Added Aruba-MPSK-password attribute (#6957)

* Added Aruba-MPSK-password attribute * fix typo * Call SUPER::returnRadiusAccessAccept --------- Co-authored-by: Durand Fabrice <[email protected]>
inverse-inc · Nov 22, 2024 · 4e634bb · 4e634bb
1 parent 41ac29f
commit 4e634bb
Showing 1 changed file with 73 additions and 0 deletions.
diff --git a/lib/pf/Switch/Aruba.pm b/lib/pf/Switch/Aruba.pm
@@ -657,6 +657,79 @@ sub returnAuthorizeRead {
    return [$status, %$radius_reply_ref];
 }
 
+=item returnRadiusAccessAccept
+
+Prepares the RADIUS Access-Accept response for the network device.
+
+Default implementation.
+
+=cut
+
+sub returnRadiusAccessAccept {
+    my ($self, $args) = @_;
+    my $logger = $self->logger();
+
+    $args->{'unfiltered'} = $TRUE;
+    $self->compute_action(\$args);
+    my @super_reply = @{$self->SUPER::returnRadiusAccessAccept($args)};
+    my $status = shift @super_reply;
+    my %radius_reply = @super_reply;
+    my $radius_reply_ref = \%radius_reply;
+    return [$status, %$radius_reply_ref] if($status == $RADIUS::RLM_MODULE_USERLOCK);
+
+    # Inline Vs. VLAN enforcement
+    my $role = "";
+    if ( (!$args->{'wasInline'} || ($args->{'wasInline'} && $args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
+        if(defined($args->{'vlan'}) && $args->{'vlan'} ne "" && $args->{'vlan'} ne 0){
+            $logger->info("(".$self->{'_id'}.") Added VLAN $args->{'vlan'} to the returned RADIUS Access-Accept");
+            $radius_reply_ref = {
+                'Tunnel-Medium-Type' => $RADIUS::ETHERNET,
+                'Tunnel-Type' => $RADIUS::VLAN,
+                'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
+            };
+        }
+        else {
+            $logger->debug("(".$self->{'_id'}.") Received undefined VLAN. No VLAN added to RADIUS Access-Accept");
+        }
+    }
+
+    if ( isenabled($self->{_RoleMap}) && $self->supportsRoleBasedEnforcement()) {
+        $logger->debug("Network device (".$self->{'_id'}.") supports roles. Evaluating role to be returned");
+        if ( defined($args->{'user_role'}) && $args->{'user_role'} ne "" ) {
+            $role = $self->getRoleByName($args->{'user_role'});
+        }
+        if ( defined($role) && $role ne "" ) {
+            $radius_reply_ref = {
+                %$radius_reply_ref,
+                $self->returnRoleAttributes($role),
+            };
+            $logger->info(
+                "(".$self->{'_id'}.") Added role $role to the returned RADIUS Access-Accept"
+            );
+        }
+        else {
+            $logger->debug("(".$self->{'_id'}.") Received undefined role. No Role added to RADIUS Access-Accept");
+        }
+    }
+
+    if ($args->{profile}->dpskEnabled()) {
+        if (defined($args->{owner}->{psk})) {
+            $radius_reply_ref->{'Aruba-MPSK-Passphrase'} = $args->{owner}->{psk};
+        } else {
+            $radius_reply_ref->{'Aruba-MPSK-Passphrase'} = $args->{profile}->{_default_psk_key};
+        }
+    }
+
+    my $status = $RADIUS::RLM_MODULE_OK;
+    if (!isenabled($args->{'unfiltered'})) {
+        my $filter = pf::access_filter::radius->new;
+        my $rule = $filter->test('returnRadiusAccessAccept', $args);
+        ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
+    }
+
+    return [$status, %$radius_reply_ref];
+}
+
 =item
 
 =cut