ucentral: development update

* add freeradius wrapper package for gateway images
* pass version and hash in the firmware field
* update ucode to latest HEAD

Signed-off-by: John Crispin <john@phrozen.org>

feeds/tip/tip-defaults/files/etc/init.d/tip-version

@@ -3,5 +3,7 @@
 START=80
 
 boot() {
-	cat /etc/openwrt_release | grep DISTRIB_TIP= | cut -d\' -f2 > /tmp/ucentral.version
+	HASH=$(cat /etc/openwrt_release | grep DISTRIB_TIP= | cut -d\' -f2)
+	VERSION=$(cat /etc/openwrt_release | grep DISTRIB_TIP_VERSION= | cut -d\' -f2)
+	echo "$VERSION-$HASH" > /tmp/ucentral.version
 }

feeds/ucentral/ucentral-freeradius/Makefile

@@ -0,0 +1,34 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ucentral-freeradius
+PKG_RELEASE:=1
+
+PKG_MAINTAINER:=John Crispin <john@phrozen.org>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ucentral-freeradius
+  SECTION:=ucentral
+  CATEGORY:=uCentral
+  TITLE:=ucentral-freeradius cfg wrapper
+  DEPENDS:=+freeradius3-mod-eap +freeradius3-mod-files
+endef
+
+define Package/ucentral-freeradius/description
+	Allow Wireless client rate limiting
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Compile/Default
+
+endef
+Build/Compile = $(Build/Compile/Default)
+
+define Package/ucentral-freeradius/install
+	$(CP) ./files/* $(1)
+endef
+
+$(eval $(call BuildPackage,ucentral-freeradius))

feeds/ucentral/ucentral-freeradius/files/etc/config/radiusd

@@ -0,0 +1,8 @@
+config client
+	option name uCentral
+	option ipaddr *
+	option secret secret
+
+config user
+	option username	test
+	option password example

feeds/ucentral/ucentral-freeradius/files/etc/default/radiusd

@@ -0,0 +1 @@
+OPTIONS="-d /etc/freeradius3-ucentral"

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/certs/ca.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5DCCA8ygAwIBAgIJALUPlXk37qsqMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
+VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT
+BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs
+ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+DTIxMDUwNTAyMTMxNloXDTIyMDUwNTAyMTMxNlowgZMxCzAJBgNVBAYTAkZSMQ8w
+DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh
+bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG
+A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCi3jwwRL0/sg24rhZ4/s45PwaZn1v7nxJrItvO
+W6wgPBsOp0gwEeybV6tmw7+R5n1IYPFV1AVz1XckfH459pbxRNPJok7BFCO6Oa0r
+p2U/rJdXCPKR0Sy2yHEw5ooWraPE6O9swCGv4YjFLTmAsQL2+PRs538ng6s6jYaA
+Ju9ZKDf7Eic9RFMkudN75KYjaXKDOUVKvMIDW3Jb+MD2iLg8nTbkYdFaUif+zNNU
+g47svkNRKFlckrYSPU0odC1MMTRzxkirl35NGEi1I+TcXcFhkPH53I9WTxfI7mmq
+bKQ75i8HJuDKxBbYIOXXnPRYz76G6weHMg4lTXTlod5FgEN5AgMBAAGjggE3MIIB
+MzAdBgNVHQ4EFgQU4XyrFousF2fZ9vdcMWBuhPJhlawwgcgGA1UdIwSBwDCBvYAU
+4XyrFousF2fZ9vdcMWBuhPJhlayhgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQ8wDQYD
+VQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBs
+ZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UE
+AwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQC1D5V5N+6rKjAPBgNV
+HRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBs
+ZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBAI+nEdd9G7VI
+xLlvFE8B49CjYX1Bbn3dxbSmpcF0SPG49ZnjH1H54y7ab64nWOMVxrwDurqdo0z9
+dNuazYD0WeAKoHOW5/CJ0LCuZ5AJIAvxrUpeoSF7SnycjzKx9UwGfXQxrYvykuM4
+ihpq2c41ezLtKxRnvBSDMJPWGx1jBKDjEtu1K7IAxhL20L2MCNRE6ut96g2KtEdG
+4hHyM42QelCalJgXfLzp1bsl75k7dMy9Bj3Qbq6nc1+egdQG2dDNJkcHgwTkEmDf
+DTWtEkZlkRrQPqgs6TANxR594flikBx/2sOmfRxfhuq8p1wW/7B5hHjLVi7AGLBS
+toZcDP6CBn8=
+-----END CERTIFICATE-----

