freeradius: improve logging robustness

This commit is contained in:
jeltz 2023-06-25 19:25:50 +02:00
parent a5b527ec0e
commit f8b932014f
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 73 additions and 38 deletions


@ -13,6 +13,7 @@ radiusd__enabled_modules_minimal:
- logintime # TODO
- realm # TODO
- unpack # TODO
- rest
- eap_inner
- ldap
- pap


@ -1,7 +1,12 @@
---
- name: Install freeradius
apt:
name: freeradius
name:
- eapoltest
- freeradius
- freeradius-ldap
- freeradius-rest
- freeradius-utils
install_recommends: false
- name: Remove unused files
@ -58,6 +63,7 @@
- mods-available/eap
- mods-available/ldap
- mods-available/linelog
- mods-available/rest
- mods-available/eap_inner
- mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject
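Review bot: `eapoltest` in the new package list is the EAP test client shipped with wpa_supplicant, not something radiusd needs at runtime, so it reads as a service dependency when it is most likely there for manual checks of the new linelog output. A comment on that item would keep the distinction visible, e.g. `- eapoltest # EAP test client for manual checks only; not required by radiusd`. The second hunk (`@ -58,6 +63,7`) adds `mods-available/rest` to what appears to be the list of templated module files, which lines up with the new empty rest instance elsewhere in this commit.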


@ -1,38 +1,54 @@
{{ ansible_managed | comment }}
linelog log_auth_inner {
linelog_prefix = {{ '[%{Virtual-Server}] (session #%I)' | enquote }}
linelog_inner_prefix = {{ '${.linelog_prefix} from %{%{outer.Calling-Station-Id}:-unknown}:' | enquote }}
linelog linelog_inner_authz_user {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "[%{Virtual-Server}] (session #%n)"
format = {{ '${..linelog_inner_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
}
linelog log_auth_outer {
linelog linelog_inner_postauth {
filename = syslog
syslog_facility = authpriv
format = ""
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
}
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
}
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
linelog linelog_outer_authz_user {
filename = syslog
syslog_facility = authpriv
format = {{ '${..linelog_outer_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
}
linelog linelog_outer_unknown_domain {
filename = syslog
syslog_facility = authpriv
format = {{ '${..linelog_outer_prefix} unknown domain "%{jsonquote:%{Stripped-User-Domain}}"' | enquote }}
}
linelog linelog_outer_postauth {
filename = syslog
syslog_facility = authpriv
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages {
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
}
}
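Review bot: Calling-Station-Id is interpolated unescaped in both new prefixes (`linelog_inner_prefix` and `linelog_outer_prefix`), while User-Name and Stripped-User-Domain are wrapped in `jsonquote`; that attribute is whatever the NAS puts in the request, so the same quoting would keep the log line parseable regardless of its content. For the outer prefix that would be `%{jsonquote:%{%{Calling-Station-Id}:-unknown}}`, and likewise around `%{outer.Calling-Station-Id}` in the inner prefix. Module-Failure-Message in the two `Access-Reject` messages can also embed text produced by the failing module and would benefit from the same treatment. Whether rlm_linelog already escapes control characters before handing the line to syslog on this FreeRADIUS version is worth confirming, but quoting in the template keeps the messages consistent either way.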


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
# Required for jsonquote
rest {
}
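Review bot: The comment on the new file says why `rest {}` exists but not what that implies: no `connect_uri` or other endpoint settings are given, so the instance is only there to register the `jsonquote` xlat used by the linelog templates and must not be invoked from any virtual-server section. Suggest extending it to `# Required for the jsonquote xlat used by the linelog messages; no REST endpoint is configured, so this instance must never be called from a section`. Since the module is also added to `radiusd__enabled_modules_minimal` in the first file, it is worth confirming on the target FreeRADIUS version that an instance with no connection settings loads cleanly.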


@ -28,7 +28,7 @@ correct_escapes = true
log {
destination = syslog
syslog_facility = daemon
auth = yes
auth = no
}
security {
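Review bot: With `auth = no` the core log stops recording authentication outcomes, so the only trace of accepts and rejects is what the linelog instances in the virtual servers emit, and that dependency is invisible from radiusd.conf. A comment on the changed line would make it explicit, e.g. `auth = no  # accept/reject results are logged by the linelog_*_postauth instances in the virtual servers`. Any virtual server or reject path that does not call those instances would then leave no record, so it is worth checking that every server in this repository has the post-auth hooks inner-aurore and outer-aurore receive in this commit.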


@ -3,16 +3,17 @@
server inner-aurore {
authorize {
# Look for realm using the 'suffix' format (user@realm)
suffix
linelog_inner_authz_user
filter_username
filter_inner_identity
split_username_nai
# Don't proxy requests from inner tunnel
update control {
&Proxy-To-Realm := LOCAL
}
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel)
# sites-available/inner-tunnel)
inner-eap {
ok = return
}
@ -30,17 +31,17 @@ server inner-aurore {
inner-eap
# Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
ldap
}
post-auth {
Post-Auth-Type REJECT {
log_auth_inner
linelog_inner_postauth
Post-Auth-Type reject {
linelog_inner_postauth
}
log_auth_inner
}
}
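Review bot: The French TODO `# TODO: vérifier que le realm est soit vide, soit 'auro.re'` (check that the realm is either empty or 'auro.re') is left in place even though the new `split_username_nai` call should now provide the attribute such a check would need, and the outer server gets exactly that kind of guard in this commit while the inner tunnel, where the credentials are actually presented, does not. If the check is deliberately deferred, a comment saying why would help; otherwise the inner authorize section could carry the same pattern as the outer one (a comparison of the stripped domain followed by a dedicated linelog instance and `reject`). Whether `split_username_nai` sets a domain attribute for a bare username without `@` decides whether the "empty" half of the TODO needs its own handling. The Post-Auth-Type label appears in both spellings (`REJECT` and `reject`) in the second hunk; if that change is cosmetic, a short note would keep it from being reverted.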


@ -25,8 +25,13 @@ server outer-aurore {
}
authorize {
filter_username # TODO
suffix
linelog_outer_authz_user
filter_username
split_username_nai
if (&Stripped-User-Domain != "auro.re") {
linelog_outer_unknown_domain
reject
}
eap
}
@ -55,16 +60,17 @@ server outer-aurore {
attr_filter.access_reject
eap
remove_reply_message_if_eap
log_auth_outer
linelog_outer_postauth
}
remove_reply_message_if_eap
log_auth_outer
linelog_outer_postauth
}
pre-proxy {
}
post-proxy {
split_username_nai
eap
}