freeradius: improve logging robustness
This commit is contained in:
parent
a5b527ec0e
commit
f8b932014f
7 changed files with 73 additions and 38 deletions
|
@ -13,6 +13,7 @@ radiusd__enabled_modules_minimal:
|
|||
- logintime # TODO
|
||||
- realm # TODO
|
||||
- unpack # TODO
|
||||
- rest
|
||||
- eap_inner
|
||||
- ldap
|
||||
- pap
|
||||
|
|
|
@ -1,7 +1,12 @@
|
|||
---
|
||||
- name: Install freeradius
|
||||
apt:
|
||||
name: freeradius
|
||||
name:
|
||||
- eapoltest
|
||||
- freeradius
|
||||
- freeradius-ldap
|
||||
- freeradius-rest
|
||||
- freeradius-utils
|
||||
install_recommends: false
|
||||
|
||||
- name: Remove unused files
|
||||
|
@ -58,6 +63,7 @@
|
|||
- mods-available/eap
|
||||
- mods-available/ldap
|
||||
- mods-available/linelog
|
||||
- mods-available/rest
|
||||
- mods-available/eap_inner
|
||||
- mods-config/attr_filter/access_challenge
|
||||
- mods-config/attr_filter/access_reject
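Review bot: `eapoltest` in the new package list is a client-side EAP test tool, and nothing in the task explains why it belongs on the RADIUS server itself; if it is only there for ad-hoc checks against the virtual servers, a comment such as `# eapoltest: only for manual EAP testing against this server, not a runtime dependency` would keep it from being read as required, otherwise it should be dropped to keep the installed surface to what freeradius needs. `install_recommends: false` is the right default for an auth server and should stay. The task list the second hunk belongs to (the `mods-available/...` items) starts outside the hunk, so whether `rest` is deployed by the same loop as `linelog` is inferred from the names only.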
|
||||
|
|
|
@ -1,38 +1,54 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
linelog log_auth_inner {
|
||||
linelog_prefix = {{ '[%{Virtual-Server}] (session #%I)' | enquote }}
|
||||
|
||||
linelog_inner_prefix = {{ '${.linelog_prefix} from %{%{outer.Calling-Station-Id}:-unknown}:' | enquote }}
|
||||
|
||||
linelog linelog_inner_authz_user {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = ""
|
||||
|
||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||
|
||||
messages {
|
||||
default = "Unknown packet type %{Packet-Type}"
|
||||
|
||||
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
|
||||
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||
}
|
||||
|
||||
prefix = "[%{Virtual-Server}] (session #%n)"
|
||||
format = {{ '${..linelog_inner_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||
}
|
||||
|
||||
linelog log_auth_outer {
|
||||
linelog linelog_inner_postauth {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = ""
|
||||
|
||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
||||
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
|
||||
|
||||
messages {
|
||||
default = "Unknown packet type %{Packet-Type}"
|
||||
|
||||
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
|
||||
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
||||
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
|
||||
default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
|
||||
}
|
||||
|
||||
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
|
||||
}
|
||||
|
||||
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
|
||||
|
||||
linelog linelog_outer_authz_user {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = {{ '${..linelog_outer_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||
}
|
||||
|
||||
linelog linelog_outer_unknown_domain {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
format = {{ '${..linelog_outer_prefix} unknown domain "%{jsonquote:%{Stripped-User-Domain}}"' | enquote }}
|
||||
}
|
||||
|
||||
linelog linelog_outer_postauth {
|
||||
filename = syslog
|
||||
syslog_facility = authpriv
|
||||
|
||||
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
|
||||
|
||||
messages {
|
||||
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
|
||||
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
|
||||
}
|
||||
}
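Review bot: `Calling-Station-Id` (via `outer.Calling-Station-Id` in `linelog_inner_prefix` and directly in `linelog_outer_prefix`) and `Module-Failure-Message` (in both `Access-Reject` entries) are still interpolated raw, while `User-Name` and `Stripped-User-Domain` now go through `jsonquote`, so a NAS-supplied station id containing a newline or a double quote lands unescaped in the same authpriv line this change is hardening. Calling-Station-Id is whatever the NAS chooses to send and is not guaranteed to be a MAC address, so it deserves the same treatment: `from %{jsonquote:%{%{outer.Calling-Station-Id}:-unknown}}` in the inner prefix and `from %{jsonquote:%{%{Calling-Station-Id}:-unknown}}` in the outer one. Module-Failure-Message is module-generated and less exposed, but it sits inside parentheses on the reject line, so `(%{jsonquote:%{%{Module-Failure-Message}:-unknown}})` keeps that line parseable too. A header comment stating the rule — every attribute that originates from the supplicant or the NAS is wrapped in `jsonquote` before it reaches a format string — would make the convention survive the next edit.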
|
||||
|
|
5
roles/freeradius/templates/mods-available/rest.j2
Normal file
5
roles/freeradius/templates/mods-available/rest.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# Required for jsonquote
|
||||
rest {
|
||||
}
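Review bot: The comment `# Required for jsonquote` should say why an otherwise empty module instance exists, so that nobody later either wires `rest` into a section or deletes it as unused: `# rlm_rest is instantiated only so its jsonquote xlat is registered for the linelog formats; do not reference this instance from any server section.` Whether an instance with no `connect_uri` or pool settings is fully inert at startup is not visible from this file and is worth confirming with a `radiusd -XC` config check.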
|
|
@ -28,7 +28,7 @@ correct_escapes = true
|
|||
log {
|
||||
destination = syslog
|
||||
syslog_facility = daemon
|
||||
auth = yes
|
||||
auth = no
|
||||
}
|
||||
|
||||
security {
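Review bot: `auth = no` switches off the core `Login OK` / `Login incorrect` lines, so from this commit on the only record of accept/reject decisions is the `linelog_*_postauth` chain in each virtual server's `post-auth` section, and any section (or `Post-Auth-Type REJECT` subsection) that omits that module produces no audit line at all. That dependency is invisible from the hunk, so it should be stated next to the setting: `# Core auth logging is off: accept/reject decisions are logged by the linelog_*_postauth modules (authpriv) in each virtual server's post-auth section.` Whether `auth_badpass` / `auth_goodpass` are also set in this `log { }` block is outside the hunk.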
|
||||
|
|
|
@ -3,16 +3,17 @@
|
|||
server inner-aurore {
|
||||
|
||||
authorize {
|
||||
# Look for realm using the 'suffix' format (user@realm)
|
||||
suffix
|
||||
linelog_inner_authz_user
|
||||
filter_username
|
||||
filter_inner_identity
|
||||
split_username_nai
|
||||
# Don't proxy requests from inner tunnel
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
|
||||
# Must be before 'ldap', so that we don't query the LDAP server
|
||||
# for "internal" packets (cf. documentation for
|
||||
# sites-available/inner-tunnel)
|
||||
# sites-available/inner-tunnel)
|
||||
inner-eap {
|
||||
ok = return
|
||||
}
|
||||
|
@ -30,17 +31,17 @@ server inner-aurore {
|
|||
inner-eap
|
||||
# Authenticate using 'Auth-Type = LDAP'
|
||||
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||
# sites-available/default), but the password hashing scheme used
|
||||
# by 389DS is not yet supported by FreeRADIUS 3
|
||||
# sites-available/default), but the password hashing scheme used
|
||||
# by 389DS is not yet supported by FreeRADIUS 3
|
||||
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
|
||||
ldap
|
||||
}
|
||||
|
||||
post-auth {
|
||||
Post-Auth-Type REJECT {
|
||||
log_auth_inner
|
||||
linelog_inner_postauth
|
||||
Post-Auth-Type reject {
|
||||
linelog_inner_postauth
|
||||
}
|
||||
log_auth_inner
|
||||
}
|
||||
|
||||
}
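Review bot: The inner virtual server still accepts any realm in the inner identity: `split_username_nai` now runs in `authorize` and populates `Stripped-User-Domain`, but nothing checks it, while the outer server gains an `auro.re` check in this same commit and the `# TODO: vérifier que le realm ...` comment (verify that the realm is either empty or `auro.re`) is left open. If the inner identity is the one that selects the LDAP account, the same guard belongs here right after `split_username_nai`, written to allow an absent realm as the TODO asks, with a dedicated `linelog_inner_unknown_domain` so the mismatch is logged before `reject`. Separately, the subsection is spelled `Post-Auth-Type reject` where the stock configuration uses `REJECT`; value-name lookups should be case-insensitive, but a `radiusd -XC` run would settle it. Which of the interleaved lines are old and which are new is not recoverable from this rendering, so this is read against the new module names.
```jinja
        split_username_nai
        # Inner identity must be realm-less or in our realm (closes the TODO above)
        if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re") {
            linelog_inner_unknown_domain
            reject
        }
        # … unchanged: Proxy-To-Realm update, inner-eap, ldap …
```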
|
||||
|
|
|
@ -25,8 +25,13 @@ server outer-aurore {
|
|||
}
|
||||
|
||||
authorize {
|
||||
filter_username # TODO
|
||||
suffix
|
||||
linelog_outer_authz_user
|
||||
filter_username
|
||||
split_username_nai
|
||||
if (&Stripped-User-Domain != "auro.re") {
|
||||
linelog_outer_unknown_domain
|
||||
reject
|
||||
}
|
||||
eap
|
||||
}
|
||||
|
||||
|
@ -55,16 +60,17 @@ server outer-aurore {
|
|||
attr_filter.access_reject
|
||||
eap
|
||||
remove_reply_message_if_eap
|
||||
log_auth_outer
|
||||
linelog_outer_postauth
|
||||
}
|
||||
remove_reply_message_if_eap
|
||||
log_auth_outer
|
||||
linelog_outer_postauth
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
split_username_nai
|
||||
eap
|
||||
}
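Review bot: The new guard `if (&Stripped-User-Domain != "auro.re")` does not say what should happen when `User-Name` carries no `@realm` at all: `split_username_nai` presumably leaves `Stripped-User-Domain` unset in that case, and the outcome then hinges on how unlang evaluates `!=` against an absent attribute, which is not something the next reader should have to know. Make the intent explicit — `if (!&Stripped-User-Domain || &Stripped-User-Domain != "auro.re")` to require the realm, or `if (&Stripped-User-Domain && &Stripped-User-Domain != "auro.re")` to allow bare usernames — and say which in a comment. The check runs before `eap`, so it only sees the outer identity; an anonymous outer identity such as `anonymous@auro.re` passes it, which is presumably intended for PEAP/TTLS but worth stating next to the check. The `authorize` section is complete in the hunk, but the `server outer-aurore` block continues outside it.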
|
||||
|
||||
|
|