freeradius: configure eap module + remove more modules

This commit is contained in:
jeltz 2022-08-31 03:40:26 +02:00
parent 953403d0b3
commit 3d6e0f21b6
Signed by: jeltz
GPG key ID: 800882B66C0C3326
4 changed files with 62 additions and 4 deletions

filter_plugins/enquote.py Normal file

@ -0,0 +1,10 @@
class FilterModule:
def filters(self):
return {
"enquote": enquote,
}
def enquote(text, quote='"'):
escaped = text.replace(quote, f"\\{quote}")
return f"{quote}{escaped}{quote}"
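Review bot: `enquote` on the last two lines escapes the quote character but not the backslash, so a value that already contains one — e.g. a value ending in `\` — yields `"...\"`, where a backslash-escaping parser such as FreeRADIUS's reads the closing quote as escaped and the string literal does not terminate where intended (and an input containing `\"` terminates it early). Escaping the backslash first keeps the output a well-formed quoted string: `escaped = text.replace("\\", "\\\\").replace(quote, f"\\{quote}")`. This matters because the filter is applied to `radiusd__tls_cipher_list` in the eap template, a value operators set from inventory. A one-line docstring stating that `enquote` returns a double-quoted FreeRADIUS string literal, and that `text` is expected to be a `str`, would also help.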


@ -8,7 +8,6 @@ radiusd__enabled_modules_minimal:
- cache_eap # TODO
- detail # TODO
- detail.log # TODO
- digest # TODO
- dynamic_clients # TODO
- eap # TODO
- expiration # TODO
@ -17,12 +16,13 @@ radiusd__enabled_modules_minimal:
- linelog # TODO
- logintime # TODO
- mschap # TODO
- passwd # TODO
- preprocess # TODO
- radutmp # TODO
- realm # TODO
- sradutmp # TODO
- unpack # TODO
- utf8
radiusd__enabled_modules: []
radiusd__tls_cipher_list: DEFAULT
radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
...
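Review bot: The new `radiusd__tls_certificate_file` and `radiusd__tls_private_key_file` defaults point at the Debian snakeoil self-signed pair, which lets the role converge out of the box but gives supplicants nothing they can validate, so a PEAP deployment left on these defaults conditions clients to accept an unverifiable server. A comment next to them should make the expectation explicit, e.g. `# Placeholder self-signed pair for testing only; override with a real server certificate before exposing EAP.` `radiusd__tls_ca_file` defaulting to the whole system CA bundle deserves a similar note saying whether it is meant to verify client certificates, since if it is, any certificate chained to a public CA would be accepted. The rendering does not show which line of the first hunk was removed; I assume it is `eap # TODO` now that the module is templated, and the commit message could say so.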


@ -67,6 +67,7 @@
- dictionary
- mods-available/utf8
- mods-available/always
- mods-available/eap
notify:
- Restart freeradius


@ -0,0 +1,47 @@
{{ ansible_managed | comment }}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = {{ radiusd__tls_private_key_file }}
certificate_file = {{ radiusd__tls_certificate_file }}
ca_file = {{ radiusd__tls_ca_file }}
dh_file = ${certdir}/dh
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
cipher_server_preferences = yes
tls_min_version = "1.2"
tls_max_version = "1.2" # TODO: 1.3
# TODO
# cache {
# enable = yes
# lifetime = 24
# name = "eap"
# persistdir = "${logdir}/tlscache"
# store {
# Tunnel-Private-Group-Id
# }
# }
}
peap {
tls = tls-common
default_eap_type = gtc
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
gtc {
auth_type = local
}
mschapv2 {
}
}
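Review bot: Only `cipher_list` is passed through `enquote` while `private_key_file`, `certificate_file` and `ca_file` in `tls-common` are interpolated bare, so a path containing a space or a `#` would likely be misparsed; quoting them the same way keeps the template consistent: `private_key_file = {{ radiusd__tls_private_key_file | enquote }}`, `certificate_file = {{ radiusd__tls_certificate_file | enquote }}`, `ca_file = {{ radiusd__tls_ca_file | enquote }}`. `dh_file = ${certdir}/dh` references a file that nothing in this commit appears to create, so either a task that generates it or a comment stating it is expected to pre-exist would avoid a silent dependency on the host. With `tls_min_version` and `tls_max_version` both pinned to `"1.2"`, the `# TODO: 1.3` comment should say whether the cap is a deliberate interoperability choice or only pending work, so the next reader knows whether lifting it is safe.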