freeradius: add logging
This commit is contained in:
parent
20bce8a0da
commit
a5b527ec0e
9 changed files with 68 additions and 17 deletions
|
@ -7,12 +7,15 @@
|
|||
localhost:
|
||||
addr: 127.0.0.1
|
||||
secret: abcdef
|
||||
type: aurore
|
||||
wifi-ap-v4:
|
||||
addr: 10.102.0.0/16
|
||||
secret: abcdef
|
||||
type: aurore
|
||||
wifi-ap-v6:
|
||||
addr: 2a09:6840:102::/56
|
||||
secret: abcdef
|
||||
type: aurore
|
||||
roles:
|
||||
- freeradius
|
||||
...
|
||||
|
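Review bot: The three `type: aurore` entries are free-form strings that the clients template in this commit compares with `client.type == "aurore"`; a misspelled value passes Ansible silently and the client is rendered without any `virtual_server` line. A comment above the first client naming the accepted values, `# type: selects the virtual server in clients.conf; only "aurore" is currently recognised`, would make the contract visible where the data is edited. The surrounding context also shows one literal `secret: abcdef` shared by a /16 and a /56 client range in a plaintext inventory; that predates this commit, but moving `secret` into an Ansible Vault variable and narrowing the ranges belongs in a follow-up.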
|
|
@ -5,7 +5,6 @@ radiusd__clients: {}
|
|||
radiusd__enabled_modules_minimal:
|
||||
- always
|
||||
- attr_filter
|
||||
- cache_eap # TODO
|
||||
- dynamic_clients # TODO
|
||||
- eap # TODO
|
||||
- expiration # TODO
|
||||
|
@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
|||
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||
radiusd__enabled_sites_minimal:
|
||||
- default
|
||||
- inner-tunnel
|
||||
- inner-aurore
|
||||
- outer-aurore
|
||||
radiusd__enabled_sites: []
|
||||
...
|
||||
|
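Review bot: `radiusd__enabled_sites_minimal` lists `default` and `inner-tunnel` next to `outer-aurore` and `inner-aurore`, while the site templates in this commit rename `server default` to `server outer-aurore` and `server inner-tunnel` to `server inner-aurore`. If the stock `default` and `inner-tunnel` sites are still installed and enabled alongside the aurore pair, two servers would claim the same `listen` ports and the daemon would likely refuse to start; if they are only kept on disk, the two list entries are dead. A comment on the list stating which pair is meant to be live, or dropping the obsolete pair, would remove the ambiguity.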
|
|
@ -56,11 +56,13 @@
|
|||
- mods-available/utf8
|
||||
- mods-available/always
|
||||
- mods-available/eap
|
||||
- mods-available/ldap
|
||||
- mods-available/linelog
|
||||
- mods-available/eap_inner
|
||||
- mods-config/attr_filter/access_challenge
|
||||
- mods-config/attr_filter/access_reject
|
||||
- sites-available/inner-tunnel
|
||||
- sites-available/default
|
||||
- sites-available/outer-aurore
|
||||
- sites-available/inner-aurore
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
|
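Review bot: The template list now carries `mods-available/ldap` and `mods-available/linelog` next to templates that embed secrets (the ldap bind identity and each client's `secret`), and the hunk shows no `mode`/`owner` on the rendered files. If the `template` task outside this hunk does not set them, `mode: "0640"` with `owner: root` and the service's group would keep the rendered configuration from being world-readable. The loop body and the `template:` line start above the hunk, so this is inferred from the list alone.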
|
|
@ -8,8 +8,10 @@ client {{ name }} {
|
|||
require_message_authenticator = yes
|
||||
nastype = other
|
||||
secret = {{ client.secret }}
|
||||
{% if client.virtual_server is defined %}
|
||||
virtual_server = {{ client.virtual_server }}
|
||||
{% if client.type is defined %}
|
||||
{% if client.type == "aurore" %}
|
||||
virtual_server = outer-aurore
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
|
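Review bot: The nested `{% if client.type is defined %}` / `{% if client.type == "aurore" %}` pair collapses to a single test, `{% if client.type | default('') == "aurore" %}`, which reads more easily and drops the double `{% endif %}`. A client whose `type` is anything else is rendered without a `virtual_server` line and silently falls through to the daemon's default handling; an `{% else %}` branch emitting `# unknown client type {{ client.type }}` would at least leave a trace in the generated clients.conf. The enclosing `client {{ name }} {` block starts above the hunk.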
|
|
@ -44,7 +44,7 @@ eap {
|
|||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
virtual_server = inner-aurore
|
||||
}
|
||||
|
||||
ttls {
|
||||
|
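Review bot: Both the peap stanza here and the ttls stanza in the next hunk hard-code `virtual_server = inner-aurore`, duplicating a name that also appears in `radiusd__enabled_sites_minimal` and in the inner site template. A single defaults variable (illustrative name `radiusd__inner_server: inner-aurore`) rendered here as `virtual_server = {{ radiusd__inner_server }}` would keep the three places from drifting the next time the site is renamed. `copy_request_to_tunnel = no` and `use_tunneled_reply = no` are unchanged context; the `eap {` block starts above the hunk.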
@ -53,7 +53,7 @@ eap {
|
|||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
virtual_server = inner-aurore
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
ldap {
|
||||
|
||||
server = "ldap://ldap-1.int.infra.auro.re"
|
||||
server = "ldap://10.128.0.10"
|
||||
|
||||
# TODO: quand on passera en prod, créer un utilisation dédié
|
||||
identity = "cn=Directory manager"
|
||||
|
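Review bot: The `server` URL stays `ldap://` (cleartext by default) while the module binds as `identity = "cn=Directory manager"`, so the bind password travels unencrypted unless a `tls { start_tls = yes }` stanza further down the file, outside this hunk, enables it; please confirm. Changing between the `ldap-1.int.infra.auro.re` name and the `10.128.0.10` literal also matters for TLS, since certificate validation against an IP requires that IP in the certificate's SAN. The French TODO reads `utilisation` where `utilisateur` is meant, and could state what the dedicated account needs (a read-only bind on the attributes rlm_ldap reads) so the follow-up does not inherit directory-manager rights.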
@ -37,12 +37,10 @@ ldap {
|
|||
}
|
||||
|
||||
pool {
|
||||
start = ${thread[pool].start_servers}
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
max = ${thread[pool].max_servers}
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
start = 0
|
||||
min = 1
|
||||
uses = 0
|
||||
retry_delay = 30
|
||||
retry_delay = 15
|
||||
lifetime = 0
|
||||
idle_timeout = 60
|
||||
}
|
||||
|
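Review bot: The rewritten `pool {}` block keeps `start`, `min`, `uses`, `retry_delay`, `lifetime` and `idle_timeout` but no longer sets `max` or `spare`, so the module's built-in default now decides the upper bound on open LDAP connections; an explicit `max = <n>` with a comment is preferable to a default the reader has to look up. A one-line why-comment on `start = 0` (no connection opened until first use) and on the shorter `retry_delay` would also help, since the values were previously tied to the thread pool and the reason for decoupling them is not stated. The `ldap {` block starts above the hunk.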
|
38
roles/freeradius/templates/mods-available/linelog.j2
Normal file
38
roles/freeradius/templates/mods-available/linelog.j2
Normal file
|
@ -0,0 +1,38 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
linelog log_auth_inner {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = ""
|
||||
|
||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||
|
||||
messages {
|
||||
default = "Unknown packet type %{Packet-Type}"
|
||||
|
||||
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
|
||||
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||
}
|
||||
|
||||
prefix = "[%{Virtual-Server}] (session #%n)"
|
||||
}
|
||||
|
||||
linelog log_auth_outer {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = ""
|
||||
|
||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||
|
||||
messages {
|
||||
default = "Unknown packet type %{Packet-Type}"
|
||||
|
||||
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
|
||||
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||
}
|
||||
|
||||
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
|
||||
}
|
||||
|
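Review bot: The two message sets are inconsistent: `log_auth_inner` formats `${..prefix} ACCEPT …` while `log_auth_outer` uses `${..prefix}: ACCEPT …`, so a parser keyed on the colon matches only the outer lines; pick one separator, e.g. `Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"` in both modules. `%{Stripped-User-Name}` is empty when no realm was stripped, which would log an accept or reject with no user; the fallback form the file already uses for `reference` works here too, `%{%{Stripped-User-Name}:-%{User-Name}}`. A header comment explaining that the inner log carries the tunnelled identity and the outer log the NAS, station and session context, and that `format = ""` is intentional because `reference` selects the line, would make the new file self-explaining.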
|
@ -1,6 +1,6 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server inner-tunnel {
|
||||
server inner-aurore {
|
||||
|
||||
authorize {
|
||||
# Look for realm using the 'suffix' format (user@realm)
|
||||
|
@ -36,4 +36,11 @@ server inner-tunnel {
|
|||
ldap
|
||||
}
|
||||
|
||||
post-auth {
|
||||
Post-Auth-Type REJECT {
|
||||
log_auth_inner
|
||||
}
|
||||
log_auth_inner
|
||||
}
|
||||
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server default {
|
||||
server outer-aurore {
|
||||
|
||||
listen {
|
||||
type = auth
|
||||
|
@ -55,8 +55,10 @@ server default {
|
|||
attr_filter.access_reject
|
||||
eap
|
||||
remove_reply_message_if_eap
|
||||
log_auth_outer
|
||||
}
|
||||
remove_reply_message_if_eap
|
||||
log_auth_outer
|
||||
}
|
||||
|
||||
pre-proxy {
|