freeradius: add logging

jeltz 2023-06-25 00:27:08 +02:00
parent 20bce8a0da
commit a5b527ec0e
Signed by: jeltz
GPG key ID: 800882B66C0C3326
9 changed files with 68 additions and 17 deletions


@ -7,12 +7,15 @@
localhost: localhost:
addr: 127.0.0.1 addr: 127.0.0.1
secret: abcdef secret: abcdef
type: aurore
wifi-ap-v4: wifi-ap-v4:
addr: 10.102.0.0/16 addr: 10.102.0.0/16
secret: abcdef secret: abcdef
type: aurore
wifi-ap-v6: wifi-ap-v6:
addr: 2a09:6840:102::/56 addr: 2a09:6840:102::/56
secret: abcdef secret: abcdef
type: aurore
roles: roles:
- freeradius - freeradius
... ...
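Review bot: The new `type: aurore` key is consumed by an exact string comparison in the clients.conf template, so a value such as `type: Aurore` or a typo silently leaves that client on the default virtual server; a comment next to the variable, `# type: aurore -> client is routed to the outer-aurore virtual server`, would document the only accepted value. Separately, every client on the new side, including the whole `10.102.0.0/16` and `2a09:6840:102::/56` ranges, shares the placeholder secret `abcdef`; if this inventory is used anywhere beyond a local test setup, each client should carry its own long random secret kept in an ansible-vault file rather than a shared literal.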


@ -5,7 +5,6 @@ radiusd__clients: {}
radiusd__enabled_modules_minimal: radiusd__enabled_modules_minimal:
- always - always
- attr_filter - attr_filter
- cache_eap # TODO
- dynamic_clients # TODO - dynamic_clients # TODO
- eap # TODO - eap # TODO
- expiration # TODO - expiration # TODO
@ -24,7 +23,7 @@ radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
radiusd__enabled_sites_minimal: radiusd__enabled_sites_minimal:
- default - inner-aurore
- inner-tunnel - outer-aurore
radiusd__enabled_sites: [] radiusd__enabled_sites: []
... ...
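Review bot: The new `inner-aurore` and `outer-aurore` sites call `log_auth_inner` and `log_auth_outer`, which are linelog instances, but the visible part of `radiusd__enabled_modules_minimal` only shows `cache_eap` being removed and no `linelog` (or `ldap`) entry; if the list is not extended further down the file, radiusd will refuse to start because post-auth references a module that is not enabled. Worth confirming that `- linelog` and `- ldap` are present in that list, since the templates task now deploys both mods-available files. Also, `radiusd__enabled_sites_minimal` in a role default now hard-codes deployment-specific names; keeping generic names in defaults and setting the `*-aurore` values in group_vars would keep the role reusable.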


@ -56,11 +56,13 @@
- mods-available/utf8 - mods-available/utf8
- mods-available/always - mods-available/always
- mods-available/eap - mods-available/eap
- mods-available/ldap
- mods-available/linelog
- mods-available/eap_inner - mods-available/eap_inner
- mods-config/attr_filter/access_challenge - mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject - mods-config/attr_filter/access_reject
- sites-available/inner-tunnel - sites-available/outer-aurore
- sites-available/default - sites-available/inner-aurore
notify: notify:
- Restart freeradius - Restart freeradius


@ -8,8 +8,10 @@ client {{ name }} {
require_message_authenticator = yes require_message_authenticator = yes
nastype = other nastype = other
secret = {{ client.secret }} secret = {{ client.secret }}
{% if client.virtual_server is defined %} {% if client.type is defined %}
virtual_server = {{ client.virtual_server }} {% if client.type == "aurore" %}
virtual_server = outer-aurore
{% endif %}
{% endif %} {% endif %}
} }
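Review bot: Replacing `client.virtual_server` by a hard-coded type check means any client whose `type` is not exactly `"aurore"` silently falls back to the default virtual server, and the per-client `virtual_server` override that existed before is no longer honoured at all. The two nested conditions can be collapsed into one, an `elif` can keep the previous override path for callers that still set `virtual_server`, and a Jinja comment should state the fallback explicitly. The unquoted `secret = {{ client.secret }}` line is pre-existing, but since the block is being reworked it is worth noting that a secret containing whitespace or `#` may break the config parse; `secret = "{{ client.secret }}"` is the safer form.
```jinja
    secret = {{ client.secret }}
{# type -> virtual_server mapping; clients of unknown type stay on the default server #}
{% if client.type is defined and client.type == "aurore" %}
    virtual_server = outer-aurore
{% elif client.virtual_server is defined %}
    virtual_server = {{ client.virtual_server }}
{% endif %}
}
```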


@ -44,7 +44,7 @@ eap {
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = no use_tunneled_reply = no
virtual_server = inner-tunnel virtual_server = inner-aurore
} }
ttls { ttls {
@ -53,7 +53,7 @@ eap {
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = no use_tunneled_reply = no
virtual_server = inner-tunnel virtual_server = inner-aurore
} }
} }


@ -2,7 +2,7 @@
ldap { ldap {
server = "ldap://ldap-1.int.infra.auro.re" server = "ldap://10.128.0.10"
# TODO: quand on passera en prod, créer un utilisation dédié # TODO: quand on passera en prod, créer un utilisation dédié
identity = "cn=Directory manager" identity = "cn=Directory manager"
@ -37,12 +37,10 @@ ldap {
} }
pool { pool {
start = ${thread[pool].start_servers} start = 0
min = ${thread[pool].min_spare_servers} min = 1
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0 uses = 0
retry_delay = 30 retry_delay = 15
lifetime = 0 lifetime = 0
idle_timeout = 60 idle_timeout = 60
} }
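Review bot: The changed `server = "ldap://10.128.0.10"` line still binds as `cn=Directory manager` over plain `ldap://`, so the directory-manager password crosses the network unencrypted on every bind; `ldaps://` or `start_tls = yes` in the module's `tls {}` block should be used, and switching from a hostname to a raw IP will make certificate hostname verification awkward if TLS is added later. The address is also hard-coded in the template instead of coming from a role variable, e.g. `server = "{{ radiusd__ldap_server }}"` with the value in defaults or group_vars, which is inconsistent with the rest of the `radiusd__*` configuration. Dropping `max` and `spare` from `pool {}` leaves them at the module defaults; a short comment recording why the pool was reduced to `start = 0` / `min = 1` and why the defaults are acceptable would help the next reader.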


@ -0,0 +1,38 @@
{{ ansible_managed | comment }}
linelog log_auth_inner {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "[%{Virtual-Server}] (session #%n)"
}
linelog log_auth_outer {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
}
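Review bot: In both linelog instances the `default` message prints `%{Packet-Type}`, the request's type, while `reference` selects the message by `%{reply:Packet-Type}`; a line logged for an unhandled reply type would therefore read `Unknown packet type Access-Request`, so it should be `default = "Unknown packet type %{reply:Packet-Type}"`. The two instances differ only in the separator (`${..prefix} ACCEPT` versus `${..prefix}: ACCEPT`) and the prefix; generating both from one Jinja loop, or at least aligning the separator, would keep them from drifting apart. In the outer server `%{Stripped-User-Name}` is presumably only set when a realm was stripped, so for an anonymous outer EAP identity the ACCEPT/REJECT lines may print an empty user; `%{%{Stripped-User-Name}:-%{User-Name}}` falls back to the raw User-Name. A header comment stating that these modules are meant to be called from post-auth only, where the reply Packet-Type is known, would document the contract.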


@ -1,6 +1,6 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
server inner-tunnel { server inner-aurore {
authorize { authorize {
# Look for realm using the 'suffix' format (user@realm) # Look for realm using the 'suffix' format (user@realm)
@ -36,4 +36,11 @@ server inner-tunnel {
ldap ldap
} }
post-auth {
Post-Auth-Type REJECT {
log_auth_inner
}
log_auth_inner
}
} }


@ -1,6 +1,6 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
server default { server outer-aurore {
listen { listen {
type = auth type = auth
@ -55,8 +55,10 @@ server default {
attr_filter.access_reject attr_filter.access_reject
eap eap
remove_reply_message_if_eap remove_reply_message_if_eap
log_auth_outer
} }
remove_reply_message_if_eap remove_reply_message_if_eap
log_auth_outer
} }
pre-proxy { pre-proxy {