aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

freeradius: add vlan support

Browse source
This commit is contained in:
jeltz 2023-07-02 16:45:32 +02:00
parent b3d18e92b6
commit 2c64d27fd3
Signed by: jeltz
GPG key ID: 800882B66C0C3326
6 changed files with 25 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
playbooks/freeradius.yml
View file

@ -3,6 +3,7 @@
- hosts:
- radius-1.isp.infra.auro.re
vars:
radiusd__guest_vlan: 1000
radiusd__clients:
localhost:
addr: 127.0.0.1

4
roles/freeradius/templates/mods-available/eap.j2
View file

@ -43,7 +43,7 @@ eap {
default_eap_type = gtc
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
use_tunneled_reply = yes
virtual_server = inner-aurore
}
@ -52,7 +52,7 @@ eap {
default_eap_type = pap
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
use_tunneled_reply = yes
virtual_server = inner-aurore
}

4
roles/freeradius/templates/mods-available/ldap.j2
View file

@ -23,6 +23,10 @@ ldap {
membership_attribute = "memberOf"
}
update {
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
}
options {
# TODO
chase_referrals = no

6
roles/freeradius/templates/mods-available/linelog.j2
View file

@ -18,13 +18,13 @@ linelog linelog_inner_postauth {
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages {
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
}
}
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} (%{jsonquote:%{Called-Station-SSID}}) via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} ("%{jsonquote:%{Called-Station-SSID}}") via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
linelog linelog_outer_authz_user {
filename = syslog
@ -47,7 +47,7 @@ linelog linelog_outer_postauth {
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages {
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
}

9
roles/freeradius/templates/sites-available/inner-aurore.j2
View file

@ -38,6 +38,15 @@ server inner-aurore {
}
post-auth {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
}
if (!&reply:Tunnel-Private-Group-ID) {
update reply {
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
}
}
linelog_inner_postauth
Post-Auth-Type reject {
linelog_inner_postauth

10
roles/freeradius/templates/sites-available/outer-aurore.j2
View file

@ -30,11 +30,13 @@ server outer-aurore {
linelog_outer_authz_user
filter_username
split_username_nai
if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") {
linelog_outer_unknown_domain
reject
if (!&Stripped-User-Domain || &Stripped-User-Domain == "auro.re") {
eap
} else {
update control {
Proxy-To-Realm := "federez"
}
}
eap
}
authenticate {