freeradius: add logging
This commit is contained in:
parent
20bce8a0da
commit
a5b527ec0e
9 changed files with 68 additions and 17 deletions
|
@ -7,12 +7,15 @@
|
||||||
localhost:
|
localhost:
|
||||||
addr: 127.0.0.1
|
addr: 127.0.0.1
|
||||||
secret: abcdef
|
secret: abcdef
|
||||||
|
type: aurore
|
||||||
wifi-ap-v4:
|
wifi-ap-v4:
|
||||||
addr: 10.102.0.0/16
|
addr: 10.102.0.0/16
|
||||||
secret: abcdef
|
secret: abcdef
|
||||||
|
type: aurore
|
||||||
wifi-ap-v6:
|
wifi-ap-v6:
|
||||||
addr: 2a09:6840:102::/56
|
addr: 2a09:6840:102::/56
|
||||||
secret: abcdef
|
secret: abcdef
|
||||||
|
type: aurore
|
||||||
roles:
|
roles:
|
||||||
- freeradius
|
- freeradius
|
||||||
...
|
...
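Review bot: The new `type: aurore` key on each client is compared as a literal string by the client template, and nothing in this file says which values are accepted, so a typo such as `type: aurora` would silently leave that client without its virtual server; add a comment above the first client along the lines of `# type: aurore -> attach the client to the outer-aurore virtual server; any other value yields no virtual_server`. Separately, and unchanged by this commit, all three clients — including the 10.102.0.0/16 and 2a09:6840:102::/56 ranges — share the literal secret `abcdef`. If this is anything other than a dev-only inventory, the shared secret is the only thing authenticating a NAS to this server, so it should be a per-client value pulled from ansible-vault rather than a placeholder shared by whole subnets.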
|
||||||
|
|
|
@ -5,7 +5,6 @@ radiusd__clients: {}
|
||||||
radiusd__enabled_modules_minimal:
|
radiusd__enabled_modules_minimal:
|
||||||
- always
|
- always
|
||||||
- attr_filter
|
- attr_filter
|
||||||
- cache_eap # TODO
|
|
||||||
- dynamic_clients # TODO
|
- dynamic_clients # TODO
|
||||||
- eap # TODO
|
- eap # TODO
|
||||||
- expiration # TODO
|
- expiration # TODO
|
||||||
|
@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
|
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||||
radiusd__enabled_sites_minimal:
|
radiusd__enabled_sites_minimal:
|
||||||
- default
|
- inner-aurore
|
||||||
- inner-tunnel
|
- outer-aurore
|
||||||
radiusd__enabled_sites: []
|
radiusd__enabled_sites: []
|
||||||
...
|
...
|
||||||
|
|
|
@ -56,11 +56,13 @@
|
||||||
- mods-available/utf8
|
- mods-available/utf8
|
||||||
- mods-available/always
|
- mods-available/always
|
||||||
- mods-available/eap
|
- mods-available/eap
|
||||||
|
- mods-available/ldap
|
||||||
|
- mods-available/linelog
|
||||||
- mods-available/eap_inner
|
- mods-available/eap_inner
|
||||||
- mods-config/attr_filter/access_challenge
|
- mods-config/attr_filter/access_challenge
|
||||||
- mods-config/attr_filter/access_reject
|
- mods-config/attr_filter/access_reject
|
||||||
- sites-available/inner-tunnel
|
- sites-available/outer-aurore
|
||||||
- sites-available/default
|
- sites-available/inner-aurore
|
||||||
notify:
|
notify:
|
||||||
- Restart freeradius
|
- Restart freeradius
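Review bot: The templates list drops `sites-available/default` and `sites-available/inner-tunnel` in favour of `outer-aurore`/`inner-aurore`, but the Debian package ships `default` and `inner-tunnel` already linked in `sites-enabled/`; unless a task outside this hunk prunes `sites-enabled/` to the configured list, the stock `default` server (with its own `listen` on the auth port) stays loaded beside `outer-aurore` and radiusd will either refuse to start or answer from the stock server. Add an explicit `file: state=absent` for `sites-enabled/default` and `sites-enabled/inner-tunnel`, or a task that removes every symlink not in `radiusd__enabled_sites_minimal`. Also, `mods-available/ldap` now carries the directory bind identity (and presumably its password), so the `template` task — whose attributes begin above this hunk — should set `owner: freerad`, `group: freerad`, `mode: "0640"` rather than inherit the default mode.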
|
||||||
|
|
||||||
|
|
|
@ -8,8 +8,10 @@ client {{ name }} {
|
||||||
require_message_authenticator = yes
|
require_message_authenticator = yes
|
||||||
nastype = other
|
nastype = other
|
||||||
secret = {{ client.secret }}
|
secret = {{ client.secret }}
|
||||||
{% if client.virtual_server is defined %}
|
{% if client.type is defined %}
|
||||||
virtual_server = {{ client.virtual_server }}
|
{% if client.type == "aurore" %}
|
||||||
|
virtual_server = outer-aurore
|
||||||
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
}
|
}
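Review bot: The new `type` test replaces `client.virtual_server` outright, so an inventory entry still carrying `virtual_server:` is silently ignored and the client falls back to whichever server owns the listen socket — and a `type` other than `"aurore"` takes the same silent path. Keep the explicit key as a fallback by adding `{% elif client.virtual_server is defined %}` / `virtual_server = {{ client.virtual_server }}` after the `aurore` branch, with the two nested `if`s collapsed into one `{% if client.type is defined and client.type == "aurore" %}`. If an unknown `type` should be an error rather than a no-op, an `{% else %}` branch that renders `# ERROR: unknown client type {{ client.type }}` at least makes it visible in the generated file (pair it with an `assert` task if the play should fail). The `client {{ name }} {` block starts above the hunk.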
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,7 @@ eap {
|
||||||
require_client_cert = no
|
require_client_cert = no
|
||||||
copy_request_to_tunnel = no
|
copy_request_to_tunnel = no
|
||||||
use_tunneled_reply = no
|
use_tunneled_reply = no
|
||||||
virtual_server = inner-tunnel
|
virtual_server = inner-aurore
|
||||||
}
|
}
|
||||||
|
|
||||||
ttls {
|
ttls {
|
||||||
|
@ -53,7 +53,7 @@ eap {
|
||||||
require_client_cert = no
|
require_client_cert = no
|
||||||
copy_request_to_tunnel = no
|
copy_request_to_tunnel = no
|
||||||
use_tunneled_reply = no
|
use_tunneled_reply = no
|
||||||
virtual_server = inner-tunnel
|
virtual_server = inner-aurore
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
ldap {
|
ldap {
|
||||||
|
|
||||||
server = "ldap://ldap-1.int.infra.auro.re"
|
server = "ldap://10.128.0.10"
|
||||||
|
|
||||||
# TODO: quand on passera en prod, créer un utilisation dédié
|
# TODO: quand on passera en prod, créer un utilisation dédié
|
||||||
identity = "cn=Directory manager"
|
identity = "cn=Directory manager"
|
||||||
|
@ -37,12 +37,10 @@ ldap {
|
||||||
}
|
}
|
||||||
|
|
||||||
pool {
|
pool {
|
||||||
start = ${thread[pool].start_servers}
|
start = 0
|
||||||
min = ${thread[pool].min_spare_servers}
|
min = 1
|
||||||
max = ${thread[pool].max_servers}
|
|
||||||
spare = ${thread[pool].max_spare_servers}
|
|
||||||
uses = 0
|
uses = 0
|
||||||
retry_delay = 30
|
retry_delay = 15
|
||||||
lifetime = 0
|
lifetime = 0
|
||||||
idle_timeout = 60
|
idle_timeout = 60
|
||||||
}
|
}
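Review bot: The `server` line now points at `ldap://10.128.0.10`, a plain non-TLS URL, and the bind identity two lines below is `cn=Directory manager`; unless a `tls { start_tls = yes ... }` block further down this file (outside the hunk) upgrades the connection, the bind credentials cross the network in clear text on every connection. Prefer `ldaps://` or `start_tls = yes` with `require_cert = 'demand'`, and keep a hostname rather than a bare IP so the server certificate can actually be verified. The move from the DNS name to an IP also pins a single replica; if it was done to work around a resolution problem, a comment saying so would stop the next person from reverting it. In the pool hunk, dropping `max` and `spare` falls back to the module defaults for those keys — fine, but a one-line comment noting that is intentional would help.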
|
||||||
|
|
38
roles/freeradius/templates/mods-available/linelog.j2
Normal file
38
roles/freeradius/templates/mods-available/linelog.j2
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
linelog log_auth_inner {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = authpriv
|
||||||
|
|
||||||
|
format = ""
|
||||||
|
|
||||||
|
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||||
|
|
||||||
|
messages {
|
||||||
|
default = "Unknown packet type %{Packet-Type}"
|
||||||
|
|
||||||
|
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
|
||||||
|
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||||
|
}
|
||||||
|
|
||||||
|
prefix = "[%{Virtual-Server}] (session #%n)"
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog log_auth_outer {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = authpriv
|
||||||
|
|
||||||
|
format = ""
|
||||||
|
|
||||||
|
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||||
|
|
||||||
|
messages {
|
||||||
|
default = "Unknown packet type %{Packet-Type}"
|
||||||
|
|
||||||
|
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
|
||||||
|
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||||
|
}
|
||||||
|
|
||||||
|
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
|
||||||
|
}
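Review bot: All four message lines log `%{Stripped-User-Name}`, which is only populated when a realm module actually strips a suffix; a user without a realm produces an ACCEPT/REJECT line with an empty name, so use `%{%{Stripped-User-Name}:-%{User-Name}}` there instead. The `default` message prints `%{Packet-Type}` — the request's type — while the lookup is keyed on `%{reply:Packet-Type}`, so a miss would log "Unknown packet type Access-Request", which is misleading; use `%{reply:Packet-Type}` in that message. If post-auth also runs for Access-Challenge replies in your FreeRADIUS version, consider an `Access-Challenge` entry (I believe linelog skips an empty expansion) so EAP round-trips do not spam that branch. Minor style: the inner messages use `${..prefix} ACCEPT` and the outer ones `${..prefix}: ACCEPT`; pick one separator, and since the two modules differ only in `prefix`, a short comment at the top explaining why NAS/station details are only logged on the outer side would help the next reader.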
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
server inner-tunnel {
|
server inner-aurore {
|
||||||
|
|
||||||
authorize {
|
authorize {
|
||||||
# Look for realm using the 'suffix' format (user@realm)
|
# Look for realm using the 'suffix' format (user@realm)
|
||||||
|
@ -36,4 +36,11 @@ server inner-tunnel {
|
||||||
ldap
|
ldap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
post-auth {
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
log_auth_inner
|
||||||
|
}
|
||||||
|
log_auth_inner
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
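Review bot: `Post-Auth-Type REJECT` here only logs, so the reason the inner authentication failed never reaches the outer request: the outer module's REJECT line prints `%{Module-Failure-Message}`, but for PEAP/TTLS the failure happens in this inner server and the outer request typically only sees a generic EAP failure. The stock inner-tunnel handles this with `update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message }` inside `Post-Auth-Type REJECT`; add it next to `log_auth_inner` (and have the outer message read `%{session-state:Module-Failure-Message}` as a fallback). The stock inner-tunnel also runs `attr_filter.access_reject` in its REJECT sub-section, which this server does not; harmless if the inner reply is never proxied, but a one-line comment saying so would pre-empt the question. The `server inner-aurore {` block begins above the second hunk.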
|
|
@ -1,6 +1,6 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
server default {
|
server outer-aurore {
|
||||||
|
|
||||||
listen {
|
listen {
|
||||||
type = auth
|
type = auth
|
||||||
|
@ -55,8 +55,10 @@ server default {
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
eap
|
eap
|
||||||
remove_reply_message_if_eap
|
remove_reply_message_if_eap
|
||||||
|
log_auth_outer
|
||||||
}
|
}
|
||||||
remove_reply_message_if_eap
|
remove_reply_message_if_eap
|
||||||
|
log_auth_outer
|
||||||
}
|
}
|
||||||
|
|
||||||
pre-proxy {
|
pre-proxy {
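Review bot: `log_auth_outer` is called unconditionally at the end of `post-auth`, and if that section also runs for the Access-Challenge replies of each EAP round-trip in your FreeRADIUS build (worth confirming), every round-trip would hit the linelog `default` branch and write an "Unknown packet type" line. Guard it with `if (&reply:Packet-Type == Access-Accept) { log_auth_outer }`, or give the module an explicit `Access-Challenge` entry. Note too that on the outer side `%{Stripped-User-Name}` is the outer EAP identity, which for PEAP/TTLS is commonly `anonymous` or a bare realm, so the accept line will not name the authenticated user unless the inner server copies it into `outer.session-state` and the prefix reads it from there. The enclosing `post-auth` section starts above the hunk; the first `}` after the added `log_auth_outer` appears to close the `Post-Auth-Type REJECT` sub-section and the second closes `post-auth`, which is an unusual order compared with the stock site and deserves a comment if intentional.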
|