From f4477d35e51b617bd12cb1098ec7e85d74fa4234 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Severin=20Sch=C3=BCller?= Date: Sun, 14 Jul 2024 15:39:33 +0200 Subject: [PATCH 1/2] Add option to enable EAP-PWD --- .../mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml | 6 ++++++ .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml | 5 +++++ .../service/templates/OPNsense/Freeradius/mods-enabled-eap | 6 ++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml index 8438620895..c08096e418 100644 --- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml @@ -29,6 +29,12 @@ dropdown Choose the certificate the Radius service should use. + + eap.enable_pwd + + checkbox + This enables EAP-PWD authentication + eap.crl diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml index c44c58ed39..938dec301d 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml @@ -9,6 +9,7 @@ N MD5 + PWD MSCHAPv2 PEAP TLS @@ -36,6 +37,10 @@ cert N + + 0 + Y + crl N diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap index 954edf8b66..5cd17ca02a 100644 --- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap +++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap 
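Review bot: The Eap.xml model hunk adds `PWD` to what appears to be the EAP type option list (next to MD5, MSCHAPv2, PEAP, TLS) while the `pwd { }` stanza in the template is emitted only when `enable_pwd` is '1', so an administrator can select PWD there with the checkbox unchecked and FreeRADIUS would be handed an EAP type that has no configured sub-module, which I would expect it to reject at startup (FreeRADIUS behaviour, not visible in this patch). Either add a model or controller validation that requires `enable_pwd` when PWD is chosen, or have the template render the stanza whenever either setting asks for it. The XML tags are stripped in this rendering, so I cannot confirm the element type of `enable_pwd`; it needs to be a BooleanField for the template's `== '1'` comparison to hold.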
@@ -87,9 +87,10 @@ eap { } +{% if OPNsense.freeradius.eap.enable_pwd == '1' %} # EAP-pwd -- secure password-based authentication # - #pwd { + pwd { # group = 19 # server_id = theserver@example.com @@ -106,7 +107,8 @@ eap { # no User-Password, CHAP-Password, EAP-Message, etc. # # virtual_server = "inner-tunnel" - #} + } +{% endif %} # Cisco LEAP From 8aeaf2d31328967fe046a9367c1342fb130a5d25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Severin=20Sch=C3=BCller?= Date: Sun, 14 Jul 2024 16:32:38 +0200 Subject: [PATCH 2/2] also make server_id configurable --- .../mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml | 5 +++++ .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml | 4 ++++ .../service/templates/OPNsense/Freeradius/mods-enabled-eap | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml index c08096e418..a65e34bcca 100644 --- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml @@ -35,6 +35,11 @@ checkbox This enables EAP-PWD authentication + + eap.pwd_serverid + + text + eap.crl diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml index 938dec301d..6fca941fc6 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml @@ -41,6 +41,10 @@ 0 Y + + theserver@example.com + Y + crl N diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap index 5cd17ca02a..82577438a2 100644 
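Review bot: The `pwd_serverid` field added in the second patch's Eap.xml hunk carries the placeholder default `theserver@example.com` and, as far as the tag-stripped XML shows, no validation mask, yet its value is interpolated verbatim into the `pwd { }` stanza of mods-enabled-eap by the following hunk. A value containing whitespace, a quote, `}` or a newline would alter the structure of the generated FreeRADIUS configuration, so the model should constrain it, e.g. `<Mask>/^[a-zA-Z0-9._@-]+$/u</Mask>`, and the template should render it as `server_id = "{{ OPNsense.freeradius.eap.pwd_serverid }}"`. The form entry for `eap.pwd_serverid` also shows no label or help text, unlike `eap.enable_pwd`; it should say this is the EAP-PWD server identity and, since the field is already Required, consider shipping an empty default so the administrator must replace the example value.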
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap +++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap @@ -93,7 +93,7 @@ eap { pwd { # group = 19 - # server_id = theserver@example.com + server_id = {{ OPNsense.freeradius.eap.pwd_serverid }} # This has the same meaning as for TLS. #