freeradius: fixes + minimal support for federez

This commit is contained in:
jeltz 2023-07-02 20:51:42 +02:00
parent 2c64d27fd3
commit ddd8c6dcc0
Signed by: jeltz
GPG key ID: 800882B66C0C3326
5 changed files with 38 additions and 31 deletions


@ -1,37 +1,37 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
always reject { always reject {
rcode = reject rcode = reject
} }
always fail { always fail {
rcode = fail rcode = fail
} }
always ok { always ok {
rcode = ok rcode = ok
} }
always handled { always handled {
rcode = handled rcode = handled
} }
always invalid { always invalid {
rcode = invalid rcode = invalid
} }
always userlock { always userlock {
rcode = userlock rcode = userlock
} }
always notfound { always notfound {
rcode = notfound rcode = notfound
} }
always noop { always noop {
rcode = noop rcode = noop
} }
always updated { always updated {
rcode = updated rcode = updated
} }


@ -18,11 +18,10 @@ eap {
private_key_file = {{ radiusd__tls_private_key_file }} private_key_file = {{ radiusd__tls_private_key_file }}
certificate_file = {{ radiusd__tls_certificate_file }} certificate_file = {{ radiusd__tls_certificate_file }}
ca_file = {{ radiusd__tls_ca_file }} ca_file = {{ radiusd__tls_ca_file }}
dh_file = ${certdir}/dh
cipher_list = {{ radiusd__tls_cipher_list | enquote }} cipher_list = {{ radiusd__tls_cipher_list | enquote }}
cipher_server_preferences = yes cipher_server_preferences = yes
tls_min_version = "1.2" tls_min_version = "1.2"
tls_max_version = "1.2" # TODO: 1.3 tls_max_version = "1.3"
# TODO # TODO
# cache { # cache {
# enable = yes # enable = yes
@ -43,7 +42,7 @@ eap {
default_eap_type = gtc default_eap_type = gtc
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = yes use_tunneled_reply = no
virtual_server = inner-aurore virtual_server = inner-aurore
} }
@ -52,7 +51,7 @@ eap {
default_eap_type = pap default_eap_type = pap
require_client_cert = no require_client_cert = no
copy_request_to_tunnel = no copy_request_to_tunnel = no
use_tunneled_reply = yes use_tunneled_reply = no
virtual_server = inner-aurore virtual_server = inner-aurore
} }
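Review bot: Raising `tls_max_version` to "1.3" in the eap tls section affects the PEAP and TTLS sub-types below it, and TLS 1.3 inside those tunnels is only usable on a server release that implements it — the 3.0.x configuration comments describe TLS 1.3 as unsupported for PEAP/TTLS — so confirm the deployed FreeRADIUS version before dropping the old cap (clients that cannot do 1.3 still negotiate down to the `tls_min_version` of 1.2). Removing `dh_file` in the same hunk leaves any DHE suites in `radiusd__tls_cipher_list` without explicit parameters, so their availability now depends on the OpenSSL build in use; if the list is intended to be ECDHE-only, a comment such as `# no dh_file: cipher_list is expected to contain ECDHE suites only` would make the removal self-explanatory. The two `use_tunneled_reply = no` changes are consistent with the inner tunnel now writing to outer.session-state rather than to its own reply.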


@ -1,6 +1,6 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
eap inner-eap { eap eap_inner {
default_eap_type = gtc default_eap_type = gtc


@ -9,17 +9,17 @@ server inner-aurore {
split_username_nai split_username_nai
# Don't proxy requests from inner tunnel # Don't proxy requests from inner tunnel
update control { update control {
&Proxy-To-Realm := LOCAL Proxy-To-Realm := LOCAL
} }
# Must be before 'ldap', so that we don't query the LDAP server # Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for # for "internal" packets (cf. documentation for
# sites-available/inner-tunnel) # sites-available/inner-tunnel)
inner-eap { eap_inner {
ok = return ok = return
} }
ldap ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
if ((ok || updated) && User-Password) { if ((ok || updated) && &User-Password) {
update control { update control {
Auth-Type := ldap Auth-Type := ldap
} }
@ -28,7 +28,7 @@ server inner-aurore {
} }
authenticate { authenticate {
inner-eap eap_inner
# Authenticate using 'Auth-Type = LDAP' # Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for # This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used # sites-available/default), but the password hashing scheme used
@ -38,17 +38,24 @@ server inner-aurore {
} }
post-auth { post-auth {
update reply { update outer.session-state {
Tunnel-Type = VLAN Tunnel-Type := VLAN
Tunnel-Medium-Type = IEEE-802 Tunnel-Medium-Type := IEEE-802
} }
if (!&reply:Tunnel-Private-Group-ID) { if (&reply:Tunnel-Private-Group-ID) {
update reply { update outer.session-state {
&Tunnel-Private-Group-ID = {{ radiusd__guest_vlan | int }} Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
} }
} } else {
update outer.session-state {
Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
}
}
linelog_inner_postauth linelog_inner_postauth
Post-Auth-Type reject { Post-Auth-Type reject {
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
linelog_inner_postauth linelog_inner_postauth
} }
} }
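Review bot: The `&Module-Failure-Message := &request:Module-Failure-Message` copy added to `Post-Auth-Type reject` assumes the inner request always carries that attribute, which is not true of every reject path (a module can return reject without setting one); confirm on the deployed version whether a missing right-hand reference makes the update a no-op or fails the section, since a failure there would skip the `linelog_inner_postauth` call that follows it. Guarding it with `if (&request:Module-Failure-Message) { update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } }` removes the dependency either way. The attribute-reference style is also mixed within this hunk (`Tunnel-Type := VLAN` without the prefix, `&Module-Failure-Message` with it) while the top of the section gained `&` on `&User-Password` and dropped it on `Proxy-To-Realm`; settling on one form would make the file easier to read.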


@ -34,7 +34,7 @@ server outer-aurore {
eap eap
} else { } else {
update control { update control {
Proxy-To-Realm := "federez" Proxy-To-Realm := "FEDEREZ"
} }
} }
} }
@ -50,17 +50,18 @@ server outer-aurore {
} }
post-auth { post-auth {
if (session-state:User-Name && reply:User-Name \ eap
&& request:User-Name \ if (&session-state:User-Name && &reply:User-Name \
&& (reply:User-Name == request:User-Name)) { && &request:User-Name \
&& (&reply:User-Name == &request:User-Name)) {
update reply { update reply {
&User-Name !* ANY &User-Name !* ANY
} }
} }
update { update {
&reply: += &session-state: reply: += &session-state:
} }
Post-Auth-Type REJECT { Post-Auth-Type reject {
attr_filter.access_reject attr_filter.access_reject
eap eap
remove_reply_message_if_eap remove_reply_message_if_eap
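Review bot: The `eap` call inserted at the top of `post-auth` has no comment saying why the module is now called on the Access-Accept path, and the enclosing post-auth section continues past the hunk, so its relation to any later `Post-Auth-Type` sub-sections cannot be checked here; a one-line comment stating what the call is relied on for (it was absent on the old side) would help the next reader. In the same hunk the left-hand list reference lost its prefix (`reply: += &session-state:`) while the references in the condition just above gained one; `&reply: += &session-state:` keeps the hunk consistent with itself and with the stock default site. The `Proxy-To-Realm := "FEDEREZ"` case change in the first hunk should match the realm name as declared in proxy.conf, which is not visible in this commit.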