diff --git a/playbooks/freeradius.yml b/playbooks/freeradius.yml
index 65c421d..17a796d 100755
--- a/playbooks/freeradius.yml
+++ b/playbooks/freeradius.yml
@@ -7,12 +7,15 @@
 localhost:
 addr: 127.0.0.1
 secret: abcdef
+ type: aurore
 wifi-ap-v4:
 addr: 10.102.0.0/16
 secret: abcdef
+ type: aurore
 wifi-ap-v6:
 addr: 2a09:6840:102::/56
 secret: abcdef
+ type: aurore
 roles:
 - freeradius
 ...
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
index b96008b..3746a74 100644
--- a/roles/freeradius/defaults/main.yml
+++ b/roles/freeradius/defaults/main.yml
@@ -5,7 +5,6 @@ radiusd__clients: {}
 radiusd__enabled_modules_minimal:
 - always
 - attr_filter
- - cache_eap # TODO
 - dynamic_clients # TODO
 - eap # TODO
 - expiration # TODO
@@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
 radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
 radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
 radiusd__enabled_sites_minimal:
- - default
- - inner-tunnel
+ - inner-aurore
+ - outer-aurore
 radiusd__enabled_sites: []
 ...
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 4daa845..59d5947 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -56,11 +56,13 @@
 - mods-available/utf8
 - mods-available/always
 - mods-available/eap
+ - mods-available/ldap
+ - mods-available/linelog
 - mods-available/eap_inner
 - mods-config/attr_filter/access_challenge
 - mods-config/attr_filter/access_reject
- - sites-available/inner-tunnel
- - sites-available/default
+ - sites-available/outer-aurore
+ - sites-available/inner-aurore
 notify:
 - Restart freeradius
diff --git a/roles/freeradius/templates/clients.conf.j2 b/roles/freeradius/templates/clients.conf.j2
index 0c8528b..cce3c91 100644
--- a/roles/freeradius/templates/clients.conf.j2
+++ b/roles/freeradius/templates/clients.conf.j2
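Review bot: Each client that gains `type: aurore` still carries the literal shared secret `abcdef` on the context line just above it, and two of those entries are whole prefixes (10.102.0.0/16 and 2a09:6840:102::/56), so any host in those ranges can speak to the server with a guessable secret. The secret is not introduced by this commit, but since the entries are being edited, move it into a vaulted per-client variable, e.g. `secret: "{{ vault_radius_secret_wifi_ap }}"`, with a distinct value per NAS group. The `require_message_authenticator = yes` that clients.conf.j2 sets does not help when the secret itself is trivial.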
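Review bot: The new `radiusd__enabled_sites_minimal` default routes PEAP/TTLS through `inner-aurore`/`outer-aurore`, while the context lines above it still default the EAP TLS identity to the Debian snakeoil key pair (`/etc/ssl/certs/ssl-cert-snakeoil.pem`, `/etc/ssl/private/ssl-cert-snakeoil.key`), presumably consumed by eap.j2's tls section outside this hunk. For WPA-Enterprise that is the certificate supplicants are told to validate; a throwaway self-signed cert trains users to accept any server, which is the evil-twin credential-harvesting scenario. Not introduced here, but a `# TODO: replace with a CA-issued certificate before production` next to these defaults, or a role `assert` that fails when the path still contains `snakeoil`, would keep it from shipping.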
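Review bot: The loop now renders `mods-available/ldap`, which carries the directory bind identity (ldap.j2 binds as `cn=Directory manager`) and presumably its password, yet the task head that sets `owner`/`group`/`mode` is outside this hunk. Confirm the rendered files are not world-readable, e.g. `mode: "0640"` and `group: freerad` on the template task; if one mode applies to the whole loop that is fine as long as it is the restrictive one. Without it the bind password is readable by every local account on the RADIUS host.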
@@ -8,8 +8,10 @@ client {{ name }} {
 require_message_authenticator = yes
 nastype = other
 secret = {{ client.secret }}
-{% if client.virtual_server is defined %}
- virtual_server = {{ client.virtual_server }}
+{% if client.type is defined %}
+{% if client.type == "aurore" %}
+ virtual_server = outer-aurore
+{% endif %}
 {% endif %}
 }
diff --git a/roles/freeradius/templates/mods-available/eap.j2 b/roles/freeradius/templates/mods-available/eap.j2
index e9f9b89..f1045d4 100644
--- a/roles/freeradius/templates/mods-available/eap.j2
+++ b/roles/freeradius/templates/mods-available/eap.j2
@@ -44,7 +44,7 @@ eap {
 require_client_cert = no
 copy_request_to_tunnel = no
 use_tunneled_reply = no
- virtual_server = inner-tunnel
+ virtual_server = inner-aurore
 }
 ttls {
@@ -53,7 +53,7 @@ eap {
 require_client_cert = no
 copy_request_to_tunnel = no
 use_tunneled_reply = no
- virtual_server = inner-tunnel
+ virtual_server = inner-aurore
 }
 }
diff --git a/roles/freeradius/templates/mods-available/ldap.j2 b/roles/freeradius/templates/mods-available/ldap.j2
index ce4012e..a018fa3 100644
--- a/roles/freeradius/templates/mods-available/ldap.j2
+++ b/roles/freeradius/templates/mods-available/ldap.j2
@@ -2,7 +2,7 @@
 ldap {
- server = "ldap://ldap-1.int.infra.auro.re"
+ server = "ldap://10.128.0.10"
 # TODO: quand on passera en prod, créer un utilisation dédié
 identity = "cn=Directory manager"
@@ -37,12 +37,10 @@ ldap {
 }
 pool {
- start = ${thread[pool].start_servers}
- min = ${thread[pool].min_spare_servers}
- max = ${thread[pool].max_servers}
- spare = ${thread[pool].max_spare_servers}
+ start = 0
+ min = 1
 uses = 0
- retry_delay = 30
+ retry_delay = 15
 lifetime = 0
 idle_timeout = 60
 }
diff --git a/roles/freeradius/templates/mods-available/linelog.j2 b/roles/freeradius/templates/mods-available/linelog.j2
new file mode 100644
index 0000000..5ac4389
--- /dev/null
+++ b/roles/freeradius/templates/mods-available/linelog.j2
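Review bot: A client whose `type` is anything other than `aurore` (including a typo such as `aurora`) now renders silently with no `virtual_server` at all, because the inner `{% if client.type == "aurore" %}` has no `else` branch and the old `client.virtual_server` pass-through is gone; with the `default` site removed in this same commit there is no catch-all server to make the mistake visible, and the client is presumably handled by whichever server owns the listener it reaches. Collapse the two tests into `{% if client.type | default('') == "aurore" %}` and make the fall-through explicit, or validate the value up front with an `assert` task such as `that: item.value.type | default('aurore') in ['aurore']` over `radiusd__clients` before templating.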
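Review bot: `server = "ldap://10.128.0.10"` keeps the directory connection in cleartext LDAP while binding as `cn=Directory manager`, the 389-DS style superuser, so the root bind password and whatever inner-aurore's `ldap` call sends for each login cross the network unencrypted; replacing the hostname with a bare IP also removes the only name a server certificate could later be matched against. Prefer `server = "ldaps://ldap-1.int.infra.auro.re"` (or keep `ldap://` and set `start_tls = yes` in the module's `tls {}` section, which is outside this hunk) together with a read-only service account, as the French TODO on the next line already asks for. If name resolution was the reason for the IP, fix that in DNS rather than by giving up on TLS.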
@@ -0,0 +1,38 @@
+{{ ansible_managed | comment }}
+
+linelog log_auth_inner {
+ filename = syslog
+ syslog_facility = authpriv
+
+ format = ""
+
+ reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
+
+ messages {
+ default = "Unknown packet type %{Packet-Type}"
+
+ Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
+ Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
+ }
+
+ prefix = "[%{Virtual-Server}] (session #%n)"
+}
+
+linelog log_auth_outer {
+ filename = syslog
+ syslog_facility = authpriv
+
+ format = ""
+
+ reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
+
+ messages {
+ default = "Unknown packet type %{Packet-Type}"
+
+ Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
+ Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
+ }
+
+ prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
+}
+
diff --git a/roles/freeradius/templates/sites-available/inner-tunnel.j2 b/roles/freeradius/templates/sites-available/inner-aurore.j2
similarity index 90%
rename from roles/freeradius/templates/sites-available/inner-tunnel.j2
rename to roles/freeradius/templates/sites-available/inner-aurore.j2
index 3b768ad..5f8ef9e 100644
--- a/roles/freeradius/templates/sites-available/inner-tunnel.j2
+++ b/roles/freeradius/templates/sites-available/inner-aurore.j2
@@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}
-server inner-tunnel {
+server inner-aurore {
 authorize {
 # Look for realm using the 'suffix' format (user@realm)
@@ -36,4 +36,11 @@ server inner-tunnel {
 ldap
 }
+ post-auth {
+ Post-Auth-Type REJECT {
+ log_auth_inner
+ }
+ log_auth_inner
+ }
+
 }
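Review bot: All four `Access-Accept`/`Access-Reject` messages log `%{Stripped-User-Name}` only, which is typically populated only when a realm module strips a suffix (inner-aurore's authorize refers to the `suffix` format); a login sent without `@realm` would then produce `ACCEPT ` with no identity at all, which is exactly the line an incident responder needs. Use `%{%{Stripped-User-Name}:-%{User-Name}}` in each message so the line always carries a name. In `log_auth_outer`'s `prefix`, `%{NAS-IP-Address}` is an attribute the NAS writes into the packet rather than where the packet came from, so a NAS with the shared secret can misattribute sessions; add `%{Packet-Src-IP-Address}` (or `%{client:shortname}`) alongside it so the log records the verified source.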
diff --git a/roles/freeradius/templates/sites-available/default.j2 b/roles/freeradius/templates/sites-available/outer-aurore.j2
similarity index 94%
rename from roles/freeradius/templates/sites-available/default.j2
rename to roles/freeradius/templates/sites-available/outer-aurore.j2
index f661860..05ecc44 100644
--- a/roles/freeradius/templates/sites-available/default.j2
+++ b/roles/freeradius/templates/sites-available/outer-aurore.j2
@@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}
-server default {
+server outer-aurore {
 listen {
 type = auth
@@ -55,8 +55,10 @@ server default {
 attr_filter.access_reject
 eap
 remove_reply_message_if_eap
+ log_auth_outer
 }
 remove_reply_message_if_eap
+ log_auth_outer
 }
 pre-proxy {