
Service mobilité pour la communauté RENATER


Configuration FreeRADIUS 3.0.X avec attribut Chargeable-User-Identity (CUI)

README v2019/05/21

À partir de l'installation classique de FreeRADIUS 3.0.X avec l'attribut Operator-Name configuré :

Activer le module CUI (commande à exécuter depuis le répertoire de configuration de FreeRADIUS, raddb)

cd mods-enabled; ln -s ../mods-available/cui

Créer un module de traces

Par défaut le CUI n'est pas tracé : il faut utiliser le module 'linelog' de FreeRADIUS pour obtenir des traces. Attention, ces traces contiennent des données personnelles (identifiant, adresse MAC du client, CUI) : limitez l'accès au fichier (linelog accepte une directive 'permissions') et appliquez une politique de rétention adaptée. Exemple avec le fichier mods-available/eduroam_cui_logging :

# Outer (eduroam virtual server) authentication log line.
# "reference" selects the entry of auth_log named after the reply Packet-Type,
# so Access-Accept and Access-Reject each get their own line; the empty
# "format" means nothing else is written.
# NOTE(review): each line carries personal data (User-Name, client MAC, CUI);
# keep the file readable by the radius user only and set a retention policy.
linelog eduroam_log {
# Alternative: send the lines to syslog instead of a file.
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "auth_log.%{%{reply:Packet-Type}:-format}"
    auth_log {
        # NOTE(review): EAP-Message is an octets attribute; its expansion is the
        # raw EAP payload, of limited use in a log line — consider dropping MSG.
        Access-Accept = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
        # On reject the Reply-Message (failure reason) is logged instead.
        Access-Reject = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
    }
}

# Inner-tunnel authentication log line (same mechanism as eduroam_log).
# The CUI is taken from the inner reply, falling back to the outer reply, then
# to the literal "Local User" when neither carries one.
# NOTE(review): this line places the real (inner) User-Name next to the client
# MAC and the CUI, i.e. it lets anyone who can read the file re-identify a
# CUI; restrict access to the file accordingly.
linelog eduroam_inner_log {
# Alternative: send the lines to syslog instead of a file.
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"
    inner_auth_log {
        Access-Accept = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
        Access-Reject = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
    }
}

Activer ce module de traces (toujours depuis le répertoire raddb)

cd mods-enabled; ln -s ../mods-available/eduroam_cui_logging

clients.conf

Ajoutez 'add_cui = yes' dans le paragraphe de définition de chacun de vos clients Wi-Fi locaux (bornes ou contrôleurs). Renseignez pour chaque client un 'secret' long, aléatoire et propre à ce client. Exemple :

# Local access point (NAS) definition.  One block per AP / controller.
client AP1.ETABLISSEMENT.TLD {
    ipaddr                        = xx.xx.xx.xx
    # NOTE(review): 3.0 documents "netmask" as deprecated in favour of
    # "ipaddr = xx.xx.xx.xx/32" — confirm on your version.
    netmask                       = 32
    # Shared secret with this AP: long, random and unique per client.  Leaving
    # it empty is not a valid configuration.
    secret                        =
    # Used by the log modules and by the client:shortname test in authorize.
    shortname                     = Borne-AP1
    nastype			  = other
    virtual_server                = eduroam
    # Requires Message-Authenticator on every Access-Request from this AP
    # (protects against forged requests with a guessed secret).
    require_message_authenticator = yes
    # Tells the cui policy (policy.d/cui) to request a CUI for this client.
    add_cui                       = yes
 }

policy.d/cui

Changez le 'cui_hash_key' : remplacez la valeur livrée par défaut par une chaîne longue et aléatoire, et gardez-la secrète (le CUI est un condensé calculé à partir de cette clé et de l'identité de l'utilisateur : une clé devinable permet de retrouver l'utilisateur derrière un CUI). Si vous avez plusieurs serveurs FreeRADIUS, utilisez la même clé sur tous. Passez ensuite 'cui_require_operator_name' à 'yes'.

Filtrage du CUI

Dans policy.d/filter, ajoutez une fonction de filtrage 'filter_cui'. Le motif entre '/' est une expression régulière comparée au CUI renvoyé dans la réponse : ancrez-le (^...$) pour ne bloquer que le CUI exact et non tout CUI qui le contient, et séparez plusieurs CUI par '|'. Par exemple :

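# Filter the Chargeable-User-Identity attribute.
#
# Runs in the outer post-auth section.  When the CUI about to be returned
# to the NAS matches the block list, the Access-Accept is turned into an
# Access-Reject (the Post-Auth-Type REJECT section then runs).
#
# The pattern is a regular expression.  It is anchored (^...$) so that only
# the listed CUI matches, not any CUI containing it as a substring; several
# CUIs can be listed with alternation: /^(cui1|cui2)$/.  Escape regex
# metacharacters in the values.  When no CUI is present the comparison is
# simply false and the reply is left untouched.
filter_cui {
	if (&reply:Chargeable-User-Identity =~ /^(REMPLACER-PAR-LE-CUI-A-FILTRER)$/) {
		update request {
			&Module-Failure-Message += "Rejected: CUI matching '%{reply:Chargeable-User-Identity}'"
		}
		reject
	}
}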

sites-available/eduroam

Ajoutez 'cui' dans les sections authorize, post-auth et pre-proxy, ainsi que 'eduroam_log' et 'filter_cui' dans la section post-auth, après 'cui' (c'est lui qui calcule le CUI journalisé) :

...

        authorize {
                filter_username
                # Normalise Calling-Station-Id so that MAC addresses have the
                # same syntax whatever the NAS sends.
                rewrite_calling_station_id
                # Stamp Operator-Name on every request that does not come from
                # the eduroam.fr proxies, i.e. on requests from local NAS.  ":="
                # overrides any value a local client might have sent.  The
                # leading "1" is the RFC 5580 REALM namespace identifier; the
                # rest is the institution's realm.
                # NOTE(review): the regex is unanchored and tested against the
                # client shortname, so the proxy entries in clients.conf must
                # have shortnames containing rad1.eduroam.fr / rad2.eduroam.fr.
                if ("%{client:shortname}" !~ /rad[1-2]\.eduroam\.fr/) {
                  update request {
                        Operator-Name := "1ETABLISSEMENT.TLD"
                  }
                }
                # CUI policy (policy.d/cui) — authorize part.
                cui
                auth_log
                # Split the realm out of User-Name.
                suffix
                # Reject authentications without a realm: Realm is "NULL" when
                # suffix found none, and such requests cannot be routed.
                if (Realm == "NULL") {
                        update request {
                                &Module-Failure-Message += 'Rejected: Realm is NULL'
                        }
                reject
                }
                eap
        }
...
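        post-auth {
                reply_log
                # CUI policy (policy.d/cui) — post-auth part: computes the CUI
                # returned in the reply, so it must precede the modules below.
                cui
                # Reject replies whose CUI is on the block list (policy.d/filter).
                # It runs BEFORE eduroam_log so that a filtered authentication is
                # logged once, as a FAIL line by the REJECT section below, rather
                # than as an OK line followed by a FAIL line.
                filter_cui
                eduroam_log
                Post-Auth-Type REJECT {
                        reply_log
                        eduroam_log
                }
        }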
...
        pre-proxy {
                pre_proxy_log
                # CUI policy (policy.d/cui) — pre-proxy part, for requests
                # proxied to the home institution.
                cui
                if("%{Packet-Type}" != "Accounting-Request") {
                        # NOTE(review): check that the attr_filter.pre-proxy list
                        # lets Operator-Name and Chargeable-User-Identity through,
                        # otherwise they are stripped before the request is proxied.
                        attr_filter.pre-proxy
                }
        }
...

sites-available/eduroam-inner-tunnel

Ajoutez 'cui-inner' puis 'eduroam_inner_log' dans la section post-auth (et 'eduroam_inner_log' dans le sous-bloc Post-Auth-Type REJECT pour tracer aussi les échecs) :

...
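post-auth {
        reply_log
        # cui-inner (policy.d/cui) presumably derives the CUI from the inner
        # identity and exposes it to the outer reply.  It must run BEFORE
        # eduroam_inner_log, which reads %{reply:CUI} / %{outer.reply:CUI}:
        # with the log first, the CUI field would only show the "Local User"
        # fallback.  Same order as cui / eduroam_log in the outer server.
        # NOTE(review): confirm against your policy.d/cui where cui-inner writes.
        cui-inner
        # Inner log line: contains the real (inner) User-Name next to the MAC
        # address and the CUI — restrict access to the log file.
        eduroam_inner_log
        Post-Auth-Type REJECT {
                reply_log
                eduroam_inner_log
                # Copy the inner failure reason to the outer request's
                # session-state so the outer reject handling can report it.
                update outer.session-state {
                        &Module-Failure-Message := &request:Module-Failure-Message
                }
        }
}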
...
