39 changes: 27 additions & 12 deletions raddb/mods-available/dpsk
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@
# if (updated) {
# ... cache &reply:Pre-Shared-Key
# ... cache &reply:PSK-Identity
#
# ok
# }
# }
#
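Review bot: The `ok` added inside `if (updated)` in this example carries no explanation of why it is needed. A short comment on that line saying that `ok` replaces the `updated` return code so that processing continues (which is what the later text in this file says) would stop readers from dropping it when they adapt the example.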
Expand All @@ -75,13 +75,20 @@
# * updated if there are DPSK attributes which match a PSK, and the
# PSK was read from 'filename'.
#
# It also updates the attributes &reply:Pre-Shared-Key
# with the found PSK, along with &reply:PSK-Identity
# with the found identity.
# It also creates &reply:Pairwise-Master-Key. When the
# matching PSK is known, it also creates the attributes
# &reply:Pre-Shared-Key with the found PSK, along with
# &reply:PSK-Identity with the found identity.
#
# When the PSK is read from 'filename', an optional VLAN ID
# can also be returned via the standard reply attributes
# Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, and
# Tunnel-Private-Group-Id.
#
# You can then check the return code for "updated", and
# write those attributes into a database. This step
# ensures that 'filename' is read only as a last resort.
# You can then check the return code for "updated",
# write those attributes into a database, and return
# ok to continue processing. This step ensures that
# 'filename' is read only as a last resort.
# Since the file is read from top to bottom for every
# packet, this process is much slower than using a
# database which is keyed to the PSK Identity.
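Review bot: The phrase "When the matching PSK is known" in the new `&reply:Pairwise-Master-Key` sentence leaves the opposite case undefined. The text should say when the module produces a PMK without knowing the PSK (the cache description further down mentions entries holding "and/or the PMK"), and which of `&reply:Pre-Shared-Key` and `&reply:PSK-Identity` a policy can rely on in that case. Since these are created in the reply list, it is also worth stating whether they are internal-only or must be removed before the reply is sent.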
Expand Down Expand Up @@ -111,7 +118,8 @@ dpsk {
#
# The cache entry is the PSK-Identity and Pre-Shared-Key,
# and/or the PMK which are used to verify the information in
# the Access-Request.
# the Access-Request. When VLAN information is read from the
# file, it is also cached with the entry.
#
# Caching entries can help, even when using a database. It
# is very slow to calculate the PMK from the PSK.
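Review bot: The added sentence says VLAN information is cached with the entry, but the earlier text only promises the Tunnel-* reply attributes "When the PSK is read from 'filename'". Please state explicitly whether a cache hit also returns `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-Id`, and which return code the module gives then, because the documented policy keys off `updated`.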
Expand All @@ -126,13 +134,19 @@ dpsk {
#
# PSKs can also be stored in a CSV file. The format of the file is:
#
# identity,psk,mac
# identity,psk[,mac[,vlanid]]
#
# If there are commas in a field, then the field can be
# double quoted: "psk".
#
# The mac field is optional. If it exists, then that PSK
# will be used. It is highly recommended that the MAC *not* be placed
# will be used. The vlanid field is also optional, and if it
# exists then the module will return the standard reply
# attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
# and Tunnel-Private-Group-Id. The VLAN field may be present
# even when the MAC field is empty, e.g. 'identity,psk,,2065'.
#
# It is highly recommended that the MAC *not* be placed
# into the CSV file. Instead, the MAC and PSK should be placed into a
# database. The server can then be configured to look up the MAC in the
# database, which returns the PSK. That way this module will only ever
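Review bot: The new `vlanid` field in `identity,psk[,mac[,vlanid]]` is documented without an accepted range or error behaviour. Because this value decides which network segment a client is placed in, the comment should say what the module does with a non-numeric or out-of-range value (skip the line, ignore the field, or fail), and whether an empty trailing field such as `identity,psk,,` is accepted. The pre-existing sentence "If it exists, then that PSK will be used" now sits directly before the VLAN text and would read better as an explicit statement about the MAC field.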
Expand Down Expand Up @@ -160,7 +174,8 @@ dpsk {
#
# Both "cache_size" and "filename" can be configured at the
# same time, which is recommended. When an entry in the file
# is found, the identity, PSK, and MAC are saved in the cache.
# is found, the identity, PSK, optional MAC, and optional VLAN
# are saved in the cache.
#
# If a cache entry is found, then the filename is NOT read.
#
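Review bot: With the VLAN now saved in the cache and the statement "If a cache entry is found, then the filename is NOT read", a changed or removed `vlanid` in the CSV file will not take effect while the old entry is cached. The comment should say how long a stale VLAN assignment can persist and how an administrator forces a refresh after editing the file.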
Expand Down Expand Up @@ -190,5 +205,5 @@ dpsk {
# files by location, which can drastically reduce the overall
# search space, and thus the CPU requirements.
#
# filename = "${modconfdir}/${..:name}/psk.csv"
# filename = "${modconfdir}/${.:name}/psk.csv"
}
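Review bot: The `filename` example changes `${..:name}` to `${.:name}` with no mention in the surrounding comments, and the change is unrelated to the VLAN documentation in the rest of this file. Please confirm that `${.:name}` expands to the intended directory name for a `filename` placed directly inside `dpsk { ... }`, and call the fix out in the commit message (or split it into its own commit) so it is not lost among the documentation edits.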
14 changes: 14 additions & 0 deletions raddb/sites-available/default
Original file line number Diff line number Diff line change
Expand Up @@ -591,6 +591,20 @@ authenticate {
}

# dpsk
#
# The dpsk module can also return standard VLAN tunnel reply
# attributes when a VLAN ID is supplied by the data source.
# Vendor-specific reply attributes should be added in local
# policy using those standard reply attributes.
# Example:
#
# Auth-Type dpsk {
# dpsk
# if (updated) {
# ok
# }
# }
#

#
# Most people want CHAP authentication
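Review bot: The comment says the VLAN ID is "supplied by the data source", while `mods-available/dpsk` in this same patch only describes the VLAN coming from `filename`; the wording should match. The `Auth-Type dpsk` example also stops at `ok` and shows nothing of the "local policy" for vendor-specific attributes that the comment tells the reader to add, so either show where that policy goes or point to the fuller example in `mods-available/dpsk`.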
6 changes: 6 additions & 0 deletions share/dictionary.meraki
Original file line number Diff line number Diff line change
Expand Up @@ -11,5 +11,11 @@ ATTRIBUTE Meraki-Device-Name 1 string
ATTRIBUTE Meraki-Network-Name 2 string
ATTRIBUTE Meraki-Ap-Name 3 string
ATTRIBUTE Meraki-Ap-Tags 4 string
ATTRIBUTE Meraki-IPSK 5 tlv
ATTRIBUTE Meraki-IPSK-Anonce 5.1 octets
ATTRIBUTE Meraki-IPSK-EAPOL 5.2 octets
ATTRIBUTE Meraki-IPSK-BSSID 5.3 octets
ATTRIBUTE Meraki-IPSK-AP-MAC 5.4 octets
ATTRIBUTE Meraki-IPSK-SSID 5.5 string

END-VENDOR Meraki
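Review bot: The `octets` sub-attributes under `Meraki-IPSK` (5.1 to 5.4) are declared with no expected length or format, and nothing visible in this patch documents how they are used. A comment above the `tlv` describing each field would help, including the size a receiver should expect (for example a 6-byte MAC for `Meraki-IPSK-BSSID` and `Meraki-IPSK-AP-MAC`), so that consumers know to reject malformed values. The casing of `Meraki-IPSK-Anonce` is also inconsistent with the upper-case `EAPOL`, `BSSID` and `SSID` names beside it.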