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/certs/dh

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAw6U9O9lNo45nVpheg8+DLoGQDvs7kTPHn/I3mxLWUDsWE6QghUhS
+TX2pvkZDzSsWGHKMz7vJm3h2C8p7R3nhAI/LX1iCZkGKYvCsR7pHhCSujFtGiBqc
+XeXE5j2pQpB9G6UFql+7gqRSV+mw4MckoR1bqI1W4ibH/vnAOJOVq8PQucMITsqY
+JIhFJdVMJRIR5rPfZnaGdeokljE1tnK5/ycWfjYGp2fBLbTqGu7G7LSvzb8+VttF
+nVTDbbdp1LBQzxYj0a0MS54jLOxxDKM0C/HVn71hMnLTakASGu3qcMkMwuiLzX1i
+MNMsi7dYnGWXA1AcICag61CYqlJ3AccMgwIBAg==
+-----END DH PARAMETERS-----

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/certs/server.pem

@@ -0,0 +1,61 @@
+Bag Attributes
+    localKeyID: AB 3D 8E E1 1B 78 0B 8E 15 2B 3F A7 E7 D3 B4 B8 7A 91 94 89 
+subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org
+issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
+-----BEGIN CERTIFICATE-----
+MIID9DCCAtygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCRlIx
+DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
+eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
+JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMTA1MDUw
+MjEzMTZaFw0yMjA1MDUwMjEzMTZaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
+YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
+ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
+b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxEqpvZdH9B6iMpI2
+b5titfABWy6aaI6SYHna8TS5FF/i/xzjyhGmEQ2S38aHECw1dxYuKOGuvNcABVWu
+WmakdFwcTFkPRg7RSQBgktWCVfkPRukQ8roMS9by9rbRdtT0VeC229WigWzUNiuA
+BrtJCDMdzdbh2bNBCKXpxsx9yI5bv1ZdlRmixyA4XE4wseGFy1RZaCEZ56aiF0M1
+q5slld4L3vfDFPSAQhk87G0jw+HipO6q51X8zCwwySAYbdqErUxLOHCL1rIO3Im5
+46dspVyEMperT6kVM2cxFpphPUvHdiDhwxT/fWomzXA1ElvMKg6se1En5HVip9dn
+i1mjmQIDAQABo2kwZzATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAtMCug
+KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMBgGA1Ud
+IAQRMA8wDQYLKwYBBAGCvmgBAwIwDQYJKoZIhvcNAQELBQADggEBAFynmC8gLhmc
+Y/GeSg35LBNapllIns8lnneF/D3fJ0JrlkYUGH8I6nQiH5838J235omkjue2hyy8
+w40NQqL5N5wv29gUhbRJgNxEBg0CcWP9gfT/H54gdrhiewfspyxApyLQVuGqf2px
+Ba6STD41jnvGVf1L7WB0MueypxD0hTb6vgQjbcp+2yBUWyR2RhFVMcrdbmJFRdwF
