freeradius: nas-auth-server généralise wifi et fil

Python/etc/cron.d/check_cert

@@ -34,7 +34,7 @@ if has('asterisk'):
     check_cert('localhost', 5061)
 
 # file specific
-if has('eap'):
+if has('nas-auth-server'):
     check_cert(filename='/etc/freeradius/certs/wifi.crt', user='freerad')
 
 if has('vpn'):

Python/etc/freeradius/clients.conf

@@ -1,55 +0,0 @@
-# -*- mode: python; coding: utf-8 -*-
-
-include("secrets")
-
-info["owner"] = "root"
-info["group"] = "adm"
-info["perms"] = 0640
-
-def netmask(**kw):
-    kw['ipaddr'] = 'ipaddr'
-    if ':' in kw['net']:
-        kw['ipaddr'] = 'ipv6addr'
-    print """
-# %(comment)s
-client netmask {
-   \x20%(ipaddr)s = %(net)s
-    netmask = %(slash)d
-    secret = %(secret)s
-    shortname = %(shortname)s
-    nastype = other
-}
-""" % kw
-
-# TODO: dehardcoder les IPs
-netmask(
-    net='10.231.136.0',
-    slash=24,
-    comment='Les switchs',
-    secret=secrets.radius_key,
-    shortname='switchs')
-netmask(
-    net='138.231.148.0',
-    slash=25,
-    comment='Les bornes, en ipv4',
-    secret=secrets.radius_eap_key,
-    shortname='wifi')
-netmask(
-    net='fda8:5d34:a228:c04::',
-    slash=64,
-    comment='Les bornes, en ipv6',
-    secret=secrets.radius_eap_key,
-    shortname='wifi')
-netmask(
-    net='2a01:240:fe3d:c04::',
-    slash=64,
-    comment='Les bornes, en ipv6 (kludge)',
-    secret=secrets.radius_eap_key,
-    shortname='wifi')
-netmask(
-    net='0::',
-    slash=0,
-    comment='Les bornes, en ipv6 (kludge bis)',
-    secret=secrets.radius_eap_key,
-    shortname='wifi')
-

