Merge branch 'radius' into new-infra
4a5b3bbfde
31 changed files with 610 additions and 1249 deletions
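--- /dev/null
+++ b/playbooks/freeradius.yml
@@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+- radius-1.isp.infra.auro.re
+vars:
+radiusd__clients:
+localhost:
+addr: 127.0.0.1
+secret: abcdef
+wifi-ap-v4:
+addr: 10.102.0.0/16
+secret: abcdef
+wifi-ap-v6:
+addr: 2a09:6840:102::/56
+secret: abcdef
+roles:
+- freeradius
+...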
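Review bot: `secret: abcdef` on all three `radiusd__clients` entries is a single, committed RADIUS shared secret covering the whole 10.102.0.0/16 and 2a09:6840:102::/56 access-point ranges; the shared secret is what authenticates a NAS to the server and keys the User-Password hiding, so it should be a per-client value taken from an Ansible Vault variable rather than a literal in the playbook, e.g. `secret: "{{ vault_radiusd_wifi_ap_secret }}"`. If `abcdef` is only a lab placeholder, a comment saying so would keep it from being promoted to production unchanged. The localhost client can likewise get its own distinct secret instead of sharing the AP one.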
|
@ -58,6 +58,14 @@
|
|||
addresses:
|
||||
- 2a09:6840:129::10:102/56
|
||||
- 10.129.10.102/16
|
||||
radius-1.isp.infra.auro.re:
|
||||
ens18:
|
||||
gateways:
|
||||
- 2a09:6840:128::254
|
||||
- 10.128.0.254
|
||||
addresses:
|
||||
- 2a09:6840:128::208/56
|
||||
- 10.128.0.208/16
|
||||
dns-1.int.infra.auro.re:
|
||||
adm0:
|
||||
addresses:
|
||||
|
|
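--- /dev/null
+++ b/roles/freeradius/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+radiusd__max_attributes: 200
+radiusd__status_server: true
+radiusd__clients: {}
+radiusd__enabled_modules_minimal:
+- always
+- attr_filter
+- cache_eap # TODO
+- dynamic_clients # TODO
+- eap # TODO
+- expiration # TODO
+- expr # TODO
+- linelog # TODO
+- logintime # TODO
+- realm # TODO
+- unpack # TODO
+- eap_inner
+- ldap
+- pap
+- utf8
+radiusd__enabled_modules: []
+radiusd__tls_cipher_list: DEFAULT
+radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
+radiusd__enabled_sites_minimal:
+- default
+- inner-tunnel
+radiusd__enabled_sites: []
+...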
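Review bot: The TLS defaults `radiusd__tls_certificate_file` and `radiusd__tls_private_key_file` point at the ssl-cert-snakeoil pair, a self-signed placeholder that supplicants cannot validate, so every EAP-PEAP/TTLS deployment must override them and the defaults file should say so, e.g. `# Self-signed placeholder: override with a CA-issued certificate before serving real clients`. An `assert` task in the role that fails when the snakeoil paths are still in use outside a test inventory would make that explicit. `radiusd__tls_cipher_list: DEFAULT` hands cipher selection to the OpenSSL default set; a short comment stating that this is intentional (system policy applies) helps the next reader. The `# TODO` markers on eight of the minimal modules do not say what is pending, so a word on each (template missing, untested, to be dropped) would make the list actionable.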
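--- /dev/null
+++ b/roles/freeradius/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart freeradius
+systemd:
+name: freeradius.service
+state: restarted
+...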
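Review bot: The handler restarts freeradius.service without checking the rendered configuration first, so a broken template leaves the service down instead of failing the play. A preceding handler `- name: Check freeradius configuration` / `command: freeradius -C`, notified from the same tasks and listed before the restart, makes the restart conditional on the daemon's own configuration check passing. A per-file `validate:` on the template task is not a good fit here because FreeRADIUS can only check the whole configuration directory.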
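--- /dev/null
+++ b/roles/freeradius/tasks/main.yml
@@ -0,0 +1,132 @@
+---
+- name: Install freeradius
+apt:
+name: freeradius
+install_recommends: false
+
+- name: Remove unused files
+file:
+path: "/etc/freeradius/3.0/{{ item }}"
+state: absent
+loop:
+- templates.conf
+- trigger.conf
+- README.rst
+- panic.gdb
+- experimental.conf
+- certs/ca.cnf
+- certs/bootstrap
+- certs/client.cnf
+- certs/inner-server.cnf
+- certs/server.cnf
+- certs/README
+- certs/Makefile
+- certs/xpextensions
+- policy.d/accounting
+- policy.d/rfc7542
+- policy.d/dhcp
+- policy.d/debug
+- policy.d/control
+- policy.d/abfab-tr
+- policy.d/moonshot-targeted-ids
+- policy.d/operator-name
+- mods-config/unbound/
+- mods-config/perl/
+- mods-config/python3/
+- mods-config/sql/
+- mods-config/files/
+- mods-config/preprocess/
+- mods-config/README.rst
+- users
+- hints
+- huntgroups
+
+- name: Configure freeradius
+template:
+src: "{{ item }}.j2"
+dest: "/etc/freeradius/3.0/{{ item }}"
+owner: root
+group: freerad
+mode: u=rw,g=r,o=
+loop:
+- radiusd.conf
+#- proxy.conf
+- clients.conf
+- dictionary
+- mods-available/utf8
+- mods-available/always
+- mods-available/eap
+- mods-available/eap_inner
+- mods-config/attr_filter/access_challenge
+- mods-config/attr_filter/access_reject
+- sites-available/inner-tunnel
+- sites-available/default
+notify:
+- Restart freeradius
+
+- name: Enumerate available modules
+find:
+paths: /etc/freeradius/3.0/mods-available
+register: available_modules
+
+- name: Disable modules
+file:
+path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
+state: absent
+loop: "{{ available_modules.files
+| map(attribute='path')
+| map('basename')
+| difference(radiusd__enabled_modules_minimal
+| union(radiusd__enabled_modules)) }}"
+notify:
+- Restart freeradius
+
+- name: Enable modules
+file:
+src: "/etc/freeradius/3.0/mods-available/{{ item }}"
+dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
+state: link
+owner: root
+group: freerad
+mode: u=rw,g=r,o=
+loop: "{{ radiusd__enabled_modules_minimal
+| union(radiusd__enabled_modules) }}"
+notify:
+- Restart freeradius
+
+- name: Enumerate available sites
+find:
+paths: /etc/freeradius/3.0/sites-available
+register: available_sites
+
+- name: Disable sites
+file:
+path: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
+state: absent
+loop: "{{ available_sites.files
+| map(attribute='path')
+| map('basename')
+| difference(radiusd__enabled_sites_minimal
+| union(radiusd__enabled_sites)) }}"
+notify:
+- Restart freeradius
+
+- name: Enable sites
+file:
+src: "/etc/freeradius/3.0/sites-available/{{ item }}"
+dest: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
+state: link
+owner: root
+group: freerad
+mode: u=rw,g=r,o=
+loop: "{{ radiusd__enabled_sites_minimal
+| union(radiusd__enabled_sites) }}"
+notify:
+- Restart freeradius
+
+- name: Enable and start freeradius
+systemd:
+name: freeradius.service
+state: started
+enabled: true
+...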
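Review bot: The `Configure freeradius` loop templates only `mods-available/utf8`, `always`, `eap` and `eap_inner`, although the commit also adds `mods-available/ldap.j2`, `attr_filter.j2` and `pap.j2` and lists those modules in `radiusd__enabled_modules_minimal`; as written, `Enable modules` links whatever `ldap`, `attr_filter` and `pap` files the package shipped, so the templated LDAP server, bind identity and filters are never installed. Add `- mods-available/ldap`, `- mods-available/attr_filter` and `- mods-available/pap` to the loop (or delete the unused templates). The `Install freeradius` task installs only `freeradius` with recommends disabled; on Debian the LDAP module and its `mods-available/ldap` file come from the separate `freeradius-ldap` package (please verify on a fresh host), without which the link task fails or the module cannot load. `proxy.conf` is commented out of the same loop while `radiusd.conf.j2` keeps `$INCLUDE proxy.conf` and `proxy_requests = yes`, so the proxy.conf the package installed stays in effect — template it or drop the include.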
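--- /dev/null
+++ b/roles/freeradius/templates/clients.conf.j2
@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+
+{% for name, client in radiusd__clients.items() %}
+client {{ name }} {
+ipaddr = {{ client.addr }}
+shortname = {{ name }}
+proto = *
+require_message_authenticator = yes
+nastype = other
+secret = {{ client.secret }}
+{% if client.virtual_server is defined %}
+virtual_server = {{ client.virtual_server }}
+{% endif %}
+}
+
+{% endfor %}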
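Review bot: `secret = {{ client.secret }}` is emitted unquoted, so a secret containing whitespace, `#` or `"` yields a truncated or malformed client definition instead of an error; render it with the same `enquote` filter that eap.j2 applies to `cipher_list`, i.e. `secret = {{ client.secret | enquote }}`. `proto = *` accepts each client over TCP as well as UDP; if only UDP access points are expected, `proto = udp` narrows the listener matching. `require_message_authenticator = yes` is the right default and, since the removed clients.conf.j2 had it at `no`, deserves a comment explaining that Message-Authenticator is now mandatory for all clients.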
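--- /dev/null
+++ b/roles/freeradius/templates/dictionary.j2
@@ -0,0 +1 @@
+{{ ansible_managed | comment }}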
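--- /dev/null
+++ b/roles/freeradius/templates/mods-available/always.j2
@@ -0,0 +1,37 @@
+{{ ansible_managed | comment }}
+
+always reject {
+rcode = reject
+}
+
+always fail {
+rcode = fail
+}
+
+always ok {
+rcode = ok
+}
+
+always handled {
+rcode = handled
+}
+
+always invalid {
+rcode = invalid
+}
+
+always userlock {
+rcode = userlock
+}
+
+always notfound {
+rcode = notfound
+}
+
+always noop {
+rcode = noop
+}
+
+always updated {
+rcode = updated
+}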
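--- /dev/null
+++ b/roles/freeradius/templates/mods-available/attr_filter.j2
@@ -0,0 +1,11 @@
+{{ ansible_managed | comment }}
+
+attr_filter attr_filter.access_reject {
+key = "%{User-Name}"
+filename = ${modconfdir}/${.:name}/access_reject
+}
+
+attr_filter attr_filter.access_challenge {
+key = "%{User-Name}"
+filename = ${modconfdir}/${.:name}/access_challenge
+}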
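--- /dev/null
+++ b/roles/freeradius/templates/mods-available/eap.j2
@@ -0,0 +1,59 @@
+{{ ansible_managed | comment }}
+
+eap {
+
+default_eap_type = peap
+
+type = peap
+type = ttls
+
+ignore_unknown_eap_types = no
+
+cisco_accounting_username_bug = no
+
+timer_expire = 60
+max_sessions = ${max_requests}
+
+tls-config tls-common {
+private_key_file = {{ radiusd__tls_private_key_file }}
+certificate_file = {{ radiusd__tls_certificate_file }}
+ca_file = {{ radiusd__tls_ca_file }}
+dh_file = ${certdir}/dh
+cipher_list = {{ radiusd__tls_cipher_list | enquote }}
+cipher_server_preferences = yes
+tls_min_version = "1.2"
+tls_max_version = "1.2" # TODO: 1.3
+# TODO
+# cache {
+# enable = yes
+# lifetime = 24
+# name = "eap"
+# persistdir = "${logdir}/tlscache"
+# store {
+# Tunnel-Private-Group-Id
+# }
+# }
+ocsp {
+enable = no
+}
+}
+
+peap {
+tls = tls-common
+default_eap_type = gtc
+require_client_cert = no
+copy_request_to_tunnel = no
+use_tunneled_reply = no
+virtual_server = inner-tunnel
+}
+
+ttls {
+tls = tls-common
+default_eap_type = pap
+require_client_cert = no
+copy_request_to_tunnel = no
+use_tunneled_reply = no
+virtual_server = inner-tunnel
+}
+
+}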
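Review bot: `dh_file = ${certdir}/dh` names a file this role never writes, and the `Remove unused files` task in tasks/main.yml deletes `certs/Makefile` and `certs/bootstrap`, the packaged ways of generating it; unless the Debian postinst creates `dh` (worth checking on a fresh host), the eap module will at best warn that DHE ciphers are unavailable and at worst refuse to load. Either generate the parameters with an `openssl dhparam` task, or drop `dh_file` and rely on the ECDHE suites that `cipher_list = DEFAULT` already allows. `tls_max_version = "1.2"` next to `# TODO: 1.3` reads as a deliberate pin; a few words on why (supplicant compatibility, presumably) would stop it from being raised by accident.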
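--- /dev/null
+++ b/roles/freeradius/templates/mods-available/eap_inner.j2
@@ -0,0 +1,14 @@
+{{ ansible_managed | comment }}
+
+eap inner-eap {
+
+default_eap_type = gtc
+
+type = gtc
+type = pap
+
+gtc {
+auth_type = LDAP
+}
+
+}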
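Review bot: `type = pap` in the `inner-eap` module looks wrong: as far as I know rlm_eap has no `pap` sub-type (PAP inside EAP-TTLS is handled by the `pap` module in the inner-tunnel `authorize`/`authenticate` lists, not by rlm_eap), so this line is likely to make the module fail to load — `freeradius -C` on a host will confirm. If it loads, a comment stating which supplicant method it serves would help; otherwise drop the line and keep `type = gtc`.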
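--- /dev/null
+++ b/roles/freeradius/templates/mods-available/ldap.j2
@@ -0,0 +1,50 @@
+{{ ansible_managed | comment }}
+
+ldap {
+
+server = "ldap://ldap-1.int.infra.auro.re"
+
+# TODO: quand on passera en prod, créer un utilisation dédié
+identity = "cn=Directory manager"
+password = "MotDePasseSuperComplique"
+
+base_dn = "ou=users,dc=auro,dc=re"
+
+user_dn = "LDAP-UserDn"
+
+user {
+base_dn = "${..base_dn}"
+filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
+}
+
+group {
+base_dn = "${..base_dn}"
+filter = "(objectClass=posixGroup)"
+membership_attribute = "memberOf"
+}
+
+options {
+# TODO
+chase_referrals = no
+rebind = no
+res_timeout = 10
+srv_timelimit = 3
+net_timeout = 1
+idle = 60
+probes = 3
+interval = 3
+ldap_debug = 0x0028
+}
+
+pool {
+start = ${thread[pool].start_servers}
+min = ${thread[pool].min_spare_servers}
+max = ${thread[pool].max_servers}
+spare = ${thread[pool].max_spare_servers}
+uses = 0
+retry_delay = 30
+lifetime = 0
+idle_timeout = 60
+}
+
+}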
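Review bot: `identity = "cn=Directory manager"` and `password = "MotDePasseSuperComplique"` commit the directory's root bind credentials into a template, and `server = "ldap://..."` with no `tls { ... }` sub-section means that bind, every user lookup and — because inner-tunnel sets `Auth-Type := ldap` — each user's cleartext-password bind cross the network unencrypted. Move the credentials to vault-backed role variables, e.g. `identity = {{ radiusd__ldap_identity | enquote }}` and `password = {{ radiusd__ldap_password | enquote }}`, and create the dedicated read-only account the `# TODO` already plans, scoped to `ou=users`. Switch to `ldaps://` or add `tls { start_tls = yes }` with `require_cert = "demand"` and a `ca_file` so the 389DS certificate is verified rather than merely used.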
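--- /dev/null
+++ b/roles/freeradius/templates/mods-available/pap.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+pap {
+normalise = no
+}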
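--- /dev/null
+++ b/roles/freeradius/templates/mods-available/utf8.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+utf8 {
+}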
|
@ -0,0 +1,10 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
Session-Timeout =* ANY,
|
||||
Idle-Timeout =* ANY
|
|
@ -0,0 +1,10 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Error-Cause =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
MS-CHAP-Error =* ANY,
|
||||
Proxy-State =* ANY
|
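--- /dev/null
+++ b/roles/freeradius/templates/proxy.conf.j2
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+
+proxy server {
+default_fallback = no
+dynamic = no
+}
+
+{% for name, hs in radiusd__home_servers.items %}
+home_server {{ name }} {
+type = auth
+ipaddr = {{ hs.addr }}
+port = {{ hs.port | int }}
+}
+{% endfor %}
+
+{% for name, realm in radiusd__realms.items() %}
+realm {{ name }} {
+auth_pool = auth_pool
+}
+{% endfor %}
+
+realm LOCAL {
+}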
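Review bot: `{% for name, hs in radiusd__home_servers.items %}` is missing the call parentheses, so Jinja tries to iterate a bound method and the render fails; it should be `radiusd__home_servers.items()` as the `radiusd__realms` loop below already does. Neither `radiusd__home_servers` nor `radiusd__realms` has a default in `roles/freeradius/defaults/main.yml`, so the template also fails on an undefined variable; add `{}` defaults for both. Each `home_server` lacks a `secret` and every realm points at `auth_pool = auth_pool`, a pool this file never declares; since tasks/main.yml has `proxy.conf` commented out this is dead today, but it will break the moment it is enabled, so either fix it now or remove the template until proxying is designed.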
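--- /dev/null
+++ b/roles/freeradius/templates/radiusd.conf.j2
@@ -0,0 +1,68 @@
+{{ ansible_managed | comment }}
+
+prefix = /usr
+exec_prefix = /usr
+sysconfigdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+name = freeradius
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+db_dir = ${raddbdir}
+libdir = /usr/lib/freeradius
+pidfile = ${run_dir}/${name}.pid
+checkrad = ${sbindir}/checkrad
+
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 16384
+hostname_lookups = no
+correct_escapes = true
+
+log {
+destination = syslog
+syslog_facility = daemon
+auth = yes
+}
+
+security {
+user = freerad
+group = freerad
+allow_core_dumps = no
+max_attributes = {{ radiusd__max_attributes | int }}
+status_server = {{ radiusd__status_server | ternary("yes", "no") }}
+}
+
+proxy_requests = yes
+
+$INCLUDE proxy.conf
+
+$INCLUDE clients.conf
+
+thread pool {
+start_servers = 5
+max_servers = 32
+min_spare_servers = 3
+max_spare_servers = 10
+max_requests_per_server = 0
+auto_limit_acct = no
+}
+
+modules {
+$INCLUDE mods-enabled/
+}
+
+instantiate {
+}
+
+policy {
+$INCLUDE policy.d/
+}
+
+$INCLUDE sites-enabled/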
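Review bot: `proxy_requests = yes` enables request forwarding although nothing in this commit proxies: inner-tunnel forces `&Proxy-To-Realm := LOCAL` and proxy.conf.j2 declares only `realm LOCAL`. Unless forwarding to another RADIUS server is planned for this host, `proxy_requests = no` keeps an unknown realm handled locally instead of depending on whatever realm and home_server definitions proxy.conf on disk contains. If proxying is planned, a one-line comment saying so would keep the next reader from removing it.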
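--- /dev/null
+++ b/roles/freeradius/templates/sites-available/default.j2
@@ -0,0 +1,69 @@
+{{ ansible_managed | comment }}
+
+server default {
+
+listen {
+type = auth
+ipaddr = *
+port = 0
+limit {
+max_connections = 16
+lifetime = 0
+idle_timeout = 30
+}
+}
+
+listen {
+type = auth
+ipv6addr = *
+port = 0
+limit {
+max_connections = 16
+lifetime = 0
+idle_timeout = 30
+}
+}
+
+authorize {
+filter_username # TODO
+suffix
+eap
+}
+
+authenticate {
+eap
+}
+
+preacct {
+}
+
+accounting {
+}
+
+post-auth {
+if (session-state:User-Name && reply:User-Name \
+&& request:User-Name \
+&& (reply:User-Name == request:User-Name)) {
+update reply {
+&User-Name !* ANY
+}
+}
+update {
+&reply: += &session-state:
+}
+Post-Auth-Type REJECT {
+attr_filter.access_reject
+eap
+remove_reply_message_if_eap
+}
+remove_reply_message_if_eap
+}
+
+pre-proxy {
+}
+
+post-proxy {
+eap
+}
+
+}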
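Review bot: Both `listen` blocks bind `ipaddr = *` / `ipv6addr = *`, so the auth port is reachable on every address of the host, including the globally routed 2a09:6840:128::208 assigned to radius-1 in the inventory hunk; packets from sources not in clients.conf are discarded, but they still reach the daemon's packet parser. Consider binding to the explicit AP-facing addresses, or documenting that the host firewall limits UDP/1812 to the client ranges, so the exposure is a stated decision. The `limit { max_connections … }` sub-section applies to TCP listeners; with no `proto` set these are UDP, so if I read the listen documentation right those three lines carry over from an example and have no effect here.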
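--- /dev/null
+++ b/roles/freeradius/templates/sites-available/inner-tunnel.j2
@@ -0,0 +1,39 @@
+{{ ansible_managed | comment }}
+
+server inner-tunnel {
+
+authorize {
+# Look for realm using the 'suffix' format (user@realm)
+suffix
+# Don't proxy requests from inner tunnel
+update control {
+&Proxy-To-Realm := LOCAL
+}
+# TODO: vérifier que le realm est soit vide, soit 'auro.re'
+# Must be before 'ldap', so that we don't query the LDAP server
+# for "internal" packets (cf. documentation for
+# sites-available/inner-tunnel)
+inner-eap {
+ok = return
+}
+ldap
+# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
+if ((ok || updated) && User-Password) {
+update control {
+Auth-Type := ldap
+}
+}
+pap
+}
+
+authenticate {
+inner-eap
+# Authenticate using 'Auth-Type = LDAP'
+# This is not recommended by FreeRADIUS (cf. documentation for
+# sites-available/default), but the password hashing scheme used
+# by 389DS is not yet supported by FreeRADIUS 3
+# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
+ldap
+}
+
+}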
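Review bot: The `# TODO: vérifier que le realm…` comment leaves realm validation open: nothing in `authorize` rejects a request whose realm is neither empty nor the local one, and whether `suffix` strips it depends on the realm definitions proxy.conf supplies, which this commit does not manage. A small check after `suffix`, e.g. `if (&Realm && &Realm != "auro.re") { reject }` using the realm the TODO names, would make the intent explicit regardless of proxy.conf (verify what `suffix` sets `&Realm` to for an unknown realm before relying on it). The French comments here and at the top of ldap.j2 would be easier to maintain in English alongside the existing English ones.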
|
@ -1,263 +0,0 @@
|
|||
---
|
||||
- name: Add backports repositories
|
||||
apt_repository:
|
||||
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
|
||||
loop:
|
||||
- "deb"
|
||||
- "deb-src"
|
||||
|
||||
- name: Ensure /var/www exists
|
||||
file:
|
||||
name: "/var/www"
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Clone re2o repo
|
||||
git:
|
||||
repo: "https://gitlab.federez.net/re2o/re2o.git"
|
||||
dest: "/var/www/re2o"
|
||||
version: "dev"
|
||||
force: true
|
||||
|
||||
- name: Template local re2o settings
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/var/www/re2o/re2o/{{ item }}"
|
||||
mode: 0644
|
||||
loop:
|
||||
- settings_local.py
|
||||
- local_routers.py
|
||||
|
||||
# What follows is a hideous abomination.
|
||||
# Blame freeradius-python3 on backports.
|
||||
|
||||
- name: try to install freeradius-python3 (this will fail on post-install)
|
||||
apt:
|
||||
name: freeradius-python3
|
||||
default_release: buster-backports
|
||||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: fix freeradius-python3 postinstall script
|
||||
template:
|
||||
src: freeradius-python3.postinst.j2
|
||||
dest: /var/lib/dpkg/info/freeradius-python3.postinst
|
||||
mode: 0644
|
||||
|
||||
- name: reinstall broken package (this might fail too, for different reasons)
|
||||
apt:
|
||||
name: freeradius-python3
|
||||
default_release: buster-backports
|
||||
force: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: Setup radius symlinks
|
||||
file:
|
||||
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
|
||||
dest: "/etc/freeradius/3.0/{{ item.filename }}"
|
||||
state: link
|
||||
force: true
|
||||
loop:
|
||||
- local_prefix: ""
|
||||
filename: auth.py
|
||||
- local_prefix: freeradius3/
|
||||
filename: radiusd.conf
|
||||
- local_prefix: freeradius3/
|
||||
filename: mods-enabled/python
|
||||
- local_prefix: freeradius3/
|
||||
filename: mods-enabled/eap
|
||||
|
||||
- name: Configure freeradius
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
loop:
|
||||
- sites-enabled/default
|
||||
- sites-enabled/inner-tunnel
|
||||
|
||||
- name: Install Basic Clients/Proxy Files freeradius
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
loop:
|
||||
- clients.conf
|
||||
- proxy.conf
|
||||
when: "'aurore_vm' not in group_names"
|
||||
|
||||
- name: Install Clients FedeRez Radius-Aurore
|
||||
template:
|
||||
src: proxy-federez.conf.j2
|
||||
dest: /etc/freeradius/3.0/proxy.conf
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
when: "'aurore_vm' in group_names"
|
||||
|
||||
- name: Install Proxy FedeRez Radius-Aurore
|
||||
template:
|
||||
src: clients-federez.conf.j2
|
||||
dest: /etc/freeradius/3.0/clients.conf
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
when: "'aurore_vm' in group_names"
|
||||
|
||||
- name: Install radius requirements (except freeradius-python3)
|
||||
shell:
|
||||
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
||||
chdir: /var/www/re2o/
|
||||
|
||||
- name: Install PyPi requirements for radius
|
||||
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
|
||||
|
||||
# End of hideousness (hopefully).
|
||||
|
||||
- name: Configure log rotation
|
||||
template:
|
||||
src: "freeradius-logrotate.j2"
|
||||
dest: "/etc/logrotate.d/freeradius"
|
||||
mode: 0644
|
||||
|
||||
|
||||
# Database setup
|
||||
|
||||
|
||||
- name: Install postgresql
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- postgresql-client-11=11.7-0+deb10u1
|
||||
force: true
|
||||
|
||||
- name: Install postgresql ansible module requirement(s)
|
||||
pip:
|
||||
name: psycopg2
|
||||
|
||||
- name: Create read-only user
|
||||
community.general.postgresql_user:
|
||||
name: re2o_ro
|
||||
password: "{{ radius_pg_re2o_ro_password }}"
|
||||
become_user: postgres
|
||||
|
||||
- name: Create replication user
|
||||
community.general.postgresql_user:
|
||||
name: replication
|
||||
password: "{{ radius_pg_replication_password }}"
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Nuking - Stop freeradius
|
||||
systemd:
|
||||
name: freeradius
|
||||
state: stopped
|
||||
when: nuke_radius|default(false)
|
||||
|
||||
- name: Nuking - Remove old subscription if it exists
|
||||
community.general.postgresql_subscription:
|
||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||
db: re2o
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: nuke_radius|default(false)
|
||||
ignore_errors: true
|
||||
|
||||
- name: Nuking - Destroy old local DB if it exists
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: nuke_radius|default(false)
|
||||
|
||||
- name: Create local DB
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
owner: replication
|
||||
state: present
|
||||
encoding: "UTF8"
|
||||
lc_collate: 'fr_FR.UTF-8'
|
||||
lc_ctype: 'fr_FR.UTF-8'
|
||||
become_user: postgres
|
||||
|
||||
- name: Dump radius re2o PostgreSQL database schema from master
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: dump
|
||||
target: /tmp/re2o-schema.sql
|
||||
target_opts: '-s'
|
||||
login_host: 10.128.0.22
|
||||
login_user: replication
|
||||
login_password: "{{ radius_pg_replication_password }}"
|
||||
|
||||
|
||||
- name: Restore DB
|
||||
tags:
|
||||
- restore
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: restore
|
||||
target: /tmp/re2o-schema.sql
|
||||
target_opts: "-s"
|
||||
login_host: localhost
|
||||
login_user: replication
|
||||
login_password: "{{ radius_pg_replication_password }}"
|
||||
|
||||
|
||||
- name: Grant select permissions on all tables to read-only user
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: SELECT
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
- name: Grant usage permission on schema to read-only user
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: USAGE
|
||||
objs: public
|
||||
type: schema
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
- name: Set default privileges in schema
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: SELECT
|
||||
schema: public
|
||||
objs: TABLES
|
||||
type: default_privs
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Set up subscription to main database
|
||||
tags:
|
||||
- sub
|
||||
community.general.postgresql_subscription:
|
||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||
connparams:
|
||||
host: re2o-db.adm.auro.re
|
||||
user: replication
|
||||
password: "{{ radius_pg_replication_password }}"
|
||||
dbname: re2o
|
||||
db: re2o
|
||||
publications:
|
||||
- re2o_pub
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Restart freeradius, ensure enabled
|
||||
systemd:
|
||||
name: freeradius
|
||||
enabled: true
|
||||
state: restarted
|
||||
daemon_reload: true
|
|
@ -1,22 +0,0 @@
|
|||
client radius-aurore {
|
||||
ipaddr = 10.128.0.0
|
||||
netmask = 16
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-wifi
|
||||
}
|
||||
|
||||
# Parangon (federez)
|
||||
client parangon {
|
||||
ipaddr = 185.230.78.47
|
||||
secret = {{ radius_secret_federez }}
|
||||
virtual_server = radius-wifi
|
||||
}
|
||||
|
||||
# Dodecagon (federez)
|
||||
client dodecagon {
|
||||
ipaddr = 195.154.165.76
|
||||
secret = {{ radius_secret_federez }}
|
||||
virtual_server = radius-wifi
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
client radius-filaire {
|
||||
ipaddr = 10.130.{{ apartment_block_id }}.0
|
||||
netmask = 24
|
||||
secret = {{ radius_secret_wired }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-filaire
|
||||
}
|
||||
|
||||
|
||||
client aurore-wifi {
|
||||
ipaddr = 10.{{ subnet_ids.ap }}.0.0
|
||||
netmask = 16
|
||||
secret = {{ radius_secret_wifi }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-wifi
|
||||
}
|
|
@ -1,50 +0,0 @@
|
|||
# The main server log
|
||||
/var/log/freeradius/radius.log {
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
copytruncate
|
||||
}
|
||||
|
||||
# (in order)
|
||||
# Session monitoring utilities
|
||||
# Session database modules
|
||||
# SQL log files
|
||||
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
|
||||
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
|
||||
/var/log/freeradius/sqllog.sql
|
||||
{
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
nocreate
|
||||
}
|
||||
|
||||
# There are different detail-rotating strategies you can use. One is
|
||||
# to write to a single detail file per IP and use the rotate config
|
||||
# below. Another is to write to a daily detail file per IP with:
|
||||
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
|
||||
# (or similar) in radiusd.conf, without rotation. If you go with the
|
||||
# second technique, you will need another cron job that removes old
|
||||
# detail files. You do not need to comment out the below for method #2.
|
||||
/var/log/freeradius/radacct/*/detail {
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
nocreate
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
#!/bin/sh
|
||||
# vim:ts=2:sw=2:et
|
||||
|
||||
set -e
|
||||
|
||||
case "$1" in
|
||||
configure)
|
||||
invoke-rc.d freeradius restart
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
exit 0
|
|
@ -1,28 +0,0 @@
|
|||
class DbRouter(object):
|
||||
"""
|
||||
A router to control all database operations on models in the
|
||||
auth application.
|
||||
"""
|
||||
def db_for_read(self, model, **hints):
|
||||
"""
|
||||
Attempts to read remote models go to local database.
|
||||
"""
|
||||
return 'local'
|
||||
|
||||
def db_for_write(self, model, **hints):
|
||||
"""
|
||||
Attempts to write remote models go to the remote database.
|
||||
"""
|
||||
return 'default'
|
||||
|
||||
def allow_relation(self, obj1, obj2, **hints):
|
||||
"""
|
||||
Allow relations involving the remote database
|
||||
"""
|
||||
return True
|
||||
|
||||
def allow_migrate(self, db, app_label, model_name=None, **hints):
|
||||
"""
|
||||
Allow migrations on the remote database
|
||||
"""
|
||||
return True
|
|
@ -1,87 +0,0 @@
|
|||
# -*- mode: conf-unix; coding: utf-8 -*-
|
||||
proxy server {
|
||||
default_fallback = no
|
||||
}
|
||||
|
||||
|
||||
realm LOCAL {
|
||||
|
||||
}
|
||||
|
||||
realm NULL {
|
||||
|
||||
}
|
||||
|
||||
#Proxy FedeRez #####
|
||||
|
||||
realm AUROREFEDEREZ {
|
||||
auth_pool = federez_radius_servers
|
||||
# nostrip
|
||||
}
|
||||
|
||||
home_server parangon_v4 {
|
||||
type = auth
|
||||
ipaddr = 185.230.78.47
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server parangon_v6 {
|
||||
type = auth
|
||||
ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server dodecagon_v4 {
|
||||
type = auth
|
||||
ipaddr = 195.154.165.76
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server dodecagon_v6 {
|
||||
type = auth
|
||||
ipaddr = 2001:bc8:273e::1
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server_pool federez_radius_servers {
|
||||
type = fail-over
|
||||
home_server = parangon_v4
|
||||
home_server = dodecagon_v4
|
||||
home_server = dodecagon_v6
|
||||
home_server = parangon_v6
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
# -*- mode: conf-unix; coding: utf-8 -*-
|
||||
proxy server {
|
||||
default_fallback = no
|
||||
}
|
||||
|
||||
|
||||
realm LOCAL {
|
||||
|
||||
}
|
||||
|
||||
realm NULL {
|
||||
|
||||
}
|
||||
|
||||
#Proxy FedeRez #####
|
||||
|
||||
realm AUROREFEDEREZ {
|
||||
auth_pool = aurore_central_radius_servers
|
||||
# nostrip
|
||||
}
|
||||
|
||||
home_server radius_aurore_v4 {
|
||||
type = auth
|
||||
ipaddr = 10.128.0.251
|
||||
port = 1812
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server radius_aurore_v6 {
|
||||
type = auth
|
||||
ipaddr = 2a09:6840:128::251
|
||||
port = 1812
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server_pool aurore_central_radius_servers {
|
||||
type = fail-over
|
||||
home_server = radius_aurore_v4
|
||||
home_server = radius_aurore_v6
|
||||
}
|
|
@ -1,129 +0,0 @@
|
|||
# coding: utf-8
|
||||
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
|
||||
# se veut agnostique au réseau considéré, de manière à être installable en
|
||||
# quelques clics.
|
||||
#
|
||||
# Copyright © 2017 Gabriel Détraz
|
||||
# Copyright © 2017 Goulven Kermarec
|
||||
# Copyright © 2017 Augustin Lemesle
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
"""re2o.settings_locale
|
||||
The file with all the available options for a locale configuration of re2o
|
||||
"""
|
||||
|
||||
from __future__ import unicode_literals
|
||||
|
||||
# A secret key used by the server.
|
||||
SECRET_KEY = "{{ re2o_secret_key }}"
|
||||
|
||||
# The password to access the project database
|
||||
DB_PASSWORD = "{{ re2o_db_password }}"
|
||||
|
||||
# AES key for secret key encryption.
|
||||
# The length must be a multiple of 16
|
||||
AES_KEY = "{{ re2o_aes_key }}"
|
||||
|
||||
# Should the server run in debug mode ?
|
||||
# SECURITY WARNING: don't run with debug turned on in production!
|
||||
DEBUG = False
|
||||
|
||||
# A list of admins of the services. Receive mails when an error occurs
|
||||
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
|
||||
|
||||
# The list of hostname the server will respond to.
|
||||
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
|
||||
|
||||
# The time zone the server is runned in
|
||||
TIME_ZONE = 'Europe/Paris'
|
||||
|
||||
# The storage systems parameters to use
|
||||
DATABASES = {
|
||||
'default': {
|
||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||
'NAME': 're2o',
|
||||
'USER': 're2o',
|
||||
'PASSWORD': DB_PASSWORD,
|
||||
'HOST': 're2o-db.adm.auro.re',
|
||||
'TEST': {
|
||||
'CHARSET': 'utf8',
|
||||
'COLLATION': 'utf8_general_ci'
|
||||
}
|
||||
},
|
||||
'local': {
|
||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||
'NAME': 're2o',
|
||||
'USER': 're2o_ro',
|
||||
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
|
||||
'HOST': 'localhost',
|
||||
'TEST': {
|
||||
'CHARSET': 'utf8',
|
||||
'COLLATION': 'utf8_general_ci'
|
||||
}
|
||||
},
|
||||
'ldap': {
|
||||
'ENGINE': 'ldapdb.backends.ldap',
|
||||
'NAME': 'ldap://10.128.0.21/',
|
||||
'USER': 'cn=admin,dc=auro,dc=re',
|
||||
'TLS': False,
|
||||
'PASSWORD': '{{ ldap_admin_password }}',
|
||||
}
|
||||
}
|
||||
|
||||
# Security settings for secure https
|
||||
# Activate once https is correctly configured
|
||||
SECURE_CONTENT_TYPE_NOSNIFF = False
|
||||
SECURE_BROWSER_XSS_FILTER = False
|
||||
SESSION_COOKIE_SECURE = False
|
||||
CSRF_COOKIE_SECURE = False
|
||||
CSRF_COOKIE_HTTPONLY = False
|
||||
X_FRAME_OPTIONS = 'DENY'
|
||||
SESSION_COOKIE_AGE = 60 * 60 * 3
|
||||
|
||||
# The path where your organization logo is stored
|
||||
LOGO_PATH = "static_files/logo.png"
|
||||
|
||||
# The mail configuration for Re2o to send mails
|
||||
SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use
|
||||
EMAIL_HOST = 'localhost' # The host to use
|
||||
EMAIL_PORT = 25 # The port to use
|
||||
|
||||
# Settings of the LDAP structure
|
||||
LDAP = {
|
||||
'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
|
||||
'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
|
||||
'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
|
||||
'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
|
||||
'user_gid': 100,
|
||||
}
|
||||
|
||||
# A range of UID to use. Used in linux environement
|
||||
UID_RANGES = {
|
||||
'users': [21001, 30000],
|
||||
'service-users': [20000, 21000],
|
||||
}
|
||||
|
||||
# A range of GID to use. Used in linux environement
|
||||
GID_RANGES = {
|
||||
'posix': [501, 600],
|
||||
}
|
||||
|
||||
# Some optionnal Re2o Apps
|
||||
OPTIONNAL_APPS_RE2O = ()
|
||||
|
||||
# Some Django apps you want to add in you local project
|
||||
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
|
||||
|
||||
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
|
|
@ -1,239 +0,0 @@
|
|||
######################################################################
|
||||
#
|
||||
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
||||
# "server" section, and configuration directives.
|
||||
#
|
||||
# Virtual hosts should be put into the "sites-available"
|
||||
# directory. Soft links should be created in the "sites-enabled"
|
||||
# directory to these files. This is done in a normal installation.
|
||||
#
|
||||
# If you are using 802.1X (EAP) authentication, please see also
|
||||
# the "inner-tunnel" virtual server. You will likely have to edit
|
||||
# that, too, for authentication to work.
|
||||
#
|
||||
# $Id: 083407596aa5074d665adac9606e7de655b634aa $
|
||||
#
|
||||
######################################################################
|
||||
#
|
||||
# Read "man radiusd" before editing this file. See the section
|
||||
# titled DEBUGGING. It outlines a method where you can quickly
|
||||
# obtain the configuration you want, without running into
|
||||
# trouble. See also "man unlang", which documents the format
|
||||
# of this file.
|
||||
#
|
||||
# This configuration is designed to work in the widest possible
|
||||
# set of circumstances, with the widest possible number of
|
||||
# authentication methods. This means that in general, you should
|
||||
# need to make very few changes to this file.
|
||||
#
|
||||
# The best way to configure the server for your local system
|
||||
# is to CAREFULLY edit this file. Most attempts to make large
|
||||
# edits to this file will BREAK THE SERVER. Any edits should
|
||||
# be small, and tested by running the server with "radiusd -X".
|
||||
# Once the edits have been verified to work, save a copy of these
|
||||
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
||||
# make more edits, and test, as above.
|
||||
#
|
||||
# There are many "commented out" references to modules such
|
||||
# as ldap, sql, etc. These references serve as place-holders.
|
||||
# If you need the functionality of that module, then configure
|
||||
# it in radiusd.conf, and un-comment the references to it in
|
||||
# this file. In most cases, those small changes will result
|
||||
# in the server being able to connect to the DB, and to
|
||||
# authenticate users.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
server default {
|
||||
listen {
|
||||
type = auth
|
||||
ipaddr = *
|
||||
port = 0
|
||||
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
ipaddr = *
|
||||
port = 0
|
||||
type = acct
|
||||
|
||||
limit {
|
||||
}
|
||||
}
|
||||
|
||||
# IPv6 versions of the above - read their full config to understand options
|
||||
listen {
|
||||
type = auth
|
||||
ipv6addr = :: # any. ::1 == localhost
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
ipv6addr = ::
|
||||
port = 0
|
||||
type = acct
|
||||
|
||||
limit {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
server radius-wifi {
|
||||
authorize {
|
||||
rewrite_calling_station_id
|
||||
|
||||
if (User-Name =~ /^(.*)@(.*)/){
|
||||
if (User-Name !~ /^(.*)@(.*)auro(.*)/){
|
||||
update control{
|
||||
Proxy-To-Realm := 'AUROREFEDEREZ'
|
||||
}
|
||||
}
|
||||
|
||||
if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
|
||||
update request{
|
||||
Stripped-User-Name := "%{1}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
filter_username
|
||||
|
||||
preprocess
|
||||
|
||||
suffix
|
||||
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
|
||||
expiration
|
||||
logintime
|
||||
|
||||
pap
|
||||
|
||||
}
|
||||
|
||||
authenticate {
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
|
||||
mschap
|
||||
|
||||
digest
|
||||
|
||||
eap
|
||||
}
|
||||
|
||||
|
||||
preacct {
|
||||
preprocess
|
||||
|
||||
acct_unique
|
||||
|
||||
suffix
|
||||
files
|
||||
}
|
||||
|
||||
accounting {
|
||||
|
||||
detail
|
||||
|
||||
unix
|
||||
exec
|
||||
|
||||
}
|
||||
|
||||
session {
|
||||
}
|
||||
|
||||
post-auth {
|
||||
update {
|
||||
&reply: += &session-state:
|
||||
}
|
||||
|
||||
exec
|
||||
|
||||
|
||||
remove_reply_message_if_eap
|
||||
|
||||
Post-Auth-Type REJECT {
|
||||
-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
eap
|
||||
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
server radius-filaire{
|
||||
authorize{
|
||||
|
||||
re2o
|
||||
expiration
|
||||
logintime
|
||||
pap
|
||||
}
|
||||
authenticate{
|
||||
Auth-Type PAP{
|
||||
pap
|
||||
}
|
||||
Auth-Type CHAP{
|
||||
chap
|
||||
}
|
||||
Auth-Type MS-CHAP{
|
||||
mschap
|
||||
}
|
||||
digest
|
||||
eap
|
||||
|
||||
}
|
||||
preacct{
|
||||
preprocess
|
||||
acct_unique
|
||||
suffix
|
||||
files
|
||||
}
|
||||
accounting{
|
||||
}
|
||||
session{
|
||||
}
|
||||
post-auth{
|
||||
re2o
|
||||
exec
|
||||
}
|
||||
pre-proxy{
|
||||
}
|
||||
post-proxy{
|
||||
eap
|
||||
}
|
||||
}
|
|
@ -1,345 +0,0 @@
|
|||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# This is a virtual server that handles *only* inner tunnel
|
||||
# requests for EAP-TTLS and PEAP types.
|
||||
#
|
||||
# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
|
||||
#
|
||||
######################################################################
|
||||
|
||||
server inner-tunnel {
|
||||
|
||||
#
|
||||
# This next section is here to allow testing of the "inner-tunnel"
|
||||
# authentication methods, independently from the "default" server.
|
||||
# It is listening on "localhost", so that it can only be used from
|
||||
# the same machine.
|
||||
#
|
||||
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If it works, you have configured the inner tunnel correctly. To check
|
||||
# if PEAP will work, use:
|
||||
#
|
||||
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If that works, PEAP should work. If that command doesn't work, then
|
||||
#
|
||||
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||
#
|
||||
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||
#
|
||||
listen {
|
||||
ipaddr = 127.0.0.1
|
||||
port = 18120
|
||||
type = auth
|
||||
}
|
||||
|
||||
|
||||
# Authorization. First preprocess (hints and huntgroups files),
|
||||
# then realms, and finally look in the "users" file.
|
||||
#
|
||||
# The order of the realm modules will determine the order that
|
||||
# we try to find a matching realm.
|
||||
#
|
||||
# Make *sure* that 'preprocess' comes before any realm if you
|
||||
# need to setup hints for the remote radius server
|
||||
authorize {
|
||||
if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
|
||||
update request{
|
||||
Stripped-User-Name := "%{1}"
|
||||
}
|
||||
}
|
||||
#
|
||||
# Take a User-Name, and perform some checks on it, for spaces and other
|
||||
# invalid characters. If the User-Name appears invalid, reject the
|
||||
# request.
|
||||
#
|
||||
# See policy.d/filter for the definition of the filter_username policy.
|
||||
#
|
||||
filter_username
|
||||
|
||||
re2o
|
||||
|
||||
#
|
||||
# Do checks on outer / inner User-Name, so that users
|
||||
# can't spoof us by using incompatible identities
|
||||
#
|
||||
# filter_inner_identity
|
||||
|
||||
#
|
||||
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||
# handling a CHAP request and Auth-Type has not already been set
|
||||
chap
|
||||
|
||||
#
|
||||
# If the users are logging in with an MS-CHAP-Challenge
|
||||
# attribute for authentication, the mschap module will find
|
||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||
# to the request, which will cause the server to then use
|
||||
# the mschap module for authentication.
|
||||
mschap
|
||||
|
||||
#
|
||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||
# using the system API's to get the password. If you want
|
||||
# to read /etc/passwd or /etc/shadow directly, see the
|
||||
# passwd module, above.
|
||||
#
|
||||
# unix
|
||||
|
||||
#
|
||||
# Look for IPASS style 'realm/', and if not found, look for
|
||||
# '@realm', and decide whether or not to proxy, based on
|
||||
# that.
|
||||
# IPASS
|
||||
|
||||
#
|
||||
# If you are using multiple kinds of realms, you probably
|
||||
# want to set "ignore_null = yes" for all of them.
|
||||
# Otherwise, when the first style of realm doesn't match,
|
||||
# the other styles won't be checked.
|
||||
#
|
||||
# Note that proxying the inner tunnel authentication means
|
||||
# that the user MAY use one identity in the outer session
|
||||
# (e.g. "anonymous", and a different one here
|
||||
# (e.g. "user@example.com"). The inner session will then be
|
||||
# proxied elsewhere for authentication. If you are not
|
||||
# careful, this means that the user can cause you to forward
|
||||
# the authentication to another RADIUS server, and have the
|
||||
# accounting logs *not* sent to the other server. This makes
|
||||
# it difficult to bill people for their network activity.
|
||||
#
|
||||
suffix
|
||||
# ntdomain
|
||||
|
||||
#
|
||||
# The "suffix" module takes care of stripping the domain
|
||||
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||
# next few lines ensure that the request is not proxied.
|
||||
#
|
||||
# If you want the inner tunnel request to be proxied, delete
|
||||
# the next few lines.
|
||||
#
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
|
||||
#
|
||||
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||
#
|
||||
# It also sets the EAP-Type attribute in the request
|
||||
# attribute list to the EAP type from the packet.
|
||||
#
|
||||
# The example below uses module failover to avoid querying all
|
||||
# of the following modules if the EAP module returns "ok".
|
||||
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||
# for the many packets that go back and forth to set up TTLS
|
||||
# or PEAP. The load on those servers will therefore be reduced.
|
||||
#
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
|
||||
#
|
||||
# Read the 'users' file
|
||||
#files
|
||||
|
||||
#
|
||||
# Look in an SQL database. The schema of the database
|
||||
# is meant to mirror the "users" file.
|
||||
#
|
||||
# See "Authorization Queries" in sql.conf
|
||||
#-sql
|
||||
|
||||
#
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, the un-comment this line, and
|
||||
# enable the "smbpasswd" module.
|
||||
# smbpasswd
|
||||
|
||||
#
|
||||
# The ldap module reads passwords from the LDAP database.
|
||||
#-ldap
|
||||
|
||||
#
|
||||
# Enforce daily limits on time spent logged in.
|
||||
# daily
|
||||
|
||||
expiration
|
||||
logintime
|
||||
|
||||
#
|
||||
# If no other module has claimed responsibility for
|
||||
# authentication, then try to use PAP. This allows the
|
||||
# other modules listed above to add a "known good" password
|
||||
# to the request, and to do nothing else. The PAP module
|
||||
# will then see that password, and use it to do PAP
|
||||
# authentication.
|
||||
#
|
||||
# This module should be listed last, so that the other modules
|
||||
# get a chance to set Auth-Type for themselves.
|
||||
#
|
||||
pap
|
||||
}
|
||||
|
||||
|
||||
# Authentication.
|
||||
#
|
||||
#
|
||||
# This section lists which modules are available for authentication.
|
||||
# Note that it does NOT mean 'try each module in order'. It means
|
||||
# that a module from the 'authorize' section adds a configuration
|
||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||
# used to pick the appropriate module from the list below.
|
||||
#
|
||||
|
||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||
# will figure it out on its own, and will do the right thing. The
|
||||
# most common side effect of erroneously setting the Auth-Type
|
||||
# attribute is that one authentication method will work, but the
|
||||
# others will not.
|
||||
#
|
||||
# The common reasons to set the Auth-Type attribute by hand
|
||||
# is to either forcibly reject the user, or forcibly accept him.
|
||||
#
|
||||
authenticate {
|
||||
#
|
||||
# PAP authentication, when a back-end database listed
|
||||
# in the 'authorize' section supplies a password. The
|
||||
# password can be clear-text, or encrypted.
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
|
||||
#
|
||||
# Most people want CHAP authentication
|
||||
# A back-end database listed in the 'authorize' section
|
||||
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||
# won't work.
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
|
||||
#
|
||||
# MSCHAP authentication.
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
|
||||
#
|
||||
# For old names, too.
|
||||
#
|
||||
mschap
|
||||
|
||||
#
|
||||
# Allow EAP authentication.
|
||||
eap
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# There are no accounting requests inside of EAP-TTLS or PEAP
|
||||
# tunnels.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||
# or rlm_sql module can handle this.
|
||||
# The rlm_sql module is *much* faster
|
||||
session {
|
||||
radutmp
|
||||
|
||||
#
|
||||
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||
# sql
|
||||
}
|
||||
|
||||
|
||||
# Post-Authentication
|
||||
# Once we KNOW that the user has been authenticated, there are
|
||||
# additional steps we can take.
|
||||
#
|
||||
# Note that the last packet of the inner-tunnel authentication
|
||||
# MAY NOT BE the last packet of the outer session. So updating
|
||||
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
|
||||
# exact functionality depends on both the inner and outer
|
||||
# authentication methods.
|
||||
#
|
||||
# If you need to send a reply attribute in the outer session,
|
||||
# the ONLY safe way is to set "use_tunneled_reply = yes", and
|
||||
# then update the inner-tunnel reply.
|
||||
post-auth {
|
||||
re2o
|
||||
|
||||
Post-Auth-Type REJECT {
|
||||
# log failed authentications in SQL, too.
|
||||
-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
#
|
||||
# Let the outer session know which module failed, and why.
|
||||
#
|
||||
update outer.session-state {
|
||||
&Module-Failure-Message := &request:Module-Failure-Message
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# When the server decides to proxy a request to a home server,
|
||||
# the proxied request is first passed through the pre-proxy
|
||||
# stage. This stage can re-write the request, or decide to
|
||||
# cancel the proxy.
|
||||
#
|
||||
# Only a few modules currently have this method.
|
||||
#
|
||||
pre-proxy {
|
||||
# Uncomment the following line if you want to change attributes
|
||||
# as defined in the preproxy_users file.
|
||||
# files
|
||||
|
||||
# Uncomment the following line if you want to filter requests
|
||||
# sent to remote servers based on the rules defined in the
|
||||
# 'attrs.pre-proxy' file.
|
||||
# attr_filter.pre-proxy
|
||||
|
||||
# If you want to have a log of packets proxied to a home
|
||||
# server, un-comment the following line, and the
|
||||
# 'detail pre_proxy_log' section, above.
|
||||
# pre_proxy_log
|
||||
}
|
||||
|
||||
#
|
||||
# When the server receives a reply to a request it proxied
|
||||
# to a home server, the request may be massaged here, in the
|
||||
# post-proxy stage.
|
||||
#
|
||||
post-proxy {
|
||||
|
||||
# If you want to have a log of replies from a home server,
|
||||
# un-comment the following line, and the 'detail post_proxy_log'
|
||||
# section, above.
|
||||
# post_proxy_log
|
||||
|
||||
# Uncomment the following line if you want to filter replies from
|
||||
# remote proxies based on the rules defined in the 'attrs' file.
|
||||
# attr_filter.post-proxy
|
||||
|
||||
#
|
||||
# If you are proxying LEAP, you MUST configure the EAP
|
||||
# module, and you MUST list it here, in the post-proxy
|
||||
# stage.
|
||||
#
|
||||
# You MUST also use the 'nostrip' option in the 'realm'
|
||||
# configuration. Otherwise, the User-Name attribute
|
||||
# in the proxied request will not match the user name
|
||||
# hidden inside of the EAP packet, and the end server will
|
||||
# reject the EAP request.
|
||||
#
|
||||
eap
|
||||
}
|
||||
|
||||
} # inner-tunnel server block
|