freeradius: add vlan support

playbooks/freeradius.yml

@@ -3,6 +3,7 @@
 - hosts:
     - radius-1.isp.infra.auro.re
   vars:
+    radiusd__guest_vlan: 1000
     radiusd__clients:
       localhost:
         addr: 127.0.0.1

roles/freeradius/templates/mods-available/eap.j2

@@ -43,7 +43,7 @@ eap {
         default_eap_type = gtc
         require_client_cert = no
         copy_request_to_tunnel = no
-        use_tunneled_reply = no
+        use_tunneled_reply = yes
         virtual_server = inner-aurore
     }
 
@@ -52,7 +52,7 @@ eap {
         default_eap_type = pap
         require_client_cert = no
         copy_request_to_tunnel = no
-        use_tunneled_reply = no
+        use_tunneled_reply = yes
         virtual_server = inner-aurore
     }
 

roles/freeradius/templates/mods-available/ldap.j2

@@ -23,6 +23,10 @@ ldap {
         membership_attribute = "memberOf"
     }
 
+    update {
+        reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+    }
+
     options {
         # TODO
         chase_referrals = no

roles/freeradius/templates/mods-available/linelog.j2

@@ -18,13 +18,13 @@ linelog linelog_inner_postauth {
     reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
 
     messages {
-        Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
+        Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
         Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
         default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
     }
 }
 
-linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} (%{jsonquote:%{Called-Station-SSID}}) via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
+linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} ("%{jsonquote:%{Called-Station-SSID}}") via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
 
 linelog linelog_outer_authz_user {
     filename = syslog
@@ -47,7 +47,7 @@ linelog linelog_outer_postauth {
     reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
 
     messages {
-        Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
+        Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
         Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
         default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
     }

roles/freeradius/templates/sites-available/inner-aurore.j2

@@ -38,6 +38,15 @@ server inner-aurore {
     }
 
     post-auth {
+        update reply {
+            Tunnel-Type = VLAN
+            Tunnel-Medium-Type = IEEE-802
+        }
+	if (!&reply:Tunnel-Private-Group-ID) {
+            update reply {
+                &Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
+            }
+	}
         linelog_inner_postauth
         Post-Auth-Type reject {
             linelog_inner_postauth

roles/freeradius/templates/sites-available/outer-aurore.j2

@@ -30,11 +30,13 @@ server outer-aurore {
         linelog_outer_authz_user
         filter_username
         split_username_nai
-        if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") {
+        if (!&Stripped-User-Domain || &Stripped-User-Domain == "auro.re") {
-            linelog_outer_unknown_domain
+            eap
-            reject
+        } else {
+            update control {
+                Proxy-To-Realm := "federez"
+            }
         }
-        eap
     }
 
     authenticate {