net/freeradius: Add option to enable EAP-PWD (#4093)

* Add option to enable EAP-PWD

* also make server_id configurable

net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml

@@ -29,6 +29,17 @@
         <type>dropdown</type>
         <help>Choose the certificate the Radius service should use.</help>
     </field>
+    <field>
+        <id>eap.enable_pwd</id>
+        <label>Enable EAP-PWD</label>
+        <type>checkbox</type>
+        <help>This enables EAP-PWD authentication</help>
+    </field>
+    <field>
+        <id>eap.pwd_serverid</id>
+        <label>EAP-PWD server id</label>
+        <type>text</type>
+    </field>
     <field>
         <id>eap.crl</id>
         <label>CRL</label>

net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml

@@ -9,6 +9,7 @@
             <Multiple>N</Multiple>
             <OptionValues>
                 <md5>MD5</md5>
+                <pwd>PWD</pwd>
                 <mschapv2>MSCHAPv2</mschapv2>
                 <peap>PEAP</peap>
                 <tls>TLS</tls>
@@ -37,6 +38,14 @@
             <Type>cert</Type>
             <Required>N</Required>
         </certificate>
+        <enable_pwd type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enable_pwd>
+        <pwd_serverid type="TextField">
+            <default>theserver@example.com</default>
+            <Required>Y</Required>
+        </pwd_serverid>
         <crl type="CertificateField">
             <Type>crl</Type>
             <Required>N</Required>

net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap

@@ -87,12 +87,13 @@ eap {
         }
 
 
+{% if OPNsense.freeradius.eap.enable_pwd == '1' %}
         #  EAP-pwd -- secure password-based authentication
         #
-        #pwd {
+        pwd {
         #        group = 19
 
-        #        server_id = theserver@example.com
+                server_id = {{ OPNsense.freeradius.eap.pwd_serverid }}
 
                 #  This has the same meaning as for TLS.
                 #
@@ -106,7 +107,8 @@ eap {
                 # no User-Password, CHAP-Password, EAP-Message, etc.
                 #
         #        virtual_server = "inner-tunnel"
-        #}
+        }
+{% endif %}
 
 
         #  Cisco LEAP