From 5315fdf542c95df66a9b75a2657c58594c554bf5 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 12 Jul 2015 23:14:32 +0200
Subject: [PATCH] Add radius scripts
---
 install/radius_install | 10 ++++
 install/radius_prepare | 75 ++++++++++++++++++++++++++++++
 modules/gpio/html/gpio_trigger.php | 13 +++---
 modules/radius/EAP_TLS_client | 39 ++++++++++++++++
 modules/radius/EAP_TLS_revoke | 15 ++++++
 5 files changed, 146 insertions(+), 6 deletions(-)
 create mode 100755 install/radius_install
 create mode 100755 install/radius_prepare
 create mode 100755 modules/radius/EAP_TLS_client
 create mode 100755 modules/radius/EAP_TLS_revoke
diff --git a/install/radius_install b/install/radius_install
new file mode 100755
index 000000000..6599f5652
--- /dev/null
+++ b/install/radius_install
@@ -0,0 +1,10 @@
+#! /bin/bash
+
+apt-get install libssl-dev libgnutls28-dev gcc python2.7-dev libldap2-dev libacl1-dev libtalloc-dev libsasl2-dev
+cd /tmp
+wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.gz
+tar -xzf freeradius-server-3.0.9.tar.gz
+cd freeradius-server-3.0.9
+./configure
+make
+make install
diff --git a/install/radius_prepare b/install/radius_prepare
new file mode 100755
index 000000000..e5953dd29
--- /dev/null
+++ b/install/radius_prepare
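Review bot: The tarball fetched over plain FTP on the wget line is unpacked, built and installed as root with no integrity check, so a tampered or truncated download goes straight into `make install`; verify it before `tar -xzf`, e.g. against the digest the release page publishes, `echo "<EXPECTED_SHA256>  freeradius-server-3.0.9.tar.gz" | sha256sum -c - || exit 1`, or against the release signature. The script also has no `set -e`, so if `apt-get install` (run without `-y`, so it stops on a prompt when non-interactive) or the download fails, the later `cd`, `./configure` and `make install` still run in whatever directory the shell ends up in; add `set -euo pipefail` after the shebang. The version string 3.0.9 is repeated on three lines; a single `version=3.0.9` variable would keep them in step.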
@@ -0,0 +1,75 @@
+#! /bin/bash
+
+
+
+cd /usr/local/etc/raddb/certs/
+
+capass=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+srvpass=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+
+#ca
+cafile=ca.cnf
+sed -i -e '/\[ req \]/,/^\[/ s/.*input_password.*/input_password = '$capass'/' $cafile
+sed -i -e '/\[ req \]/,/^\[/ s/.*output_password.*/output_password = '$capass'/' $cafile
+
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*countryName.*/countryName = PL/' $cafile
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*stateOrProvinceName.*/stateOrProvinceName = Radius/' $cafile
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*localityName.*/localityName = Poland/' $cafile
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*organizationName.*/organizationName = nettemp.pl/' $cafile
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*emailAddress.*/emailAddress = admin@nettemp.pl/' $cafile
+sed -i -e '/\[certificate_authority\]/,/^\[/ s/.*commonName.*/commonName = "Local nettemp"/' $cafile
+
+sed -i -e '/\[ CA_default \]/,/^\[/ s/.*default_days.*/default_days = 1825/' $cafile
+
+#server
+serverfile=server.cnf
+
+sed -i -e '/\[ req \]/,/^\[/ s/.*input_password.*/input_password = '$srvpass'/' $serverfile
+sed -i -e '/\[ req \]/,/^\[/ s/.*output_password.*/output_password = '$srvpass'/' $serverfile
+
+sed -i -e '/\[server\]/,/^\[/ s/.*countryName.*/countryName = PL/' $serverfile
+sed -i -e '/\[server\]/,/^\[/ s/.*stateOrProvinceName.*/stateOrProvinceName = Radius/' $serverfile
+sed -i -e '/\[server\]/,/^\[/ s/.*localityName.*/localityName = Poland/' $serverfile
+sed -i -e '/\[server\]/,/^\[/ s/.*organizationName.*/organizationName = nettemp.pl/' $serverfile
+sed -i -e '/\[server\]/,/^\[/ s/.*emailAddress.*/emailAddress = admin@nettemp.pl/' $serverfile
+sed -i -e '/\[server\]/,/^\[/ s/.*commonName.*/commonName = "Local nettemp"/' $serverfile
+
+sed -i -e '/\[ CA_default \]/,/^\[/ s/.*default_days.*/default_days = 1825/' $serverfile
+
+
+#client
+clientfile=client.cnf
+sed -i -e '/\[client\]/,/^\[/ s/.*countryName.*/countryName = PL/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*stateOrProvinceName.*/stateOrProvinceName = Radius/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*localityName.*/localityName = Poland/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*organizationName.*/organizationName = nettemp.pl/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*emailAddress.*/emailAddress = admin@nettemp.pl/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*commonName.*/commonName = "Local nettemp"/' $clientfile
+
+sed -i -e '/\[ CA_default \]/,/^\[/ s/.*default_days.*/default_days = 365/' $clientfile
+
+#make
+
+rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
+rm -rf CA
+mkdir -p CA
+make ca
+make server
+
+# default CLR
+
+capass=$(grep output_password ca.cnf | sed 's/.*=//;s/^ *//')
+openssl ca -gencrl -keyfile ca.key -key $capass -cert ca.pem -out CA/crl.pem -config ./ca.cnf
+cp ca.pem CA/
+c_rehash CA/
+
+
+#eap
+cp ../mods-available/eap ../mods-available/eap.org
+sed -i -e 's/.*private_key_password.*/private_key_password = '$srvpass'/' ../mods-available/eap
+sed -i -e 's/.*ca_file = ${cadir}\/ca.pem.*/#ca_file = ${cadir}\/ca.pem/' ../mods-available/eap
+sed -i -e 's/.*check_crl =.*/check_crl = yes/' ../mods-available/eap
+sed -i -e 's/.*ca_path = ${cadir}.*/ca_path = ${cadir}\/CA/' ../mods-available/eap
+sed -i -e 's/.*check_cert_cn = %{User-Name}.*/check_cert_cn = %{User-Name}/' ../mods-available/eap
+
+
diff --git a/modules/gpio/html/gpio_trigger.php b/modules/gpio/html/gpio_trigger.php
index 576560de4..849b1a34f 100755
--- a/modules/gpio/html/gpio_trigger.php
+++ b/modules/gpio/html/gpio_trigger.php
@@ -80,12 +80,13 @@ ?>
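Review bot: The `cd /usr/local/etc/raddb/certs/` at the top of the hunk is unchecked and the script has no `set -e`, so if that directory is absent the later `rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*` and `rm -rf CA` run in the caller's current directory; change it to `cd /usr/local/etc/raddb/certs/ || exit 1` (EAP_TLS_client and EAP_TLS_revoke start with the same unguarded `cd`). The CA password is handed to `openssl ca` as `-key $capass` on the command line, where any local user can read it from the process list while the command runs; `openssl ca` accepts `-passin env:CAPASS` or `-passin file:<path>` instead, and EAP_TLS_revoke passes it the same way on two lines. The unquoted `'$capass'` and `'$srvpass'` splices into the sed expressions are only safe because `tr -dc 'a-zA-Z0-9'` restricts the character set, which deserves a comment such as `# passwords are [A-Za-z0-9] only, so they can be spliced into sed unquoted`. The `capass=$(grep output_password ca.cnf ...)` line in the `# default CLR` section re-reads a value the variable already holds, so it is either redundant or (if the intent is to support re-runs) should replace the earlier random generation rather than duplicate it.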
diff --git a/modules/radius/EAP_TLS_client b/modules/radius/EAP_TLS_client
new file mode 100755
index 000000000..19a684547
--- /dev/null
+++ b/modules/radius/EAP_TLS_client
@@ -0,0 +1,39 @@
+#! /bin/bash
+
+user="$1"
+mail="$2"
+days="$3"
+
+if [[ ! -n "$user" || ! -n "$mail" ]]; then
+ echo "No user or email or days"
+ echo "ex. client test test@test.com 365"
+ exit 0
+fi
+
+cd /usr/local/etc/raddb/certs
+mkdir -p users/$user
+
+clientfile=client.cnf
+pass=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)
+
+if [ -n "$days" ]; then
+sed -i -e '/\[ CA_default \]/,/^\[/ s/.*default_days.*/default_days = '$days'/' $clientfile
+fi
+
+sed -i -e '/\[ req \]/,/^\[/ s/.*input_password.*/input_password = '$pass'/' $clientfile
+sed -i -e '/\[ req \]/,/^\[/ s/.*output_password.*/output_password = '$pass'/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*emailAddress.*/emailAddress = '$mail'/' $clientfile
+sed -i -e '/\[client\]/,/^\[/ s/.*commonName.*/commonName = '$user'/' $clientfile
+
+make client
+
+openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$pass -passout pass:$pass -name "RADIUS Nettemp"
+
+
+mv client.p12 users/$user/export.p12
+mv client.pem users/$user/$user.pem
+rm $mail.pem
+echo "$pass" > users/$user/pass.txt
+
+
+/var/www/nettemp/modules/mail/mail_test $mail "WiFi certificate form RADIUS " "This is Your certificate file and export password: $(cat users/$user/pass.txt)" users/$user/export.p12
\ No newline at end of file
diff --git a/modules/radius/EAP_TLS_revoke b/modules/radius/EAP_TLS_revoke
new file mode 100755
index 000000000..649ed5830
--- /dev/null
+++ b/modules/radius/EAP_TLS_revoke
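Review bot: `user` and `mail` are taken straight from argv and used both as path components (`mkdir -p users/$user`, `mv client.pem users/$user/$user.pem`, `rm $mail.pem`) and as unquoted sed replacement text (`commonName = '$user'`, `emailAddress = '$mail'`), so a value containing `/`, `..`, `&` or whitespace either breaks the sed expression or writes outside the users/ directory; since the script is invoked from the web module, both should be validated before first use, and the usage path should exit non-zero rather than `exit 0`, which reports success to the caller. `days` is spliced into sed the same way and should be checked to be numeric. Separately, the PKCS#12 export password is stored in clear in `users/$user/pass.txt` and sent in the same mail as the .p12 it protects, so it adds no protection in transit; delivering it out of band, or at least removing pass.txt once the mail has been sent, would be worth considering.

```shell
user="$1"
mail="$2"
days="$3"

# These values become path components and sed replacement text, so accept
# only a conservative character set and reject any ".." segment.
if [[ ! "$user" =~ ^[A-Za-z0-9_.-]+$ || "$user" == *..* ]]; then
  echo "invalid user name: $user" >&2
  exit 1
fi
if [[ ! "$mail" =~ ^[A-Za-z0-9_.+-]+@[A-Za-z0-9.-]+$ ]]; then
  echo "invalid email address: $mail" >&2
  exit 1
fi
if [[ -n "$days" && ! "$days" =~ ^[0-9]+$ ]]; then
  echo "days must be a number: $days" >&2
  exit 1
fi
# … unchanged: cd into raddb/certs, mkdir, password generation, sed edits, make client, export and mail …
```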
@@ -0,0 +1,15 @@
+#! /bin/bash
+
+cd /usr/local/etc/raddb/certs
+
+user="users/$1/$1.pem"
+name="$1"
+
+capass=$(grep output_password ca.cnf | sed 's/.*=//;s/^ *//')
+
+openssl ca -revoke $user -keyfile ca.key -key $capass -cert ca.pem -config ./ca.cnf
+openssl ca -gencrl -keyfile ca.key -key $capass -cert ca.pem -out CA/crl.pem -config ./ca.cnf
+
+rm CA/ca.pem
+cp ca.pem CA/
+c_rehash CA/
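Review bot: `$1` is used unvalidated to build `users/$1/$1.pem`, so a name containing `/` or `..` points `openssl ca -revoke` at an arbitrary file; check it before use, `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ && "$1" != *..* ]] || { echo "invalid user name" >&2; exit 1; }`. Nothing checks that the revoke succeeded before the CRL is regenerated, and the script's exit status never reflects it, so a failed revoke leaves the certificate valid while the caller sees success; add `set -e` after the shebang or `|| exit 1` on the `openssl ca -revoke` line. `name="$1"` is assigned but never read and can be dropped, and `$user` should be quoted where it is passed to `-revoke`.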