freeradius: fixes + minimal support for federez

roles/freeradius/templates/mods-available/eap.j2

@@ -18,11 +18,10 @@ eap {
         private_key_file = {{ radiusd__tls_private_key_file }}
         certificate_file = {{ radiusd__tls_certificate_file }}
         ca_file = {{ radiusd__tls_ca_file }}
-        dh_file = ${certdir}/dh
         cipher_list = {{ radiusd__tls_cipher_list | enquote }}
         cipher_server_preferences = yes
         tls_min_version = "1.2"
-        tls_max_version = "1.2" # TODO: 1.3
+        tls_max_version = "1.3"
         # TODO
         # cache {
         #    enable = yes
@@ -43,7 +42,7 @@ eap {
         default_eap_type = gtc
         require_client_cert = no
         copy_request_to_tunnel = no
-        use_tunneled_reply = yes
+        use_tunneled_reply = no
         virtual_server = inner-aurore
     }
 
@@ -52,7 +51,7 @@ eap {
         default_eap_type = pap
         require_client_cert = no
         copy_request_to_tunnel = no
-        use_tunneled_reply = yes
+        use_tunneled_reply = no
         virtual_server = inner-aurore
     }
 

roles/freeradius/templates/mods-available/eap_inner.j2

@@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}
 
-eap inner-eap {
+eap eap_inner {
 
     default_eap_type = gtc
 

roles/freeradius/templates/sites-available/inner-aurore.j2

@@ -9,17 +9,17 @@ server inner-aurore {
         split_username_nai
         # Don't proxy requests from inner tunnel
         update control {
-            &Proxy-To-Realm := LOCAL
+            Proxy-To-Realm := LOCAL
         }
         # Must be before 'ldap', so that we don't query the LDAP server
         # for "internal" packets (cf. documentation for
         # sites-available/inner-tunnel)
-        inner-eap {
+        eap_inner {
             ok = return
         }
         ldap
         # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
-        if ((ok || updated) && User-Password) {
+        if ((ok || updated) && &User-Password) {
             update control {
                 Auth-Type := ldap
             }
@@ -28,7 +28,7 @@ server inner-aurore {
     }
 
     authenticate {
-        inner-eap
+        eap_inner
         # Authenticate using 'Auth-Type = LDAP'
         # This is not recommended by FreeRADIUS (cf. documentation for
         # sites-available/default), but the password hashing scheme used
@@ -38,17 +38,24 @@ server inner-aurore {
     }
 
     post-auth {
-        update reply {
+        update outer.session-state {
-            Tunnel-Type = VLAN
+            Tunnel-Type := VLAN
-            Tunnel-Medium-Type = IEEE-802
+            Tunnel-Medium-Type := IEEE-802
         }
-	if (!&reply:Tunnel-Private-Group-ID) {
+        if (&reply:Tunnel-Private-Group-ID) {
-            update reply {
+            update outer.session-state {
-                &Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
+                Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
+            }
+        } else {
+            update outer.session-state {
+                Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
             }
         }
         linelog_inner_postauth
         Post-Auth-Type reject {
+            update outer.session-state {
+                &Module-Failure-Message := &request:Module-Failure-Message
+            }
             linelog_inner_postauth
         }
     }

roles/freeradius/templates/sites-available/outer-aurore.j2

@@ -34,7 +34,7 @@ server outer-aurore {
             eap
         } else {
             update control {
-                Proxy-To-Realm := "federez"
+                Proxy-To-Realm := "FEDEREZ"
             }
         }
     }
@@ -50,17 +50,18 @@ server outer-aurore {
     }
 
     post-auth {
-        if (session-state:User-Name && reply:User-Name \
+        eap
-                && request:User-Name \
+        if (&session-state:User-Name && &reply:User-Name \
-                && (reply:User-Name == request:User-Name)) {
+                && &request:User-Name \
+                && (&reply:User-Name == &request:User-Name)) {
             update reply {
                 &User-Name !* ANY
             }
         }
         update {
-            &reply: += &session-state:
+            reply: += &session-state:
         }
-        Post-Auth-Type REJECT {
+        Post-Auth-Type reject {
             attr_filter.access_reject
             eap
             remove_reply_message_if_eap