freeradius: improve logging robustness
This commit is contained in:
parent
a5b527ec0e
commit
f8b932014f
7 changed files with 73 additions and 38 deletions
|
@ -13,6 +13,7 @@ radiusd__enabled_modules_minimal:
|
||||||
- logintime # TODO
|
- logintime # TODO
|
||||||
- realm # TODO
|
- realm # TODO
|
||||||
- unpack # TODO
|
- unpack # TODO
|
||||||
|
- rest
|
||||||
- eap_inner
|
- eap_inner
|
||||||
- ldap
|
- ldap
|
||||||
- pap
|
- pap
|
||||||
|
|
|
@ -1,7 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: Install freeradius
|
- name: Install freeradius
|
||||||
apt:
|
apt:
|
||||||
name: freeradius
|
name:
|
||||||
|
- eapoltest
|
||||||
|
- freeradius
|
||||||
|
- freeradius-ldap
|
||||||
|
- freeradius-rest
|
||||||
|
- freeradius-utils
|
||||||
install_recommends: false
|
install_recommends: false
|
||||||
|
|
||||||
- name: Remove unused files
|
- name: Remove unused files
|
||||||
|
@ -58,6 +63,7 @@
|
||||||
- mods-available/eap
|
- mods-available/eap
|
||||||
- mods-available/ldap
|
- mods-available/ldap
|
||||||
- mods-available/linelog
|
- mods-available/linelog
|
||||||
|
- mods-available/rest
|
||||||
- mods-available/eap_inner
|
- mods-available/eap_inner
|
||||||
- mods-config/attr_filter/access_challenge
|
- mods-config/attr_filter/access_challenge
|
||||||
- mods-config/attr_filter/access_reject
|
- mods-config/attr_filter/access_reject
|
||||||
|
|
|
@ -1,38 +1,54 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
linelog log_auth_inner {
|
linelog_prefix = {{ '[%{Virtual-Server}] (session #%I)' | enquote }}
|
||||||
|
|
||||||
|
linelog_inner_prefix = {{ '${.linelog_prefix} from %{%{outer.Calling-Station-Id}:-unknown}:' | enquote }}
|
||||||
|
|
||||||
|
linelog linelog_inner_authz_user {
|
||||||
filename = syslog
|
filename = syslog
|
||||||
syslog_facility = authpriv
|
syslog_facility = authpriv
|
||||||
|
|
||||||
format = ""
|
format = {{ '${..linelog_inner_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||||
|
|
||||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
|
||||||
|
|
||||||
messages {
|
|
||||||
default = "Unknown packet type %{Packet-Type}"
|
|
||||||
|
|
||||||
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
|
|
||||||
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
|
||||||
}
|
|
||||||
|
|
||||||
prefix = "[%{Virtual-Server}] (session #%n)"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
linelog log_auth_outer {
|
linelog linelog_inner_postauth {
|
||||||
filename = syslog
|
filename = syslog
|
||||||
syslog_facility = authpriv
|
syslog_facility = authpriv
|
||||||
|
|
||||||
format = ""
|
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
|
||||||
|
|
||||||
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
|
|
||||||
|
|
||||||
messages {
|
messages {
|
||||||
default = "Unknown packet type %{Packet-Type}"
|
Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||||
|
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
|
||||||
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}"
|
default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
|
||||||
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
|
||||||
|
|
||||||
|
linelog linelog_outer_authz_user {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = authpriv
|
||||||
|
|
||||||
|
format = {{ '${..linelog_outer_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_outer_unknown_domain {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = authpriv
|
||||||
|
|
||||||
|
format = {{ '${..linelog_outer_prefix} unknown domain "%{jsonquote:%{Stripped-User-Domain}}"' | enquote }}
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_outer_postauth {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = authpriv
|
||||||
|
|
||||||
|
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
|
||||||
|
|
||||||
|
messages {
|
||||||
|
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
|
||||||
|
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
|
||||||
|
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
5
roles/freeradius/templates/mods-available/rest.j2
Normal file
5
roles/freeradius/templates/mods-available/rest.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# Required for jsonquote
|
||||||
|
rest {
|
||||||
|
}
|
|
@ -28,7 +28,7 @@ correct_escapes = true
|
||||||
log {
|
log {
|
||||||
destination = syslog
|
destination = syslog
|
||||||
syslog_facility = daemon
|
syslog_facility = daemon
|
||||||
auth = yes
|
auth = no
|
||||||
}
|
}
|
||||||
|
|
||||||
security {
|
security {
|
||||||
|
|
|
@ -3,13 +3,14 @@
|
||||||
server inner-aurore {
|
server inner-aurore {
|
||||||
|
|
||||||
authorize {
|
authorize {
|
||||||
# Look for realm using the 'suffix' format (user@realm)
|
linelog_inner_authz_user
|
||||||
suffix
|
filter_username
|
||||||
|
filter_inner_identity
|
||||||
|
split_username_nai
|
||||||
# Don't proxy requests from inner tunnel
|
# Don't proxy requests from inner tunnel
|
||||||
update control {
|
update control {
|
||||||
&Proxy-To-Realm := LOCAL
|
&Proxy-To-Realm := LOCAL
|
||||||
}
|
}
|
||||||
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
|
|
||||||
# Must be before 'ldap', so that we don't query the LDAP server
|
# Must be before 'ldap', so that we don't query the LDAP server
|
||||||
# for "internal" packets (cf. documentation for
|
# for "internal" packets (cf. documentation for
|
||||||
# sites-available/inner-tunnel)
|
# sites-available/inner-tunnel)
|
||||||
|
@ -37,10 +38,10 @@ server inner-aurore {
|
||||||
}
|
}
|
||||||
|
|
||||||
post-auth {
|
post-auth {
|
||||||
Post-Auth-Type REJECT {
|
linelog_inner_postauth
|
||||||
log_auth_inner
|
Post-Auth-Type reject {
|
||||||
|
linelog_inner_postauth
|
||||||
}
|
}
|
||||||
log_auth_inner
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,8 +25,13 @@ server outer-aurore {
|
||||||
}
|
}
|
||||||
|
|
||||||
authorize {
|
authorize {
|
||||||
filter_username # TODO
|
linelog_outer_authz_user
|
||||||
suffix
|
filter_username
|
||||||
|
split_username_nai
|
||||||
|
if (&Stripped-User-Domain != "auro.re") {
|
||||||
|
linelog_outer_unknown_domain
|
||||||
|
reject
|
||||||
|
}
|
||||||
eap
|
eap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -55,16 +60,17 @@ server outer-aurore {
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
eap
|
eap
|
||||||
remove_reply_message_if_eap
|
remove_reply_message_if_eap
|
||||||
log_auth_outer
|
linelog_outer_postauth
|
||||||
}
|
}
|
||||||
remove_reply_message_if_eap
|
remove_reply_message_if_eap
|
||||||
log_auth_outer
|
linelog_outer_postauth
|
||||||
}
|
}
|
||||||
|
|
||||||
pre-proxy {
|
pre-proxy {
|
||||||
}
|
}
|
||||||
|
|
||||||
post-proxy {
|
post-proxy {
|
||||||
|
split_username_nai
|
||||||
eap
|
eap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue