freeradius: support for EAP-TTLS/PAP and EAP-PEAP/GTC
This commit is contained in:
parent
231c3aac09
commit
2d6ee91f93
10 changed files with 186 additions and 11 deletions
|
@ -4,6 +4,9 @@
|
|||
- radius-1.isp.infra.auro.re
|
||||
vars:
|
||||
radiusd__clients:
|
||||
localhost:
|
||||
addr: 127.0.0.1
|
||||
secret: abcdef
|
||||
wifi-ap-v4:
|
||||
addr: 10.102.0.0/16
|
||||
secret: abcdef
|
||||
|
|
|
@ -18,6 +18,8 @@ radiusd__enabled_modules_minimal:
|
|||
- realm # TODO
|
||||
- unpack # TODO
|
||||
- eap_inner
|
||||
- ldap
|
||||
- pap
|
||||
- utf8
|
||||
radiusd__enabled_modules: []
|
||||
radiusd__tls_cipher_list: DEFAULT
|
||||
|
|
|
@ -54,6 +54,8 @@
|
|||
- mods-available/eap_inner
|
||||
- mods-config/attr_filter/access_challenge
|
||||
- mods-config/attr_filter/access_reject
|
||||
- sites-available/inner-tunnel
|
||||
- sites-available/default
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
|
|
|
@ -2,12 +2,8 @@
|
|||
|
||||
{% for name, client in radiusd__clients.items() %}
|
||||
client {{ name }} {
|
||||
{% if client.addr | ansible.utils.ipv4 %}
|
||||
ipv4addr = {{ client.addr | ansible.utils.ipv4("network") }}
|
||||
{% else %}
|
||||
ipv6addr = {{ client.addr | ansible.utils.ipaddr("network") }}
|
||||
{% endif %}
|
||||
netmask = {{ client.addr | ansible.utils.ipaddr("prefix") }}
|
||||
ipaddr = {{ client.addr }}
|
||||
shortname = {{ name }}
|
||||
proto = *
|
||||
require_message_authenticator = yes
|
||||
nastype = other
|
||||
|
|
|
@ -5,6 +5,7 @@ eap {
|
|||
default_eap_type = peap
|
||||
|
||||
type = peap
|
||||
type = ttls
|
||||
|
||||
ignore_unknown_eap_types = no
|
||||
|
||||
|
@ -40,6 +41,16 @@ eap {
|
|||
peap {
|
||||
tls = tls-common
|
||||
default_eap_type = gtc
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
}
|
||||
|
||||
ttls {
|
||||
tls = tls-common
|
||||
default_eap_type = pap
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
|
|
|
@ -5,13 +5,10 @@ eap inner-eap {
|
|||
default_eap_type = gtc
|
||||
|
||||
type = gtc
|
||||
type = mschapv2
|
||||
type = pap
|
||||
|
||||
gtc {
|
||||
auth_type = local
|
||||
}
|
||||
|
||||
mschapv2 {
|
||||
auth_type = LDAP
|
||||
}
|
||||
|
||||
}
|
||||
|
|
50
roles/freeradius/templates/mods-available/ldap.j2
Normal file
50
roles/freeradius/templates/mods-available/ldap.j2
Normal file
|
@ -0,0 +1,50 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
ldap {
|
||||
|
||||
server = "ldap://ldap-1.int.infra.auro.re"
|
||||
|
||||
# TODO: quand on passera en prod, créer un utilisation dédié
|
||||
identity = "cn=Directory manager"
|
||||
password = "MotDePasseSuperComplique"
|
||||
|
||||
base_dn = "ou=users,dc=auro,dc=re"
|
||||
|
||||
user_dn = "LDAP-UserDn"
|
||||
|
||||
user {
|
||||
base_dn = "${..base_dn}"
|
||||
filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
|
||||
}
|
||||
|
||||
group {
|
||||
base_dn = "${..base_dn}"
|
||||
filter = "(objectClass=posixGroup)"
|
||||
membership_attribute = "memberOf"
|
||||
}
|
||||
|
||||
# TODO
|
||||
options {
|
||||
chase_referrals = yes
|
||||
rebind = yes
|
||||
res_timeout = 10
|
||||
srv_timelimit = 3
|
||||
net_timeout = 1
|
||||
idle = 60
|
||||
probes = 3
|
||||
interval = 3
|
||||
ldap_debug = 0x0028
|
||||
}
|
||||
|
||||
pool {
|
||||
start = ${thread[pool].start_servers}
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
max = ${thread[pool].max_servers}
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
uses = 0
|
||||
retry_delay = 30
|
||||
lifetime = 0
|
||||
idle_timeout = 60
|
||||
}
|
||||
|
||||
}
|
5
roles/freeradius/templates/mods-available/pap.j2
Normal file
5
roles/freeradius/templates/mods-available/pap.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
pap {
|
||||
normalise = no
|
||||
}
|
70
roles/freeradius/templates/sites-available/default.j2
Normal file
70
roles/freeradius/templates/sites-available/default.j2
Normal file
|
@ -0,0 +1,70 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server default {
|
||||
|
||||
listen {
|
||||
type = auth
|
||||
ipaddr = *
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
type = auth
|
||||
ipv6addr = *
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
authorize {
|
||||
filter_username # TODO
|
||||
preprocess # TODO
|
||||
suffix
|
||||
eap
|
||||
}
|
||||
|
||||
authenticate {
|
||||
eap
|
||||
}
|
||||
|
||||
preacct {
|
||||
}
|
||||
|
||||
accounting {
|
||||
}
|
||||
|
||||
post-auth {
|
||||
if (session-state:User-Name && reply:User-Name \
|
||||
&& request:User-Name \
|
||||
&& (reply:User-Name == request:User-Name)) {
|
||||
update reply {
|
||||
&User-Name !* ANY
|
||||
}
|
||||
}
|
||||
update {
|
||||
&reply: += &session-state:
|
||||
}
|
||||
Post-Auth-Type REJECT {
|
||||
attr_filter.access_reject
|
||||
eap
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
|
||||
}
|
39
roles/freeradius/templates/sites-available/inner-tunnel.j2
Normal file
39
roles/freeradius/templates/sites-available/inner-tunnel.j2
Normal file
|
@ -0,0 +1,39 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server inner-tunnel {
|
||||
|
||||
authorize {
|
||||
# Look for realm using the 'suffix' format (user@realm)
|
||||
suffix
|
||||
# Don't proxy requests from inner tunnel
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
|
||||
# Must be before 'ldap', so that we don't query the LDAP server
|
||||
# for "internal" packets (cf. documentation for
|
||||
# sites-available/inner-tunnel)
|
||||
inner-eap {
|
||||
ok = return
|
||||
}
|
||||
ldap
|
||||
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
||||
if ((ok || updated) && User-Password) {
|
||||
update control {
|
||||
Auth-Type := ldap
|
||||
}
|
||||
}
|
||||
pap
|
||||
}
|
||||
|
||||
authenticate {
|
||||
inner-eap
|
||||
# Authenticate using 'Auth-Type = LDAP'
|
||||
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||
# sites-available/default), but the password hashing scheme used
|
||||
# by 389DS is not yet supported by FreeRADIUS 3
|
||||
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
|
||||
ldap
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in a new issue