_STATION_ID, getCalledStationId());
+ }
}
/**
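Review bot: The value from getNasPort() is put with type 'integer' without any validation at this layer, so a missing or non-numeric nas_port from the caller reaches putAttribute() unchecked; guard it with `$nasPort = getNasPort();` and wrap the put in `if (is_numeric($nasPort)) {` passing `(int) $nasPort`. Note also that the new getNasID() hook now takes precedence over a captive-portal configured radiusnasid whenever such a function is defined, which is only correct as long as the hook is defined solely by the OpenVPN auth script — a one-line comment above the `function_exists("getNasID")` branch stating that precedence would help future readers. The enclosing method starts outside this hunk.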
diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify
index c850d4d..3990d28 100755
--- a/src/usr/local/sbin/ovpn_auth_verify
+++ b/src/usr/local/sbin/ovpn_auth_verify
@@ -58,7 +58,7 @@ else
# Base64 and urlEncode usernames and passwords
password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
- RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4")
+ RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
fi
if [ "${RESULT}" = "OK" ]; then
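Review bot: `nas_port=$5` is appended to the fcgicli query string verbatim, unlike username and password which are base64- and URL-encoded two lines above, so a value containing `&` or `=` would inject extra parameters into the request to openvpn.auth-user.php. The value comes from the server's configured local port, so it is admin-controlled, but a cheap guard keeps the script's own encoding contract: `nas_port=$(printf '%s' "$5" | tr -cd '0-9')` and then `&nas_port=$nas_port`. The else-branch this line sits in starts outside the hunk.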