freeradius: fixes + minimal support for federez

jeltz 2023-07-02 20:51:42 +02:00
parent 2c64d27fd3
commit ddd8c6dcc0
Signed by: jeltz
GPG key ID: 800882B66C0C3326
5 changed files with 38 additions and 31 deletions


@ -1,37 +1,37 @@
{{ ansible_managed | comment }}
always reject {
rcode = reject
rcode = reject
}
always fail {
rcode = fail
rcode = fail
}
always ok {
rcode = ok
rcode = ok
}
always handled {
rcode = handled
rcode = handled
}
always invalid {
rcode = invalid
rcode = invalid
}
always userlock {
rcode = userlock
rcode = userlock
}
always notfound {
rcode = notfound
rcode = notfound
}
always noop {
rcode = noop
rcode = noop
}
always updated {
rcode = updated
rcode = updated
}


@ -18,11 +18,10 @@ eap {
private_key_file = {{ radiusd__tls_private_key_file }}
certificate_file = {{ radiusd__tls_certificate_file }}
ca_file = {{ radiusd__tls_ca_file }}
dh_file = ${certdir}/dh
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
cipher_server_preferences = yes
tls_min_version = "1.2"
tls_max_version = "1.2" # TODO: 1.3
tls_max_version = "1.3"
# TODO
# cache {
# enable = yes
@ -43,7 +42,7 @@ eap {
default_eap_type = gtc
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = yes
use_tunneled_reply = no
virtual_server = inner-aurore
}
@ -52,7 +51,7 @@ eap {
default_eap_type = pap
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = yes
use_tunneled_reply = no
virtual_server = inner-aurore
}
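Review bot: Raising `tls_max_version = "1.3"` changes the shared tls-config that the peap and ttls sections further down this file inherit, and the removed `# TODO: 1.3` leaves no record of which FreeRADIUS/OpenSSL versions and which supplicants the tunnelled methods were verified against; TLS 1.3 for PEAP/TTLS is version-dependent in FreeRADIUS 3.x and several common supplicants still negotiate only 1.2. Because `tls_min_version` stays at "1.2" a 1.2-only client should still connect, but a note beside the line would make the change reviewable, e.g. `tls_max_version = "1.3" # PEAP/TTLS over TLS 1.3 verified on FreeRADIUS <version tested> with <supplicants tested>`. The two `use_tunneled_reply = no` edits in the later hunks are consistent with the inner server now writing its VLAN attributes to `outer.session-state`, which is the mechanism the stock inner-tunnel config documents as the replacement for that option; since the two files now depend on each other, a one-line comment saying so next to `use_tunneled_reply = no` would help the next reader. The enclosing `eap {` block starts before this hunk.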


@ -1,6 +1,6 @@
{{ ansible_managed | comment }}
eap inner-eap {
eap eap_inner {
default_eap_type = gtc


@ -9,17 +9,17 @@ server inner-aurore {
split_username_nai
# Don't proxy requests from inner tunnel
update control {
&Proxy-To-Realm := LOCAL
Proxy-To-Realm := LOCAL
}
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel)
inner-eap {
eap_inner {
ok = return
}
ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
if ((ok || updated) && User-Password) {
if ((ok || updated) && &User-Password) {
update control {
Auth-Type := ldap
}
@ -28,7 +28,7 @@ server inner-aurore {
}
authenticate {
inner-eap
eap_inner
# Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
@ -38,17 +38,24 @@ server inner-aurore {
}
post-auth {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
update outer.session-state {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if (!&reply:Tunnel-Private-Group-ID) {
update reply {
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
if (&reply:Tunnel-Private-Group-ID) {
update outer.session-state {
Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
}
}
} else {
update outer.session-state {
Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
}
}
linelog_inner_postauth
Post-Auth-Type reject {
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
linelog_inner_postauth
}
}
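Review bot: `Proxy-To-Realm := LOCAL` in the first hunk drops the `&` prefix while every other reference this commit touches in the same server (`&User-Password`, `&reply:Tunnel-Private-Group-ID`, `&Module-Failure-Message`) gains one; both spellings are accepted by the v3 parser, but the inconsistency reads as accidental, so keep `&Proxy-To-Realm := LOCAL`. In the rewritten post-auth block, the `else` branch keeps placing any authenticated user whose LDAP result carries no `Tunnel-Private-Group-ID` on the guest VLAN; that looks like the intended least-privilege default, but nothing states it, and a comment such as `# No VLAN returned by ldap: fall back to the guest VLAN rather than leaving the NAS to choose` would document the policy. The new `Post-Auth-Type reject` block copies `Module-Failure-Message` into `outer.session-state`, presumably so the outer server can log the failure reason; that dependency lives in another file and is worth naming in a comment on the `update outer.session-state` line. The enclosing `server inner-aurore {` starts before this hunk.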


@ -34,7 +34,7 @@ server outer-aurore {
eap
} else {
update control {
Proxy-To-Realm := "federez"
Proxy-To-Realm := "FEDEREZ"
}
}
}
@ -50,17 +50,18 @@ server outer-aurore {
}
post-auth {
if (session-state:User-Name && reply:User-Name \
&& request:User-Name \
&& (reply:User-Name == request:User-Name)) {
eap
if (&session-state:User-Name && &reply:User-Name \
&& &request:User-Name \
&& (&reply:User-Name == &request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
reply: += &session-state:
}
Post-Auth-Type REJECT {
Post-Auth-Type reject {
attr_filter.access_reject
eap
remove_reply_message_if_eap