diff --git a/tasks/freeradius.yml b/tasks/freeradius.yml
index 0b80b5f9..ce9755c0 100644
--- a/tasks/freeradius.yml
+++ b/tasks/freeradius.yml
@@ -142,7 +142,6 @@
 state: absent
 with_items:
 - "{{ freeradius_sites_enabled_dir }}/default"
- - "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
 - name: Site configuration
 template:
@@ -152,3 +151,12 @@
 owner: freerad
 group: freerad
 notify: restart freeradius
+
+- name: Inner tunnel
+ template:
+ src: freeradius/openwisp_site.j2
+ dest: "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
+ mode: 0640
+ owner: freerad
+ group: freerad
+ notify: restart freeradius
diff --git a/templates/freeradius/inner-tunnel.j2 b/templates/freeradius/inner-tunnel.j2
new file mode 100644
index 00000000..686ca489
--- /dev/null
+++ b/templates/freeradius/inner-tunnel.j2
@@ -0,0 +1,81 @@
+server inner-tunnel {
+ listen {
+ ipaddr = 127.0.0.1
+ port = 18120
+ type = auth
+ }
+
+ authorize {
+ filter_username
+ rest
+
+ chap
+ mschap
+ suffix
+
+ update control {
+ &Proxy-To-Realm := LOCAL
+ }
+
+ eap {
+ ok = return
+ }
+
+ -ldap
+
+ pap
+
+ dailycounter
+ dailybandwidthcounter
+ noresetcounter
+ expiration
+ logintime
+ }
+
+ authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ Auth-Type CHAP {
+ chap
+ }
+
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ eap
+ }
+
+ session {}
+
+ post-auth {
+ if (0) {
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Encryption-Policy !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
+ update {
+ &outer.session-state: += &reply:
+ }
+ }
+
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+ }
+
+ pre-proxy {}
+ post-proxy {
+ eap
+ }
+}
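Review bot: The new `Inner tunnel` task in tasks/freeradius.yml renders `freeradius/openwisp_site.j2` into the `inner-tunnel` destination, not the `templates/freeradius/inner-tunnel.j2` file that this same commit adds. As written the new template is never deployed, and the inner-tunnel path presumably receives a second copy of the outer site definition instead of the loopback-only `server inner-tunnel` block. If that is not intended, the line should read `src: freeradius/inner-tunnel.j2`. Separately, `mode: 0640` is unquoted; `mode: "0640"` avoids depending on how the YAML parser treats a leading-zero integer. The context lines above the new task belong to a task that starts outside the hunk.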
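Review bot: In the `post-auth` section of templates/freeradius/inner-tunnel.j2 the `if (0) { … }` block can never run, and nothing in the file says whether that is a deliberate off switch or leftover code. If it is deliberate, a comment above it would keep the next editor from enabling only half of it, for example `# Disabled on purpose: change to "if (1)" to copy inner reply attributes to &outer.session-state:; keep the "update reply" filter so MS-MPPE keys and EAP-Message are not copied out of the tunnel.` The file is also a `.j2` template with no variables, so `ipaddr = 127.0.0.1` and `port = 18120` are fixed. A one-line header comment stating that this virtual server must stay bound to loopback would record that constraint for anyone who later parameterises the listener.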