From 505f69ee1540581eef2465dc420525213d278473 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Sat, 18 Nov 2017 19:34:34 +0100
Subject: space_server: radius: clean up configuration

Disable all the unused auth methods
---
 .../files/radius/sites-available/labitat | 17 +-------
 .../files/radius/sites-available/labitat-inner | 46 ++++++++++++++++++++++
 2 files changed, 48 insertions(+), 15 deletions(-)
 create mode 100644 roles/space_server/files/radius/sites-available/labitat-inner
(limited to 'roles/space_server/files/radius/sites-available')
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index cb1bb45..fcdbda7 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -7,8 +7,8 @@ server labitat {
 limit {
 max_connections = 16
- lifetime = 0
- idle_timeout = 30
+ lifetime = 0
+ idle_timeout = 30
 }
 }
@@ -33,15 +33,6 @@ server labitat {
 pap
 }
- Auth-Type CHAP {
- chap
- }
-
- Auth-Type MS-CHAP {
- mschap
- }
-
- digest
 eap
 }
@@ -53,8 +44,6 @@ server labitat {
 }
 accounting {
- unix
- -sql
 exec
 attr_filter.accounting_response
 }
@@ -63,12 +52,10 @@ server labitat {
 }
 post-auth {
- -sql
 exec
 remove_reply_message_if_eap
 Post-Auth-Type REJECT {
- -sql
 attr_filter.access_reject
 eap
 remove_reply_message_if_eap
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
new file mode 100644
index 0000000..94d5643
--- /dev/null
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -0,0 +1,46 @@
+server labitat-inner {
+
+ authorize {
+ filter_username
+ filter_inner_identity
+ suffix
+
+ update control {
+ &Proxy-To-Realm := LOCAL
+ }
+
+ eap {
+ ok = return
+ }
+
+ files
+ expiration
+ logintime
+ pap
+ }
+
+ authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ eap
+ }
+
+ post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+ }
+
+ pre-proxy {
+ }
+
+ post-proxy {
+ eap
+ }
+}
-- cgit v1.2.1
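Review bot: The inner `authenticate` section handles only `Auth-Type PAP` and `eap`, so an inner EAP-MSCHAPv2 exchange would presumably find no `Auth-Type MS-CHAP` handler in this virtual server and be rejected. If that is intended, record it in a comment at the top of the file, for example `# inner tunnel: PAP only; MS-CHAP is intentionally not configured`. With PAP as the remaining inner method, this server receives the user's password in clear inside the TLS tunnel, so the setup relies on supplicants validating the server certificate; that is configured outside this file and is worth stating in the same comment. The inner `post-auth` calls a module only under `Post-Auth-Type REJECT`, so confirm that accepted inner identities are logged somewhere else, since nothing here records them.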