freeradius: fixes + minimal support for federez

2023-07-02 20:51:42 +02:00 · 2023-07-02 20:51:42 +02:00 · ddd8c6dcc0
commit ddd8c6dcc0
parent 2c64d27fd3
5 changed files with 38 additions and 31 deletions
--- a/roles/freeradius/templates/mods-available/always.j2
+++ b/roles/freeradius/templates/mods-available/always.j2
@ -1,37 +1,37 @@
 {{ ansible_managed | comment }}

 always reject {
-	rcode = reject
+    rcode = reject
 }

 always fail {
-	rcode = fail
+    rcode = fail
 }

 always ok {
-	rcode = ok
+    rcode = ok
 }

 always handled {
-	rcode = handled
+    rcode = handled
 }

 always invalid {
-	rcode = invalid
+    rcode = invalid
 }

 always userlock {
-	rcode = userlock
+    rcode = userlock
 }

 always notfound {
-	rcode = notfound
+    rcode = notfound
 }

 always noop {
-	rcode = noop
+    rcode = noop
 }

 always updated {
-	rcode = updated
+    rcode = updated
 }
--- a/roles/freeradius/templates/mods-available/eap.j2
+++ b/roles/freeradius/templates/mods-available/eap.j2
@ -18,11 +18,10 @@ eap {
        private_key_file = {{ radiusd__tls_private_key_file }}
        certificate_file = {{ radiusd__tls_certificate_file }}
        ca_file = {{ radiusd__tls_ca_file }}
-        dh_file = ${certdir}/dh
        cipher_list = {{ radiusd__tls_cipher_list | enquote }}
        cipher_server_preferences = yes
        tls_min_version = "1.2"
-        tls_max_version = "1.2" # TODO: 1.3
+        tls_max_version = "1.3"
        # TODO
        # cache {
        #    enable = yes
@ -43,7 +42,7 @@ eap {
        default_eap_type = gtc
        require_client_cert = no
        copy_request_to_tunnel = no
-        use_tunneled_reply = yes
+        use_tunneled_reply = no
        virtual_server = inner-aurore
    }

@ -52,7 +51,7 @@ eap {
        default_eap_type = pap
        require_client_cert = no
        copy_request_to_tunnel = no
-        use_tunneled_reply = yes
+        use_tunneled_reply = no
        virtual_server = inner-aurore
    }

--- a/roles/freeradius/templates/mods-available/eap_inner.j2
+++ b/roles/freeradius/templates/mods-available/eap_inner.j2
@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}

-eap inner-eap {
+eap eap_inner {

    default_eap_type = gtc

--- a/roles/freeradius/templates/sites-available/inner-aurore.j2
+++ b/roles/freeradius/templates/sites-available/inner-aurore.j2
@ -9,17 +9,17 @@ server inner-aurore {
        split_username_nai
        # Don't proxy requests from inner tunnel
        update control {
-            &Proxy-To-Realm := LOCAL
+            Proxy-To-Realm := LOCAL
        }
        # Must be before 'ldap', so that we don't query the LDAP server
        # for "internal" packets (cf. documentation for
        # sites-available/inner-tunnel)
-        inner-eap {
+        eap_inner {
            ok = return
        }
        ldap
        # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
-        if ((ok || updated) && User-Password) {
+        if ((ok || updated) && &User-Password) {
            update control {
                Auth-Type := ldap
            }
@ -28,7 +28,7 @@ server inner-aurore {
    }

    authenticate {
-        inner-eap
+        eap_inner
        # Authenticate using 'Auth-Type = LDAP'
        # This is not recommended by FreeRADIUS (cf. documentation for
        # sites-available/default), but the password hashing scheme used
@ -38,17 +38,24 @@ server inner-aurore {
    }

    post-auth {
-        update reply {
-            Tunnel-Type = VLAN
-            Tunnel-Medium-Type = IEEE-802
+        update outer.session-state {
+            Tunnel-Type := VLAN
+            Tunnel-Medium-Type := IEEE-802
        }
-	if (!&reply:Tunnel-Private-Group-ID) {
-            update reply {
-                &Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
+        if (&reply:Tunnel-Private-Group-ID) {
+            update outer.session-state {
+                Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
            }
-	}
+        } else {
+            update outer.session-state {
+                Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
+            }
+        }
        linelog_inner_postauth
        Post-Auth-Type reject {
+            update outer.session-state {
+                &Module-Failure-Message := &request:Module-Failure-Message
+            }
            linelog_inner_postauth
        }
    }
--- a/roles/freeradius/templates/sites-available/outer-aurore.j2
+++ b/roles/freeradius/templates/sites-available/outer-aurore.j2
@ -34,7 +34,7 @@ server outer-aurore {
            eap
        } else {
            update control {
-                Proxy-To-Realm := "federez"
+                Proxy-To-Realm := "FEDEREZ"
            }
        }
    }
@ -50,17 +50,18 @@ server outer-aurore {
    }

    post-auth {
-        if (session-state:User-Name && reply:User-Name \
-                && request:User-Name \
-                && (reply:User-Name == request:User-Name)) {
+        eap
+        if (&session-state:User-Name && &reply:User-Name \
+                && &request:User-Name \
+                && (&reply:User-Name == &request:User-Name)) {
            update reply {
                &User-Name !* ANY
            }
        }
        update {
-            &reply: += &session-state:
+            reply: += &session-state:
        }
-        Post-Auth-Type REJECT {
+        Post-Auth-Type reject {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap