freeradius: add logging

2023-06-25 00:27:08 +02:00 · 2023-06-25 00:27:08 +02:00 · a5b527ec0e
parent 20bce8a0da
commit a5b527ec0e
9 changed files with 68 additions and 17 deletions
--- a/playbooks/freeradius.yml
+++ b/playbooks/freeradius.yml
@ -7,12 +7,15 @@
      localhost:
        addr: 127.0.0.1
        secret: abcdef
+        type: aurore
      wifi-ap-v4:
        addr: 10.102.0.0/16
        secret: abcdef
+        type: aurore
      wifi-ap-v6:
        addr: 2a09:6840:102::/56
        secret: abcdef
+        type: aurore
  roles:
    - freeradius
 ...
--- a/roles/freeradius/defaults/main.yml
+++ b/roles/freeradius/defaults/main.yml
@ -5,7 +5,6 @@ radiusd__clients: {}
 radiusd__enabled_modules_minimal:
  - always
  - attr_filter
-  - cache_eap # TODO
  - dynamic_clients # TODO
  - eap # TODO
  - expiration # TODO
@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
 radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
 radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
 radiusd__enabled_sites_minimal:
-  - default
-  - inner-tunnel
+  - inner-aurore
+  - outer-aurore
 radiusd__enabled_sites: []
 ...
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@ -56,11 +56,13 @@
    - mods-available/utf8
    - mods-available/always
    - mods-available/eap
+    - mods-available/ldap
+    - mods-available/linelog
    - mods-available/eap_inner
    - mods-config/attr_filter/access_challenge
    - mods-config/attr_filter/access_reject
-    - sites-available/inner-tunnel
-    - sites-available/default
+    - sites-available/outer-aurore
+    - sites-available/inner-aurore
  notify:
    - Restart freeradius

--- a/roles/freeradius/templates/clients.conf.j2
+++ b/roles/freeradius/templates/clients.conf.j2
@ -8,8 +8,10 @@ client {{ name }} {
    require_message_authenticator = yes
    nastype = other
    secret = {{ client.secret }}
-{% if client.virtual_server is defined %}
-    virtual_server = {{ client.virtual_server }}
+{% if client.type is defined %}
+{% if client.type == "aurore" %}
+    virtual_server = outer-aurore
+{% endif %}
 {% endif %}
 }

--- a/roles/freeradius/templates/mods-available/eap.j2
+++ b/roles/freeradius/templates/mods-available/eap.j2
@ -44,7 +44,7 @@ eap {
        require_client_cert = no
        copy_request_to_tunnel = no
        use_tunneled_reply = no
-        virtual_server = inner-tunnel
+        virtual_server = inner-aurore
    }

    ttls {
@ -53,7 +53,7 @@ eap {
        require_client_cert = no
        copy_request_to_tunnel = no
        use_tunneled_reply = no
-        virtual_server = inner-tunnel
+        virtual_server = inner-aurore
    }

 }
--- a/roles/freeradius/templates/mods-available/ldap.j2
+++ b/roles/freeradius/templates/mods-available/ldap.j2
@ -2,7 +2,7 @@

 ldap {

-    server = "ldap://ldap-1.int.infra.auro.re"
+    server = "ldap://10.128.0.10"

    # TODO: quand on passera en prod, créer un utilisation dédié
    identity = "cn=Directory manager"
@ -37,12 +37,10 @@ ldap {
    }

    pool {
-        start = ${thread[pool].start_servers}
-        min = ${thread[pool].min_spare_servers}
-        max = ${thread[pool].max_servers}
-        spare = ${thread[pool].max_spare_servers}
+        start = 0
+        min = 1
        uses = 0
-        retry_delay = 30
+        retry_delay = 15
        lifetime = 0
        idle_timeout = 60
    }
--- a/roles/freeradius/templates/mods-available/linelog.j2
+++ b/roles/freeradius/templates/mods-available/linelog.j2
@ -0,0 +1,38 @@
+{{ ansible_managed | comment }}
+
+linelog log_auth_inner {
+    filename = syslog
+    syslog_facility = authpriv
+
+    format = ""
+
+    reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
+
+    messages {
+        default = "Unknown packet type %{Packet-Type}"
+
+        Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
+        Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
+    }
+
+    prefix = "[%{Virtual-Server}] (session #%n)"
+}
+
+linelog log_auth_outer {
+    filename = syslog
+    syslog_facility = authpriv
+
+    format = ""
+
+    reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
+
+    messages {
+        default = "Unknown packet type %{Packet-Type}"
+
+        Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
+        Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
+    }
+
+    prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
+}
+
--- a/roles/freeradius/templates/sites-available/inner-aurore.j2
+++ b/roles/freeradius/templates/sites-available/inner-aurore.j2
@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}

-server inner-tunnel {
+server inner-aurore {

    authorize {
        # Look for realm using the 'suffix' format (user@realm)
@ -36,4 +36,11 @@ server inner-tunnel {
        ldap
    }

+    post-auth {
+        Post-Auth-Type REJECT {
+            log_auth_inner
+        }
+	log_auth_inner
+    }
+
 }
--- a/roles/freeradius/templates/sites-available/outer-aurore.j2
+++ b/roles/freeradius/templates/sites-available/outer-aurore.j2
@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}

-server default {
+server outer-aurore {

    listen {
        type = auth
@ -55,8 +55,10 @@ server default {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
+            log_auth_outer
        }
        remove_reply_message_if_eap
+        log_auth_outer
    }

    pre-proxy {