diff --git a/feeds/wlan-ap/opensync/files/bin/dynamic_lookup.sh b/feeds/wlan-ap/opensync/files/bin/dynamic_lookup.sh
new file mode 100755
index 000000000..00f3a8b98
--- /dev/null
+++ b/feeds/wlan-ap/opensync/files/bin/dynamic_lookup.sh
@@ -0,0 +1,55 @@
+#! /bin/sh
+
+usage() {
+ echo "Usage: ${0} "
+ exit 1
+}
+
+test -n "${1}" || usage
+
+REALM="${1}"
+DIGCMD=$(command -v dig)
+PRINTCMD=$(command -v printf)
+
+validate_host() {
+ echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$'
+}
+
+validate_port() {
+ echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$'
+}
+
+srv_lookup() {
+ ${DIGCMD} +short srv $SRV_HOST | sort -n -k1 |
+ while read line ; do
+ set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4)
+ if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
+ $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
+ fi
+ done
+}
+
+naptr_lookup() {
+ ${DIGCMD} +short naptr ${REALM} | grep aaa+auth:radius.tls.tcp | sort -n -k1 |
+ while read line; do
+ set $line ; TYPE=$3 ; HOST=$6
+ if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
+ SRV_HOST=${HOST%.}
+ srv_lookup
+ fi
+ done
+}
+
+if test -x "${DIGCMD}" ; then
+ SERVERS=$(naptr_lookup)
+else
+ echo "${0} requires \"dig\" command."
+ exit 1
+fi
+
+if test -n "${SERVERS}" ; then
+ $PRINTCMD "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}\n"
+ exit 0
+fi
+
+exit 10 # No server found.
diff --git a/feeds/wlan-ap/opensync/patches/34-radsec-schema-consts.patch b/feeds/wlan-ap/opensync/patches/34-radsec-schema-consts.patch
index 94fed49a4..e17294de2 100644
--- a/feeds/wlan-ap/opensync/patches/34-radsec-schema-consts.patch
+++ b/feeds/wlan-ap/opensync/patches/34-radsec-schema-consts.patch
@@ -1,6 +1,6 @@
 --- a/interfaces/opensync.ovsschema
 +++ b/interfaces/opensync.ovsschema
-@@ -9492,6 +9492,137 @@
+@@ -9493,6 +9493,146 @@
 },
 "isRoot": true,
 "maxRows": 1
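Review bot: In naptr_lookup the replacement field read from the NAPTR answer (`HOST=$6`) is handed to the SRV query without passing through validate_host, whereas srv_lookup filters both the target and the port it reads; the value comes straight from a DNS response, so it should be checked the same way, e.g. `SRV_HOST=$(validate_host ${HOST%.})` followed by `[ -n "${SRV_HOST}" ] && srv_lookup`. The service match `grep aaa+auth:radius.tls.tcp` is an unanchored regex in which `.` matches any character; comparing the quoted service field (`$4`) for exact equality, or at least using `grep -F`, would be stricter. validate_port accepts any digit string, so a range check (1 to 65535) before the value is written into the generated server block would avoid emitting an unusable port. Since dig is invoked here without any DNSSEC validation, the trustworthiness of the emitted `host` lines appears to rest entirely on the TLS peer verification configured for the server block; a one-line comment at the top of the script stating that assumption would help the next maintainer.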
@@ -25,6 +25,15 @@
 + "max": 1
 + }
 + },
++ "auto_discover": {
++ "type": {
++ "key": {
++ "type": "boolean"
++ },
++ "min": 1,
++ "max": 1
++ }
++ },
 + "server": {
 + "type": {
 + "key": {
diff --git a/feeds/wlan-ap/opensync/src/platform/openwrt/src/lib/target/src/radius_proxy.c b/feeds/wlan-ap/opensync/src/platform/openwrt/src/lib/target/src/radius_proxy.c
index ac764dafb..12bb42c11 100644
--- a/feeds/wlan-ap/opensync/src/platform/openwrt/src/lib/target/src/radius_proxy.c
+++ b/feeds/wlan-ap/opensync/src/platform/openwrt/src/lib/target/src/radius_proxy.c
@@ -55,6 +55,7 @@ enum {
 RADIUS_PROXY_SERVER_STATUS,
 RADIUS_PROXY_SERVER_TLS,
 RADIUS_PROXY_SERVER_CERT_NAME_CHECK,
+ RADIUS_PROXY_SERVER_DYNAMIC_LOOKUP,
 __RADIUS_PROXY_SERVER_MAX
 };
 
@@ -104,6 +105,7 @@ static const struct blobmsg_policy radius_proxy_server_policy[__RADIUS_PROXY_SER
 [RADIUS_PROXY_SERVER_STATUS] = { .name = "statusServer", BLOBMSG_TYPE_BOOL },
 [RADIUS_PROXY_SERVER_TLS] = { .name = "tls", BLOBMSG_TYPE_STRING },
 [RADIUS_PROXY_SERVER_CERT_NAME_CHECK] = { .name = "certificateNameCheck", BLOBMSG_TYPE_BOOL },
+ [RADIUS_PROXY_SERVER_DYNAMIC_LOOKUP] = { .name = "dynamicLookupCommand", BLOBMSG_TYPE_STRING },
 };
 
 static const struct blobmsg_policy radius_proxy_realm_policy[__RADIUS_PROXY_REALM_MAX] = {
@@ -290,12 +292,19 @@ static bool radius_proxy_config_set(struct schema_Radius_Proxy_Config *conf)
 "tls", uci_buf.head, &radius_proxy_tls_param, NULL);
 
 blob_buf_init(&uci_buf, 0);
+ if (conf->auto_discover)
+ { /* auto discover radsec server address via realm DNS NAPTR record */
+ blobmsg_add_string(&uci_buf, "dynamicLookupCommand", "/bin/dynamic_lookup.sh");
+ }
+ else
+ {
+ blobmsg_add_string(&uci_buf, "host", conf->server);
+ blobmsg_add_u32(&uci_buf, "port", conf->port);
+ blobmsg_add_string(&uci_buf, "secret", "radsec");
+ }
 blobmsg_add_string(&uci_buf, "name", server_name);
- blobmsg_add_string(&uci_buf, "host", conf->server);
 blobmsg_add_string(&uci_buf, "type", "tls");
 blobmsg_add_string(&uci_buf, "tls", tls_name);
- blobmsg_add_u32(&uci_buf, "port", conf->port);
- blobmsg_add_string(&uci_buf, "secret", "radsec");
 blobmsg_add_bool(&uci_buf, "statusServer", 0);
 blobmsg_add_bool(&uci_buf, "certificateNameCheck", 0);
 blob_to_uci_section(uci, "radsecproxy", server_name, "server",
diff --git a/profiles/wlan-ap.yml b/profiles/wlan-ap.yml
index d8b914a7a..76d067ff6 100644
--- a/profiles/wlan-ap.yml
+++ b/profiles/wlan-ap.yml
@@ -82,6 +82,7 @@ packages:
 - radsecproxy
 - logrotate
 - kmod-ledtrig-heartbeat
+ - bind-dig
 
 diffconfig: |
 CONFIG_OPENSSL_ENGINE=y
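Review bot: The auto_discover branch replaces the operator-pinned `host` with a DNS-driven lookup, yet the section still emits `certificateNameCheck` 0 two lines above blob_to_uci_section, so for a discovered target the peer is validated only against the CA bundle and never against the name the lookup returned; if that is deliberate it needs a comment on the `blobmsg_add_bool(&uci_buf, "certificateNameCheck", 0);` line, otherwise enabling the name check in the auto_discover case is the obvious hardening. The else branch keeps `secret radsec` while the auto_discover branch sets no secret at all; if radsecproxy does not default the secret for TLS servers, the `blobmsg_add_string(&uci_buf, "secret", "radsec");` line should move out of the else branch so both paths produce a complete server section — worth confirming against the radsecproxy configuration reference. The brace line `{ /* auto discover radsec server address via realm DNS NAPTR record */` hides the explanation behind the opening brace; putting the comment on its own line above the `if` reads better. radius_proxy_config_set starts before the hunk and continues after it.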