freeradius: add vlan support

This commit is contained in:
jeltz 2023-07-02 16:45:32 +02:00
parent b3d18e92b6
commit 2c64d27fd3
Signed by: jeltz
GPG key ID: 800882B66C0C3326
6 changed files with 25 additions and 9 deletions


@ -3,6 +3,7 @@
- hosts: - hosts:
- radius-1.isp.infra.auro.re - radius-1.isp.infra.auro.re
vars: vars:
radiusd__guest_vlan: 1000
radiusd__clients: radiusd__clients:
localhost: localhost:
addr: 127.0.0.1 addr: 127.0.0.1
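Review bot: The new `radiusd__guest_vlan: 1000` at line 17 says nothing about what the value is for, although it is the VLAN that every authenticated user ends up in when LDAP supplies no VLAN (see the inner-aurore post-auth change in this commit), which is a policy decision worth stating where the value lives. A one-line comment on the variable would make that explicit: `radiusd__guest_vlan: 1000  # VLAN assigned to authenticated users whose LDAP entry carries no radiusTunnelPrivategroupId`.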


@ -43,7 +43,7 @@ eap {
default_eap_type = gtc default_eap_type = gtc
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = no use_tunneled_reply = yes
virtual_server = inner-aurore virtual_server = inner-aurore
} }
@ -52,7 +52,7 @@ eap {
default_eap_type = pap default_eap_type = pap
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = no use_tunneled_reply = yes
virtual_server = inner-aurore virtual_server = inner-aurore
} }
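Review bot: Switching `use_tunneled_reply` to `yes` at lines 28 and 35 copies every reply attribute of the inner-tunnel user to the outer reply, not only the three Tunnel-* attributes this commit needs, so anything an LDAP profile or another authorize module adds to the inner reply now reaches the NAS unfiltered. If I recall the stock 3.0 configuration correctly, this item is marked deprecated there in favour of an `update { &outer.reply: += &reply: }` in the inner-tunnel post-auth, preceded by an `update reply` that removes the inner-only attributes (User-Name, EAP-Message, MS-MPPE-*), which keeps the copy explicit and reviewable. Either way the inner post-auth becomes the single place that decides what the NAS sees, and a comment on these two lines naming that consequence would help the next reader: `# copies the whole inner reply to the outer reply (needed for Tunnel-* VLAN assignment)`.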


@ -23,6 +23,10 @@ ldap {
membership_attribute = "memberOf" membership_attribute = "memberOf"
} }
update {
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
}
options { options {
# TODO # TODO
chase_referrals = no chase_referrals = no
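Review bot: The new `update` map at lines 44–46 makes the directory attribute `radiusTunnelPrivategroupId` the authoritative source of a user's VLAN, so write access to that attribute in LDAP now amounts to choosing the network segment a user lands in; that is worth stating next to the map, and the directory ACL on the attribute deserves the same scrutiny as the one on password attributes. The value is copied verbatim with `:=`, so an empty or non-numeric directory value is forwarded to the NAS as-is unless the inner post-auth validates it (the post-auth is the better place for that check, since it already owns the guest fallback). Suggested comment above line 44: `# VLAN assignment is taken from LDAP; treat this attribute as security-sensitive in the directory ACLs`.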


@ -18,13 +18,13 @@ linelog linelog_inner_postauth {
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }} reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages { messages {
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }} Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }} Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }} default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
} }
} }
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} (%{jsonquote:%{Called-Station-SSID}}) via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }} linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} ("%{jsonquote:%{Called-Station-SSID}}") via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
linelog linelog_outer_authz_user { linelog linelog_outer_authz_user {
filename = syslog filename = syslog
@ -47,7 +47,7 @@ linelog linelog_outer_postauth {
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }} reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages { messages {
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }} Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}" (VLAN %{reply:Tunnel-Private-Group-Id})' | enquote }}
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }} Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }} default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
} }
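Review bot: The added `(VLAN %{reply:Tunnel-Private-Group-Id})` at lines 56 and 67 expands to `(VLAN )` whenever an Access-Accept carries no VLAN, which is likely the case for replies proxied from another realm by this same commit unless something outside the hunk adds one, whereas the neighbouring Access-Reject and prefix lines give every optional attribute a `:-unknown` default. For consistency, and so the log distinguishes "no VLAN sent" from an empty value, `(VLAN %{%{reply:Tunnel-Private-Group-Id}:-none})` would do. The VLAN value originates from LDAP, so if these lines are meant to be machine-parsed it should get the same `jsonquote` wrapping as User-Name.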


@ -38,6 +38,15 @@ server inner-aurore {
} }
post-auth { post-auth {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
}
if (!&reply:Tunnel-Private-Group-ID) {
update reply {
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
}
}
linelog_inner_postauth linelog_inner_postauth
Post-Auth-Type reject { Post-Auth-Type reject {
linelog_inner_postauth linelog_inner_postauth
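Review bot: The guard at line 81 only checks that `Tunnel-Private-Group-ID` is present, so an LDAP value that is empty, non-numeric or out of the 1–4094 range is forwarded to the NAS unchanged, and what the switch does with it is then NAS-specific. Since the guest fallback already exists, I would extend the condition to fall back on anything that is not a plausible VLAN id, e.g. `if (!&reply:Tunnel-Private-Group-ID || &reply:Tunnel-Private-Group-ID !~ /^[1-9][0-9]{0,3}$/) {`, and log when the fallback is taken so directory mistakes stay visible. A comment above line 77 stating the policy would also help: `# VLAN policy: LDAP radiusTunnelPrivategroupId wins, otherwise the guest VLAN; the reject path below never sets Tunnel-* attributes`. The post-auth section continues past the end of the hunk.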


@ -30,11 +30,13 @@ server outer-aurore {
linelog_outer_authz_user linelog_outer_authz_user
filter_username filter_username
split_username_nai split_username_nai
if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") { if (!&Stripped-User-Domain || &Stripped-User-Domain == "auro.re") {
linelog_outer_unknown_domain eap
reject } else {
update control {
Proxy-To-Realm := "federez"
}
} }
eap
} }
authenticate { authenticate {
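Review bot: Beyond the VLAN work, the rewritten condition at lines 96–101 replaces the former reject of non-`auro.re` domains with `Proxy-To-Realm := "federez"`, so every foreign realm is now proxied and `linelog_outer_unknown_domain` is no longer called from here; that change deserves its own mention in the commit message and, if the linelog module is now unreferenced, its removal. Because the same commit starts honouring Tunnel-* attributes in replies, a home server reached through the federez realm could return its own `Tunnel-Private-Group-Id` and thereby choose the local VLAN of a roaming user, unless the outer server's post-proxy section (not in this hunk) strips or overrides those attributes. I would add an `update reply` there that deletes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id from the proxied reply and sets the guest VLAN for those users, who otherwise receive no VLAN from this commit at all. The enclosing authorize section starts before this hunk.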