+aui4gksF2UWSsXhmy88tc0Xw4svbR+sepQhIidYg3U0qVh6iaXrds7LqNo6XAfn3
+ss+lc0efkX6UOg4gQNhO9RMAYi9ONbw0x8xgdjKAQLbvEmT+nbFu82DkhuwxjRIE
+a89fVn5xduo=
+-----END CERTIFICATE-----
+Bag Attributes
+    localKeyID: AB 3D 8E E1 1B 78 0B 8E 15 2B 3F A7 E7 D3 B4 B8 7A 91 94 89 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIaErHBLSTVqECAggA
+MBQGCCqGSIb3DQMHBAgcNkbiAf7DVgSCBMjDeGJkfFxUKTEfRzyUvh8Y8ij62IgR
+r+SmuQadDNoIzVv0sPbAkUVRB/NA/zYkwfrF4CWNdT+S9LvpnrMGsncjrxWZUu2J
+PmUxddJa/TCHCQ0BM+Cw6EktOVhb9kiXCANH1sf/3AtoU7x89CrHAyMAyBRc6MIo
+m94CEczqkLKt9TAdsEw87rgBjIN1PDaHJjC3sl6nvqACuibd8OiiL8V0Fv1isjYK
+daxfZCWLuvW42OJ2pt4bIwS6VBbkJrIPsFJUUSgkpXUVniB/mtgaxafU3FpR5jU8
+kbUAjjQAqrvj8AL6fjzTbZsOHWOz0wo/5wt9HebqwoopCvUNTPOaNZ5pKYC2FWB0
+Eh4sIShq9qdAASjEgt6vJGiTO6OBVx6AxrtKUGPj4NFNkhQy4Frpy22qRcX5fd9T
+QNP7hEWkPLGxRzxtxuYCVHu7Uwk99OA1xsaLx+2RttfbPThKxTXJa6OZHAZBVa14
+1kcFRBJbK0O6r4ni5dR7/SdcnuSj1yJusdcU5Fgdn+8F5J7qPB+Pr59EIxLRraL8
+8KvpAYunGPhR71FnxmWXbXRl0IEwvtJ+zsX4nfSDn0i9SNeGunBD2wtK6izq3dWw
+FRI4o5tGm8uA4bRD2am5NAZoEnuKqnfDpnqpHEakKBLC1QOhPvRqGWP/IdZC1bCy
+WF0KGjJYyQ1m638RzYaxfuUVZ3Vwm2YQTcixAfAdpGHkIRhc0cAuOEekSbftFTrV
+fRPKI0AFxVswJVsnUsnbyFcmSXaVkcVeDgRzcJ/4bQWOsLNdeJXozVd0zd0lxJf2
+rjVbbO056luwtdCN6G9d1OwIDk0H16lmcHkQ23Omvw45vCBhKcQiEEoCwsNSfJ/n
+vxvXgY2txvgt5WASNIwJmBsRUIbev6daV2zOKtfRFGNQh7PujwPKIglAWib8q05n
+sdUSQi77nRY0YHIP3Og9f+brZCxR0U4zylZa6NXlzo4nO+8GcrjYF6jxfXk179oK
+SOiqnCZ4K1EBDSJgWNexRrpNEdBW4JMfduV+BKIUUt4tieFL8CQMiO3/IATQzDSm
+ehyDPcXmc/DHiW4wt3fOkqy2huDReu6u7YPf6xUS+XiyLnPvWXIe9Y1ofvUjpCeS
+FAh+HBWaYLhOoO7Nj0/8MtOpeK0w4eUJvTCenwtBd9AnxLX55sY3/dRVtOZcOtwH
+FSBnTkEGs5yW/eNZI4DsKhHA7MmwbWaV9C8CgRnKoSQq+PvDGD3pq80NjJxz/l6X
+2uETwOPYgAjekQs7bZSB8P5xkzUT1zXCCsJBJFzIPOs5kvVG7BqwBbHbJUt/g1/1
+bOzCR53fzuq7dKnPyGSD8J8Y7dXdYPHYy4jqwMnDKqstahGlq4lE8rRcLvP47Z/v
+9+9Aa3hmmpTfkjVE+q99oZamK9zFWiWNhyeaNJuTXJaToW4Gj5h7d4T5xsBWwyhG
+JkZhbkMYlqp2zDxyW18wAznTVZutfu4Wx0Ot/JU3ye6BarJD/hWeOF51QD0fyrFV
+q5NX1CS/T8cO5mFTRqdqQXzXJaPKST4SSu0pDRrYLKnGuGrUQMVszjcv/TQkjs0u
+UbZJXNozsK9EXCrtokDSjMXzjob8t+MwzgU9AtzO7JnAa1jvLYq2ggODHOOCVRyz
+bO0=
+-----END ENCRYPTED PRIVATE KEY-----

