From 2c64d27fd3c20b6cc6f30fb37235221df4bd685c Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sun, 2 Jul 2023 16:45:32 +0200
Subject: [PATCH] freeradius: add vlan support

---
 playbooks/freeradius.yml | 1 +
 roles/freeradius/templates/mods-available/eap.j2 | 4 ++--
 roles/freeradius/templates/mods-available/ldap.j2 | 4 ++++
 roles/freeradius/templates/mods-available/linelog.j2 | 6 +++---
 .../templates/sites-available/inner-aurore.j2 | 9 +++++++++
 .../templates/sites-available/outer-aurore.j2 | 10 ++++++----
 6 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/playbooks/freeradius.yml b/playbooks/freeradius.yml
index 17a796d..b5cac6a 100755
--- a/playbooks/freeradius.yml
+++ b/playbooks/freeradius.yml
@@ -3,6 +3,7 @@
 - hosts:
   - radius-1.isp.infra.auro.re
   vars:
+    radiusd__guest_vlan: 1000
     radiusd__clients:
       localhost:
         addr: 127.0.0.1
diff --git a/roles/freeradius/templates/mods-available/eap.j2 b/roles/freeradius/templates/mods-available/eap.j2
index f1045d4..9878067 100644
--- a/roles/freeradius/templates/mods-available/eap.j2
+++ b/roles/freeradius/templates/mods-available/eap.j2
@@ -43,7 +43,7 @@ eap {
 		default_eap_type = gtc
 		require_client_cert = no
 		copy_request_to_tunnel = no
-		use_tunneled_reply = no
+		use_tunneled_reply = yes
 		virtual_server = inner-aurore
 	}
 
@@ -52,7 +52,7 @@ eap {
 		default_eap_type = pap
 		require_client_cert = no
 		copy_request_to_tunnel = no
-		use_tunneled_reply = no
+		use_tunneled_reply = yes
 		virtual_server = inner-aurore
 	}
 
diff --git a/roles/freeradius/templates/mods-available/ldap.j2 b/roles/freeradius/templates/mods-available/ldap.j2
index a018fa3..2ce1fd2 100644
--- a/roles/freeradius/templates/mods-available/ldap.j2
+++ b/roles/freeradius/templates/mods-available/ldap.j2
@@ -23,6 +23,10 @@ ldap {
 		membership_attribute = "memberOf"
 	}
 
+	update {
+		reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+	}
+
 	options {
 		# TODO
 		chase_referrals = no
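Review bot: `radiusd__guest_vlan: 1000` lands in the host vars as a bare number with nothing saying what it controls, while the template that consumes it (`inner-aurore.j2` in this same commit) puts every authenticated user whose directory entry carries no VLAN onto it. A one-line comment where the value is set would make the fallback policy visible, e.g. `# VLAN given to auro.re users whose LDAP entry has no radiusTunnelPrivategroupId`. If the role declares no default for this variable, a host that includes the role without setting it will fail when the template is rendered; whether such a default exists is not visible from this hunk.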
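Review bot: `use_tunneled_reply = yes` copies the entire inner-tunnel reply list into the outer Access-Accept, not only the three Tunnel-* attributes this commit needs, and the flag is flipped in both sections of this file (the gtc and the pap inner type) with no comment explaining why. As far as I recall, the stock `inner-tunnel` site recommends an explicit copy from the inner post-auth instead (`update { &outer.session-state: += &reply: }` after removing what must not leak) and newer 3.0 releases warn that this flag is deprecated in favour of that pattern; an explicit copy limited to `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-ID` in `inner-aurore` would give the same VLAN behaviour with a visible allow-list. At minimum a comment on each flipped line, `# copy the Tunnel-* VLAN attributes set in inner-aurore to the outer reply`, would tell the next reader what depends on it.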
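Review bot: the new `update` block maps a directory attribute straight into `reply:Tunnel-Private-Group-ID` without a comment tying it to the logic that consumes it; a line above it such as `# 802.1X VLAN: taken from radiusTunnelPrivategroupId on the user entry; absent => guest VLAN (see inner-aurore post-auth)` would document the contract in the place an operator will look first. Which value `:=` picks when an entry holds several values for that attribute is not visible here; it is worth confirming against the rlm_ldap update-section operator semantics, or constraining the attribute to a single value in the schema. Stylistically, the unlang in `inner-aurore` refers to the same attribute with a leading `&`, so `&reply:Tunnel-Private-Group-ID` would match.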
diff --git a/roles/freeradius/templates/mods-available/linelog.j2 b/roles/freeradius/templates/mods-available/linelog.j2
index 0cd6de3..8f221e2 100644
--- a/roles/freeradius/templates/mods-available/linelog.j2
+++ b/roles/freeradius/templates/mods-available/linelog.j2
@@ -18,13 +18,13 @@ linelog linelog_inner_postauth {
 
 	reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
 	messages {
-		Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
+		Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
 		Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
 		default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
 	}
 }
 
-linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} (%{jsonquote:%{Called-Station-SSID}}) via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
+linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} ("%{jsonquote:%{Called-Station-SSID}}") via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
 
 linelog linelog_outer_authz_user {
 	filename = syslog
@@ -47,7 +47,7 @@ linelog linelog_outer_postauth {
 
 	reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
 	messages {
-		Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
+		Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
 		Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
 		default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
 	}
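Review bot: `%{reply:Tunnel-Private-Group-Id}` expands to an empty string when the reply carries no VLAN, so the outer Access-Accept line in the second hunk will read `(VLAN )` for any accept whose reply lacks the attribute (for instance a reply relayed from a proxied realm, which never goes through the inner-aurore fallback); the inner message in the first hunk has the same form. The file already uses the defaulting expansion for exactly this case (`%{%{Calling-Station-Id}:-unknown}`), so `(VLAN %{%{reply:Tunnel-Private-Group-Id}:-none})` keeps the line parseable and gives a fixed sentinel that a log rule can key on, since these lines are the audit trail for VLAN placement. The attribute is spelled `Tunnel-Private-Group-Id` here and `Tunnel-Private-Group-ID` in the ldap and inner-aurore templates of this commit; dictionary lookups are case-insensitive as far as I know, so both resolve, but one spelling across the role would be easier to grep.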
diff --git a/roles/freeradius/templates/sites-available/inner-aurore.j2 b/roles/freeradius/templates/sites-available/inner-aurore.j2
index f743b9b..ea60ed6 100644
--- a/roles/freeradius/templates/sites-available/inner-aurore.j2
+++ b/roles/freeradius/templates/sites-available/inner-aurore.j2
@@ -38,6 +38,15 @@ server inner-aurore {
 	}
 
 	post-auth {
+		update reply {
+			Tunnel-Type = VLAN
+			Tunnel-Medium-Type = IEEE-802
+		}
+		if (!&reply:Tunnel-Private-Group-ID) {
+			update reply {
+				&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
+			}
+		}
 		linelog_inner_postauth
 		Post-Auth-Type reject {
 			linelog_inner_postauth
diff --git a/roles/freeradius/templates/sites-available/outer-aurore.j2 b/roles/freeradius/templates/sites-available/outer-aurore.j2
index cec2c17..e228602 100644
--- a/roles/freeradius/templates/sites-available/outer-aurore.j2
+++ b/roles/freeradius/templates/sites-available/outer-aurore.j2
@@ -30,11 +30,13 @@ server outer-aurore {
 		linelog_outer_authz_user
 		filter_username
 		split_username_nai
-		if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") {
-			linelog_outer_unknown_domain
-			reject
+		if (!&Stripped-User-Domain || &Stripped-User-Domain == "auro.re") {
+			eap
+		} else {
+			update control {
+				Proxy-To-Realm := "federez"
+			}
 		}
-		eap
 	}
 
 	authenticate {
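Review bot: the VLAN taken from LDAP is handed to the NAS unvalidated; only its absence triggers the guest fallback, so a malformed directory value (anything that is not a small integer) is sent as-is and the result then depends on how the switch treats it. A syntactic guard at least, `if (!&reply:Tunnel-Private-Group-ID || &reply:Tunnel-Private-Group-ID !~ /^[0-9]{1,4}$/) {`, together with `&Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}` (override, since the attribute may now already exist), keeps bad directory data from reaching the access layer; a real 1–4094 range check would need a further comparison. A comment above the block, `# 802.1X dynamic VLAN: Tunnel-Private-Group-ID comes from LDAP (radiusTunnelPrivategroupId); users without one land on the guest VLAN`, would make the policy readable without opening the ldap module. The enclosing `post-auth` section continues outside the hunk.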
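Review bot: the new `else` branch proxies every non-`auro.re` realm to `federez`, and whatever Tunnel-* attributes the remote home server puts in its Access-Accept reach the NAS unless something outside this hunk strips them, because the guest-VLAN fallback this commit adds lives in the inner-aurore post-auth, which proxied requests never enter; the remote realm therefore chooses the VLAN for federation users, or leaves it unset. The previous code also logged the foreign domain through `linelog_outer_unknown_domain`, which this hunk drops with no replacement, so the proxy decision leaves no local trace and that module looks unreferenced in this file as far as the hunk shows. I would pin federation users to the guest VLAN in the outer `post-auth` (outside this hunk) using the same domain test, and add a linelog call in the `else` branch so proxied requests are logged the way `linelog_outer_authz_user` logs local ones. The enclosing `authorize` section starts outside the hunk.
```jinja
	post-auth {
		# Federation users are authenticated by the remote realm; never let its reply pick a local VLAN.
		if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") {
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
			}
		}
		# … unchanged: existing post-auth body …
```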