rlm_dpsk: add generic reply attributes and optional VLAN replies #5830
Open
hshimomura wants to merge 1 commit into FreeRADIUS:v3.2.x from
Summary
This change improves `rlm_dpsk` so that local policy can build vendor-specific replies from standard reply attributes, while keeping the module itself vendor-neutral.

In particular, the module now exposes `Pairwise-Master-Key` in addition to the existing `PSK-Identity` and `Pre-Shared-Key`, so local policy has access to all three reply attributes when it needs to construct vendor-specific responses.

This change also adds an optional fourth CSV column for VLAN assignment, adds Meraki IPSK test attributes to `dictionary.meraki`, and updates the comments in `raddb/mods-available/dpsk` and `raddb/sites-available/default` accordingly.

Details
`rlm_dpsk` now accepts CSV entries in the following format:

```
identity,psk[,mac[,vlanid]]
```

This is backwards compatible with the existing file format:

```
identity,psk
identity,psk,mac
```

The VLAN field may also be used when the MAC field is empty, for example:

```
identity,psk,,2065
```

If `vlanid` is present, the module returns the standard tunnel reply attributes:

```
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "<vlanid>"
```

The VLAN metadata is cached together with the other DPSK data, so cache hits return the same reply behavior as file lookups.

The sample `filename` expansion in `raddb/mods-available/dpsk` is also updated from `${..:name}` to `${.:name}` intentionally, so the example references the current module instance directly.

The Meraki dictionary update provides the IPSK test attributes needed for Meraki request handling and validation in the test environment.
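As an added illustration, not code from this PR or from rlm_dpsk itself: a small C parser for the extended CSV format above (the `dpsk_row_t` type and the function names are hypothetical), which also applies the decoded-MAC length check described under "Fix included" below and accepts an empty MAC column when only a VLAN is given.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One parsed row of the rlm_dpsk CSV, identity,psk[,mac[,vlanid]]. Hypothetical type, not the module's own. */
typedef struct {
    char identity[64], psk[64];
    unsigned char mac[6];
    int has_mac, vlanid;  /* vlanid 0 = column absent or empty, so no tunnel reply attributes are sent */
} dpsk_row_t;
/* Decode 12 hex characters into 6 bytes; returns the decoded length (6) or -1 on bad input.
 * The bug fixed in this PR was a caller comparing that decoded length against 12 instead of 6. */
static int decode_mac(const char *hex, unsigned char out[6]) {
    if (strlen(hex) != 12) return -1;
    for (int i = 0; i < 6; i++) {
        char pair[3] = { hex[2 * i], hex[2 * i + 1], 0 };
        if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1])) return -1;
        out[i] = (unsigned char)strtoul(pair, NULL, 16);
    }
    return 6;
}
/* Parse one CSV line into *row. Returns 0 on success, -1 if the row is malformed. */
int dpsk_parse_row(const char *line, dpsk_row_t *row) {
    char buf[256], *field[4] = {0}, *p = buf, *end;
    int n = 0;
    if (snprintf(buf, sizeof(buf), "%s", line) >= (int)sizeof(buf)) return -1;
    buf[strcspn(buf, "\r\n")] = '\0';
    while (p && n < 4) {  /* split by hand: strtok() would swallow the empty MAC column in "id,psk,,2065" */
        field[n++] = p;
        if ((p = strchr(p, ','))) *p++ = '\0';
    }
    memset(row, 0, sizeof(*row));
    if (n < 2 || !*field[0] || !*field[1]) return -1;
    snprintf(row->identity, sizeof(row->identity), "%s", field[0]);
    snprintf(row->psk, sizeof(row->psk), "%s", field[1]);
    if (n >= 3 && *field[2]) {  /* optional MAC constraint; an empty column is allowed */
        if (decode_mac(field[2], row->mac) != 6) return -1;
        row->has_mac = 1;
    }
    if (n == 4 && *field[3]) {  /* optional VLAN id, later returned as Tunnel-Private-Group-Id */
        long v = strtol(field[3], &end, 10);
        if (*end || v < 1 || v > 4094) return -1;
        row->vlanid = (int)v;
    }
    return 0;
}
/* VLAN id of a row (0 = none), or -1 when the row is rejected; convenient for callers and tests. */
int dpsk_row_vlan(const char *line) { dpsk_row_t row; return dpsk_parse_row(line, &row) ? -1 : row.vlanid; }
```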
Fix included
While validating MAC-constrained CSV entries, I found that the MAC parsing path compared the decoded output length against `12` instead of `6`. This caused valid 12-hex-character MAC entries to be rejected. This patch corrects that check so MAC-constrained CSV rows work as intended.

Documentation
The patch updates:

- `raddb/mods-available/dpsk`
- `raddb/sites-available/default`

The documentation now describes:

- `filename` expansion
- `Auth-Type dpsk` stanza showing the usual pattern for handling the module returning `updated`

Validation
Tested against upstream v3.2.

Verified:

- `identity,psk,,2065` returns standard VLAN tunnel reply attributes
- `identity,psk,mac` entries now parse and match correctly
- `Tunnel-Password` reply
- `dictionary.meraki`
- `freeradius -XC` passes with the updated module and configuration