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/clients.conf

@@ -0,0 +1,11 @@
+client 0.0.0.0/0 {
+        ipaddr = *
+        secret = uSyncRad1u5
+        require_message_authenticator = no
+        shortname = usync
+        limit {
+                max_connections = 16
+                lifetime = 0
+                idle_timeout = 30
+        }
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/dictionary

@@ -0,0 +1,49 @@
+#
+#	This is the local dictionary file which can be
+#	edited by local administrators.  It will be loaded
+#	AFTER the main dictionary files are loaded.
+#
+#	As of version 3.0.2, FreeRADIUS will automatically
+#	load the main dictionary files from
+#
+#		${prefix}/share/freeradius/dictionary
+#
+#	It is no longer necessary for this file to $INCLUDE
+#	the main dictionaries.  However, if the $INCLUDE
+#	line is here, nothing bad will happen.
+#
+#	Any new/changed attributes MUST be placed in this file.
+#	The pre-defined dictionaries SHOULD NOT be edited.
+#
+#	See "man dictionary" for documentation on its format.
+#
+#	$Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
+#
+
+#
+#	All local attributes and $INCLUDE's should go into
+#	this file.
+#
+
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them to the 'dictionary.local' file.
+#
+#	The numbers you pick should be between 3000 and 4000.
+#	These attributes will NOT go into a RADIUS packet.
+#
+#	If you want that, you will need to use VSAs.  This means
+#	requesting allocation of a Private Enterprise Code from
+#	http://iana.org.  We STRONGLY suggest doing that only if
+#	you are a vendor of RADIUS equipment.
+#
+#	See RFC 6158 for more details.
+#	http://ietf.org/rfc/rfc6158.txt
+#
+
+#
+#	These attributes are examples
+#
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/mods-config/files/accounting

@@ -0,0 +1 @@
+john	Cleartext-Password := "SuperGeheim"

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/mods-config/files/authorize

@@ -0,0 +1 @@
+john	Cleartext-Password := "SuperGeheim"

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/mods-enabled/eap

@@ -0,0 +1,13 @@
+eap {
+	default_eap_type = pwd
+	timer_expire = 60
+	ignore_unknown_eap_types = no
+	cisco_accounting_username_bug = no
+	max_sessions = ${max_requests}
+
+	pwd {
+		group = 19
+		server_id = theserver@example.com
+		fragment_size = 1020
+	}
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/mods-enabled/files

@@ -0,0 +1,5 @@
+files {
+	moddir = ${modconfdir}/${.:instance}
+	filename = ${moddir}/authorize
+	acctusersfile = ${moddir}/accounting
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/policy.d/accounting

