{{ ansible_managed | comment }}
# Inner (tunnelled) virtual server: handles the encrypted second half of an
# EAP exchange. It follows the layout of the stock sites-available/inner-tunnel
# but authenticates by an LDAP bind instead of a local password check (see the
# authenticate section). Every module instance and policy named below is
# defined outside this file (mods-available, policy.d); only their call
# order is visible here.
server inner-aurore {
authorize {
linelog_inner_authz_user
# Stock policies (policy.d): reject malformed User-Names and an inner
# identity that is inconsistent with the one the outer tunnel announced.
# They are the first defence against identity spoofing inside the tunnel;
# their exact checks live in policy.d, not here.
filter_username
filter_inner_identity
# Presumably splits user@realm into Stripped-User-Name / Stripped-User-Domain
# (stock policy) - confirm, since the ldap lookup below may key on it.
split_username_nai
# Don't proxy requests from inner tunnel: everything that arrives here is
# authenticated locally, whatever realm the inner identity carries.
update control {
Proxy-To-Realm := LOCAL
}
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel). 'ok' from eap_inner means this round is
# EAP bookkeeping rather than a credential: the rest of authorize (LDAP
# lookup, Auth-Type selection) is skipped for such packets.
eap_inner {
ok = return
}
ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
# A successful LDAP lookup plus a cleartext inner password (i.e. a PAP-style
# inner method) selects the LDAP bind as the authentication method.
# NOTE(review): no 'mschap' is listed in this section, so an MSCHAPv2
# inner method would obtain no Auth-Type here - confirm that is intended.
if ((ok || updated) && &User-Password) {
update control {
Auth-Type := ldap
}
}
# Whenever a User-Password exists, Auth-Type has already been set above,
# and rlm_pap should not override an existing Auth-Type - so pap is
# effectively a no-op here; kept for parity with the stock inner-tunnel.
pap
}
authenticate {
eap_inner
# Authenticate using 'Auth-Type = LDAP', i.e. bind to the directory as the
# user with the cleartext password supplied inside the tunnel.
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
# SECURITY: the bind sends the user's cleartext password to the directory
# on every authentication; the ldap instance must use ldaps:// or
# start_tls (configured in mods-available/ldap, not here - verify).
ldap
}
post-auth {
# VLAN assignment is handed to the outer tunnel through session-state;
# the outer virtual server is expected to copy these attributes into its
# reply (not shown in this file).
update outer.session-state {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
# A Tunnel-Private-Group-ID in the reply presumably comes from the ldap
# instance's attribute mapping - verify in mods-available/ldap.
if (&reply:Tunnel-Private-Group-ID) {
update outer.session-state {
Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
}
} else {
# Fail-to-guest: an authenticated user with no directory-assigned VLAN is
# placed on the guest VLAN rather than rejected. Make sure that VLAN is
# genuinely restricted. Also note the Jinja 'int' filter yields 0 for an
# unusable value, which would emit VLAN 0 - ensure the variable is always
# defined and numeric at render time.
update outer.session-state {
Tunnel-Private-Group-ID := {{ radiusd__guest_vlan | int }}
}
}
linelog_inner_postauth
# Rejects take this section instead of the body above, so no Tunnel-*
# attributes reach outer.session-state and a failed inner authentication
# cannot inherit the guest VLAN from it.
Post-Auth-Type reject {
# Surface the failing module's message to the outer server (presumably for
# its reject logging); it is not sent to the supplicant from here.
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
linelog_inner_postauth
}
}
}