freeradius: fixes + minimal support for federez
This commit is contained in:
parent
2c64d27fd3
commit
ddd8c6dcc0
5 changed files with 38 additions and 31 deletions
@ -1,37 +1,37 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
always reject {
|
always reject {
|
||||||
rcode = reject
|
rcode = reject
|
||||||
}
|
}
|
||||||
|
|
||||||
always fail {
|
always fail {
|
||||||
rcode = fail
|
rcode = fail
|
||||||
}
|
}
|
||||||
|
|
||||||
always ok {
|
always ok {
|
||||||
rcode = ok
|
rcode = ok
|
||||||
}
|
}
|
||||||
|
|
||||||
always handled {
|
always handled {
|
||||||
rcode = handled
|
rcode = handled
|
||||||
}
|
}
|
||||||
|
|
||||||
always invalid {
|
always invalid {
|
||||||
rcode = invalid
|
rcode = invalid
|
||||||
}
|
}
|
||||||
|
|
||||||
always userlock {
|
always userlock {
|
||||||
rcode = userlock
|
rcode = userlock
|
||||||
}
|
}
|
||||||
|
|
||||||
always notfound {
|
always notfound {
|
||||||
rcode = notfound
|
rcode = notfound
|
||||||
}
|
}
|
||||||
|
|
||||||
always noop {
|
always noop {
|
||||||
rcode = noop
|
rcode = noop
|
||||||
}
|
}
|
||||||
|
|
||||||
always updated {
|
always updated {
|
||||||
rcode = updated
|
rcode = updated
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,11 +18,10 @@ eap {
|
||||||
private_key_file = {{ radiusd__tls_private_key_file }}
|
private_key_file = {{ radiusd__tls_private_key_file }}
|
||||||
certificate_file = {{ radiusd__tls_certificate_file }}
|
certificate_file = {{ radiusd__tls_certificate_file }}
|
||||||
ca_file = {{ radiusd__tls_ca_file }}
|
ca_file = {{ radiusd__tls_ca_file }}
|
||||||
dh_file = ${certdir}/dh
|
|
||||||
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
|
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
|
||||||
cipher_server_preferences = yes
|
cipher_server_preferences = yes
|
||||||
tls_min_version = "1.2"
|
tls_min_version = "1.2"
|
||||||
tls_max_version = "1.2" # TODO: 1.3
|
tls_max_version = "1.3"
|
||||||
# TODO
|
# TODO
|
||||||
# cache {
|
# cache {
|
||||||
# enable = yes
|
# enable = yes
|
||||||
|
@ -43,7 +42,7 @@ eap {
|
||||||
default_eap_type = gtc
|
default_eap_type = gtc
|
||||||
require_client_cert = no
|
require_client_cert = no
|
||||||
copy_request_to_tunnel = no
|
copy_request_to_tunnel = no
|
||||||
use_tunneled_reply = yes
|
use_tunneled_reply = no
|
||||||
virtual_server = inner-aurore
|
virtual_server = inner-aurore
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -52,7 +51,7 @@ eap {
|
||||||
default_eap_type = pap
|
default_eap_type = pap
|
||||||
require_client_cert = no
|
require_client_cert = no
|
||||||
copy_request_to_tunnel = no
|
copy_request_to_tunnel = no
|
||||||
use_tunneled_reply = yes
|
use_tunneled_reply = no
|
||||||
virtual_server = inner-aurore
|
virtual_server = inner-aurore
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
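Review bot: `tls_max_version = "1.3"` replaces the old `# TODO: 1.3` marker without recording why it is now safe to enable; whether PEAP/TTLS actually negotiate TLS 1.3 depends on the FreeRADIUS and OpenSSL versions deployed and on the supplicants in use, and the commit carries no version note. I would keep a short comment next to it, e.g. `# TLS 1.3 requires FreeRADIUS <version — TODO confirm> and supplicants that negotiate 1.3 inside PEAP/TTLS`, or expose it alongside the other `radiusd__tls_*` variables so a host can fall back to 1.2 without editing the template. The `use_tunneled_reply = no` change in the two later hunks appears to pair with the inner tunnel now writing its reply attributes to `outer.session-state`; that coupling is undocumented here, so a one-line comment such as `# reply attributes are staged in outer.session-state by the inner tunnel` above each would help the next reader. The enclosing `eap { }` block starts and ends outside these hunks.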
@ -1,6 +1,6 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
eap inner-eap {
|
eap eap_inner {
|
||||||
|
|
||||||
default_eap_type = gtc
|
default_eap_type = gtc
|
||||||
|
|
||||||
|
|
|
@ -9,17 +9,17 @@ server inner-aurore {
|
||||||
split_username_nai
|
split_username_nai
|
||||||
# Don't proxy requests from inner tunnel
|
# Don't proxy requests from inner tunnel
|
||||||
update control {
|
update control {
|
||||||
&Proxy-To-Realm := LOCAL
|
Proxy-To-Realm := LOCAL
|
||||||
}
|
}
|
||||||
# Must be before 'ldap', so that we don't query the LDAP server
|
# Must be before 'ldap', so that we don't query the LDAP server
|
||||||
# for "internal" packets (cf. documentation for
|
# for "internal" packets (cf. documentation for
|
||||||
# sites-available/inner-tunnel)
|
# sites-available/inner-tunnel)
|
||||||
inner-eap {
|
eap_inner {
|
||||||
ok = return
|
ok = return
|
||||||
}
|
}
|
||||||
ldap
|
ldap
|
||||||
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
||||||
if ((ok || updated) && User-Password) {
|
if ((ok || updated) && &User-Password) {
|
||||||
update control {
|
update control {
|
||||||
Auth-Type := ldap
|
Auth-Type := ldap
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,7 @@ server inner-aurore {
|
||||||
}
|
}
|
||||||
|
|
||||||
authenticate {
|
authenticate {
|
||||||
inner-eap
|
eap_inner
|
||||||
# Authenticate using 'Auth-Type = LDAP'
|
# Authenticate using 'Auth-Type = LDAP'
|
||||||
# This is not recommended by FreeRADIUS (cf. documentation for
|
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||||
# sites-available/default), but the password hashing scheme used
|
# sites-available/default), but the password hashing scheme used
|
||||||
|
@ -38,17 +38,24 @@ server inner-aurore {
|
||||||
}
|
}
|
||||||
|
|
||||||
post-auth {
|
post-auth {
|
||||||
update reply {
|
update outer.session-state {
|
||||||
Tunnel-Type = VLAN
|
Tunnel-Type := VLAN
|
||||||
Tunnel-Medium-Type = IEEE-802
|
Tunnel-Medium-Type := IEEE-802
|
||||||
}
|
}
|
||||||
if (!&reply:Tunnel-Private-Group-ID) {
|
if (&reply:Tunnel-Private-Group-ID) {
|
||||||
update reply {
|
update outer.session-state {
|
||||||
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }}
|
Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
|
||||||
}
|
}
|
||||||
}
|
} else {
|
||||||
|
update outer.session-state {
|
||||||
|
Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
|
||||||
|
}
|
||||||
|
}
|
||||||
linelog_inner_postauth
|
linelog_inner_postauth
|
||||||
Post-Auth-Type reject {
|
Post-Auth-Type reject {
|
||||||
|
update outer.session-state {
|
||||||
|
&Module-Failure-Message := &request:Module-Failure-Message
|
||||||
|
}
|
||||||
linelog_inner_postauth
|
linelog_inner_postauth
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
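Review bot: The attribute-reference style is now mixed within this file: the first hunk changes `&Proxy-To-Realm := LOCAL` to `Proxy-To-Realm := LOCAL` while the same hunk adds the prefix to `&User-Password`, and the post-auth hunk writes `Tunnel-Type := VLAN` bare but `&Module-Failure-Message := &request:Module-Failure-Message` with it. FreeRADIUS 3.x accepts both forms, but one form throughout makes the policy easier to audit; I would restore `&Proxy-To-Realm := LOCAL` and write `&Tunnel-Type := VLAN` and `&Tunnel-Medium-Type := IEEE-802`. The new `Post-Auth-Type reject` block copies `Module-Failure-Message` into `outer.session-state` without saying what consumes it there; a comment naming the consumer (presumably logging on the outer side, which is not in these hunks) would make clear the value is not meant to reach the Access-Reject sent to the NAS. The enclosing `server inner-aurore { }` block starts outside the hunks.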
@ -34,7 +34,7 @@ server outer-aurore {
|
||||||
eap
|
eap
|
||||||
} else {
|
} else {
|
||||||
update control {
|
update control {
|
||||||
Proxy-To-Realm := "federez"
|
Proxy-To-Realm := "FEDEREZ"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -50,17 +50,18 @@ server outer-aurore {
|
||||||
}
|
}
|
||||||
|
|
||||||
post-auth {
|
post-auth {
|
||||||
if (session-state:User-Name && reply:User-Name \
|
eap
|
||||||
&& request:User-Name \
|
if (&session-state:User-Name && &reply:User-Name \
|
||||||
&& (reply:User-Name == request:User-Name)) {
|
&& &request:User-Name \
|
||||||
|
&& (&reply:User-Name == &request:User-Name)) {
|
||||||
update reply {
|
update reply {
|
||||||
&User-Name !* ANY
|
&User-Name !* ANY
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
update {
|
update {
|
||||||
&reply: += &session-state:
|
reply: += &session-state:
|
||||||
}
|
}
|
||||||
Post-Auth-Type REJECT {
|
Post-Auth-Type reject {
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
eap
|
eap
|
||||||
remove_reply_message_if_eap
|
remove_reply_message_if_eap
|
||||||
|
|
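Review bot: `reply: += &session-state:` in post-auth merges every `session-state` attribute into the Access-Accept, and this same commit starts placing `Module-Failure-Message` into `outer.session-state` from the inner tunnel's reject path; on a reject the outer `Post-Auth-Type reject` block with `attr_filter.access_reject` runs instead, so it should not reach the client, but that reasoning is not written down anywhere. I would add a comment above the update, e.g. `# merge what the inner tunnel staged in outer.session-state (VLAN assignment); failure messages only land there on the reject path and are filtered by attr_filter.access_reject`, or restrict the merge to the `Tunnel-*` attributes explicitly rather than copying the whole list. The same line also drops the `&` that the old `&reply: += &session-state:` had while the new `if` condition adds `&` to every reference; keep one style. The enclosing `server outer-aurore { }` block starts outside the hunks, and the realm `"FEDEREZ"` set in the first hunk is defined elsewhere, so the name there should be checked against the new casing.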