@@ -0,0 +1,117 @@
+# We check for this prefix to determine whether the class
+# value was generated by this server.  It should be changed
+# so that it is globally unique.
+class_value_prefix = 'ai:'
+
+#
+#	Replacement for the old rlm_acct_unique module
+#
+acct_unique {
+	#
+	#  If we have a class attribute in the format
+	#  'auth_id:[0-9a-f]{32}' it'll have a local value
+	#  (defined by insert_acct_class), this ensures
+	#  uniqueness and suitability.
+	#
+	#  We could just use the Class attribute as
+	#  Acct-Unique-Session-Id, but this may cause problems
+	#  with NAS that carry Class values across between
+	#  multiple linked sessions.  So we rehash class with
+	#  Acct-Session-ID to provide a truely unique session
+	#  identifier.
+	#
+	#  Using a Class/Session-ID combination is more robust
+	#  than using elements in the Accounting-Request,
+	#  which may be subject to change, such as
+	#  NAS-IP-Address, Client-IP-Address and
+	#  NAS-Port-ID/NAS-Port.
+	#
+	#  This policy should ensure that session data is not
+	#  affected if NAS IP addresses change, or the client
+	#  roams to a different 'port' whilst maintaining its
+	#  initial authentication session (Common in a
+	#  wireless environment).
+	#
+	update request {
+	       &Tmp-String-9 := "${policy.class_value_prefix}"
+	}
+
+	if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \
+	    ("%{string:&Class}" =~ /^${policy.class_value_prefix}([0-9a-f]{32})/i)) {
+		update request {
+			&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
+		}
+	}
+
+	#
+	#  Not All devices respect RFC 2865 when dealing with
+	#  the class attribute, so be prepared to use the
+	#  older style of hashing scheme if a class attribute
+	#  is not included
+	#
+	else {
+		update request {
+			&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
+		 }
+	}
+}
+
+#
+#	Insert a (hopefully unique) value into class
+#
+insert_acct_class {
+	update reply {
+		&Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}"
+	}
+}
+
+#
+#	Merges Acct-[Input|Output]-Octets and Acct-[Input|Output]-Gigawords into Acct-[Input|Output]-Octets64
+#
+#	If the &Attr-Foo doesn't exist, it's value is taken as zero.
+#
+acct_counters64.preacct {
+	update request {
+		&Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}"
+		&Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}"
+	}
+}
+
+#
+#  There is a delay between sending the Access-Accept and receiving
+#  the corresponding Accounting-Request "start" packet.  This delay
+#  can be leveraged by a user to bypass Simultaneous-Use checks.
+#
+#  The user can start up multiple sessions at the same time.  When
+#  that happens, both Simultaneous-Use checks are performed before any
+#  Accounting-Request packet is received.  Both Simultaneous-Use
+#  checks will result in "no user session" in the radacct table, and
+#  both sessions will be allowed.  At some point later in time, the
+#  Accounting-Request packets are received.  But by then it's too
+#  late.
+#
+#  The solution is to insert a temporary session into the "radacct"
+#  table, during the "post-auth" section.  This is done by
+#  uncommenting the "sql_session_start" entry in
+#  sites-enabled/default.  Then, reading
+#  raddb/mods-config/sql/main/*/queries.conf, and looking for the
+#  "sql_session_start" comments.  Follow the instructions there to
+#  finalize the configuration.
+#
+#  The server will then create a temporary entry in "radacct" before
+#  it returns the Access-Request.  Any other Access-Request which is
+#  received at the same time will then have it's Simultaneous-Use
+#  check see that entry, and will be rejected.
+#
+#  Subsequent Accounting-Request packets for the first session will
+#  then UPDATE (not INSERT) the data for the session.
+#
+#  There is still a small race condition as the Simultaneous-Use
+#  checks are not done at the same time as updating radacct.  But the
+#  window of opportunity is much smaller.  i.e. milliseconds, instead
+#  of seconds.
+#
+sql_session_start.post-auth {
+	acct_unique
+	sql.accounting
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/policy.d/eap

@@ -0,0 +1,85 @@
+#
+#	Response caching to handle proxy failovers
+#
+Xeap.authorize {
+	cache_eap
+	if (ok) {
+		#
+		#	Expire previous cache entry
+		#
+		if (&control:State) {
+			update control {
+				&Cache-TTL := 0
+			}
+			cache_eap
+
+			update control {
+				&State !* ANY
+			}
+		}
+
+		handled
+	}
+	else {
+		eap.authorize
+	}
+}
+
+#
+#	Populate cache with responses from the EAP module
+#
+Xeap.authenticate {
+	eap {
+		handled = 1
+	}
+	if (handled) {
+		cache_eap.authorize
+
+		handled
+	}
+
+	cache_eap.authorize
+}
+
+#
+#       Forbid all EAP types.  Enable this by putting "forbid_eap"
+#       into the "authorize" section.
+#
+forbid_eap {
+	if (&EAP-Message) {
+		reject
+	}
+}
+
+#
+#       Forbid all non-EAP types outside of an EAP tunnel.
+#
+permit_only_eap {
+	if (!&EAP-Message) {
+		#  We MAY be inside of a TTLS tunnel.
+		#  PEAP and EAP-FAST require EAP inside of
+		#  the tunnel, so this check is OK.
+		#  If so, then there MUST be an outer EAP message.
+		if (!&outer.request || !&outer.request:EAP-Message) {
+			reject
+		}
+	}
+}
+
+#
+#       Remove Reply-Message from response if were doing EAP
+#
+#  Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should
+#  not be present in the same response.
+#
+remove_reply_message_if_eap {
+	if (&reply:EAP-Message && &reply:Reply-Message) {
+		update reply {
+			&Reply-Message !* ANY
+		}
+	}
+	else {
+		noop
+	}
+}
+

