freeradius: add logging

This commit is contained in:
jeltz 2023-06-25 00:27:08 +02:00
parent 20bce8a0da
commit a5b527ec0e
Signed by: jeltz
GPG key ID: 800882B66C0C3326
9 changed files with 68 additions and 17 deletions


@ -7,12 +7,15 @@
localhost:
addr: 127.0.0.1
secret: abcdef
type: aurore
wifi-ap-v4:
addr: 10.102.0.0/16
secret: abcdef
type: aurore
wifi-ap-v6:
addr: 2a09:6840:102::/56
secret: abcdef
type: aurore
roles:
- freeradius
...
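Review bot: The `type: aurore` values (presumably the three additions, going by the 12→15 line count, since the rendered page has lost its markers) are now the only thing that binds these clients to the `outer-aurore` virtual server, and the clients template compares the string exactly, so a misspelt value leaves a client silently without that binding. The three clients also still share the placeholder-looking `secret: abcdef` on the new side; unless this is a lab inventory, the shared secrets belong in a vaulted variable rather than plaintext host vars. A comment next to the first client such as `# type selects the virtual server in the client template; only "aurore" is recognised` would make the coupling visible to whoever edits this file next.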


@ -5,7 +5,6 @@ radiusd__clients: {}
radiusd__enabled_modules_minimal:
- always
- attr_filter
- cache_eap # TODO
- dynamic_clients # TODO
- eap # TODO
- expiration # TODO
@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
radiusd__enabled_sites_minimal:
- default
- inner-tunnel
- inner-aurore
- outer-aurore
radiusd__enabled_sites: []
...
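Review bot: `default` and `inner-tunnel` drop out of `radiusd__enabled_sites_minimal` in the second hunk, but nothing in this commit removes their `sites-enabled` links on hosts that were already deployed, and the template list in the next file section still renders `sites-available/default` and `sites-available/inner-tunnel` next to the new `outer-aurore` and `inner-aurore` files. If the role only creates links for sites that are listed, a previously configured host would keep the old links active beside the new ones; worth confirming that the role prunes links not in the list, or adding a task that removes the two stale ones. The `cache_eap # TODO` line is presumably the deletion in the first hunk (7→6 lines), though the page does not show which line it is.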


@ -56,11 +56,13 @@
- mods-available/utf8
- mods-available/always
- mods-available/eap
- mods-available/ldap
- mods-available/linelog
- mods-available/eap_inner
- mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject
- sites-available/inner-tunnel
- sites-available/default
- sites-available/outer-aurore
- sites-available/inner-aurore
notify:
- Restart freeradius


@ -8,8 +8,10 @@ client {{ name }} {
require_message_authenticator = yes
nastype = other
secret = {{ client.secret }}
{% if client.virtual_server is defined %}
virtual_server = {{ client.virtual_server }}
{% if client.type is defined %}
{% if client.type == "aurore" %}
virtual_server = outer-aurore
{% endif %}
{% endif %}
}
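Review bot: With the new `{% if client.type is defined %}` / `{% if client.type == "aurore" %}` nesting, a client whose `type` is anything other than the exact string `aurore` gets no `virtual_server` line at all, and the earlier `virtual_server = {{ client.virtual_server }}` override (which the 8→10 line count suggests is the removed pair) is no longer reachable, so a misspelt type or a client that needs a different server fails silently. Keeping the explicit override as the first branch and collapsing the nesting into `{% elif client.type is defined and client.type == "aurore" %}` preserves both paths in one block without changing the aurore case. The enclosing `client {{ name }} {` block starts above the hunk.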


@ -44,7 +44,7 @@ eap {
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
virtual_server = inner-aurore
}
ttls {
@ -53,7 +53,7 @@ eap {
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
virtual_server = inner-aurore
}
}
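Review bot: The inner server name `inner-aurore` is spelled out in both the peap and ttls hunks here and again as the `server` name in the inner site template, so the next rename has to touch all three places by hand and a mismatch only shows up at runtime. A single role default (for example `radiusd__inner_server`, name suggested here) referenced as `virtual_server = {{ radiusd__inner_server }}` in both hunks would keep them in step. The `eap {` block starts above the first hunk.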


@ -2,7 +2,7 @@
ldap {
server = "ldap://ldap-1.int.infra.auro.re"
server = "ldap://10.128.0.10"
# TODO: quand on passera en prod, créer un utilisation dédié
identity = "cn=Directory manager"
@ -37,12 +37,10 @@ ldap {
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
start = 0
min = 1
uses = 0
retry_delay = 30
retry_delay = 15
lifetime = 0
idle_timeout = 60
}
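Review bot: The first hunk replaces the hostname `ldap://ldap-1.int.infra.auro.re` with the literal `ldap://10.128.0.10` inside the template, with no note on why. Other endpoints in this role are driven by `radiusd__*` defaults (the TLS file paths in the defaults hunk), so a default such as `radiusd__ldap_server` (name suggested here) referenced as `server = "{{ radiusd__ldap_server }}"` would keep the address out of the template; an IP literal also makes the later move of this plaintext `ldap://` bind, still made as `cn=Directory manager` per the existing TODO, to `ldaps://` or StartTLS harder, since the server certificate would then need that address as a SAN. The second hunk's switch from thread-pool-derived sizes to `start = 0` / `min = 1` and the 30→15 `retry_delay` deserve a one-line comment giving the reasoning, e.g. `# Small fixed pool: connections are opened on demand and retried quickly`, if that is the intent. The `ldap {` block continues outside both hunks.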


@ -0,0 +1,38 @@
{{ ansible_managed | comment }}
linelog log_auth_inner {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "[%{Virtual-Server}] (session #%n)"
}
linelog log_auth_outer {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
}
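Review bot: In both linelog blocks the `reference` is keyed on `%{reply:Packet-Type}` but the `default` fallback prints `%{Packet-Type}`, which is the request's type, so any reply that is neither Access-Accept nor Access-Reject (an Access-Challenge during an EAP exchange, should one reach post-auth) is logged as `Unknown packet type Access-Request`; `default = "Unknown reply packet type %{reply:Packet-Type}"` records what actually happened. The two blocks also differ only in separator, `${..prefix} ACCEPT` in `log_auth_inner` versus `${..prefix}: ACCEPT` in `log_auth_outer`, which makes grepping the authpriv log needlessly awkward; pick one form for both. Since `Calling-Station-Id` and user names now go to syslog, a header comment noting that these lines carry client MAC addresses and identities, which matters for log retention, would help the next maintainer.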


@ -1,6 +1,6 @@
{{ ansible_managed | comment }}
server inner-tunnel {
server inner-aurore {
authorize {
# Look for realm using the 'suffix' format (user@realm)
@ -36,4 +36,11 @@ server inner-tunnel {
ldap
}
post-auth {
Post-Auth-Type REJECT {
log_auth_inner
}
log_auth_inner
}
}


@ -1,6 +1,6 @@
{{ ansible_managed | comment }}
server default {
server outer-aurore {
listen {
type = auth
@ -55,8 +55,10 @@ server default {
attr_filter.access_reject
eap
remove_reply_message_if_eap
log_auth_outer
}
remove_reply_message_if_eap
log_auth_outer
}
pre-proxy {
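Review bot: `log_auth_outer` is added in the REJECT path and in the main `post-auth` flow, but with `use_tunneled_reply = no` in the eap module hunk the `Stripped-User-Name` seen by the outer server is presumably the outer EAP identity, which for PEAP/TTLS clients may be an anonymous one, so the outer ACCEPT line and the inner one for the same login would carry different names and different `%n` session numbers. Worth confirming against a real login and, if the outer name turns out not to be useful, either dropping it from `log_auth_outer` or adding a comment in the site template that `Calling-Station-Id` is the field to correlate the two lines on. The `post-auth {` section starts above the hunk and `pre-proxy {` continues below it.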