migrado de rlm_rest a rlm_sql_postgress y rlm_sql

2025-09-26 12:54:28 -06:00
parent 9f35550e58
commit 142b683357
9 changed files with 229 additions and 178 deletions
--- a/freeradius/Dockerfile
+++ b/freeradius/Dockerfile
@@ -0,0 +1,9 @@
+FROM freeradius/freeradius-server:3.2.2
+
+USER root
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends freeradius-postgresql \
+ && rm -rf /var/lib/apt/lists/*
+
+# Default command preserved by base image
+
--- a/freeradius/mods-available/sql
+++ b/freeradius/mods-available/sql
@@ -0,0 +1,28 @@
+sql {
+    driver = "rlm_sql_postgresql"
+    dialect = "postgresql"
+
+    server = "postgres"
+    port = 5432
+    login = "radius"
+    password = "radius"
+    radius_db = "radius"
+
+    pool {
+        start = 2
+        min = 1
+        max = 5
+        spare = 1
+        uses = 0
+        lifetime = 0
+        cleanup_interval = 30
+    }
+
+    # Leave default queries location
+    # queries = ${modconfdir}/sql/main/${dialect}/queries.conf
+
+    read_clients = no
+
+    # We only use per-user tables; disable group processing to avoid extra schema
+    read_groups = no
+}
--- a/freeradius/mods-config/files/authorize
+++ b/freeradius/mods-config/files/authorize
@@ -1,8 +1,8 @@
 # Managed by Node dashboard; do not edit manually
-user1 Cleartext-Password := "contra1"
-    Tunnel-Type = VLAN,
-    Tunnel-Medium-Type = IEEE-802,
-    Tunnel-Private-Group-Id = "2"
+# user1 Cleartext-Password := "contra1"
+#     Tunnel-Type = VLAN,
+#     Tunnel-Medium-Type = IEEE-802,
+#     Tunnel-Private-Group-Id = "2"

 user2 Cleartext-Password := "contra2"
    Tunnel-Type = VLAN,
@@ -14,10 +14,10 @@ prueba2 Cleartext-Password := "contra2"
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "2"

-dario Cleartext-Password := "contra1"
-    Tunnel-Type = VLAN,
-    Tunnel-Medium-Type = IEEE-802,
-    Tunnel-Private-Group-Id = "2"
+# dario Cleartext-Password := "contra1"
+#     Tunnel-Type = VLAN,
+#     Tunnel-Medium-Type = IEEE-802,
+#     Tunnel-Private-Group-Id = "2"

 margie Cleartext-Password := "bonita"
    Tunnel-Type = VLAN,
--- a/freeradius/sites-enabled/default
+++ b/freeradius/sites-enabled/default
@@ -17,8 +17,8 @@ server default {
            eap
            return
        }
-        # MAC-Auth / Portal: Llama a la API REST para decidir y añadir atributos
-        rest
+        # Cargar atributos desde SQL (VLAN/bw, etc.)
+        sql
        # Laboratorio: aceptar todo en flujos no EAP
        update control {
            Auth-Type := Accept
@@ -35,12 +35,14 @@ server default {
    }

    accounting {
+        # Enviar eventos de accounting al dashboard (solo logging)
        rest
        ok
    }

    post-auth {
-        # Obtener atributos de VLAN/otros desde el API
+        # Log de eventos post-auth al dashboard (no modifica la respuesta)
        rest.post-auth
+        # Para EAP, los atributos del túnel interno se copian (use_tunneled_reply = yes)
    }
 }
--- a/freeradius/sites-enabled/inner-tunnel
+++ b/freeradius/sites-enabled/inner-tunnel
@@ -6,9 +6,21 @@ server inner-tunnel {
    }

    authorize {
-        # Obtener credenciales del usuario desde el API (debe devolver Cleartext-Password)
-        rest_inner
-        # Fallback/local: también consultar backend 'files' (user1/user2)
+        # Cargar credenciales/atributos del usuario desde SQL
+        sql
+        # En caso de que el módulo SQL no haya poblado Cleartext-Password, obténlo vía xlat
+        update control {
+            Cleartext-Password := "%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Cleartext-Password' ORDER BY id DESC LIMIT 1}"
+        }
+        # Cargar atributos de respuesta desde SQL (VLAN y ancho de banda) para PEAP (se copian al outer)
+        update reply {
+            Tunnel-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Type' ORDER BY id DESC LIMIT 1}"
+            Tunnel-Medium-Type := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Medium-Type' ORDER BY id DESC LIMIT 1}"
+            Tunnel-Private-Group-Id := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='Tunnel-Private-Group-Id' ORDER BY id DESC LIMIT 1}"
+            WISPr-Bandwidth-Max-Down := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Down' ORDER BY id DESC LIMIT 1}"
+            WISPr-Bandwidth-Max-Up := "%{sql:SELECT value FROM radreply WHERE username='%{User-Name}' AND attribute='WISPr-Bandwidth-Max-Up' ORDER BY id DESC LIMIT 1}"
+        }
+        # Fallback/local: también consultar backend 'files'
        files
        # Procesar EAP (PEAP) y MS-CHAPv2
        eap
@@ -23,6 +35,6 @@ server inner-tunnel {
    }

    post-auth {
-        # Nada aquí; el outer post-auth añadirá VLAN
+        # Nada: los atributos se copian fuera si use_tunneled_reply = yes
    }
 }