Skip to content

Commit

Permalink
add missing radsec features
Browse files Browse the repository at this point in the history
Signed-off-by: John Crispin <john@phrozen.org>
  • Loading branch information
blogic committed May 26, 2022
1 parent cf89dd4 commit 3ff0a8d
Show file tree
Hide file tree
Showing 4 changed files with 719 additions and 195 deletions.
47 changes: 42 additions & 5 deletions renderer/templates/services/radius_proxy.uc
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,13 @@ set radsecproxy.@client[-1].secret='secret'
certs.ca = files.add_anonymous(location, 'ca' + idx, b64dec(realm.ca_certificate));
certs.cert = files.add_anonymous(location, 'cert' + idx, b64dec(realm.certificate));
certs.key = files.add_anonymous(location, 'key' + idx, b64dec(realm.private_key));
} else {
} else if (realm.protocol == "radsec") {
warn("invalid certificate settings");
continue;
}
%}

{% if (realm.protocol == "radsec"): %}
set radsecproxy.tls{{ idx }}=tls
set radsecproxy.@tls[-1].name='tls{{ idx }}'
set radsecproxy.@tls[-1].CACertificateFile={{ s(certs.ca) }}
Expand All @@ -38,21 +39,57 @@ set radsecproxy.@tls[-1].certificateKeyPassword=''

set radsecproxy.server{{ idx }}=server
set radsecproxy.@server[-1].name='server{{ idx }}'
{% if (realm.auto_discover): %}
{% if (realm.auto_discover): %}
set radsecproxy.@server[-1].dynamicLookupCommand='/usr/libexec/naptr_lookup.sh'
{% else %}
{% else %}
set radsecproxy.@server[-1].host={{ s(realm.host) }}
set radsecproxy.@server[-1].port={{ s(realm.port) }}
set radsecproxy.@server[-1].secret={{ s(realm.secret) }}
{% endif %}
{% endif %}
set radsecproxy.@server[-1].type='tls'
set radsecproxy.@server[-1].tls='tls{{ idx }}'
set radsecproxy.@server[-1].statusServer='0'
set radsecproxy.@server[-1].certificateNameCheck='0'

{% for (name in realm.realm): %}
add radsecproxy realm
set radsecproxy.@realm[-1].name='{{ realm.realm }}'
set radsecproxy.@realm[-1].name='{{ name }}'
set radsecproxy.@realm[-1].server='server{{ idx }}'
set radsecproxy.@realm[-1].accountingServer='server{{ idx }}'
{% endfor %}

{% else if (realm.protocol == "radius"): %}

set radsecproxy.server{{ idx + "auth" }}=server
set radsecproxy.@server[-1].name='server{{ idx }}auth'
set radsecproxy.@server[-1].host={{ s(realm.auth_server) }}
set radsecproxy.@server[-1].port={{ s(realm.auth_port) }}
set radsecproxy.@server[-1].secret={{ s(realm.auth_secret) }}
set radsecproxy.@server[-1].type='udp'

{% if (realm.acct_server): %}
set radsecproxy.server{{ idx + "acct" }}=server
set radsecproxy.@server[-1].name='server{{ idx }}acct'
set radsecproxy.@server[-1].host={{ s(realm.acct_server) }}
set radsecproxy.@server[-1].port={{ s(realm.acct_port) }}
set radsecproxy.@server[-1].secret={{ s(realm.acct_secret) }}
set radsecproxy.@server[-1].type='udp'
{% endif %}

{% for (name in realm.realm): %}
add radsecproxy realm
set radsecproxy.@realm[-1].name='{{ name }}'
set radsecproxy.@realm[-1].server='server{{ idx }}auth'
{% if (realm.acct_server): %}
set radsecproxy.@realm[-1].accountingServer='server{{ idx }}'
{% endif %}
{% endfor %}

{% else %}
{% for (name in realm.realm): %}
add radsecproxy realm
set radsecproxy.@realm[-1].name='{{ name }}'
set radsecproxy.@realm[-1].replyMessage=s(realm.message)
{% endfor %}
{% endif %}
{% endfor %}
191 changes: 140 additions & 51 deletions schema/service.radius-proxy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,54 +7,143 @@ properties:
The various realms that we can proxy to.
type: array
items:
type: object
properties:
realm:
description:
The realm that that this server shall be used for.
type: string
default: '*'
auto-discover:
description:
Auto discover radsec server address via realm DNS NAPTR record.
type: boolean
default: false
host:
description:
The remote proxy server that the device shall connect to.
type: string
format: uc-host
examples:
- 192.168.1.10
port:
description:
The remote proxy port that the device shall connect to.
type: integer
maximum: 65535
default: 2083
secret:
description:
The radius secret that will be used for the connection.
type: string
use-local-certificates:
description:
The device will use its local certificate bundle for the TLS setup and
ignores all other certificate options in this section.
type: boolean
default: false
ca-certificate:
description:
The local servers CA bundle.
type: string
certificate:
description:
The local servers certificate.
type: string
private-key:
description:
The local servers private key/
type: string
private-key-password:
description:
The password required to read the private key.
type: string
anyOf:
- type: object
properties:
protocol:
description:
Defines whether the real should use radsec or normal radius.
type: string
enum:
- radsec
default: radsec
realm:
description:
The realm that that this server shall be used for.
type: array
items:
type: string
default: '*'
auto-discover:
description:
Auto discover radsec server address via realm DNS NAPTR record.
type: boolean
default: false
host:
description:
The remote proxy server that the device shall connect to.
type: string
format: uc-host
examples:
- 192.168.1.10
port:
description:
The remote proxy port that the device shall connect to.
type: integer
maximum: 65535
default: 2083
secret:
description:
The radius secret that will be used for the connection.
type: string
use-local-certificates:
description:
The device will use its local certificate bundle for the TLS setup and
ignores all other certificate options in this section.
type: boolean
default: false
ca-certificate:
description:
The local servers CA bundle.
type: string
certificate:
description:
The local servers certificate.
type: string
private-key:
description:
The local servers private key/
type: string
private-key-password:
description:
The password required to read the private key.
type: string
- type: object
properties:
protocol:
description:
Defines whether the real should use radsec or normal radius.
type: string
enum:
- radius
realm:
description:
The realm that that this server shall be used for.
type: array
items:
type: string
default: '*'
auth-server:
description:
The URI of our Radius server.
type: string
format: uc-host
examples:
- 192.168.1.10
auth-port:
description:
The network port of our Radius server.
type: integer
maximum: 65535
minimum: 1024
examples:
- 1812
auth-secret:
description:
The shared Radius authentication secret.
type: string
examples:
- secret
acct-server:
description:
The URI of our Radius server.
type: string
format: uc-host
examples:
- 192.168.1.10
acct-port:
description:
The network port of our Radius server.
type: integer
maximum: 65535
minimum: 1024
examples:
- 1812
acct-secret:
description:
The shared Radius authentication secret.
type: string
examples:
- secret
- type: object
properties:
protocol:
description:
Defines whether the real should use radsec or normal radius.
type: string
enum:
- block
realm:
description:
The realm that that this server shall be used for.
type: array
items:
type: string
default: '*'
message:
description:
The message that is sent when a realm is blocked.
type: string
items:
type: string
default: 'blocked'
Loading

0 comments on commit 3ff0a8d

Please sign in to comment.