freeradius: improve logging robustness

This commit is contained in:
jeltz 2023-06-25 19:25:50 +02:00
parent a5b527ec0e
commit f8b932014f
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 73 additions and 38 deletions


@ -13,6 +13,7 @@ radiusd__enabled_modules_minimal:
- logintime # TODO - logintime # TODO
- realm # TODO - realm # TODO
- unpack # TODO - unpack # TODO
- rest
- eap_inner - eap_inner
- ldap - ldap
- pap - pap


@ -1,7 +1,12 @@
--- ---
- name: Install freeradius - name: Install freeradius
apt: apt:
name: freeradius name:
- eapoltest
- freeradius
- freeradius-ldap
- freeradius-rest
- freeradius-utils
install_recommends: false install_recommends: false
- name: Remove unused files - name: Remove unused files
@ -58,6 +63,7 @@
- mods-available/eap - mods-available/eap
- mods-available/ldap - mods-available/ldap
- mods-available/linelog - mods-available/linelog
- mods-available/rest
- mods-available/eap_inner - mods-available/eap_inner
- mods-config/attr_filter/access_challenge - mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject - mods-config/attr_filter/access_reject
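Review bot: `eapoltest` in the new `name` list of the `apt` task is the EAP test client shipped with wpa_supplicant, not something the RADIUS daemon needs at runtime, so it presumably ends up on the production server only for manual testing and widens the tooling available to anyone who gets a shell there. Consider gating it behind a role variable, e.g. `{{ ['eapoltest'] if radiusd__install_test_tools | default(false) else [] }}`, or installing it from a separate test play. `freeradius-utils` (radclient/radtest) is a more usual operational dependency but deserves the same conscious decision, ideally with a one-line comment in the task explaining why each non-server package is present.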


@ -1,38 +1,54 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
linelog log_auth_inner { linelog_prefix = {{ '[%{Virtual-Server}] (session #%I)' | enquote }}
linelog_inner_prefix = {{ '${.linelog_prefix} from %{%{outer.Calling-Station-Id}:-unknown}:' | enquote }}
linelog linelog_inner_authz_user {
filename = syslog filename = syslog
syslog_facility = authpriv syslog_facility = authpriv
format = "" format = {{ '${..linelog_inner_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "${..prefix} ACCEPT %{Stripped-User-Name}"
Access-Reject = "${..prefix} REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
}
prefix = "[%{Virtual-Server}] (session #%n)"
} }
linelog log_auth_outer { linelog linelog_inner_postauth {
filename = syslog filename = syslog
syslog_facility = authpriv syslog_facility = authpriv
format = "" reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
reference = "{{ 'messages.%{%{reply:Packet-Type}:-default}' }}"
messages { messages {
default = "Unknown packet type %{Packet-Type}" Access-Accept = {{ '${...linelog_inner_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Reject = {{ '${...linelog_inner_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
Access-Accept = "${..prefix}: ACCEPT %{Stripped-User-Name}" default = {{ '${...linelog_inner_prefix} unknown packet type %{Packet-Type}' | enquote }}
Access-Reject = "${..prefix}: REJECT %{Stripped-User-Name} (%{Module-Failure-Message})"
} }
prefix = "{{ '[%{Virtual-Server}] (session #%n) from %{Calling-Station-Id} via %{NAS-IP-Address}:%{%{NAS-Port}:-0}' }}"
} }
linelog_outer_prefix = {{ '${.linelog_prefix} from %{%{Calling-Station-Id}:-unknown} via %{NAS-IP-Address} (%{Client-Shortname}):' | enquote }}
linelog linelog_outer_authz_user {
filename = syslog
syslog_facility = authpriv
format = {{ '${..linelog_outer_prefix} received request for "%{jsonquote:%{User-Name}}"' | enquote }}
}
linelog linelog_outer_unknown_domain {
filename = syslog
syslog_facility = authpriv
format = {{ '${..linelog_outer_prefix} unknown domain "%{jsonquote:%{Stripped-User-Domain}}"' | enquote }}
}
linelog linelog_outer_postauth {
filename = syslog
syslog_facility = authpriv
reference = {{ 'messages.%{%{reply:Packet-Type}:-default}' | enquote }}
messages {
Access-Accept = {{ '${...linelog_outer_prefix} accepted "%{jsonquote:%{User-Name}}"' | enquote }}
Access-Reject = {{ '${...linelog_outer_prefix} rejected "%{jsonquote:%{User-Name}}" (%{%{Module-Failure-Message}:-unknown})' | enquote }}
default = {{ '${...linelog_outer_prefix} unknown packet type %{Packet-Type}' | enquote }}
}
}
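Review bot: Only `User-Name` and `Stripped-User-Domain` go through `jsonquote`, while `%{Module-Failure-Message}` in both Access-Reject messages and `%{Calling-Station-Id}` in both prefix variables are interpolated raw; Calling-Station-Id is supplied by the NAS from supplicant-reported data and module failure messages may echo the submitted identity, so a newline or control sequence in either can split or forge a syslog line. Wrap them the same way, e.g. `(%{jsonquote:%{%{Module-Failure-Message}:-unknown}})` and `from %{jsonquote:%{%{Calling-Station-Id}:-unknown}}` (and the `outer.` variant in the inner prefix). A short comment at the top of the template, `# Every packet-derived value must be passed through jsonquote before it reaches syslog`, would keep future additions consistent.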


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
# Required for jsonquote
rest {
}


@ -28,7 +28,7 @@ correct_escapes = true
log { log {
destination = syslog destination = syslog
syslog_facility = daemon syslog_facility = daemon
auth = yes auth = no
} }
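Review bot: `auth = no` disables the core's authentication logging for every virtual server on this host, not only the two `aurore` servers that now call the `linelog_*` modules; if any other virtual server (a stock `default` or `inner-tunnel` site, for instance) still accepts Access-Requests, its accepts and rejects become silent. Worth confirming that no such server is enabled, and recording the intent next to the setting: `# Authentication logging is handled by the linelog_* modules in the aurore virtual servers.` The enclosing `log { }` block continues outside the hunk.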
security { security {


@ -3,16 +3,17 @@
server inner-aurore { server inner-aurore {
authorize { authorize {
# Look for realm using the 'suffix' format (user@realm) linelog_inner_authz_user
suffix filter_username
filter_inner_identity
split_username_nai
# Don't proxy requests from inner tunnel # Don't proxy requests from inner tunnel
update control { update control {
&Proxy-To-Realm := LOCAL &Proxy-To-Realm := LOCAL
} }
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
# Must be before 'ldap', so that we don't query the LDAP server # Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for # for "internal" packets (cf. documentation for
# sites-available/inner-tunnel) # sites-available/inner-tunnel)
inner-eap { inner-eap {
ok = return ok = return
} }
@ -30,17 +31,17 @@ server inner-aurore {
inner-eap inner-eap
# Authenticate using 'Auth-Type = LDAP' # Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for # This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used # sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3 # by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649) # (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
ldap ldap
} }
post-auth { post-auth {
Post-Auth-Type REJECT { linelog_inner_postauth
log_auth_inner Post-Auth-Type reject {
linelog_inner_postauth
} }
log_auth_inner
} }
} }
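Review bot: The removed TODO asked to verify that the inner realm is empty or `auro.re`, but the new `authorize` section adds no such check: `filter_inner_identity` runs before `split_username_nai`, so `Stripped-User-Domain` is not yet populated if that policy relies on it, and the explicit domain comparison added to the outer server has no counterpart here. Unless the stock `filter_inner_identity` policy already ties the inner realm to the outer one in this order, an inner identity such as `user@other.example` reaches `ldap` unchallenged. Consider adding after `split_username_nai`: `if (&Stripped-User-Domain && (&Stripped-User-Domain != "auro.re")) { reject }`, with a comment mirroring the outer server's check.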


@ -25,8 +25,13 @@ server outer-aurore {
} }
authorize { authorize {
filter_username # TODO linelog_outer_authz_user
suffix filter_username
split_username_nai
if (&Stripped-User-Domain != "auro.re") {
linelog_outer_unknown_domain
reject
}
eap eap
} }
@ -55,16 +60,17 @@ server outer-aurore {
attr_filter.access_reject attr_filter.access_reject
eap eap
remove_reply_message_if_eap remove_reply_message_if_eap
log_auth_outer linelog_outer_postauth
} }
remove_reply_message_if_eap remove_reply_message_if_eap
log_auth_outer linelog_outer_postauth
} }
pre-proxy { pre-proxy {
} }
post-proxy { post-proxy {
split_username_nai
eap eap
} }
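Review bot: The new check `if (&Stripped-User-Domain != "auro.re")` does not cover an outer identity with no realm at all: `split_username_nai` then leaves `Stripped-User-Domain` unset, and as far as I recall a FreeRADIUS 3 unlang comparison against an absent attribute evaluates false, so a bare `user` outer identity would skip the reject and continue to `eap`. Make the absent case explicit: `if (!&Stripped-User-Domain || (&Stripped-User-Domain != "auro.re")) {`. A one-line comment above it, `# Only identities in the auro.re realm are accepted on the outer tunnel`, would also document the intent for the next reader.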