openwisp · atb00ker · Nov 29, 2020 · Dec 23, 2020 · Dec 23, 2020 · Dec 23, 2020
diff --git a/tasks/freeradius.yml b/tasks/freeradius.yml
@@ -142,7 +142,6 @@
     state: absent
   with_items:
     - "{{ freeradius_sites_enabled_dir }}/default"
-    - "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
 
 - name: Site configuration
   template:
@@ -152,3 +151,12 @@
     owner: freerad
     group: freerad
   notify: restart freeradius
+
+- name: Inner tunnel
+  template:
+    src: freeradius/openwisp_site.j2
+    dest: "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
diff --git a/templates/freeradius/inner-tunnel.j2 b/templates/freeradius/inner-tunnel.j2
@@ -0,0 +1,81 @@
+server inner-tunnel {
+    listen {
+        ipaddr = 127.0.0.1
+        port = 18120
+        type = auth
+    }
+
+    authorize {
+        filter_username
+        rest
+
+        chap
+        mschap
+        suffix
+
+        update control {
+            &Proxy-To-Realm := LOCAL
+        }
+
+        eap {
+            ok = return
+        }
+
+        -ldap
+
+        pap
+
+        dailycounter
+        dailybandwidthcounter
+        noresetcounter
+        expiration
+        logintime
+    }
+
+    authenticate {
+        Auth-Type PAP {
+            pap
+        }
+
+        Auth-Type CHAP {
+            chap
+        }
+
+        Auth-Type MS-CHAP {
+            mschap
+        }
+        eap
+    }
+
+    session {}
+
+    post-auth {
+        if (0) {
+            update reply {
+                User-Name !* ANY
+                Message-Authenticator !* ANY
+                EAP-Message !* ANY
+                Proxy-State !* ANY
+                MS-MPPE-Encryption-Types !* ANY
+                MS-MPPE-Encryption-Policy !* ANY
+                MS-MPPE-Send-Key !* ANY
+                MS-MPPE-Recv-Key !* ANY
+            }
+            update {
+                &outer.session-state: += &reply:
+            }
+        }
+
+        Post-Auth-Type REJECT {
+            attr_filter.access_reject
+            update outer.session-state {
+                &Module-Failure-Message := &request:Module-Failure-Message
+            }
+        }
+    }
+
+    pre-proxy {}
+    post-proxy {
+        eap
+    }
+}