ansible/roles/freeradius/templates/sites-available/inner-aurore.j2


{{ ansible_managed | comment }}
server inner-aurore {
    # Virtual server for requests that arrive through the inner EAP tunnel
    # (cf. the 'inner-tunnel' references in the comments below).
    authorize {
        # Log the inner identity before any filtering (module defined elsewhere).
        linelog_inner_authz_user
        # Standard FreeRADIUS policies (policy.d): reject malformed User-Names,
        # sanity-check the inner identity, split user@realm into
        # Stripped-User-Name / Realm.
        filter_username
        filter_inner_identity
        split_username_nai
        # Don't proxy requests from inner tunnel
        # Forcing LOCAL means a realm carried in the inner identity can never
        # redirect this request to another RADIUS server.
        update control {
            &Proxy-To-Realm := LOCAL
        }
        # Must be before 'ldap', so that we don't query the LDAP server
        # for "internal" packets (cf. documentation for
        # sites-available/inner-tunnel)
        # 'ok = return' ends this section as soon as inner-eap returns ok, the
        # intent being that 'ldap' / 'pap' below only run for non-EAP requests.
        inner-eap {
            ok = return
        }
        ldap
        # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
        # Only when the LDAP lookup succeeded (ok/updated) AND a cleartext
        # User-Password is present: the password is then checked by the ldap
        # module in 'authenticate' (rationale given there).
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
        # Sets Auth-Type PAP for User-Password requests that did not get an
        # Auth-Type above (e.g. user not found in LDAP). NOTE(review): no
        # 'Auth-Type PAP' handler is listed in 'authenticate' below, so such
        # requests presumably end in a reject rather than a local password
        # check — confirm this is the intended fail-closed behaviour.
        pap
    }
    authenticate {
        # Handles the inner EAP method for requests inner-eap claimed above.
        inner-eap
        # Authenticate using 'Auth-Type = LDAP'
        # This is not recommended by FreeRADIUS (cf. documentation for
        # sites-available/default), but the password hashing scheme used
        # by 389DS is not yet supported by FreeRADIUS 3
        # (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
        ldap
    }
    post-auth {
        # Tag the reply for dynamic VLAN assignment. The '=' operator only
        # adds these attributes if nothing earlier already set them.
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
        }
        # Fallback: an accepted user with no VLAN from earlier processing
        # (presumably the ldap attribute mapping — not visible here) is put
        # in the guest VLAN instead of being rejected, so the guest VLAN must
        # be the least-privileged network.
        if (!&reply:Tunnel-Private-Group-ID) {
            update reply {
                &Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
            }
        }
        # NOTE(review): whether these inner reply attributes reach the NAS
        # depends on the outer server / EAP tunneled-reply handling, which is
        # configured elsewhere.
        linelog_inner_postauth
        # Rejected inner authentications are logged too.
        Post-Auth-Type reject {
            linelog_inner_postauth
        }
    }
}