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/radiusd.conf

@@ -0,0 +1,62 @@
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = /var/log
+raddbdir = /etc/freeradius3
+radacctdir = /var/db/radacct
+name = radiusd
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir   = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+db_dir = ${raddbdir}
+libdir = /usr/lib/freeradius3
+pidfile = ${run_dir}/${name}.pid
+correct_escapes = true
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 16384
+hostname_lookups = no
+log {
+	destination = syslog
+	colourise = yes
+	syslog_facility = daemon
+	stripped_names = no
+	auth = no
+	auth_badpass = no
+	auth_goodpass = no
+	msg_denied = "You are already logged in - access denied"
+}
+
+checkrad = ${sbindir}/checkrad
+security {
+	allow_core_dumps = no
+	max_attributes = 200
+	reject_delay = 1
+	status_server = yes
+}
+
+proxy_requests  = no
+$INCLUDE clients.conf
+
+thread pool {
+	start_servers = 5
+	max_servers = 32
+	min_spare_servers = 3
+	max_spare_servers = 10
+	max_requests_per_server = 0
+	auto_limit_acct = no
+}
+
+modules {
+	$INCLUDE mods-enabled/
+}
+
+policy {
+	$INCLUDE policy.d/
+}
+
+$INCLUDE sites-enabled/

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/sites-enabled/default

@@ -0,0 +1,33 @@
+server default {
+
+listen {
+	type = auth
+	ipaddr = *
+	port = 0
+#	interface = eth0
+	limit {
+	      max_connections = 16
+	      lifetime = 0
+	      idle_timeout = 30
+	}
+}
+
+listen {
+	type = acct
+	ipaddr = *
+	port = 0
+#	interface = eth0
+}
+
+authorize {
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/sites-enabled/inner-tunnel

@@ -0,0 +1,19 @@
+server inner-tunnel {
+listen {
+       ipaddr = 127.0.0.1
+       port = 18120
+       type = auth
+}
+
+authorize {
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+}

feeds/ucentral/ucentral-freeradius/files/etc/freeradius3-ucentral/users

@@ -0,0 +1 @@
+john	Cleartext-Password := "SuperGeheim"

feeds/ucentral/ucentral-freeradius/files/etc/init.d/uradiusd

@@ -0,0 +1,16 @@
+#!/bin/sh /etc/rc.common
+
+START=49
+
+USE_PROCD=1
+PROG=/usr/libexec/ucentral-radiusd.sh
+
+service_triggers() {
+	procd_add_reload_trigger radiusd
+}
+
+start_service() {
+	procd_open_instance
+	procd_set_param command "$PROG"
+	procd_close_instance
+}

feeds/ucentral/ucentral-freeradius/files/usr/libexec/ucentral-radiusd.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+config_load radiusd
+
+user_add() {
+	config_get username $1 username
+	config_get password $1 password
+	[ -z "$username" -o -z "$password" ] && return
+	echo -e "$username\tCleartext-Password := \"$password\"" >> /etc/freeradius3-ucentral/mods-config/files/authorize
+	echo -e "$username\tCleartext-Password := \"$password\"" >> /etc/freeradius3-ucentral/mods-config/files/accounting
+}
+
+rm /etc/freeradius3-ucentral/mods-config/files/authorize
+rm /etc/freeradius3-ucentral/mods-config/files/accounting
+config_foreach user_add user
+
+client_add() {
+	config_get name $1 name
+	config_get secret $1 secret
+	config_get ipaddr $1 ipaddr "*"
+	config_get netmask $1 netmask 0
+	
+	echo "client $name {
+	ipaddr = $ipaddr
+	secret = $secret
+	require_message_authenticator = no
+	shortname = $name
+	limit {
+		max_connections = 16
+		lifetime = 0
+		idle_timeout = 30
+	}
+}
+" >> /etc/freeradius3-ucentral/clients.conf
+}
+
+rm /etc/freeradius3-ucentral/clients.conf
+config_foreach client_add client
+
+/etc/init.d/radiusd restart

