wip: auth dynamique des clients (nas) radius

Daniel STAN 2015-02-25 23:21:29 +01:00
parent 4f73302b13
commit 27c3d1d842
2 changed files with 63 additions and 0 deletions


@ -114,8 +114,10 @@ def get_machines(data, conn, is_wifi=True, proprio=None):
username = username[:-len(suffix)] username = username[:-len(suffix)]
if mac is None: if mac is None:
logger.error('Cannot read mac from AP')
radiusd.radlog(radiusd.L_ERR, 'Cannot read client MAC from AP !') radiusd.radlog(radiusd.L_ERR, 'Cannot read client MAC from AP !')
if username is None: if username is None:
logger.error('Cannot read username')
radiusd.radlog(radiusd.L_ERR, 'Cannot read client User-Name !') radiusd.radlog(radiusd.L_ERR, 'Cannot read client User-Name !')
# Liste de recherches ldap à essayer, dans l'ordre # Liste de recherches ldap à essayer, dans l'ordre
@ -139,6 +141,9 @@ def get_machines(data, conn, is_wifi=True, proprio=None):
res = conn.search(u'(&%s(macAddress=<automatique>)(host=%s%s))' % res = conn.search(u'(&%s(macAddress=<automatique>)(host=%s%s))' %
(base, username, suffix), **opt) (base, username, suffix), **opt)
if TEST_SERVER:
res += conn.search(u'(&%s(host=%s%s))' %
(base, username, suffix), **opt)
return res return res
def get_prise_chbre(data): def get_prise_chbre(data):
@ -252,10 +257,12 @@ def authorize_wifi(data):
items = get_machines(data) items = get_machines(data)
if not items: if not items:
logger.error('Nobody found')
radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Nobody found') radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Nobody found')
return radiusd.RLM_MODULE_NOTFOUND return radiusd.RLM_MODULE_NOTFOUND
if len(items) > 1: if len(items) > 1:
logger.error('Too many results')
radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Too many results (took first)') radiusd.radlog(radiusd.L_ERR, 'lc_ldap: Too many results (took first)')
machine = items[0] machine = items[0]
@ -302,6 +309,27 @@ def authorize_fil(data):
) )
@radius_event @radius_event
def authorize_nas(data):
"""Remplis le mdp d'une borne"""
password = "passoirtototo"
logger.debug('nas_auth with %r' % data)
ip = data.get('NAS-Identifier', '')
ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6' if ':' in ip else ''), ip)
return (radiusd.RLM_MODULE_OK,
(),
(
ip_stm,
("FreeRADIUS-Client-Require-MA", "no"),
("FreeRADIUS-Client-Secret", password),
("FreeRADIUS-Client-Shortname", "wifi"),
("FreeRADIUS-Client-NAS-Type", "other"),
# On teste avec une équipe qui marche
("FreeRADIUS-Client-Virtual-Server", "inner-tunnel"),
),
)
@radius_event
def post_auth_wifi(data): def post_auth_wifi(data):
"""Appelé une fois que l'authentification est ok. """Appelé une fois que l'authentification est ok.
On peut rajouter quelques éléments dans la réponse radius ici. On peut rajouter quelques éléments dans la réponse radius ici.
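Review bot: `authorize_nas` hands out a single hard-coded shared secret (`password = "passoirtototo"`) to any NAS the server does not know, and builds the client address from `data.get('NAS-Identifier', '')`, an attribute chosen by the not-yet-authenticated peer that need not be an IP address at all; when it is absent, `ip_stm` carries an empty string and the entry is still returned with RLM_MODULE_OK. If this instance is meant to run in a dynamic-clients virtual server, the peer's source address is what FreeRADIUS itself supplies as `FreeRADIUS-Client-IP-Address` in the request, and the secret and shortname should come from a per-NAS lookup (the rest of the file already resolves machines through the LDAP connection) with RLM_MODULE_NOTFOUND when nothing matches, rather than from a constant in source. The title says wip, so at the least the placeholder deserves a visible marker, e.g. `# TODO(wip): static secret and NAS-Identifier-derived address are placeholders; replace with a per-NAS lookup before deployment`. The docstring could also state the contract, for instance `"""Dynamic-client lookup for an unknown NAS: returns the FreeRADIUS-Client-* control attributes (address, secret, shortname, NAS type, virtual server)."""`.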


@ -0,0 +1,35 @@
# Configuration for the Python module.
#
#
python crans_nas {
mod_instantiate = freeradius.auth
func_instantiate = instantiate
# Spécifique NAS : rempli le mdp
mod_authorize = freeradius.auth
func_authorize = authorize_nas
# Que faire avant de quitter
mod_detach = freeradius.auth
func_detach = detach
# Le reste est dumb et inutile
mod_post_auth = freeradius.auth
func_post_auth = dummy_fun
mod_accounting = freeradius.auth
func_accounting = dummy_fun
mod_pre_proxy = freeradius.auth
func_pre_proxy = dummy_fun
mod_post_proxy = freeradius.auth
func_post_proxy = dummy_fun
mod_recv_coa = freeradius.auth
func_recv_coa = dummy_fun
mod_send_coa = freeradius.auth
func_send_coa = dummy_fun
}
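Review bot: The header comment `# Configuration for the Python module.` is the generic template text and does not say what this instance is for; with `func_authorize = authorize_nas` and every other hook pointed at `dummy_fun`, a reader has to open the freeradius.auth module to learn that `crans_nas` is the dynamic-client (unknown NAS) lookup. I would replace the header with `# crans_nas: rlm_python instance that resolves unknown NAS (dynamic clients); only authorize does real work, the other hooks are no-ops.` and drop the "dumb et inutile" wording in favour of that statement. Wiring post_auth, accounting, pre/post_proxy and recv/send_coa to `dummy_fun` suggests those sections are never expected to run for this instance; if the deployed rlm_python tolerates unset `mod_*`/`func_*` pairs, removing them would make the intent clearer, but I have not verified that for the version in use.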