Commit def4a8e2 authored by Gabriel Detraz's avatar Gabriel Detraz Committed by root

Merge branch 'freeradius3'

parents beb7e202 a6ca634c
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python crans {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
python_path="/usr/scripts/:/usr/scripts/freeradius/3.0/:/usr/lib/python2.7/:/usr/lib/python2.7/dist-packages/:/usr/lib/python2.7/lib-dynload/"
module = auth
mod_instantiate = ${.module}
func_instantiate = instantiate
mod_detach = ${.module}
func_detach = detach
mod_authorize = ${.module}
func_authorize = authorize
mod_authenticate = ${.module}
func_authenticate = authenticate
mod_preacct = ${.module}
func_preacct = preacct
mod_accounting = ${.module}
func_accounting = accounting
mod_checksimul = ${.module}
func_checksimul = checksimul
mod_pre_proxy = ${.module}
func_pre_proxy = pre_proxy
mod_post_proxy = ${.module}
func_post_proxy = post_proxy
mod_post_auth = ${.module}
func_post_auth = post_auth
mod_recv_coa = ${.module}
func_recv_coa = recv_coa
mod_send_coa = ${.module}
func_send_coa = send_coa
}
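Review bot: python_path at line 22 lists /usr/scripts/ and /usr/scripts/freeradius/3.0/ before the interpreter's own directories, and `module = auth` is resolved by searching that path in order, so the integrity of the whole auth/acct pipeline rests on every listed directory being owned by root and not writable by the account radiusd runs as; that requirement is worth stating on the line above python_path, e.g. `# Every directory on python_path must be root-owned and not writable by the radiusd account: rlm_python imports "auth" from the first match.` The header comment says to uncomment only the func_* hooks the module implements, yet all of them, including checksimul, pre_proxy, post_proxy, recv_coa and send_coa, are wired to ${.module}; confirm the auth module defines each of these, or drop the unused mod_/func_ pairs. The path also hard-codes python2.7, the only place the interpreter version appears, so a one-line comment tying it to the rlm_python build in use would save the next upgrade some guesswork.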
../mods-available/crans
\ No newline at end of file
#
# Normalize the MAC Addresses in the Calling/Called-Station-Id
#
mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'
#
# Add "rewrite_called_station_id" in the "authorize" and
# "preacct" sections.
#
# Makes Called-Station-ID conform to what RFC3580 says should
# be provided by 802.1X authenticators.
#
rewrite_called_station_id_unix {
if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
update request {
&Called-Station-Id := "%{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
}
# SSID component?
if ("%{8}") {
update request {
&Called-Station-SSID := "%{8}"
}
}
updated
}
else {
noop
}
}
#
# Add "rewrite_calling_station_id" in the "authorize" and
# "preacct" sections.
#
# Makes Calling-Station-ID conform to what RFC3580 says should
# be provided by 802.1X authenticators.
#
rewrite_calling_station_id_unix {
if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
update request {
&Calling-Station-Id := "%{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
}
updated
}
else {
noop
}
}
#
# Rewrite NAS-Identifier attribute to match the RADIUS request
# source IP address
#
rewrite_nas_ip_address {
update request {
&NAS-IP-Address := "%{Packet-Src-IP-Address}"
}
updated
}
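Review bot: The comment above rewrite_nas_ip_address (line 98) says the policy rewrites NAS-Identifier, but the update at line 103 overwrites NAS-IP-Address; the comment should read `# Overwrite NAS-IP-Address with the request's source address so a NAS cannot claim to be another NAS`, which is the actual (and sound) anti-spoofing intent. The virtual server calling this policy also listens on `::`, and for a request that arrived over IPv6 Packet-Src-IP-Address is presumably absent, so the unconditional `:=` of an empty expansion into an ipaddr attribute looks like it would fail the update before `updated` is reached; guarding on the attribute and handling the IPv6 case from Packet-Src-IPv6-Address, as below, covers both address families. The two *_station_id policies are unaffected since they already test the attribute before matching.
```unlang
rewrite_nas_ip_address {
    if (&Packet-Src-IP-Address) {
        update request {
            &NAS-IP-Address := "%{Packet-Src-IP-Address}"
        }
    }
    elsif (&Packet-Src-IPv6-Address) {
        update request {
            &NAS-IPv6-Address := "%{Packet-Src-IPv6-Address}"
        }
    }
    updated
}
```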
-- Schéma de la table utilisée pour l'accounting RADIUS
CREATE TABLE IF NOT EXISTS accounting (
-- Adresse MAC du client
"mac" macaddr PRIMARY KEY,
-- Type de machine
"type" varchar NOT NULL,
-- Identifiant de session unique
"session_id" varchar UNIQUE NOT NULL,
-- Date de dernière mise à jour de l'entrée
"last_update" timestamp with time zone NOT NULL DEFAULT now(),
-- NAS ayant fourni le service au client
"nas" macaddr NOT NULL,
-- Port attribué au client par la NAS
"port" integer NOT NULL,
-- SSID auquel a accédé le client, le cas échéant
"ssid" varchar DEFAULT NULL,
-- BSS auquel le client a accédé, le cas échéant
"bss" macaddr,
-- VLAN sur lequel a été placé le client
"vlan" integer,
CHECK ("type" IN ('Wired', 'Wireless')),
CHECK (("type" = 'Wired' AND "ssid" IS NULL) OR ("type" = 'Wireless' AND "ssid" IS NOT NULL)),
CHECK ("vlan" IS NULL OR (0 <= "vlan" AND "vlan" <= 4094))
);
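Review bot: The `UNIQUE` on "session_id" at line 114 is stricter than the protocol: RFC 2866 only requires Acct-Session-Id to be unique per NAS, so two NASes that happen to emit the same session id would make the second insert fail on the constraint rather than on anything the accounting logic intended; a composite constraint, `CONSTRAINT accounting_nas_session_id_key UNIQUE ("nas", "session_id")`, matches the guarantee the NAS actually gives. The type/ssid CHECK at line 128 leaves "bss" unconstrained, so a Wired row may carry a BSS; if that is unintended, `CHECK ("type" = 'Wireless' OR "bss" IS NULL)` closes it. Each CHECK is anonymous and so gets an auto-generated name, which makes constraint violations in the server log hard to attribute; giving them names like `accounting_type_check` and `accounting_vlan_check` is cheap and greppable.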
##
## Gestion de l'authentification des adhérents Crans
## Gère à la fois IEEE 802.1X et MAC Auth
##
server crans {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = acct
ipaddr = *
port = 0
limit {
max_pps = 100
}
}
listen {
type = auth
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = acct
ipv6addr = ::
port = 0
limit {
max_pps = 100
}
}
authorize {
# Pré-traitement des données du paquet
utf8
filter_username
preprocess
rewrite_nas_ip_address
rewrite_called_station_id_unix
rewrite_calling_station_id_unix
suffix
# Séparation entre IEEE 802.1X et MAC Auth
if (&EAP-Message) {
# Nos équipements utilisent PEAP pour transporter les informations
# utiles de manière sécurisée
eap {
ok = return
}
}
else {
# A priori, nos équipements en MAC Auth utilisent CHAP avec
# l'adresse MAC de l'utilisateur
chap
crans
}
}
authenticate {
# Le module "crans" sert ici à vérifier que la machine n'est pas
# un machine inconnue
Auth-Type CHAP {
chap
crans
}
Auth-Type eap {
eap
crans
}
}
preacct {
# Pré-traitement des requêtes de comptabilisation
utf8
preprocess
rewrite_nas_ip_address
rewrite_called_station_id_unix
rewrite_calling_station_id_unix
suffix
}
accounting {
# Traitement des requêtes de comptabilisation
# Le but de cette section est de déterminer si une session en cours doit
# être interrompue en fonction de l'état courant et des changements qui
# ont eu lieu entre temps
crans
if (&config:Send-Disconnect-Request) {
update disconnect {
&User-Name := &User-Name
&Acct-Session-Id := &Acct-Session-Id
&NAS-Identifier := &NAS-Identifier
&Event-Timestamp := "%l"
}
}
elsif (&config:Send-CoA-Request) {
update coa {
&User-Name := &User-Name
&Acct-Session-Id := &Acct-Session-Id
&NAS-Identifier := &NAS-Identifier
&NAS-IP-Address := &NAS-IP-Address
&NAS-IPv6-Address := &NAS-IPv6-Address
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := IEEE-802
&Tunnel-Private-Group-ID := &config:Tunnel-Private-Group-ID
&Event-Timestamp := "%l"
}
}
else {
noop
}
}
post-auth {
# Une fois l'authentification effectuée, on vérifie les blacklistes
if (&Realm == "DEFAULT") {
noop
} else {
crans
}
}
post-proxy {
# Dans le cas d'une requête proxifiée, on droppe les attributs de la réponse
# qui pourraient nous poser problème et on rajoute les nôtres
attr_filter.post-proxy
switch &proxy-reply:Packet-Type {
# Dans le cas d'une réponse positive, on place l'invité sur le VLAN des invités
case Access-Accept {
update reply {
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := 802
&Tunnel-Private-Group-ID := 22
&Class := "22"
&Reply-Message := "Authentication succeded"
}
updated
}
# Sinon, on le place sur le VLAN d'accueil
case Access-Reject {
update reply {
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := 802
&Tunnel-Private-Group-ID := 7
&Class := "7"
&Reply-Message := "Authentication failed"
}
updated
}
# Réponses aux requêtes CoA proxyfiées
case CoA-ACK {
ok
}
case CoA-NAK {
fail
}
case Disconnect-ACK {
ok
}
case Disconnect-NAK {
fail
}
case {
noop
}
}
# Au cas où le serveur distant ne répond pas, on place l'invité sur le VLAN accueil
Post-Proxy-Type Fail {
update reply {
&Tunnel-Type := VLAN
&Tunnel-Medium-Type := 802
&Tunnel-Private-Group-ID := 7
&Class := "7"
&Reply-Message := "Remote authentication server is unreachable, please contact your administrator"
}
updated
}
Post-Proxy-Type Fail-CoA {
fail
}
Post-Proxy-Type Fail-Disconnect {
fail
}
}
}
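Review bot: Tunnel-Medium-Type is set to the named value IEEE-802 in the accounting CoA update (line 239) but to the bare literal `802` in the three post-proxy reply updates (lines 265, 276 and 304); for this integer attribute the 3.0 dictionary defines IEEE-802 as 6, and a literal 802 is presumably stored as the number 802 rather than resolved to that value, in which case the NAS may ignore or reject the VLAN assignment that follows it — verify in debug output and use `&Tunnel-Medium-Type := IEEE-802` in all three places. The Reply-Message at line 268 is sent to the peer and misspells the word: `&Reply-Message := "Authentication succeeded"`. The VLAN ids 22 and 7 are repeated as literals in both Tunnel-Private-Group-ID and Class; the surrounding comments say which VLAN each is, but a short note on why Class mirrors the VLAN (presumably so the accounting side can recover it) would help the next reader.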
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: 70b1d8da255a740d2d1b59808393722766dc6a60 $
#
######################################################################
server crans-inner-tunnel {
#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
#listen {
# ipaddr = 127.0.0.1
# port = 18120
# type = auth
#}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username
rewrite_calling_station_id_unix
rewrite_nas_ip_address
#
# Do checks on outer / inner User-Name, so that users
# can't spoof us by using incompatible identities
#
# filter_inner_identity
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
# chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
# unix
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous", and a different one here
# (e.g. "user@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain
#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
# update control {
# &Proxy-To-Realm := LOCAL
# }
crans
#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
inner-eap {
ok = return
}
#
# Read the 'users' file
# files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# -sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# enable the "smbpasswd" module.
# smbpasswd
#
# The ldap module reads passwords from the LDAP database.
# -ldap
#
# Enforce daily limits on time spent logged in.
# daily
# expiration
# logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
# pap
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# For old names, too.
#
mschap
#
# Pluggable Authentication Modules.
# pam
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
inner-eap
}
######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are