feeds/ucentral/ucode/Makefile

@@ -13,7 +13,7 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=https://github.com/jow-/ucode.git
 PKG_SOURCE_DATE:=2021-03-15
-PKG_SOURCE_VERSION:=f360350bd874aeec0806c8df02c7a20a54c44406
+PKG_SOURCE_VERSION:=02629b84de23bdc5896ac4b357e2f16dfb3996ec
 PKG_MIRROR_HASH:=
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=ISC
@@ -26,6 +26,8 @@ include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 include $(INCLUDE_DIR)/version.mk
 
+CMAKE_OPTIONS+=-DFS_SUPPORT=1 -DMATH_SUPPORT=1 -DUBUS_SUPPORT=1 -DUCI_SUPPORT=1
+
 define Package/ucode/default
   SECTION:=utils
   CATEGORY:=Utilities
@@ -90,27 +92,27 @@ endef
 
 define Package/ucode/install
 	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ucode $(1)/usr/bin/ucode
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ipkg-install/usr/bin/ucode $(1)/usr/bin/ucode
 endef
 
 define Package/ucode-mod-fs/install
 	$(INSTALL_DIR) $(1)/usr/lib/ucode
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/fs.so $(1)/usr/lib/ucode/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ipkg-install/usr/lib/ucode/fs.so $(1)/usr/lib/ucode/
 endef
 
 define Package/ucode-mod-math/install
 	$(INSTALL_DIR) $(1)/usr/lib/ucode
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/math.so $(1)/usr/lib/ucode/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ipkg-install/usr/lib/ucode/math.so $(1)/usr/lib/ucode/
 endef
 
 define Package/ucode-mod-ubus/install
 	$(INSTALL_DIR) $(1)/usr/lib/ucode
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/ubus.so $(1)/usr/lib/ucode/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ipkg-install/usr/lib/ucode/ubus.so $(1)/usr/lib/ucode/
 endef
 
 define Package/ucode-mod-uci/install
 	$(INSTALL_DIR) $(1)/usr/lib/ucode
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/uci.so $(1)/usr/lib/ucode/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ipkg-install/usr/lib/ucode/uci.so $(1)/usr/lib/ucode/
 endef
 
 

feeds/ucentral/ucode/patches/000-fix.patch

@@ -1,13 +0,0 @@
-diff --git a/lib/uci.c b/lib/uci.c
-index 86bf247..3906b6b 100644
---- a/lib/uci.c
-+++ b/lib/uci.c
-@@ -706,7 +706,7 @@ uc_uci_pkg_command(struct uc_state *s, uint32_t off, struct json_object *args, e
- 	struct uci_element *e, *tmp;
- 	struct uci_package *p;
- 	struct uci_ptr ptr = {};
--	int rv, res = UCI_OK;
-+	int rv = 0, res = UCI_OK;
- 
- 	if (cmd != CMD_REVERT && conf)
- 		err_return(UCI_ERR_INVAL);

profiles/ucentral-gateway.yml

@@ -7,6 +7,7 @@ feeds:
     uri: https://git.openwrt.org/project/luci.git
 packages:
   - cgi-io
+  - freeradius3
   - liblucihttp
   - lua
   - luci-base
@@ -14,16 +15,15 @@ packages:
   - luci-mod-network
   - luci-mod-system
   - luci-theme-bootstrap
-  - freeradius3-utils
-  - freeradius3-mod-eap-pwd
-  - freeradius3-mod-eap-tls
   - openssl-util
+  - radsecproxy
   - rpcd
   - rpcd-mod-file
   - rpcd-mod-iwinfo
   - rpcd-mod-luci
   - rpcd-mod-rrdns
   - ucentralgw
+  - ucentral-freeradius
   - uhttpd
   - uhttpd-mod-ubus
 diffconfig: |