wip: auth dynamique des clients (nas) radius

2015-02-25 23:21:29 +01:00 · 2015-02-25 23:21:29 +01:00 · 27c3d1d842
commit 27c3d1d842
parent 4f73302b13
2 changed files with 63 additions and 0 deletions
--- a/freeradius/auth.py
+++ b/freeradius/auth.py
@ -114,8 +114,10 @@ def get_machines(data, conn, is_wifi=True, proprio=None):
            username = username[:-len(suffix)]

    if mac is None:
+        logger.error('Cannot read mac from AP')
        radiusd.radlog(radiusd.L_ERR, 'Cannot read client MAC from AP !')
    if username is None:
+        logger.error('Cannot read username')
        radiusd.radlog(radiusd.L_ERR, 'Cannot read client User-Name !')

    # Liste de recherches ldap à essayer, dans l'ordre
@ -139,6 +141,9 @@ def get_machines(data, conn, is_wifi=True, proprio=None):
        res = conn.search(u'(&%s(macAddress=<automatique>)(host=%s%s))' %
                (base, username, suffix), **opt)

+    if TEST_SERVER:
+        res += conn.search(u'(&%s(host=%s%s))' %
+                (base, username, suffix), **opt)
    return res

 def get_prise_chbre(data):
@ -252,10 +257,12 @@ def authorize_wifi(data):
    items = get_machines(data)

    if not items:
+        logger.error('Nobody found')
        radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Nobody found')
        return radiusd.RLM_MODULE_NOTFOUND

    if len(items) > 1:
+        logger.error('Too many results')
        radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Too many results (took first)')

    machine = items[0]
@ -302,6 +309,27 @@ def authorize_fil(data):
      )

@radius_event
+def authorize_nas(data):
+    """Remplis le mdp d'une borne"""
+    password = "passoirtototo"
+    logger.debug('nas_auth with %r' % data)
+
+    ip = data.get('NAS-Identifier', '')
+    ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6' if ':' in ip else ''), ip)
+
+    return (radiusd.RLM_MODULE_OK,
+	    (),
+        (
+          ip_stm,
+          ("FreeRADIUS-Client-Require-MA", "no"),
+          ("FreeRADIUS-Client-Secret", password),
+          ("FreeRADIUS-Client-Shortname", "wifi"),
+          ("FreeRADIUS-Client-NAS-Type", "other"),
+            # On teste avec une équipe qui marche
+          ("FreeRADIUS-Client-Virtual-Server", "inner-tunnel"),
+        ),
+      )
+@radius_event
 def post_auth_wifi(data):
    """Appelé une fois que l'authentification est ok.
    On peut rajouter quelques éléments dans la réponse radius ici.
--- a/freeradius/rlm_python_nas.conf
+++ b/freeradius/rlm_python_nas.conf
@ -0,0 +1,35 @@
+# Configuration for the Python module.
+#
+#
+
+python crans_nas {
+	mod_instantiate = freeradius.auth
+	func_instantiate = instantiate
+
+    # Spécifique NAS : rempli le mdp
+	mod_authorize = freeradius.auth
+	func_authorize = authorize_nas
+
+    # Que faire avant de quitter
+	mod_detach = freeradius.auth
+	func_detach = detach
+
+    # Le reste est dumb et inutile
+	mod_post_auth = freeradius.auth
+	func_post_auth = dummy_fun
+
+	mod_accounting = freeradius.auth
+	func_accounting = dummy_fun
+
+	mod_pre_proxy = freeradius.auth
+	func_pre_proxy = dummy_fun
+
+	mod_post_proxy = freeradius.auth
+	func_post_proxy = dummy_fun
+
+	mod_recv_coa = freeradius.auth
+	func_recv_coa = dummy_fun
+
+	mod_send_coa = freeradius.auth
+	func_send_coa = dummy_fun
+}