freeradius: fixes + minimal support for federez
This commit is contained in:
parent
2c64d27fd3
commit
ddd8c6dcc0
5 changed files with 38 additions and 31 deletions
|
@ -1,37 +1,37 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
always reject {
|
||||
rcode = reject
|
||||
rcode = reject
|
||||
}
|
||||
|
||||
always fail {
|
||||
rcode = fail
|
||||
rcode = fail
|
||||
}
|
||||
|
||||
always ok {
|
||||
rcode = ok
|
||||
rcode = ok
|
||||
}
|
||||
|
||||
always handled {
|
||||
rcode = handled
|
||||
rcode = handled
|
||||
}
|
||||
|
||||
always invalid {
|
||||
rcode = invalid
|
||||
rcode = invalid
|
||||
}
|
||||
|
||||
always userlock {
|
||||
rcode = userlock
|
||||
rcode = userlock
|
||||
}
|
||||
|
||||
always notfound {
|
||||
rcode = notfound
|
||||
rcode = notfound
|
||||
}
|
||||
|
||||
always noop {
|
||||
rcode = noop
|
||||
rcode = noop
|
||||
}
|
||||
|
||||
always updated {
|
||||
rcode = updated
|
||||
rcode = updated
|
||||
}
|
||||
|
|
|
@ -18,11 +18,10 @@ eap {
|
|||
private_key_file = {{ radiusd__tls_private_key_file }}
|
||||
certificate_file = {{ radiusd__tls_certificate_file }}
|
||||
ca_file = {{ radiusd__tls_ca_file }}
|
||||
dh_file = ${certdir}/dh
|
||||
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
|
||||
cipher_server_preferences = yes
|
||||
tls_min_version = "1.2"
|
||||
tls_max_version = "1.2" # TODO: 1.3
|
||||
tls_max_version = "1.3"
|
||||
# TODO
|
||||
# cache {
|
||||
# enable = yes
|
||||
|
@ -43,7 +42,7 @@ eap {
|
|||
default_eap_type = gtc
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = yes
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-aurore
|
||||
}
|
||||
|
||||
|
@ -52,7 +51,7 @@ eap {
|
|||
default_eap_type = pap
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = yes
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-aurore
|
||||
}
|
||||
|
||||
|
|
|
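Review bot: `tls_max_version = "1.3"` in the first hunk drops the `# TODO: 1.3` marker but leaves no record of why offering TLS 1.3 is now considered safe; whether PEAP/TTLS actually negotiate 1.3 depends on the FreeRADIUS and OpenSSL versions deployed and on the supplicants in use, none of which this page shows. A comment such as `# TLS 1.3 verified with <server version> and the site's supplicants` would keep the next reader from quietly reverting it. Likewise the `use_tunneled_reply = no` lines in the two later hunks stop inner-tunnel reply attributes from being copied automatically, so the VLAN attributes now reach the outer reply only through the `update outer.session-state` blocks in the inner server; a one-line comment pointing at that mechanism (`# Reply attributes are copied to outer.session-state by the inner server`) belongs next to each of them. The enclosing `eap {` block starts and ends outside these hunks.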
@ -1,6 +1,6 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
eap inner-eap {
|
||||
eap eap_inner {
|
||||
|
||||
default_eap_type = gtc
|
||||
|
||||
|
|
|
@ -9,17 +9,17 @@ server inner-aurore {
|
|||
split_username_nai
|
||||
# Don't proxy requests from inner tunnel
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
Proxy-To-Realm := LOCAL
|
||||
}
|
||||
# Must be before 'ldap', so that we don't query the LDAP server
|
||||
# for "internal" packets (cf. documentation for
|
||||
# sites-available/inner-tunnel)
|
||||
inner-eap {
|
||||
eap_inner {
|
||||
ok = return
|
||||
}
|
||||
ldap
|
||||
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
||||
if ((ok || updated) && User-Password) {
|
||||
if ((ok || updated) && &User-Password) {
|
||||
update control {
|
||||
Auth-Type := ldap
|
||||
}
|
||||
|
@ -28,7 +28,7 @@ server inner-aurore {
|
|||
}
|
||||
|
||||
authenticate {
|
||||
inner-eap
|
||||
eap_inner
|
||||
# Authenticate using 'Auth-Type = LDAP'
|
||||
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||
# sites-available/default), but the password hashing scheme used
|
||||
|
@ -38,17 +38,24 @@ server inner-aurore {
|
|||
}
|
||||
|
||||
post-auth {
|
||||
update reply {
|
||||
Tunnel-Type = VLAN
|
||||
Tunnel-Medium-Type = IEEE-802
|
||||
update outer.session-state {
|
||||
Tunnel-Type := VLAN
|
||||
Tunnel-Medium-Type := IEEE-802
|
||||
}
|
||||
if (!&reply:Tunnel-Private-Group-ID) {
|
||||
update reply {
|
||||
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
|
||||
if (&reply:Tunnel-Private-Group-ID) {
|
||||
update outer.session-state {
|
||||
Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
|
||||
}
|
||||
}
|
||||
} else {
|
||||
update outer.session-state {
|
||||
Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
|
||||
}
|
||||
}
|
||||
linelog_inner_postauth
|
||||
Post-Auth-Type reject {
|
||||
update outer.session-state {
|
||||
&Module-Failure-Message := &request:Module-Failure-Message
|
||||
}
|
||||
linelog_inner_postauth
|
||||
}
|
||||
}
|
||||
|
|
|
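Review bot: In the post-auth hunk the `else` branch `update outer.session-state { Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }} }` places every successfully authenticated user whose LDAP lookup returned no Tunnel-Private-Group-ID on the guest VLAN; that is the same policy as before, but now that it is written into the outer session-state rather than the inner reply the intent deserves a comment, e.g. `# No VLAN from LDAP: fall back to the guest VLAN`. The new `Post-Auth-Type reject` block copies `&request:Module-Failure-Message` into outer.session-state; Module-Failure-Message is an internal attribute, so the comment should name its consumer (presumably logging in the outer server) and confirm that nothing on the outer reject path merges session-state into the reply. In the first hunk the `&` prefix is dropped from `Proxy-To-Realm := LOCAL` while `&User-Password` gains one in the same hunk; if the removal works around a parse problem on the deployed version, say so in a comment, otherwise keep the `&` form used elsewhere in this file. The `server inner-aurore {` block starts outside these hunks.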
@ -34,7 +34,7 @@ server outer-aurore {
|
|||
eap
|
||||
} else {
|
||||
update control {
|
||||
Proxy-To-Realm := "federez"
|
||||
Proxy-To-Realm := "FEDEREZ"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -50,17 +50,18 @@ server outer-aurore {
|
|||
}
|
||||
|
||||
post-auth {
|
||||
if (session-state:User-Name && reply:User-Name \
|
||||
&& request:User-Name \
|
||||
&& (reply:User-Name == request:User-Name)) {
|
||||
eap
|
||||
if (&session-state:User-Name && &reply:User-Name \
|
||||
&& &request:User-Name \
|
||||
&& (&reply:User-Name == &request:User-Name)) {
|
||||
update reply {
|
||||
&User-Name !* ANY
|
||||
}
|
||||
}
|
||||
update {
|
||||
&reply: += &session-state:
|
||||
reply: += &session-state:
|
||||
}
|
||||
Post-Auth-Type REJECT {
|
||||
Post-Auth-Type reject {
|
||||
attr_filter.access_reject
|
||||
eap
|
||||
remove_reply_message_if_eap
|
||||
|
|
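Review bot: `Proxy-To-Realm := "FEDEREZ"` in the first hunk only takes effect if a realm of exactly that name is defined in the proxy configuration, which is not part of this commit; unless realm lookup is known to be case-insensitive on the deployed version, the rename should be cross-checked against that file, and the `else` branch (whose `if` starts outside the hunk) should carry a comment such as `# Non-local users are proxied to the FEDEREZ federation realm`. In the post-auth hunk `reply: += &session-state:` merges the whole session-state into every Access-Accept, including those returned for proxied FEDEREZ users; this is the channel by which the inner server's Tunnel-* attributes reach the reply, so a comment naming that (`# Merge VLAN attributes stashed by inner-aurore into the reply`) would make the coupling between the two virtual servers visible. The `eap` module is now also called at the top of post-auth, before the User-Name comparison; a short comment on what it is expected to do there would help.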