path: root/roles/freeradius/templates/etc/raddb/sites-available/inner-tunnel.j2
blob: 043349a967b50c10d92d7cc7dd27fafc929c114c (plain)
# Virtual server for the request carried inside an EAP tunnel (the inner
# method of a tunnelled EAP type). Attributes produced here are handed back
# to the outer request through the outer.session-state list in post-auth.
server inner-tunnel {
  # Loopback-only authentication listener: reachable from the local host
  # only, never from NAS devices. Presumably kept for testing the inner
  # methods directly -- TODO confirm it is still needed in production.
  listen {
    ipaddr = 127.0.0.1
    port = 18120
    type = auth
  }

  # Decide how the inner request will be authenticated. Statement order
  # matters: each module sees the control list as left by the previous one.
  authorize {
    # filter_username is a policy defined outside this file; presumably it
    # rejects malformed User-Name values before any lookup is made.
    filter_username
    chap
    suffix

    # Force local handling so that a realm matched by "suffix" cannot cause
    # the already-unwrapped inner identity to be proxied elsewhere.
    update control {
      &Proxy-To-Realm := LOCAL
    }

    # When eap returns ok, stop processing this section immediately; the
    # LDAP lookup and the checks below are not run for that packet.
    eap {
      ok = return
    }

    # If the ldap module returned ok or updated, authentication is forced to
    # the LDAP method. ":=" overwrites any Auth-Type chosen earlier (e.g. by
    # chap), so every such user is verified against the directory.
    # NOTE(review): Auth-Type LDAP normally needs a clear-text User-Password
    # in the inner request; no mschap module is listed in this server, so
    # MSCHAPv2-based inner methods are presumably not expected -- confirm.
    ldap
    if (ok || updated) {
      update {
        control:Auth-Type := ldap
      }
    }

    expiration
    logintime
    pap
  }

  # One handler per Auth-Type selected in authorize; the bare "eap" entry
  # handles requests whose Auth-Type was set by the eap module.
  authenticate {
    Auth-Type PAP {
      pap
    }

    Auth-Type CHAP {
      chap
    }

    Auth-Type LDAP {
      ldap
    }

    eap
  }

  session {
    radutmp
  }


  post-auth {
    # The leading "-" makes the module reference optional: the line is
    # ignored if no sql module is configured.
    -sql
    # Strip attributes from the inner reply ("!* ANY" deletes every
    # instance) before it is copied to the outer session. This keeps the
    # inner identity, EAP framing, proxy state and MS-MPPE key material of
    # the inner exchange out of what the outer server may later send.
    update reply {
      User-Name !* ANY
      Message-Authenticator !* ANY
      EAP-Message !* ANY
      Proxy-State !* ANY
      MS-MPPE-Encryption-Types !* ANY
      MS-MPPE-Encryption-Policy !* ANY
      MS-MPPE-Send-Key !* ANY
      MS-MPPE-Recv-Key !* ANY
    }

    # Append whatever is left in the inner reply to the outer request's
    # session-state list.
    update {
      &outer.session-state: += &reply:
    }

    # Runs when the request is rejected: optional sql logging, filtering of
    # the reject reply, and copying the failure reason to the outer session
    # so the outer server can see why the inner method failed.
    Post-Auth-Type REJECT {
      -sql
      attr_filter.access_reject

      update outer.session-state {
        &Module-Failure-Message := &request:Module-Failure-Message
      }
    }

    # Authorization gate: reject users that are not members of the access
    # group supplied by the freeradius_access_group template variable.
    # NOTE(review): LDAP-Group is a virtual comparison attribute; confirm
    # that "!=" is evaluated as a negated membership test on the deployed
    # FreeRADIUS version. Wrapping an "==" comparison in "!( ... )" is the
    # unambiguous way to express "not a member".
    # NOTE(review): this check is the last statement of post-auth, so -sql
    # and the copy into outer.session-state above have already run for a
    # user who is then rejected here. Consider whether it should run first.
    # NOTE(review): the group name is rendered into a double-quoted string,
    # which is subject to string expansion; the variable should not contain
    # double quotes or percent signs.
    if (LDAP-Group != "{{ freeradius_access_group }}") {
      reject
    }
  }

  # Intentionally empty: Proxy-To-Realm is pinned to LOCAL in authorize.
  pre-proxy { }

  post-proxy {
    eap
  }
}