diff --git a/src/Database/Migrations/2024-01-21-223112_create_radius_tables.php b/src/Database/Migrations/2024-01-21-223112_create_radius_tables.php
index d7c3bce..6204182 100644
--- a/src/Database/Migrations/2024-01-21-223112_create_radius_tables.php
+++ b/src/Database/Migrations/2024-01-21-223112_create_radius_tables.php
@@ -15,8 +15,13 @@ class CreateRadiusTables extends Migration
     public function __construct(?Forge $forge = null)
     {
-        $this->tables = setting('FreeRadius.tables');
-        $this->db = db_connect(setting('FreeRadius.database'));
+        $this->tables = setting('FreeRadius.tables');
+
+        if (ENVIRONMENT === 'development') {
+            $this->DBGroup = setting('FreeRadius.database');
+        }
+
+        $this->db = db_connect(setting('FreeRadius.database'));
 
         parent::__construct($forge);
diff --git a/src/Enums/Attribute.php b/src/Enums/Attribute.php
index d50ad67..b3ce97a 100644
--- a/src/Enums/Attribute.php
+++ b/src/Enums/Attribute.php
@@ -107,6 +107,25 @@ enum Attribute: string
      */
     case MSSecondaryDNSServer = 'MS-Secondary-DNS-Server';
 
+    /**
+     * The Mikrotik-Group Attribute is used to assign a user to a specific group in Mikrotik RouterOS.
+     * More information: https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/Group_Handling
+     */
+    case MikrotikGroup = 'Mikrotik-Group';
+
+    // The Fortinet-Class Attribute is used to assign a user to a specific class in FortiGate.
+    case FortinetClass = 'Class';
+
+    /**
+     * The Fortinet-Group-Name Attribute is used to assign a user to a specific group in FortiGate.
+     */
+    case FortinetGroupName = 'Fortinet-Group-Name';
+
+    /**
+     * The Fortinet-Access-Profile Attribute defines access profile settings for the user in FortiGate.
+     */
+    case FortinetAccessProfile = 'Fortinet-Access-Profile';
+
     /**
      * Returns an array of dropdown values.
      */
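Review bot: The development-only branch reads `setting('FreeRadius.database')` here but `setting('FreeRadius.DBGroup')` in the matching hunk of src/Models/BaseModel.php, so the migration and the models can resolve to different connection groups from the same configuration; one of the two keys is presumably a typo and both constructors should read the same key. The same value is passed to db_connect() two lines below, and if the CodeIgniter parent constructor re-derives $this->db from $DBGroup when that property is set (as I recall it does; verify against the installed framework version), the explicit db_connect() becomes redundant in development while remaining the only connection path elsewhere, so migrations would silently behave differently per environment. Gating the connection choice on ENVIRONMENT deserves a comment stating the intent, e.g. `// Only override DBGroup in development; other environments rely solely on the explicit db_connect() below.` The constructor's closing brace lies outside the hunk.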
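Review bot: `case FortinetClass = 'Class';` is backed by the standard RADIUS Class attribute (RFC 2865, attribute 25), not a Fortinet vendor-specific attribute, so the case name and its `//` comment misdescribe it; the three other new cases use `/** */` docblocks and this one should match. Because a backed enum cannot hold two cases with the same value, naming the generic attribute after one vendor also blocks ever adding a plain `Class` case later. Suggested docblock: `/** Standard RADIUS Class attribute (RFC 2865 §5.25). FortiGate uses it for class/group mapping; the NAS treats it as opaque and echoes it back in Accounting-Request packets. */`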
@@ -124,34 +143,38 @@ public static function getDropdownValues(): array
     public function toDescription(): string
     {
         return match ($this) {
-            self::NasIpAddress => lang('FreeRadius.attributeDescription.nasIpAddress'),
-            self::CleartextPassword => lang('FreeRadius.attributeDescription.cleartextPassword'),
-            self::FallThrough => lang('FreeRadius.attributeDescription.fallThrough'),
-            self::SimultaneousUse => lang('FreeRadius.attributeDescription.simultaneousUse'),
-            self::ServiceType => lang('FreeRadius.attributeDescription.serviceType'),
-            self::FramedIPAddress => lang('FreeRadius.attributeDescription.framedIPAddress'),
-            self::FramedIPNetmask => lang('FreeRadius.attributeDescription.framedIPNetmask'),
-            self::FramedProtocol => lang('FreeRadius.attributeDescription.framedProtocol'),
-            self::FramedMTU => lang('FreeRadius.attributeDescription.framedMTU'),
-            self::CiscoAVPair => lang('FreeRadius.attributeDescription.ciscoAVPair'),
-            self::CiscoNASPort => lang('FreeRadius.attributeDescription.ciscoNASPort'),
-            self::CiscoFramedRoute => lang('FreeRadius.attributeDescription.ciscoFramedRoute'),
-            self::AcctAuthentic => lang('FreeRadius.attributeDescription.acctAuthentic'),
-            self::AcctTerminateCause => lang('FreeRadius.attributeDescription.acctTerminateCause'),
-            self::AcctOutputOctets => lang('FreeRadius.attributeDescription.acctOutputOctets'),
-            self::AcctInterval => lang('FreeRadius.attributeDescription.acctInterval'),
-            self::AcctSessionId => lang('FreeRadius.attributeDescription.acctSessionId'),
-            self::AcctUniqueId => lang('FreeRadius.attributeDescription.acctUniqueId'),
-            self::AcctStartTime => lang('FreeRadius.attributeDescription.acctStartTime'),
-            self::AcctUpdateTime => lang('FreeRadius.attributeDescription.acctUpdateTime'),
-            self::AcctStopTime => lang('FreeRadius.attributeDescription.acctStopTime'),
-            self::AcctSessionTime => lang('FreeRadius.attributeDescription.acctSessionTime'),
-            self::NasPortId => lang('FreeRadius.attributeDescription.nasPortId'),
-            self::NasPortType => lang('FreeRadius.attributeDescription.nasPortType'),
-            self::AcctInputOctets => lang('FreeRadius.attributeDescription.acctInputOctets'),
-            self::CiscoServiceInfo => lang('FreeRadius.attributeDescription.ciscoServiceInfo'),
-            self::MSPrimaryDNSServer => lang('FreeRadius.attributeDescription.msPrimaryDNSServer'),
-            self::MSSecondaryDNSServer => lang('FreeRadius.attributeDescription.msSecondaryDNSServer'),
+            self::NasIpAddress => lang('FreeRadius.attributeDescription.nasIpAddress'),
+            self::CleartextPassword => lang('FreeRadius.attributeDescription.cleartextPassword'),
+            self::FallThrough => lang('FreeRadius.attributeDescription.fallThrough'),
+            self::SimultaneousUse => lang('FreeRadius.attributeDescription.simultaneousUse'),
+            self::ServiceType => lang('FreeRadius.attributeDescription.serviceType'),
+            self::FramedIPAddress => lang('FreeRadius.attributeDescription.framedIPAddress'),
+            self::FramedIPNetmask => lang('FreeRadius.attributeDescription.framedIPNetmask'),
+            self::FramedProtocol => lang('FreeRadius.attributeDescription.framedProtocol'),
+            self::FramedMTU => lang('FreeRadius.attributeDescription.framedMTU'),
+            self::CiscoAVPair => lang('FreeRadius.attributeDescription.ciscoAVPair'),
+            self::CiscoNASPort => lang('FreeRadius.attributeDescription.ciscoNASPort'),
+            self::CiscoFramedRoute => lang('FreeRadius.attributeDescription.ciscoFramedRoute'),
+            self::AcctAuthentic => lang('FreeRadius.attributeDescription.acctAuthentic'),
+            self::AcctTerminateCause => lang('FreeRadius.attributeDescription.acctTerminateCause'),
+            self::AcctOutputOctets => lang('FreeRadius.attributeDescription.acctOutputOctets'),
+            self::AcctInterval => lang('FreeRadius.attributeDescription.acctInterval'),
+            self::AcctSessionId => lang('FreeRadius.attributeDescription.acctSessionId'),
+            self::AcctUniqueId => lang('FreeRadius.attributeDescription.acctUniqueId'),
+            self::AcctStartTime => lang('FreeRadius.attributeDescription.acctStartTime'),
+            self::AcctUpdateTime => lang('FreeRadius.attributeDescription.acctUpdateTime'),
+            self::AcctStopTime => lang('FreeRadius.attributeDescription.acctStopTime'),
+            self::AcctSessionTime => lang('FreeRadius.attributeDescription.acctSessionTime'),
+            self::NasPortId => lang('FreeRadius.attributeDescription.nasPortId'),
+            self::NasPortType => lang('FreeRadius.attributeDescription.nasPortType'),
+            self::AcctInputOctets => lang('FreeRadius.attributeDescription.acctInputOctets'),
+            self::CiscoServiceInfo => lang('FreeRadius.attributeDescription.ciscoServiceInfo'),
+            self::MSPrimaryDNSServer => lang('FreeRadius.attributeDescription.msPrimaryDNSServer'),
+            self::MSSecondaryDNSServer => lang('FreeRadius.attributeDescription.msSecondaryDNSServer'),
+            self::MikrotikGroup => lang('FreeRadius.attributeDescription.mikrotikGroup'),
+            self::FortinetClass => lang('FreeRadius.attributeDescription.fortinetClass'),
+            self::FortinetGroupName => lang('FreeRadius.attributeDescription.fortinetGroupName'),
+            self::FortinetAccessProfile => lang('FreeRadius.attributeDescription.fortinetAccessProfile'),
         };
     }
diff --git a/src/Language/en/FreeRadius.php b/src/Language/en/FreeRadius.php
index e7f0e29..e048cbf 100644
--- a/src/Language/en/FreeRadius.php
+++ b/src/Language/en/FreeRadius.php
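Review bot: `self::FortinetClass => lang('FreeRadius.attributeDescription.fortinetClass')` and the `fortinetAccessProfile` arm two lines below reference keys that the src/Language/en/FreeRadius.php hunk in this commit does not define: that file adds `fortinetAcccessProfile` (three c's) and no `fortinetClass` entry at all, so both arms would surface the raw key string instead of a description if lang() falls back to the key as CodeIgniter's does. Fix the language file to `'fortinetAccessProfile' => …` and add a `'fortinetClass' => …` entry. The same key/case mismatch already exists for `msPrimaryDNSServer`/`msSecondaryDNSServer` here versus `msPrimaryDnsServer`/`msSecondaryDnsServer` in the language file, which this commit carries over unchanged. A test that iterates Attribute::cases() and asserts toDescription() never returns a string starting with `FreeRadius.` would catch all four.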
@@ -6,42 +6,45 @@
         'accessReject' => 'Access-Reject',
     ],
     'attributeDescription' => [
-        'nasIpAddress' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.',
-        'nasPortType' => 'TODO',
-        'nasPortId' => 'TODO',
-        'cleartextPassword' => 'TODO',
-        'fallThrough' => 'The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.',
-        'simultaneousUse' => 'This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected. ',
-        'serviceType' => 'This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated. When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service. ',
-        'framedIPAddress' => 'This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint. The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user\'s IP. ',
-        'framedIPNetmask' => 'This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.',
-        'framedProtocol' => 'This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. ',
-        'framedMTU' => 'This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.',
-        'ciscoAVPair' => 'Cisco-AVPair allows Vendor-Specific information to be carried in RADIUS packets.',
-        'ciscoNASPort' => 'Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer.',
-        'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. This attribute is access-request packets.',
-        'ciscoServiceInfo' => 'Cisco-Service-Info provides information about the service parameters for Cisco devices.',
-        'acctUniqueId' => 'TODO',
-        'acctInterval' => 'TODO',
-        'acctStopTime' => 'TODO',
-        'acctUpdateTime' => 'TODO',
-        'acctStartTime' => 'TODO',
-        'acctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.',
-        'acctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.',
-        'acctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.',
-        'acctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.',
-        'acctOutputGigawords' => 'TODO',
-        'acctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.',
-        'acctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.',
-        'acctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
-        'acctTunnelConnection' => 'TODO',
-        'acctTunnelPacketsLost' => 'TODO',
-        'msPrimaryDnsServer' => 'The MS-Primary-DNS-Server Attribute is used to indicate the address of the primary Domain Name Server (DNS) server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
-        'msSecondaryDnsServer' => 'The MS-Secondary-DNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+        'nasIpAddress' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.',
+        'nasPortType' => 'TODO',
+        'nasPortId' => 'TODO',
+        'cleartextPassword' => 'TODO',
+        'fallThrough' => 'The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.',
+        'simultaneousUse' => 'This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected. ',
+        'serviceType' => 'This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated. When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service. ',
+        'framedIPAddress' => 'This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint. The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user\'s IP. ',
+        'framedIPNetmask' => 'This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.',
+        'framedProtocol' => 'This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. ',
+        'framedMTU' => 'This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.',
+        'ciscoAVPair' => 'Cisco-AVPair allows Vendor-Specific information to be carried in RADIUS packets.',
+        'ciscoNASPort' => 'Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer.',
+        'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. This attribute is access-request packets.',
+        'ciscoServiceInfo' => 'Cisco-Service-Info provides information about the service parameters for Cisco devices.',
+        'acctUniqueId' => 'TODO',
+        'acctInterval' => 'TODO',
+        'acctStopTime' => 'TODO',
+        'acctUpdateTime' => 'TODO',
+        'acctStartTime' => 'TODO',
+        'acctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.',
+        'acctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.',
+        'acctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.',
+        'acctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.',
+        'acctOutputGigawords' => 'TODO',
+        'acctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.',
+        'acctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.',
+        'acctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+        'acctTunnelConnection' => 'TODO',
+        'acctTunnelPacketsLost' => 'TODO',
+        'msPrimaryDnsServer' => 'The MS-Primary-DNS-Server Attribute is used to indicate the address of the primary Domain Name Server (DNS) server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+        'msSecondaryDnsServer' => 'The MS-Secondary-DNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+        'mikrotikGroup' => 'This attribute is used to assign a user to a group in Mikrotik routers.',
+        'fortinetGroupName' => 'This attribute is used to assign a user to a group in Fortinet routers.',
+        'fortinetAcccessProfile' => 'This attribute is used to assign a user to an access profile in Fortinet routers.',
     ],
 ];
diff --git a/src/Models/BaseModel.php b/src/Models/BaseModel.php
index 14668be..dd1f918 100644
--- a/src/Models/BaseModel.php
+++ b/src/Models/BaseModel.php
@@ -13,8 +13,13 @@ class BaseModel extends Model
     public function __construct()
     {
-        $this->tables = setting('FreeRadius.tables');
-        $this->db = db_connect(setting('FreeRadius.database'));
+        $this->tables = setting('FreeRadius.tables');
+
+        if (ENVIRONMENT === 'development') {
+            $this->DBGroup = setting('FreeRadius.DBGroup');
+        }
+
+        $this->db = db_connect(setting('FreeRadius.database'));
 
         parent::__construct();
     }
 }