Python/etc/freeradius/modules/ldap

@@ -1,176 +0,0 @@
-# -*- coding: utf-8 -*-
-
-include("secrets")
-include("ldap")
-
-print """
-# -*- text -*-
-# ceci est le fichier /etc/freeradius/modules/ldap
-#
-#  $Id: ldap,v 1.1 2008/05/30 09:18:45 aland Exp $
-
-# Lightweight Directory Access Protocol (LDAP)
-#
-#  This module definition allows you to use LDAP for
-#  authorization and authentication.
-#
-#  See raddb/sites-available/default for reference to the
-#  ldap module in the authorize and authenticate sections.
-#
-#  However, LDAP can be used for authentication ONLY when the
-#  Access-Request packet contains a clear-text User-Password
-#  attribute.  LDAP authentication will NOT work for any other
-#  authentication method.
-#
-#  This means that LDAP servers don't understand EAP.  If you
-#  force "Auth-Type = LDAP", and then send the server a
-#  request containing EAP authentication, then authentication
-#  WILL NOT WORK.
-#
-#  The solution is to use the default configuration, which does
-#  work.
-#
-#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
-#  really can't emphasize this enough.
-#
-ldap {
-	#
-	#  Note that this needs to match the name in the LDAP
-	#  server certificate, if you're using ldaps.
-	server = "%(server)s"
-	identity = "cn=readonly,dc=crans,dc=org"
-	password = %(password)s
-	basedn = "ou=data,dc=crans,dc=org"
-	# Note: pour pouvoir filter par macAddress=MAC fournie, il faut remplacer les - par des :
-	# (la casse n'est pas importante pour ldap)
-	# Si toutefois, la variable est vide, on laisse passer (a priori, lorsque ttls, la connexion
-	# interne n'est pas issue de la borne mais du tunnel, donc cela ne passe pas, par défaut, 
-	# donc tout est accepté, cependant, avec copy_request_to_tunnel = yes dans eap.conf, on s'en sort)
-	# Ceci est fait dans le fichier hints par le matching d'une expression régulière, extrait:
-	#DEFAULT  Calling-Station-Id =~ "^(..)-(..)-(..)-(..)-(..)-(..)$"
-	#Calling-Station-Id := `%%{1}:%%{2}:%%{3}:%%{4}:%%{5}:%%{6}`
-	# On auth fdésormais par login=mac OU hostname (sans le .wifi.crans.org)
-	filter = "macAddress=%%{Calling-Station-Id:-*}"
-	base_filter = "(objectclass=machineWifi)"
-
-	#  How many connections to keep open to the LDAP server.
-	#  This saves time over opening a new LDAP socket for
-	#  every authentication request.
-	ldap_connections_number = 5
-
-	# seconds to wait for LDAP query to finish. default: 20
-	timeout = 4
-
-	#  seconds LDAP server has to process the query (server-side
-	#  time limit). default: 20
-	#
-	#  LDAP_OPT_TIMELIMIT is set to this value.
-	timelimit = 3
-
-	#
-	#  seconds to wait for response of the server. (network
-	#   failures) default: 10
-	#
-	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
-	net_timeout = 1
-
-	#
-	#  This subsection configures the tls related items
-	#  that control how FreeRADIUS connects to an LDAP
-	#  server.  It contains all of the "tls_*" configuration
-	#  entries used in older versions of FreeRADIUS.  Those
-	#  configuration entries can still be used, but we recommend
-	#  using these.
-	#
-	tls {
-		# Set this to 'yes' to use TLS encrypted connections
-		# to the LDAP database by using the StartTLS extended
-		# operation.
-		#
-		# The StartTLS operation is supposed to be
-		# used with normal ldap connections instead of
-		# using ldaps (port 689) connections
-		start_tls = no
-
-		# cacertfile	= /path/to/cacert.pem
-		# cacertdir		= /path/to/ca/dir/
-		# certfile		= /path/to/radius.crt
-		# keyfile		= /path/to/radius.key
-		# randfile		= /path/to/rnd
-
-		#  Certificate Verification requirements.  Can be:
-		#    "never" (don't even bother trying)
-		#    "allow" (try, but don't fail if the cerificate
-		#		can't be verified)
-		#    "demand" (fail if the certificate doesn't verify.)
-		#
-		#	The default is "allow"
-		# require_cert	= "demand"
-	}
-
-	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
-	# profile_attribute = "radiusProfileDn"
-	# access_attr = "dialupAccess"
-
-	# Mapping of RADIUS dictionary attributes to LDAP
-	# directory attributes.
-	dictionary_mapping = ${confdir}/ldap.attrmap
-
-	#  Set password_attribute = nspmPassword to get the
-	#  user's password from a Novell eDirectory
-	#  backend. This will work ONLY IF FreeRADIUS has been
-	#  built with the --with-edir configure option.
-	#
-	#  See also the following links:
-	#
-	#  http://www.novell.com/coolsolutions/appnote/16745.html
-	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
-	#
-	#  Novell may require TLS encrypted sessions before returning
-	#  the user's password.
-	#
-	# password_attribute = userPassword
-
-	#  Un-comment the following to disable Novell
-	#  eDirectory account policy check and intruder
-	#  detection. This will work *only if* FreeRADIUS is
-	#  configured to build with --with-edir option.
-	#
-	edir_account_policy_check = no
-
-	#
-	#  Group membership checking.  Disabled by default.
-	#
-	# groupname_attribute = cn
-	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%%{Ldap-UserDn})))"
-	# groupmembership_attribute = radiusGroupName
-
-	# compare_check_items = yes
-	do_xlat = yes
-	# access_attr_used_for_allow = yes
-
-	#
-	#  By default, if the packet contains a User-Password,
-	#  and no other module is configured to handle the
-	#  authentication, the LDAP module sets itself to do
-	#  LDAP bind for authentication.
-	#
-	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
-	#
-	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
-	#
-	#  You can disable this behavior by setting the following
-	#  configuration entry to "no".
-	#
-	#  allowed values: {no, yes}
-	# set_auth_type = yes
-
-	#  ldap_debug: debug flag for LDAP SDK
-	#  (see OpenLDAP documentation).  Set this to enable
-	#  huge amounts of LDAP debugging on the screen.
-	#  You should only use this if you are an LDAP expert.
-	#
-	#	default: 0x0000 (no debugging messages)
-	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
-	#ldap_debug = 0x0028 
-}""" % {'password': secrets.ldap_readonly_password, 'server': ldap_host}