freeradius: configure eap module + remove more modules

2022-08-31 03:40:26 +02:00 · 2022-08-31 03:40:26 +02:00 · 3d6e0f21b6
parent 953403d0b3
commit 3d6e0f21b6
4 changed files with 62 additions and 4 deletions
--- a/filter_plugins/enquote.py
+++ b/filter_plugins/enquote.py
@ -0,0 +1,10 @@
+class FilterModule:
+    def filters(self):
+        return {
+            "enquote": enquote,
+        }
+
+
+def enquote(text, quote='"'):
+    escaped = text.replace(quote, f"\\{quote}")
+    return f"{quote}{escaped}{quote}"
--- a/roles/freeradius/defaults/main.yml
+++ b/roles/freeradius/defaults/main.yml
@ -8,7 +8,6 @@ radiusd__enabled_modules_minimal:
  - cache_eap # TODO
  - detail # TODO
  - detail.log # TODO
-  - digest # TODO
  - dynamic_clients # TODO
  - eap # TODO
  - expiration # TODO
@ -17,12 +16,13 @@ radiusd__enabled_modules_minimal:
  - linelog # TODO
  - logintime # TODO
  - mschap # TODO
-  - passwd # TODO
  - preprocess # TODO
-  - radutmp # TODO
  - realm # TODO
-  - sradutmp # TODO
  - unpack # TODO
  - utf8
 radiusd__enabled_modules: []
+radiusd__tls_cipher_list: DEFAULT
+radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
 ...
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@ -67,6 +67,7 @@
    - dictionary
    - mods-available/utf8
    - mods-available/always
+    - mods-available/eap
  notify:
    - Restart freeradius

--- a/roles/freeradius/templates/mods-available/eap.j2
+++ b/roles/freeradius/templates/mods-available/eap.j2
@ -0,0 +1,47 @@
+{{ ansible_managed | comment }}
+
+eap {
+
+    default_eap_type = peap
+    timer_expire = 60
+    ignore_unknown_eap_types = no
+    cisco_accounting_username_bug = no
+    max_sessions = ${max_requests}
+
+    tls-config tls-common {
+        private_key_file = {{ radiusd__tls_private_key_file }}
+        certificate_file = {{ radiusd__tls_certificate_file }}
+        ca_file = {{ radiusd__tls_ca_file }}
+        dh_file = ${certdir}/dh
+        cipher_list = {{ radiusd__tls_cipher_list | enquote }}
+        cipher_server_preferences = yes
+        tls_min_version = "1.2"
+        tls_max_version = "1.2" # TODO: 1.3
+        # TODO
+        # cache {
+        #    enable = yes
+        #    lifetime = 24
+        #    name = "eap"
+        #    persistdir = "${logdir}/tlscache"
+        #    store {
+        #        Tunnel-Private-Group-Id
+        #    }
+        # }
+    }
+
+    peap {
+        tls = tls-common
+        default_eap_type = gtc
+        copy_request_to_tunnel = no
+        use_tunneled_reply = no
+        virtual_server = inner-tunnel
+    }
+
+    gtc {
+        auth_type = local
+    }
+
+    mschapv2 {
+    }
+
+}