scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-30 01:52:51 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

WIFI-838: Dynamic discovery of HSPs/IDPs

Browse Source 
Dynamically discover RADSEC endpoint based on NAPTR DNS records.

Signed-off-by: Arif Alam <arif.alam@netexperience.com>
This commit is contained in:
Arif Alam
2021-05-20 14:04:11 -04:00
committed by Rick Sommerville
parent 490adac587
commit b9e54ac20e
4 changed files with 78 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
feeds/wlan-ap/opensync/files/bin/dynamic_lookup.sh Executable file
View File

@@ -0,0 +1,55 @@
#! /bin/sh
usage() {
echo "Usage: ${0} <realm>"
exit 1
}
test -n "${1}" || usage
REALM="${1}"
DIGCMD=$(command -v dig)
PRINTCMD=$(command -v printf)
validate_host() {
echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$'
}
validate_port() {
echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$'
}
srv_lookup() {
${DIGCMD} +short srv $SRV_HOST | sort -n -k1 |
while read line ; do
set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4)
if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
$PRINTCMD "\thost ${HOST%.}:${PORT}\n"
fi
done
}
naptr_lookup() {
${DIGCMD} +short naptr ${REALM} | grep aaa+auth:radius.tls.tcp | sort -n -k1 |
while read line; do
set $line ; TYPE=$3 ; HOST=$6
if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
SRV_HOST=${HOST%.}
srv_lookup
fi
done
}
if test -x "${DIGCMD}" ; then
SERVERS=$(naptr_lookup)
else
echo "${0} requires \"dig\" command."
exit 1
fi
if test -n "${SERVERS}" ; then
$PRINTCMD "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}\n"
exit 0
fi
exit 10 # No server found.

11
feeds/wlan-ap/opensync/patches/34-radsec-schema-consts.patch
View File

@@ -1,6 +1,6 @@
--- a/interfaces/opensync.ovsschema
+++ b/interfaces/opensync.ovsschema
@@ -9492,6 +9492,137 @@
@@ -9493,6 +9493,146 @@
},
"isRoot": true,
"maxRows": 1
@@ -25,6 +25,15 @@
+ "max": 1
+ }
+ },
+ "auto_discover": {
+ "type": {
+ "key": {
+ "type": "boolean"
+ },
+ "min": 1,
+ "max": 1
+ }
+ },
+ "server": {
+ "type": {
+ "key": {

15
feeds/wlan-ap/opensync/src/platform/openwrt/src/lib/target/src/radius_proxy.c
View File

@@ -55,6 +55,7 @@ enum {
RADIUS_PROXY_SERVER_STATUS,
RADIUS_PROXY_SERVER_TLS,
RADIUS_PROXY_SERVER_CERT_NAME_CHECK,
RADIUS_PROXY_SERVER_DYNAMIC_LOOKUP,
__RADIUS_PROXY_SERVER_MAX
};
@@ -104,6 +105,7 @@ static const struct blobmsg_policy radius_proxy_server_policy[__RADIUS_PROXY_SER
[RADIUS_PROXY_SERVER_STATUS] = { .name = "statusServer", BLOBMSG_TYPE_BOOL },
[RADIUS_PROXY_SERVER_TLS] = { .name = "tls", BLOBMSG_TYPE_STRING },
[RADIUS_PROXY_SERVER_CERT_NAME_CHECK] = { .name = "certificateNameCheck", BLOBMSG_TYPE_BOOL },
[RADIUS_PROXY_SERVER_DYNAMIC_LOOKUP] = { .name = "dynamicLookupCommand", BLOBMSG_TYPE_STRING },
};
static const struct blobmsg_policy radius_proxy_realm_policy[__RADIUS_PROXY_REALM_MAX] = {
@@ -290,12 +292,19 @@ static bool radius_proxy_config_set(struct schema_Radius_Proxy_Config *conf)
"tls", uci_buf.head, &radius_proxy_tls_param, NULL);
blob_buf_init(&uci_buf, 0);
if (conf->auto_discover)
{ /* auto discover radsec server address via realm DNS NAPTR record */
blobmsg_add_string(&uci_buf, "dynamicLookupCommand", "/bin/dynamic_lookup.sh");
}
else
{
blobmsg_add_string(&uci_buf, "host", conf->server);
blobmsg_add_u32(&uci_buf, "port", conf->port);
blobmsg_add_string(&uci_buf, "secret", "radsec");
}
blobmsg_add_string(&uci_buf, "name", server_name);
blobmsg_add_string(&uci_buf, "host", conf->server);
blobmsg_add_string(&uci_buf, "type", "tls");
blobmsg_add_string(&uci_buf, "tls", tls_name);
blobmsg_add_u32(&uci_buf, "port", conf->port);
blobmsg_add_string(&uci_buf, "secret", "radsec");
blobmsg_add_bool(&uci_buf, "statusServer", 0);
blobmsg_add_bool(&uci_buf, "certificateNameCheck", 0);
blob_to_uci_section(uci, "radsecproxy", server_name, "server",

1
profiles/wlan-ap.yml
View File

@@ -82,6 +82,7 @@ packages:
- radsecproxy
- logrotate
- kmod-ledtrig-heartbeat
- bind-dig
diffconfig: |
CONFIG_OPENSSL_ENGINE=y