Merge branch 'radius' into new-infra
4a5b3bbfde
31 changed files with 610 additions and 1249 deletions
18
playbooks/freeradius.yml
Executable file
18
playbooks/freeradius.yml
Executable file
|
@ -0,0 +1,18 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
- hosts:
|
||||||
|
- radius-1.isp.infra.auro.re
|
||||||
|
vars:
|
||||||
|
radiusd__clients:
|
||||||
|
localhost:
|
||||||
|
addr: 127.0.0.1
|
||||||
|
secret: abcdef
|
||||||
|
wifi-ap-v4:
|
||||||
|
addr: 10.102.0.0/16
|
||||||
|
secret: abcdef
|
||||||
|
wifi-ap-v6:
|
||||||
|
addr: 2a09:6840:102::/56
|
||||||
|
secret: abcdef
|
||||||
|
roles:
|
||||||
|
- freeradius
|
||||||
|
...
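Review bot: The three `secret: abcdef` entries under localhost, wifi-ap-v4 and wifi-ap-v6 are a trivially guessable RADIUS shared secret committed in clear text, and the same value covers a whole /16 and /56, so any host inside those ranges can speak to the server as a trusted NAS. Move each secret into an Ansible Vault-encrypted variable and reference it from here, e.g. `secret: "{{ vault_radiusd_secret_wifi_ap }}"` (name constructed), using a long random value per client; the Configure task in roles/freeradius/tasks/main.yml already installs clients.conf as root:freerad with `o=` permissions, so nothing else needs the value in clear. The `addr` values are plain scalars that happen to parse as strings today, but quoting them (`addr: "10.102.0.0/16"`) protects against a future value like `2a09:6840:102::` being folded by the YAML parser.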
|
|
@ -58,6 +58,14 @@
|
||||||
addresses:
|
addresses:
|
||||||
- 2a09:6840:129::10:102/56
|
- 2a09:6840:129::10:102/56
|
||||||
- 10.129.10.102/16
|
- 10.129.10.102/16
|
||||||
|
radius-1.isp.infra.auro.re:
|
||||||
|
ens18:
|
||||||
|
gateways:
|
||||||
|
- 2a09:6840:128::254
|
||||||
|
- 10.128.0.254
|
||||||
|
addresses:
|
||||||
|
- 2a09:6840:128::208/56
|
||||||
|
- 10.128.0.208/16
|
||||||
dns-1.int.infra.auro.re:
|
dns-1.int.infra.auro.re:
|
||||||
adm0:
|
adm0:
|
||||||
addresses:
|
addresses:
|
||||||
|
|
30
roles/freeradius/defaults/main.yml
Normal file
30
roles/freeradius/defaults/main.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
radiusd__max_attributes: 200
|
||||||
|
radiusd__status_server: true
|
||||||
|
radiusd__clients: {}
|
||||||
|
radiusd__enabled_modules_minimal:
|
||||||
|
- always
|
||||||
|
- attr_filter
|
||||||
|
- cache_eap # TODO
|
||||||
|
- dynamic_clients # TODO
|
||||||
|
- eap # TODO
|
||||||
|
- expiration # TODO
|
||||||
|
- expr # TODO
|
||||||
|
- linelog # TODO
|
||||||
|
- logintime # TODO
|
||||||
|
- realm # TODO
|
||||||
|
- unpack # TODO
|
||||||
|
- eap_inner
|
||||||
|
- ldap
|
||||||
|
- pap
|
||||||
|
- utf8
|
||||||
|
radiusd__enabled_modules: []
|
||||||
|
radiusd__tls_cipher_list: DEFAULT
|
||||||
|
radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
radiusd__enabled_sites_minimal:
|
||||||
|
- default
|
||||||
|
- inner-tunnel
|
||||||
|
radiusd__enabled_sites: []
|
||||||
|
...
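Review bot: `radiusd__tls_certificate_file`, `radiusd__tls_private_key_file` and `radiusd__tls_ca_file` default to the Debian `ssl-cert-snakeoil` self-signed pair, so any host that does not override them serves EAP-PEAP/TTLS with a certificate no supplicant can validate, which in practice trains users to accept unverified servers. A comment above the three keys should state that they must be overridden for any real deployment, e.g. `# Override these: supplicants must be able to validate this certificate chain`. `radiusd__tls_cipher_list: DEFAULT` is fine as a starting point but worth a comment too, since the same value is wrapped in `enquote` by the eap template, and the `# TODO` markers on modules such as `eap` in `radiusd__enabled_modules_minimal` would read better if each said what is still missing.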
|
6
roles/freeradius/handlers/main.yml
Normal file
6
roles/freeradius/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Restart freeradius
|
||||||
|
systemd:
|
||||||
|
name: freeradius.service
|
||||||
|
state: restarted
|
||||||
|
...
|
132
roles/freeradius/tasks/main.yml
Normal file
132
roles/freeradius/tasks/main.yml
Normal file
|
@ -0,0 +1,132 @@
|
||||||
|
---
|
||||||
|
- name: Install freeradius
|
||||||
|
apt:
|
||||||
|
name: freeradius
|
||||||
|
install_recommends: false
|
||||||
|
|
||||||
|
- name: Remove unused files
|
||||||
|
file:
|
||||||
|
path: "/etc/freeradius/3.0/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- templates.conf
|
||||||
|
- trigger.conf
|
||||||
|
- README.rst
|
||||||
|
- panic.gdb
|
||||||
|
- experimental.conf
|
||||||
|
- certs/ca.cnf
|
||||||
|
- certs/bootstrap
|
||||||
|
- certs/client.cnf
|
||||||
|
- certs/inner-server.cnf
|
||||||
|
- certs/server.cnf
|
||||||
|
- certs/README
|
||||||
|
- certs/Makefile
|
||||||
|
- certs/xpextensions
|
||||||
|
- policy.d/accounting
|
||||||
|
- policy.d/rfc7542
|
||||||
|
- policy.d/dhcp
|
||||||
|
- policy.d/debug
|
||||||
|
- policy.d/control
|
||||||
|
- policy.d/abfab-tr
|
||||||
|
- policy.d/moonshot-targeted-ids
|
||||||
|
- policy.d/operator-name
|
||||||
|
- mods-config/unbound/
|
||||||
|
- mods-config/perl/
|
||||||
|
- mods-config/python3/
|
||||||
|
- mods-config/sql/
|
||||||
|
- mods-config/files/
|
||||||
|
- mods-config/preprocess/
|
||||||
|
- mods-config/README.rst
|
||||||
|
- users
|
||||||
|
- hints
|
||||||
|
- huntgroups
|
||||||
|
|
||||||
|
- name: Configure freeradius
|
||||||
|
template:
|
||||||
|
src: "{{ item }}.j2"
|
||||||
|
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: freerad
|
||||||
|
mode: u=rw,g=r,o=
|
||||||
|
loop:
|
||||||
|
- radiusd.conf
|
||||||
|
#- proxy.conf
|
||||||
|
- clients.conf
|
||||||
|
- dictionary
|
||||||
|
- mods-available/utf8
|
||||||
|
- mods-available/always
|
||||||
|
- mods-available/eap
|
||||||
|
- mods-available/eap_inner
|
||||||
|
- mods-config/attr_filter/access_challenge
|
||||||
|
- mods-config/attr_filter/access_reject
|
||||||
|
- sites-available/inner-tunnel
|
||||||
|
- sites-available/default
|
||||||
|
notify:
|
||||||
|
- Restart freeradius
|
||||||
|
|
||||||
|
- name: Enumerate available modules
|
||||||
|
find:
|
||||||
|
paths: /etc/freeradius/3.0/mods-available
|
||||||
|
register: available_modules
|
||||||
|
|
||||||
|
- name: Disable modules
|
||||||
|
file:
|
||||||
|
path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop: "{{ available_modules.files
|
||||||
|
| map(attribute='path')
|
||||||
|
| map('basename')
|
||||||
|
| difference(radiusd__enabled_modules_minimal
|
||||||
|
| union(radiusd__enabled_modules)) }}"
|
||||||
|
notify:
|
||||||
|
- Restart freeradius
|
||||||
|
|
||||||
|
- name: Enable modules
|
||||||
|
file:
|
||||||
|
src: "/etc/freeradius/3.0/mods-available/{{ item }}"
|
||||||
|
dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
|
||||||
|
state: link
|
||||||
|
owner: root
|
||||||
|
group: freerad
|
||||||
|
mode: u=rw,g=r,o=
|
||||||
|
loop: "{{ radiusd__enabled_modules_minimal
|
||||||
|
| union(radiusd__enabled_modules) }}"
|
||||||
|
notify:
|
||||||
|
- Restart freeradius
|
||||||
|
|
||||||
|
- name: Enumerate available sites
|
||||||
|
find:
|
||||||
|
paths: /etc/freeradius/3.0/sites-available
|
||||||
|
register: available_sites
|
||||||
|
|
||||||
|
- name: Disable sites
|
||||||
|
file:
|
||||||
|
path: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop: "{{ available_sites.files
|
||||||
|
| map(attribute='path')
|
||||||
|
| map('basename')
|
||||||
|
| difference(radiusd__enabled_sites_minimal
|
||||||
|
| union(radiusd__enabled_sites)) }}"
|
||||||
|
notify:
|
||||||
|
- Restart freeradius
|
||||||
|
|
||||||
|
- name: Enable sites
|
||||||
|
file:
|
||||||
|
src: "/etc/freeradius/3.0/sites-available/{{ item }}"
|
||||||
|
dest: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
|
||||||
|
state: link
|
||||||
|
owner: root
|
||||||
|
group: freerad
|
||||||
|
mode: u=rw,g=r,o=
|
||||||
|
loop: "{{ radiusd__enabled_sites_minimal
|
||||||
|
| union(radiusd__enabled_sites) }}"
|
||||||
|
notify:
|
||||||
|
- Restart freeradius
|
||||||
|
|
||||||
|
- name: Enable and start freeradius
|
||||||
|
systemd:
|
||||||
|
name: freeradius.service
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
...
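Review bot: The Configure freeradius loop lists `mods-available/utf8`, `always`, `eap` and `eap_inner` but not `mods-available/ldap`, `mods-available/pap` or `mods-available/attr_filter`, although this commit adds templates for all three and all three appear in `radiusd__enabled_modules_minimal`; as written, Enable modules symlinks the stock Debian ldap, pap and attr_filter files rather than the role's templates. Add `- mods-available/ldap`, `- mods-available/pap` and `- mods-available/attr_filter` to that loop. The `#- proxy.conf` entry combined with `$INCLUDE proxy.conf` and `proxy_requests = yes` in radiusd.conf.j2 means the distribution's proxy.conf is what gets loaded, which is probably not intended either.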
|
16
roles/freeradius/templates/clients.conf.j2
Normal file
16
roles/freeradius/templates/clients.conf.j2
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
{% for name, client in radiusd__clients.items() %}
|
||||||
|
client {{ name }} {
|
||||||
|
ipaddr = {{ client.addr }}
|
||||||
|
shortname = {{ name }}
|
||||||
|
proto = *
|
||||||
|
require_message_authenticator = yes
|
||||||
|
nastype = other
|
||||||
|
secret = {{ client.secret }}
|
||||||
|
{% if client.virtual_server is defined %}
|
||||||
|
virtual_server = {{ client.virtual_server }}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% endfor %}
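Review bot: `secret = {{ client.secret }}` and `ipaddr = {{ client.addr }}` are interpolated as bare FreeRADIUS config tokens, so a secret containing whitespace, `#`, a quote or a `${...}` reference would be truncated or expanded instead of used verbatim, which is exactly the kind of failure a randomly generated secret can trigger. Quote it the way eap.j2 quotes `cipher_list`, `secret = {{ client.secret | enquote }}` (assuming that filter is available to the role), and consider `{{ client.secret | mandatory }}` so a client without a secret fails at render time rather than producing a broken clients.conf. The `require_message_authenticator = yes` default is the right choice and deserves a short comment saying why it must not be relaxed per client.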
|
1
roles/freeradius/templates/dictionary.j2
Normal file
1
roles/freeradius/templates/dictionary.j2
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{{ ansible_managed | comment }}
|
37
roles/freeradius/templates/mods-available/always.j2
Normal file
37
roles/freeradius/templates/mods-available/always.j2
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
always reject {
|
||||||
|
rcode = reject
|
||||||
|
}
|
||||||
|
|
||||||
|
always fail {
|
||||||
|
rcode = fail
|
||||||
|
}
|
||||||
|
|
||||||
|
always ok {
|
||||||
|
rcode = ok
|
||||||
|
}
|
||||||
|
|
||||||
|
always handled {
|
||||||
|
rcode = handled
|
||||||
|
}
|
||||||
|
|
||||||
|
always invalid {
|
||||||
|
rcode = invalid
|
||||||
|
}
|
||||||
|
|
||||||
|
always userlock {
|
||||||
|
rcode = userlock
|
||||||
|
}
|
||||||
|
|
||||||
|
always notfound {
|
||||||
|
rcode = notfound
|
||||||
|
}
|
||||||
|
|
||||||
|
always noop {
|
||||||
|
rcode = noop
|
||||||
|
}
|
||||||
|
|
||||||
|
always updated {
|
||||||
|
rcode = updated
|
||||||
|
}
|
11
roles/freeradius/templates/mods-available/attr_filter.j2
Normal file
11
roles/freeradius/templates/mods-available/attr_filter.j2
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
attr_filter attr_filter.access_reject {
|
||||||
|
key = "%{User-Name}"
|
||||||
|
filename = ${modconfdir}/${.:name}/access_reject
|
||||||
|
}
|
||||||
|
|
||||||
|
attr_filter attr_filter.access_challenge {
|
||||||
|
key = "%{User-Name}"
|
||||||
|
filename = ${modconfdir}/${.:name}/access_challenge
|
||||||
|
}
|
59
roles/freeradius/templates/mods-available/eap.j2
Normal file
59
roles/freeradius/templates/mods-available/eap.j2
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
eap {
|
||||||
|
|
||||||
|
default_eap_type = peap
|
||||||
|
|
||||||
|
type = peap
|
||||||
|
type = ttls
|
||||||
|
|
||||||
|
ignore_unknown_eap_types = no
|
||||||
|
|
||||||
|
cisco_accounting_username_bug = no
|
||||||
|
|
||||||
|
timer_expire = 60
|
||||||
|
max_sessions = ${max_requests}
|
||||||
|
|
||||||
|
tls-config tls-common {
|
||||||
|
private_key_file = {{ radiusd__tls_private_key_file }}
|
||||||
|
certificate_file = {{ radiusd__tls_certificate_file }}
|
||||||
|
ca_file = {{ radiusd__tls_ca_file }}
|
||||||
|
dh_file = ${certdir}/dh
|
||||||
|
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
|
||||||
|
cipher_server_preferences = yes
|
||||||
|
tls_min_version = "1.2"
|
||||||
|
tls_max_version = "1.2" # TODO: 1.3
|
||||||
|
# TODO
|
||||||
|
# cache {
|
||||||
|
# enable = yes
|
||||||
|
# lifetime = 24
|
||||||
|
# name = "eap"
|
||||||
|
# persistdir = "${logdir}/tlscache"
|
||||||
|
# store {
|
||||||
|
# Tunnel-Private-Group-Id
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
ocsp {
|
||||||
|
enable = no
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
peap {
|
||||||
|
tls = tls-common
|
||||||
|
default_eap_type = gtc
|
||||||
|
require_client_cert = no
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
use_tunneled_reply = no
|
||||||
|
virtual_server = inner-tunnel
|
||||||
|
}
|
||||||
|
|
||||||
|
ttls {
|
||||||
|
tls = tls-common
|
||||||
|
default_eap_type = pap
|
||||||
|
require_client_cert = no
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
use_tunneled_reply = no
|
||||||
|
virtual_server = inner-tunnel
|
||||||
|
}
|
||||||
|
|
||||||
|
}
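Review bot: `dh_file = ${certdir}/dh` points at a file this role never creates, while the Remove unused files task deletes `certs/Makefile` and `certs/bootstrap`, the two things that would normally generate it; unless the packaged postinst leaves a `dh` file behind (to be confirmed on a fresh host), the eap module will fail to load. Either generate the parameters in the role or drop the line, noting that with the `DEFAULT` cipher list the DH parameters only matter for DHE suites. The commented-out `cache { ... }` block and `tls_max_version = "1.2" # TODO: 1.3` are clearly marked as deliberate, but a one-line comment on why session caching is off would help the next reader.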
|
14
roles/freeradius/templates/mods-available/eap_inner.j2
Normal file
14
roles/freeradius/templates/mods-available/eap_inner.j2
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
eap inner-eap {
|
||||||
|
|
||||||
|
default_eap_type = gtc
|
||||||
|
|
||||||
|
type = gtc
|
||||||
|
type = pap
|
||||||
|
|
||||||
|
gtc {
|
||||||
|
auth_type = LDAP
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
50
roles/freeradius/templates/mods-available/ldap.j2
Normal file
50
roles/freeradius/templates/mods-available/ldap.j2
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
ldap {
|
||||||
|
|
||||||
|
server = "ldap://ldap-1.int.infra.auro.re"
|
||||||
|
|
||||||
|
# TODO: quand on passera en prod, créer un utilisation dédié
|
||||||
|
identity = "cn=Directory manager"
|
||||||
|
password = "MotDePasseSuperComplique"
|
||||||
|
|
||||||
|
base_dn = "ou=users,dc=auro,dc=re"
|
||||||
|
|
||||||
|
user_dn = "LDAP-UserDn"
|
||||||
|
|
||||||
|
user {
|
||||||
|
base_dn = "${..base_dn}"
|
||||||
|
filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
|
||||||
|
}
|
||||||
|
|
||||||
|
group {
|
||||||
|
base_dn = "${..base_dn}"
|
||||||
|
filter = "(objectClass=posixGroup)"
|
||||||
|
membership_attribute = "memberOf"
|
||||||
|
}
|
||||||
|
|
||||||
|
options {
|
||||||
|
# TODO
|
||||||
|
chase_referrals = no
|
||||||
|
rebind = no
|
||||||
|
res_timeout = 10
|
||||||
|
srv_timelimit = 3
|
||||||
|
net_timeout = 1
|
||||||
|
idle = 60
|
||||||
|
probes = 3
|
||||||
|
interval = 3
|
||||||
|
ldap_debug = 0x0028
|
||||||
|
}
|
||||||
|
|
||||||
|
pool {
|
||||||
|
start = ${thread[pool].start_servers}
|
||||||
|
min = ${thread[pool].min_spare_servers}
|
||||||
|
max = ${thread[pool].max_servers}
|
||||||
|
spare = ${thread[pool].max_spare_servers}
|
||||||
|
uses = 0
|
||||||
|
retry_delay = 30
|
||||||
|
lifetime = 0
|
||||||
|
idle_timeout = 60
|
||||||
|
}
|
||||||
|
|
||||||
|
}
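Review bot: `identity = "cn=Directory manager"` together with `password = "MotDePasseSuperComplique"` commits a privileged directory bind credential in clear text, and the TODO above it confirms this is the directory administrator rather than a dedicated service account. Replace both with vaulted role variables bound to a least-privilege account, e.g. `identity = {{ radiusd__ldap_identity | enquote }}` and `password = {{ radiusd__ldap_password | enquote }}` (names constructed; no defaults exist for them yet). Separately, `server = "ldap://ldap-1.int.infra.auro.re"` with no `tls { start_tls = yes ... }` section means every bind, including the per-user binds the inner-tunnel triggers through `Auth-Type := ldap`, carries a password over the network in clear; use `ldaps://` or start_tls with `require_cert = 'demand'` and the CA already referenced by `radiusd__tls_ca_file`.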
|
5
roles/freeradius/templates/mods-available/pap.j2
Normal file
5
roles/freeradius/templates/mods-available/pap.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
pap {
|
||||||
|
normalise = no
|
||||||
|
}
|
4
roles/freeradius/templates/mods-available/utf8.j2
Normal file
4
roles/freeradius/templates/mods-available/utf8.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
utf8 {
|
||||||
|
}
|
|
@ -0,0 +1,10 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
Proxy-State =* ANY,
|
||||||
|
Session-Timeout =* ANY,
|
||||||
|
Idle-Timeout =* ANY
|
|
@ -0,0 +1,10 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Error-Cause =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
MS-CHAP-Error =* ANY,
|
||||||
|
Proxy-State =* ANY
|
23
roles/freeradius/templates/proxy.conf.j2
Normal file
23
roles/freeradius/templates/proxy.conf.j2
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
proxy server {
|
||||||
|
default_fallback = no
|
||||||
|
dynamic = no
|
||||||
|
}
|
||||||
|
|
||||||
|
{% for name, hs in radiusd__home_servers.items %}
|
||||||
|
home_server {{ name }} {
|
||||||
|
type = auth
|
||||||
|
ipaddr = {{ hs.addr }}
|
||||||
|
port = {{ hs.port | int }}
|
||||||
|
}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for name, realm in radiusd__realms.items() %}
|
||||||
|
realm {{ name }} {
|
||||||
|
auth_pool = auth_pool
|
||||||
|
}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
realm LOCAL {
|
||||||
|
}
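Review bot: `{% for name, hs in radiusd__home_servers.items %}` is missing the call parentheses, so the loop tries to iterate a bound method and the template cannot render; write `{% for name, hs in radiusd__home_servers.items() %}` as the realms loop below already does. Neither `radiusd__home_servers` nor `radiusd__realms` gets a default in roles/freeradius/defaults/main.yml in this commit, each `home_server` block omits the `secret` a home server needs, and `auth_pool = auth_pool` names a `home_server_pool` that is never defined. The template is also commented out of the Configure loop in tasks/main.yml (`#- proxy.conf`), which is presumably why none of this has surfaced yet.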
|
68
roles/freeradius/templates/radiusd.conf.j2
Normal file
68
roles/freeradius/templates/radiusd.conf.j2
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
prefix = /usr
|
||||||
|
exec_prefix = /usr
|
||||||
|
sysconfigdir = /etc
|
||||||
|
localstatedir = /var
|
||||||
|
sbindir = ${exec_prefix}/sbin
|
||||||
|
logdir = /var/log/freeradius
|
||||||
|
raddbdir = /etc/freeradius/3.0
|
||||||
|
radacctdir = ${logdir}/radacct
|
||||||
|
name = freeradius
|
||||||
|
confdir = ${raddbdir}
|
||||||
|
modconfdir = ${confdir}/mods-config
|
||||||
|
certdir = ${confdir}/certs
|
||||||
|
cadir = ${confdir}/certs
|
||||||
|
run_dir = ${localstatedir}/run/${name}
|
||||||
|
db_dir = ${raddbdir}
|
||||||
|
libdir = /usr/lib/freeradius
|
||||||
|
pidfile = ${run_dir}/${name}.pid
|
||||||
|
checkrad = ${sbindir}/checkrad
|
||||||
|
|
||||||
|
max_request_time = 30
|
||||||
|
cleanup_delay = 5
|
||||||
|
max_requests = 16384
|
||||||
|
hostname_lookups = no
|
||||||
|
correct_escapes = true
|
||||||
|
|
||||||
|
log {
|
||||||
|
destination = syslog
|
||||||
|
syslog_facility = daemon
|
||||||
|
auth = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
security {
|
||||||
|
user = freerad
|
||||||
|
group = freerad
|
||||||
|
allow_core_dumps = no
|
||||||
|
max_attributes = {{ radiusd__max_attributes | int }}
|
||||||
|
status_server = {{ radiusd__status_server | ternary("yes", "no") }}
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_requests = yes
|
||||||
|
|
||||||
|
$INCLUDE proxy.conf
|
||||||
|
|
||||||
|
$INCLUDE clients.conf
|
||||||
|
|
||||||
|
thread pool {
|
||||||
|
start_servers = 5
|
||||||
|
max_servers = 32
|
||||||
|
min_spare_servers = 3
|
||||||
|
max_spare_servers = 10
|
||||||
|
max_requests_per_server = 0
|
||||||
|
auto_limit_acct = no
|
||||||
|
}
|
||||||
|
|
||||||
|
modules {
|
||||||
|
$INCLUDE mods-enabled/
|
||||||
|
}
|
||||||
|
|
||||||
|
instantiate {
|
||||||
|
}
|
||||||
|
|
||||||
|
policy {
|
||||||
|
$INCLUDE policy.d/
|
||||||
|
}
|
||||||
|
|
||||||
|
$INCLUDE sites-enabled/
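Review bot: `proxy_requests = yes` together with `$INCLUDE proxy.conf` turns proxying on, but the role's proxy.conf template is commented out of the Configure loop in tasks/main.yml, so the file actually included is whatever the Debian package shipped rather than configuration this role controls. Until proxy.conf is templated, `proxy_requests = no` keeps the server from forwarding requests for unknown realms based on unreviewed configuration. The `security` block (`user`/`group` freerad, `allow_core_dumps = no`, templated `max_attributes` and `status_server`) and the syslog `log` block look right.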
|
69
roles/freeradius/templates/sites-available/default.j2
Normal file
69
roles/freeradius/templates/sites-available/default.j2
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
server default {
|
||||||
|
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipaddr = *
|
||||||
|
port = 0
|
||||||
|
limit {
|
||||||
|
max_connections = 16
|
||||||
|
lifetime = 0
|
||||||
|
idle_timeout = 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipv6addr = *
|
||||||
|
port = 0
|
||||||
|
limit {
|
||||||
|
max_connections = 16
|
||||||
|
lifetime = 0
|
||||||
|
idle_timeout = 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
filter_username # TODO
|
||||||
|
suffix
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
preacct {
|
||||||
|
}
|
||||||
|
|
||||||
|
accounting {
|
||||||
|
}
|
||||||
|
|
||||||
|
post-auth {
|
||||||
|
if (session-state:User-Name && reply:User-Name \
|
||||||
|
&& request:User-Name \
|
||||||
|
&& (reply:User-Name == request:User-Name)) {
|
||||||
|
update reply {
|
||||||
|
&User-Name !* ANY
|
||||||
|
}
|
||||||
|
}
|
||||||
|
update {
|
||||||
|
&reply: += &session-state:
|
||||||
|
}
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
attr_filter.access_reject
|
||||||
|
eap
|
||||||
|
remove_reply_message_if_eap
|
||||||
|
}
|
||||||
|
remove_reply_message_if_eap
|
||||||
|
}
|
||||||
|
|
||||||
|
pre-proxy {
|
||||||
|
}
|
||||||
|
|
||||||
|
post-proxy {
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
}
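Review bot: Both `listen` blocks bind with `ipaddr = *` / `ipv6addr = *`, so the authentication port is reachable on every address of the host rather than only the ens18 addresses assigned to radius-1 earlier in this commit; binding to a role variable (`ipaddr = {{ radiusd__listen_ipv4 }}`, name constructed) would limit exposure to the interface the NAS clients actually use. The `limit { ... }` sub-sections apply to TCP listeners as far as I know and are inert for these UDP ones, so either add `proto = tcp` deliberately or drop them with a comment. `attr_filter.access_challenge` is templated by this commit but never invoked here; a `Post-Auth-Type Challenge { attr_filter.access_challenge }` section in `post-auth` would use it (check the exact instance name the packaged attr_filter expects).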
|
39
roles/freeradius/templates/sites-available/inner-tunnel.j2
Normal file
39
roles/freeradius/templates/sites-available/inner-tunnel.j2
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
server inner-tunnel {
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
# Look for realm using the 'suffix' format (user@realm)
|
||||||
|
suffix
|
||||||
|
# Don't proxy requests from inner tunnel
|
||||||
|
update control {
|
||||||
|
&Proxy-To-Realm := LOCAL
|
||||||
|
}
|
||||||
|
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
|
||||||
|
# Must be before 'ldap', so that we don't query the LDAP server
|
||||||
|
# for "internal" packets (cf. documentation for
|
||||||
|
# sites-available/inner-tunnel)
|
||||||
|
inner-eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
ldap
|
||||||
|
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
||||||
|
if ((ok || updated) && User-Password) {
|
||||||
|
update control {
|
||||||
|
Auth-Type := ldap
|
||||||
|
}
|
||||||
|
}
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
inner-eap
|
||||||
|
# Authenticate using 'Auth-Type = LDAP'
|
||||||
|
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||||
|
# sites-available/default), but the password hashing scheme used
|
||||||
|
# by 389DS is not yet supported by FreeRADIUS 3
|
||||||
|
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
|
||||||
|
ldap
|
||||||
|
}
|
||||||
|
|
||||||
|
}
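Review bot: The TODO `# TODO: vérifier que le realm est soit vide, soit 'auro.re'` (check that the realm is either empty or 'auro.re') leaves the inner tunnel accepting any realm a supplicant puts in its inner identity; `&Proxy-To-Realm := LOCAL` keeps it from being proxied, but the full identity is still handed to the LDAP lookup. If only local users are intended, a guard right after `suffix` such as `if (&Realm && &Realm != "auro.re") { reject }` would close this (attribute name to be confirmed against what the suffix module sets). That TODO should also be rewritten in English so it matches the other comments in the file, and the explanatory comment on `ldap` in `authenticate` is good and worth keeping.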
|
|
@ -1,263 +0,0 @@
|
||||||
---
|
|
||||||
- name: Add backports repositories
|
|
||||||
apt_repository:
|
|
||||||
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
|
|
||||||
loop:
|
|
||||||
- "deb"
|
|
||||||
- "deb-src"
|
|
||||||
|
|
||||||
- name: Ensure /var/www exists
|
|
||||||
file:
|
|
||||||
name: "/var/www"
|
|
||||||
state: directory
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Clone re2o repo
|
|
||||||
git:
|
|
||||||
repo: "https://gitlab.federez.net/re2o/re2o.git"
|
|
||||||
dest: "/var/www/re2o"
|
|
||||||
version: "dev"
|
|
||||||
force: true
|
|
||||||
|
|
||||||
- name: Template local re2o settings
|
|
||||||
template:
|
|
||||||
src: "{{ item }}.j2"
|
|
||||||
dest: "/var/www/re2o/re2o/{{ item }}"
|
|
||||||
mode: 0644
|
|
||||||
loop:
|
|
||||||
- settings_local.py
|
|
||||||
- local_routers.py
|
|
||||||
|
|
||||||
# What follows is a hideous abomination.
|
|
||||||
# Blame freeradius-python3 on backports.
|
|
||||||
|
|
||||||
- name: try to install freeradius-python3 (this will fail on post-install)
|
|
||||||
apt:
|
|
||||||
name: freeradius-python3
|
|
||||||
default_release: buster-backports
|
|
||||||
update_cache: true
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: fix freeradius-python3 postinstall script
|
|
||||||
template:
|
|
||||||
src: freeradius-python3.postinst.j2
|
|
||||||
dest: /var/lib/dpkg/info/freeradius-python3.postinst
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: reinstall broken package (this might fail too, for different reasons)
|
|
||||||
apt:
|
|
||||||
name: freeradius-python3
|
|
||||||
default_release: buster-backports
|
|
||||||
force: true
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Setup radius symlinks
|
|
||||||
file:
|
|
||||||
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
|
|
||||||
dest: "/etc/freeradius/3.0/{{ item.filename }}"
|
|
||||||
state: link
|
|
||||||
force: true
|
|
||||||
loop:
|
|
||||||
- local_prefix: ""
|
|
||||||
filename: auth.py
|
|
||||||
- local_prefix: freeradius3/
|
|
||||||
filename: radiusd.conf
|
|
||||||
- local_prefix: freeradius3/
|
|
||||||
filename: mods-enabled/python
|
|
||||||
- local_prefix: freeradius3/
|
|
||||||
filename: mods-enabled/eap
|
|
||||||
|
|
||||||
- name: Configure freeradius
|
|
||||||
template:
|
|
||||||
src: "{{ item }}.j2"
|
|
||||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
|
||||||
mode: 0640
|
|
||||||
owner: freerad
|
|
||||||
loop:
|
|
||||||
- sites-enabled/default
|
|
||||||
- sites-enabled/inner-tunnel
|
|
||||||
|
|
||||||
- name: Install Basic Clients/Proxy Files freeradius
|
|
||||||
template:
|
|
||||||
src: "{{ item }}.j2"
|
|
||||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
|
||||||
mode: 0640
|
|
||||||
owner: freerad
|
|
||||||
loop:
|
|
||||||
- clients.conf
|
|
||||||
- proxy.conf
|
|
||||||
when: "'aurore_vm' not in group_names"
|
|
||||||
|
|
||||||
- name: Install Clients FedeRez Radius-Aurore
|
|
||||||
template:
|
|
||||||
src: proxy-federez.conf.j2
|
|
||||||
dest: /etc/freeradius/3.0/proxy.conf
|
|
||||||
mode: 0640
|
|
||||||
owner: freerad
|
|
||||||
when: "'aurore_vm' in group_names"
|
|
||||||
|
|
||||||
- name: Install Proxy FedeRez Radius-Aurore
|
|
||||||
template:
|
|
||||||
src: clients-federez.conf.j2
|
|
||||||
dest: /etc/freeradius/3.0/clients.conf
|
|
||||||
mode: 0640
|
|
||||||
owner: freerad
|
|
||||||
when: "'aurore_vm' in group_names"
|
|
||||||
|
|
||||||
- name: Install radius requirements (except freeradius-python3)
|
|
||||||
shell:
|
|
||||||
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
|
||||||
chdir: /var/www/re2o/
|
|
||||||
|
|
||||||
- name: Install PyPi requirements for radius
|
|
||||||
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
|
|
||||||
|
|
||||||
# End of hideousness (hopefully).
|
|
||||||
|
|
||||||
- name: Configure log rotation
|
|
||||||
template:
|
|
||||||
src: "freeradius-logrotate.j2"
|
|
||||||
dest: "/etc/logrotate.d/freeradius"
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
|
|
||||||
# Database setup
|
|
||||||
|
|
||||||
|
|
||||||
- name: Install postgresql
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postgresql
|
|
||||||
- postgresql-client-11=11.7-0+deb10u1
|
|
||||||
force: true
|
|
||||||
|
|
||||||
- name: Install postgresql ansible module requirement(s)
|
|
||||||
pip:
|
|
||||||
name: psycopg2
|
|
||||||
|
|
||||||
- name: Create read-only user
|
|
||||||
community.general.postgresql_user:
|
|
||||||
name: re2o_ro
|
|
||||||
password: "{{ radius_pg_re2o_ro_password }}"
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Create replication user
|
|
||||||
community.general.postgresql_user:
|
|
||||||
name: replication
|
|
||||||
password: "{{ radius_pg_replication_password }}"
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
|
|
||||||
- name: Nuking - Stop freeradius
|
|
||||||
systemd:
|
|
||||||
name: freeradius
|
|
||||||
state: stopped
|
|
||||||
when: nuke_radius|default(false)
|
|
||||||
|
|
||||||
- name: Nuking - Remove old subscription if it exists
|
|
||||||
community.general.postgresql_subscription:
|
|
||||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
|
||||||
db: re2o
|
|
||||||
state: absent
|
|
||||||
become_user: postgres
|
|
||||||
when: nuke_radius|default(false)
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Nuking - Destroy old local DB if it exists
|
|
||||||
community.general.postgresql_db:
|
|
||||||
name: re2o
|
|
||||||
state: absent
|
|
||||||
become_user: postgres
|
|
||||||
when: nuke_radius|default(false)
|
|
||||||
|
|
||||||
- name: Create local DB
|
|
||||||
community.general.postgresql_db:
|
|
||||||
name: re2o
|
|
||||||
owner: replication
|
|
||||||
state: present
|
|
||||||
encoding: "UTF8"
|
|
||||||
lc_collate: 'fr_FR.UTF-8'
|
|
||||||
lc_ctype: 'fr_FR.UTF-8'
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Dump radius re2o PostgreSQL database schema from master
|
|
||||||
community.general.postgresql_db:
|
|
||||||
name: re2o
|
|
||||||
state: dump
|
|
||||||
target: /tmp/re2o-schema.sql
|
|
||||||
target_opts: '-s'
|
|
||||||
login_host: 10.128.0.22
|
|
||||||
login_user: replication
|
|
||||||
login_password: "{{ radius_pg_replication_password }}"
|
|
||||||
|
|
||||||
|
|
||||||
- name: Restore DB
|
|
||||||
tags:
|
|
||||||
- restore
|
|
||||||
community.general.postgresql_db:
|
|
||||||
name: re2o
|
|
||||||
state: restore
|
|
||||||
target: /tmp/re2o-schema.sql
|
|
||||||
target_opts: "-s"
|
|
||||||
login_host: localhost
|
|
||||||
login_user: replication
|
|
||||||
login_password: "{{ radius_pg_replication_password }}"
|
|
||||||
|
|
||||||
|
|
||||||
- name: Grant select permissions on all tables to read-only user
|
|
||||||
tags:
|
|
||||||
- perms
|
|
||||||
community.general.postgresql_privs:
|
|
||||||
database: re2o
|
|
||||||
privs: SELECT
|
|
||||||
objs: ALL_IN_SCHEMA
|
|
||||||
schema: public
|
|
||||||
roles: re2o_ro
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Grant usage permission on schema to read-only user
|
|
||||||
tags:
|
|
||||||
- perms
|
|
||||||
community.general.postgresql_privs:
|
|
||||||
database: re2o
|
|
||||||
privs: USAGE
|
|
||||||
objs: public
|
|
||||||
type: schema
|
|
||||||
roles: re2o_ro
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Set default privileges in schema
|
|
||||||
tags:
|
|
||||||
- perms
|
|
||||||
community.general.postgresql_privs:
|
|
||||||
database: re2o
|
|
||||||
privs: SELECT
|
|
||||||
schema: public
|
|
||||||
objs: TABLES
|
|
||||||
type: default_privs
|
|
||||||
roles: re2o_ro
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
|
|
||||||
- name: Set up subscription to main database
|
|
||||||
tags:
|
|
||||||
- sub
|
|
||||||
community.general.postgresql_subscription:
|
|
||||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
|
||||||
connparams:
|
|
||||||
host: re2o-db.adm.auro.re
|
|
||||||
user: replication
|
|
||||||
password: "{{ radius_pg_replication_password }}"
|
|
||||||
dbname: re2o
|
|
||||||
db: re2o
|
|
||||||
publications:
|
|
||||||
- re2o_pub
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
|
|
||||||
- name: Restart freeradius, ensure enabled
|
|
||||||
systemd:
|
|
||||||
name: freeradius
|
|
||||||
enabled: true
|
|
||||||
state: restarted
|
|
||||||
daemon_reload: true
|
|
|
@ -1,22 +0,0 @@
|
||||||
client radius-aurore {
|
|
||||||
ipaddr = 10.128.0.0
|
|
||||||
netmask = 16
|
|
||||||
secret = {{ radius_secret_aurore }}
|
|
||||||
require_message_authenticator = no
|
|
||||||
nastype = other
|
|
||||||
virtual_server = radius-wifi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Parangon (federez)
|
|
||||||
client parangon {
|
|
||||||
ipaddr = 185.230.78.47
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
virtual_server = radius-wifi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Dodecagon (federez)
|
|
||||||
client dodecagon {
|
|
||||||
ipaddr = 195.154.165.76
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
virtual_server = radius-wifi
|
|
||||||
}
|
|
|
@ -1,18 +0,0 @@
|
||||||
client radius-filaire {
|
|
||||||
ipaddr = 10.130.{{ apartment_block_id }}.0
|
|
||||||
netmask = 24
|
|
||||||
secret = {{ radius_secret_wired }}
|
|
||||||
require_message_authenticator = no
|
|
||||||
nastype = other
|
|
||||||
virtual_server = radius-filaire
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
client aurore-wifi {
|
|
||||||
ipaddr = 10.{{ subnet_ids.ap }}.0.0
|
|
||||||
netmask = 16
|
|
||||||
secret = {{ radius_secret_wifi }}
|
|
||||||
require_message_authenticator = no
|
|
||||||
nastype = other
|
|
||||||
virtual_server = radius-wifi
|
|
||||||
}
|
|
|
@ -1,50 +0,0 @@
|
||||||
# The main server log
|
|
||||||
/var/log/freeradius/radius.log {
|
|
||||||
# common options
|
|
||||||
daily
|
|
||||||
rotate 365
|
|
||||||
missingok
|
|
||||||
compress
|
|
||||||
delaycompress
|
|
||||||
notifempty
|
|
||||||
|
|
||||||
copytruncate
|
|
||||||
}
|
|
||||||
|
|
||||||
# (in order)
|
|
||||||
# Session monitoring utilities
|
|
||||||
# Session database modules
|
|
||||||
# SQL log files
|
|
||||||
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
|
|
||||||
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
|
|
||||||
/var/log/freeradius/sqllog.sql
|
|
||||||
{
|
|
||||||
# common options
|
|
||||||
daily
|
|
||||||
rotate 365
|
|
||||||
missingok
|
|
||||||
compress
|
|
||||||
delaycompress
|
|
||||||
notifempty
|
|
||||||
|
|
||||||
nocreate
|
|
||||||
}
|
|
||||||
|
|
||||||
# There are different detail-rotating strategies you can use. One is
|
|
||||||
# to write to a single detail file per IP and use the rotate config
|
|
||||||
# below. Another is to write to a daily detail file per IP with:
|
|
||||||
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
|
|
||||||
# (or similar) in radiusd.conf, without rotation. If you go with the
|
|
||||||
# second technique, you will need another cron job that removes old
|
|
||||||
# detail files. You do not need to comment out the below for method #2.
|
|
||||||
/var/log/freeradius/radacct/*/detail {
|
|
||||||
# common options
|
|
||||||
daily
|
|
||||||
rotate 365
|
|
||||||
missingok
|
|
||||||
compress
|
|
||||||
delaycompress
|
|
||||||
notifempty
|
|
||||||
|
|
||||||
nocreate
|
|
||||||
}
|
|
|
@ -1,14 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# vim:ts=2:sw=2:et
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
configure)
|
|
||||||
invoke-rc.d freeradius restart
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -1,28 +0,0 @@
|
||||||
class DbRouter(object):
|
|
||||||
"""
|
|
||||||
A router to control all database operations on models in the
|
|
||||||
auth application.
|
|
||||||
"""
|
|
||||||
def db_for_read(self, model, **hints):
|
|
||||||
"""
|
|
||||||
Attempts to read remote models go to local database.
|
|
||||||
"""
|
|
||||||
return 'local'
|
|
||||||
|
|
||||||
def db_for_write(self, model, **hints):
|
|
||||||
"""
|
|
||||||
Attempts to write remote models go to the remote database.
|
|
||||||
"""
|
|
||||||
return 'default'
|
|
||||||
|
|
||||||
def allow_relation(self, obj1, obj2, **hints):
|
|
||||||
"""
|
|
||||||
Allow relations involving the remote database
|
|
||||||
"""
|
|
||||||
return True
|
|
||||||
|
|
||||||
def allow_migrate(self, db, app_label, model_name=None, **hints):
|
|
||||||
"""
|
|
||||||
Allow migrations on the remote database
|
|
||||||
"""
|
|
||||||
return True
|
|
|
@ -1,87 +0,0 @@
|
||||||
# -*- mode: conf-unix; coding: utf-8 -*-
|
|
||||||
proxy server {
|
|
||||||
default_fallback = no
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
realm LOCAL {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
realm NULL {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#Proxy FedeRez #####
|
|
||||||
|
|
||||||
realm AUROREFEDEREZ {
|
|
||||||
auth_pool = federez_radius_servers
|
|
||||||
# nostrip
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server parangon_v4 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 185.230.78.47
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server parangon_v6 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server dodecagon_v4 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 195.154.165.76
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server dodecagon_v6 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 2001:bc8:273e::1
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_federez }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server_pool federez_radius_servers {
|
|
||||||
type = fail-over
|
|
||||||
home_server = parangon_v4
|
|
||||||
home_server = dodecagon_v4
|
|
||||||
home_server = dodecagon_v6
|
|
||||||
home_server = parangon_v6
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,54 +0,0 @@
|
||||||
# -*- mode: conf-unix; coding: utf-8 -*-
|
|
||||||
proxy server {
|
|
||||||
default_fallback = no
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
realm LOCAL {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
realm NULL {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#Proxy FedeRez #####
|
|
||||||
|
|
||||||
realm AUROREFEDEREZ {
|
|
||||||
auth_pool = aurore_central_radius_servers
|
|
||||||
# nostrip
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server radius_aurore_v4 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 10.128.0.251
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_aurore }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server radius_aurore_v6 {
|
|
||||||
type = auth
|
|
||||||
ipaddr = 2a09:6840:128::251
|
|
||||||
port = 1812
|
|
||||||
secret = {{ radius_secret_aurore }}
|
|
||||||
require_message_authenticator =yes
|
|
||||||
response_window = 20
|
|
||||||
zombie_period = 40
|
|
||||||
revive_interval = 120
|
|
||||||
status_check = status-server
|
|
||||||
check_interval = 30
|
|
||||||
num_answers_to_alive = 3
|
|
||||||
}
|
|
||||||
|
|
||||||
home_server_pool aurore_central_radius_servers {
|
|
||||||
type = fail-over
|
|
||||||
home_server = radius_aurore_v4
|
|
||||||
home_server = radius_aurore_v6
|
|
||||||
}
|
|
|
@ -1,129 +0,0 @@
|
||||||
# coding: utf-8
|
|
||||||
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
|
|
||||||
# se veut agnostique au réseau considéré, de manière à être installable en
|
|
||||||
# quelques clics.
|
|
||||||
#
|
|
||||||
# Copyright © 2017 Gabriel Détraz
|
|
||||||
# Copyright © 2017 Goulven Kermarec
|
|
||||||
# Copyright © 2017 Augustin Lemesle
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation; either version 2 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License along
|
|
||||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
||||||
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
"""re2o.settings_locale
|
|
||||||
The file with all the available options for a locale configuration of re2o
|
|
||||||
"""
|
|
||||||
|
|
||||||
from __future__ import unicode_literals
|
|
||||||
|
|
||||||
# A secret key used by the server.
|
|
||||||
SECRET_KEY = "{{ re2o_secret_key }}"
|
|
||||||
|
|
||||||
# The password to access the project database
|
|
||||||
DB_PASSWORD = "{{ re2o_db_password }}"
|
|
||||||
|
|
||||||
# AES key for secret key encryption.
|
|
||||||
# The length must be a multiple of 16
|
|
||||||
AES_KEY = "{{ re2o_aes_key }}"
|
|
||||||
|
|
||||||
# Should the server run in debug mode ?
|
|
||||||
# SECURITY WARNING: don't run with debug turned on in production!
|
|
||||||
DEBUG = False
|
|
||||||
|
|
||||||
# A list of admins of the services. Receive mails when an error occurs
|
|
||||||
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
|
|
||||||
|
|
||||||
# The list of hostname the server will respond to.
|
|
||||||
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
|
|
||||||
|
|
||||||
# The time zone the server is runned in
|
|
||||||
TIME_ZONE = 'Europe/Paris'
|
|
||||||
|
|
||||||
# The storage systems parameters to use
|
|
||||||
DATABASES = {
|
|
||||||
'default': {
|
|
||||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
|
||||||
'NAME': 're2o',
|
|
||||||
'USER': 're2o',
|
|
||||||
'PASSWORD': DB_PASSWORD,
|
|
||||||
'HOST': 're2o-db.adm.auro.re',
|
|
||||||
'TEST': {
|
|
||||||
'CHARSET': 'utf8',
|
|
||||||
'COLLATION': 'utf8_general_ci'
|
|
||||||
}
|
|
||||||
},
|
|
||||||
'local': {
|
|
||||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
|
||||||
'NAME': 're2o',
|
|
||||||
'USER': 're2o_ro',
|
|
||||||
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
|
|
||||||
'HOST': 'localhost',
|
|
||||||
'TEST': {
|
|
||||||
'CHARSET': 'utf8',
|
|
||||||
'COLLATION': 'utf8_general_ci'
|
|
||||||
}
|
|
||||||
},
|
|
||||||
'ldap': {
|
|
||||||
'ENGINE': 'ldapdb.backends.ldap',
|
|
||||||
'NAME': 'ldap://10.128.0.21/',
|
|
||||||
'USER': 'cn=admin,dc=auro,dc=re',
|
|
||||||
'TLS': False,
|
|
||||||
'PASSWORD': '{{ ldap_admin_password }}',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Security settings for secure https
|
|
||||||
# Activate once https is correctly configured
|
|
||||||
SECURE_CONTENT_TYPE_NOSNIFF = False
|
|
||||||
SECURE_BROWSER_XSS_FILTER = False
|
|
||||||
SESSION_COOKIE_SECURE = False
|
|
||||||
CSRF_COOKIE_SECURE = False
|
|
||||||
CSRF_COOKIE_HTTPONLY = False
|
|
||||||
X_FRAME_OPTIONS = 'DENY'
|
|
||||||
SESSION_COOKIE_AGE = 60 * 60 * 3
|
|
||||||
|
|
||||||
# The path where your organization logo is stored
|
|
||||||
LOGO_PATH = "static_files/logo.png"
|
|
||||||
|
|
||||||
# The mail configuration for Re2o to send mails
|
|
||||||
SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use
|
|
||||||
EMAIL_HOST = 'localhost' # The host to use
|
|
||||||
EMAIL_PORT = 25 # The port to use
|
|
||||||
|
|
||||||
# Settings of the LDAP structure
|
|
||||||
LDAP = {
|
|
||||||
'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
|
|
||||||
'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
|
|
||||||
'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
|
|
||||||
'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
|
|
||||||
'user_gid': 100,
|
|
||||||
}
|
|
||||||
|
|
||||||
# A range of UID to use. Used in linux environement
|
|
||||||
UID_RANGES = {
|
|
||||||
'users': [21001, 30000],
|
|
||||||
'service-users': [20000, 21000],
|
|
||||||
}
|
|
||||||
|
|
||||||
# A range of GID to use. Used in linux environement
|
|
||||||
GID_RANGES = {
|
|
||||||
'posix': [501, 600],
|
|
||||||
}
|
|
||||||
|
|
||||||
# Some optionnal Re2o Apps
|
|
||||||
OPTIONNAL_APPS_RE2O = ()
|
|
||||||
|
|
||||||
# Some Django apps you want to add in you local project
|
|
||||||
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
|
|
||||||
|
|
||||||
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
|
|
|
@ -1,239 +0,0 @@
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
|
||||||
# "server" section, and configuration directives.
|
|
||||||
#
|
|
||||||
# Virtual hosts should be put into the "sites-available"
|
|
||||||
# directory. Soft links should be created in the "sites-enabled"
|
|
||||||
# directory to these files. This is done in a normal installation.
|
|
||||||
#
|
|
||||||
# If you are using 802.1X (EAP) authentication, please see also
|
|
||||||
# the "inner-tunnel" virtual server. You will likely have to edit
|
|
||||||
# that, too, for authentication to work.
|
|
||||||
#
|
|
||||||
# $Id: 083407596aa5074d665adac9606e7de655b634aa $
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# Read "man radiusd" before editing this file. See the section
|
|
||||||
# titled DEBUGGING. It outlines a method where you can quickly
|
|
||||||
# obtain the configuration you want, without running into
|
|
||||||
# trouble. See also "man unlang", which documents the format
|
|
||||||
# of this file.
|
|
||||||
#
|
|
||||||
# This configuration is designed to work in the widest possible
|
|
||||||
# set of circumstances, with the widest possible number of
|
|
||||||
# authentication methods. This means that in general, you should
|
|
||||||
# need to make very few changes to this file.
|
|
||||||
#
|
|
||||||
# The best way to configure the server for your local system
|
|
||||||
# is to CAREFULLY edit this file. Most attempts to make large
|
|
||||||
# edits to this file will BREAK THE SERVER. Any edits should
|
|
||||||
# be small, and tested by running the server with "radiusd -X".
|
|
||||||
# Once the edits have been verified to work, save a copy of these
|
|
||||||
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
|
||||||
# make more edits, and test, as above.
|
|
||||||
#
|
|
||||||
# There are many "commented out" references to modules such
|
|
||||||
# as ldap, sql, etc. These references serve as place-holders.
|
|
||||||
# If you need the functionality of that module, then configure
|
|
||||||
# it in radiusd.conf, and un-comment the references to it in
|
|
||||||
# this file. In most cases, those small changes will result
|
|
||||||
# in the server being able to connect to the DB, and to
|
|
||||||
# authenticate users.
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
|
|
||||||
server default {
|
|
||||||
listen {
|
|
||||||
type = auth
|
|
||||||
ipaddr = *
|
|
||||||
port = 0
|
|
||||||
|
|
||||||
limit {
|
|
||||||
max_connections = 16
|
|
||||||
lifetime = 0
|
|
||||||
idle_timeout = 30
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
listen {
|
|
||||||
ipaddr = *
|
|
||||||
port = 0
|
|
||||||
type = acct
|
|
||||||
|
|
||||||
limit {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# IPv6 versions of the above - read their full config to understand options
|
|
||||||
listen {
|
|
||||||
type = auth
|
|
||||||
ipv6addr = :: # any. ::1 == localhost
|
|
||||||
port = 0
|
|
||||||
limit {
|
|
||||||
max_connections = 16
|
|
||||||
lifetime = 0
|
|
||||||
idle_timeout = 30
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
listen {
|
|
||||||
ipv6addr = ::
|
|
||||||
port = 0
|
|
||||||
type = acct
|
|
||||||
|
|
||||||
limit {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server radius-wifi {
|
|
||||||
authorize {
|
|
||||||
rewrite_calling_station_id
|
|
||||||
|
|
||||||
if (User-Name =~ /^(.*)@(.*)/){
|
|
||||||
if (User-Name !~ /^(.*)@(.*)auro(.*)/){
|
|
||||||
update control{
|
|
||||||
Proxy-To-Realm := 'AUROREFEDEREZ'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
|
|
||||||
update request{
|
|
||||||
Stripped-User-Name := "%{1}"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
filter_username
|
|
||||||
|
|
||||||
preprocess
|
|
||||||
|
|
||||||
suffix
|
|
||||||
|
|
||||||
eap {
|
|
||||||
ok = return
|
|
||||||
}
|
|
||||||
|
|
||||||
expiration
|
|
||||||
logintime
|
|
||||||
|
|
||||||
pap
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
authenticate {
|
|
||||||
Auth-Type PAP {
|
|
||||||
pap
|
|
||||||
}
|
|
||||||
|
|
||||||
Auth-Type CHAP {
|
|
||||||
chap
|
|
||||||
}
|
|
||||||
|
|
||||||
Auth-Type MS-CHAP {
|
|
||||||
mschap
|
|
||||||
}
|
|
||||||
|
|
||||||
mschap
|
|
||||||
|
|
||||||
digest
|
|
||||||
|
|
||||||
eap
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
preacct {
|
|
||||||
preprocess
|
|
||||||
|
|
||||||
acct_unique
|
|
||||||
|
|
||||||
suffix
|
|
||||||
files
|
|
||||||
}
|
|
||||||
|
|
||||||
accounting {
|
|
||||||
|
|
||||||
detail
|
|
||||||
|
|
||||||
unix
|
|
||||||
exec
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
session {
|
|
||||||
}
|
|
||||||
|
|
||||||
post-auth {
|
|
||||||
update {
|
|
||||||
&reply: += &session-state:
|
|
||||||
}
|
|
||||||
|
|
||||||
exec
|
|
||||||
|
|
||||||
|
|
||||||
remove_reply_message_if_eap
|
|
||||||
|
|
||||||
Post-Auth-Type REJECT {
|
|
||||||
-sql
|
|
||||||
attr_filter.access_reject
|
|
||||||
|
|
||||||
eap
|
|
||||||
|
|
||||||
remove_reply_message_if_eap
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pre-proxy {
|
|
||||||
}
|
|
||||||
|
|
||||||
post-proxy {
|
|
||||||
eap
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
server radius-filaire{
|
|
||||||
authorize{
|
|
||||||
|
|
||||||
re2o
|
|
||||||
expiration
|
|
||||||
logintime
|
|
||||||
pap
|
|
||||||
}
|
|
||||||
authenticate{
|
|
||||||
Auth-Type PAP{
|
|
||||||
pap
|
|
||||||
}
|
|
||||||
Auth-Type CHAP{
|
|
||||||
chap
|
|
||||||
}
|
|
||||||
Auth-Type MS-CHAP{
|
|
||||||
mschap
|
|
||||||
}
|
|
||||||
digest
|
|
||||||
eap
|
|
||||||
|
|
||||||
}
|
|
||||||
preacct{
|
|
||||||
preprocess
|
|
||||||
acct_unique
|
|
||||||
suffix
|
|
||||||
files
|
|
||||||
}
|
|
||||||
accounting{
|
|
||||||
}
|
|
||||||
session{
|
|
||||||
}
|
|
||||||
post-auth{
|
|
||||||
re2o
|
|
||||||
exec
|
|
||||||
}
|
|
||||||
pre-proxy{
|
|
||||||
}
|
|
||||||
post-proxy{
|
|
||||||
eap
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,345 +0,0 @@
|
||||||
# -*- text -*-
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# This is a virtual server that handles *only* inner tunnel
|
|
||||||
# requests for EAP-TTLS and PEAP types.
|
|
||||||
#
|
|
||||||
# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
|
|
||||||
server inner-tunnel {
|
|
||||||
|
|
||||||
#
|
|
||||||
# This next section is here to allow testing of the "inner-tunnel"
|
|
||||||
# authentication methods, independently from the "default" server.
|
|
||||||
# It is listening on "localhost", so that it can only be used from
|
|
||||||
# the same machine.
|
|
||||||
#
|
|
||||||
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
|
||||||
#
|
|
||||||
# If it works, you have configured the inner tunnel correctly. To check
|
|
||||||
# if PEAP will work, use:
|
|
||||||
#
|
|
||||||
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
|
||||||
#
|
|
||||||
# If that works, PEAP should work. If that command doesn't work, then
|
|
||||||
#
|
|
||||||
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
|
||||||
#
|
|
||||||
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
|
||||||
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
|
||||||
#
|
|
||||||
listen {
|
|
||||||
ipaddr = 127.0.0.1
|
|
||||||
port = 18120
|
|
||||||
type = auth
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Authorization. First preprocess (hints and huntgroups files),
|
|
||||||
# then realms, and finally look in the "users" file.
|
|
||||||
#
|
|
||||||
# The order of the realm modules will determine the order that
|
|
||||||
# we try to find a matching realm.
|
|
||||||
#
|
|
||||||
# Make *sure* that 'preprocess' comes before any realm if you
|
|
||||||
# need to setup hints for the remote radius server
|
|
||||||
authorize {
|
|
||||||
if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
|
|
||||||
update request{
|
|
||||||
Stripped-User-Name := "%{1}"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#
|
|
||||||
# Take a User-Name, and perform some checks on it, for spaces and other
|
|
||||||
# invalid characters. If the User-Name appears invalid, reject the
|
|
||||||
# request.
|
|
||||||
#
|
|
||||||
# See policy.d/filter for the definition of the filter_username policy.
|
|
||||||
#
|
|
||||||
filter_username
|
|
||||||
|
|
||||||
re2o
|
|
||||||
|
|
||||||
#
|
|
||||||
# Do checks on outer / inner User-Name, so that users
|
|
||||||
# can't spoof us by using incompatible identities
|
|
||||||
#
|
|
||||||
# filter_inner_identity
|
|
||||||
|
|
||||||
#
|
|
||||||
# The chap module will set 'Auth-Type := CHAP' if we are
|
|
||||||
# handling a CHAP request and Auth-Type has not already been set
|
|
||||||
chap
|
|
||||||
|
|
||||||
#
|
|
||||||
# If the users are logging in with an MS-CHAP-Challenge
|
|
||||||
# attribute for authentication, the mschap module will find
|
|
||||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
|
||||||
# to the request, which will cause the server to then use
|
|
||||||
# the mschap module for authentication.
|
|
||||||
mschap
|
|
||||||
|
|
||||||
#
|
|
||||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
|
||||||
# using the system API's to get the password. If you want
|
|
||||||
# to read /etc/passwd or /etc/shadow directly, see the
|
|
||||||
# passwd module, above.
|
|
||||||
#
|
|
||||||
# unix
|
|
||||||
|
|
||||||
#
|
|
||||||
# Look for IPASS style 'realm/', and if not found, look for
|
|
||||||
# '@realm', and decide whether or not to proxy, based on
|
|
||||||
# that.
|
|
||||||
# IPASS
|
|
||||||
|
|
||||||
#
|
|
||||||
# If you are using multiple kinds of realms, you probably
|
|
||||||
# want to set "ignore_null = yes" for all of them.
|
|
||||||
# Otherwise, when the first style of realm doesn't match,
|
|
||||||
# the other styles won't be checked.
|
|
||||||
#
|
|
||||||
# Note that proxying the inner tunnel authentication means
|
|
||||||
# that the user MAY use one identity in the outer session
|
|
||||||
# (e.g. "anonymous", and a different one here
|
|
||||||
# (e.g. "user@example.com"). The inner session will then be
|
|
||||||
# proxied elsewhere for authentication. If you are not
|
|
||||||
# careful, this means that the user can cause you to forward
|
|
||||||
# the authentication to another RADIUS server, and have the
|
|
||||||
# accounting logs *not* sent to the other server. This makes
|
|
||||||
# it difficult to bill people for their network activity.
|
|
||||||
#
|
|
||||||
suffix
|
|
||||||
# ntdomain
|
|
||||||
|
|
||||||
#
|
|
||||||
# The "suffix" module takes care of stripping the domain
|
|
||||||
# (e.g. "@example.com") from the User-Name attribute, and the
|
|
||||||
# next few lines ensure that the request is not proxied.
|
|
||||||
#
|
|
||||||
# If you want the inner tunnel request to be proxied, delete
|
|
||||||
# the next few lines.
|
|
||||||
#
|
|
||||||
update control {
|
|
||||||
&Proxy-To-Realm := LOCAL
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# This module takes care of EAP-MSCHAPv2 authentication.
|
|
||||||
#
|
|
||||||
# It also sets the EAP-Type attribute in the request
|
|
||||||
# attribute list to the EAP type from the packet.
|
|
||||||
#
|
|
||||||
# The example below uses module failover to avoid querying all
|
|
||||||
# of the following modules if the EAP module returns "ok".
|
|
||||||
# Therefore, your LDAP and/or SQL servers will not be queried
|
|
||||||
# for the many packets that go back and forth to set up TTLS
|
|
||||||
# or PEAP. The load on those servers will therefore be reduced.
|
|
||||||
#
|
|
||||||
eap {
|
|
||||||
ok = return
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Read the 'users' file
|
|
||||||
#files
|
|
||||||
|
|
||||||
#
|
|
||||||
# Look in an SQL database. The schema of the database
|
|
||||||
# is meant to mirror the "users" file.
|
|
||||||
#
|
|
||||||
# See "Authorization Queries" in sql.conf
|
|
||||||
#-sql
|
|
||||||
|
|
||||||
#
|
|
||||||
# If you are using /etc/smbpasswd, and are also doing
|
|
||||||
# mschap authentication, the un-comment this line, and
|
|
||||||
# enable the "smbpasswd" module.
|
|
||||||
# smbpasswd
|
|
||||||
|
|
||||||
#
|
|
||||||
# The ldap module reads passwords from the LDAP database.
|
|
||||||
#-ldap
|
|
||||||
|
|
||||||
#
|
|
||||||
# Enforce daily limits on time spent logged in.
|
|
||||||
# daily
|
|
||||||
|
|
||||||
expiration
|
|
||||||
logintime
|
|
||||||
|
|
||||||
#
|
|
||||||
# If no other module has claimed responsibility for
|
|
||||||
# authentication, then try to use PAP. This allows the
|
|
||||||
# other modules listed above to add a "known good" password
|
|
||||||
# to the request, and to do nothing else. The PAP module
|
|
||||||
# will then see that password, and use it to do PAP
|
|
||||||
# authentication.
|
|
||||||
#
|
|
||||||
# This module should be listed last, so that the other modules
|
|
||||||
# get a chance to set Auth-Type for themselves.
|
|
||||||
#
|
|
||||||
pap
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Authentication.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# This section lists which modules are available for authentication.
|
|
||||||
# Note that it does NOT mean 'try each module in order'. It means
|
|
||||||
# that a module from the 'authorize' section adds a configuration
|
|
||||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
|
||||||
# used to pick the appropriate module from the list below.
|
|
||||||
#
|
|
||||||
|
|
||||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
|
||||||
# will figure it out on its own, and will do the right thing. The
|
|
||||||
# most common side effect of erroneously setting the Auth-Type
|
|
||||||
# attribute is that one authentication method will work, but the
|
|
||||||
# others will not.
|
|
||||||
#
|
|
||||||
# The common reasons to set the Auth-Type attribute by hand
|
|
||||||
# is to either forcibly reject the user, or forcibly accept him.
|
|
||||||
#
|
|
||||||
authenticate {
|
|
||||||
#
|
|
||||||
# PAP authentication, when a back-end database listed
|
|
||||||
# in the 'authorize' section supplies a password. The
|
|
||||||
# password can be clear-text, or encrypted.
|
|
||||||
Auth-Type PAP {
|
|
||||||
pap
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Most people want CHAP authentication
|
|
||||||
# A back-end database listed in the 'authorize' section
|
|
||||||
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
|
||||||
# won't work.
|
|
||||||
Auth-Type CHAP {
|
|
||||||
chap
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# MSCHAP authentication.
|
|
||||||
Auth-Type MS-CHAP {
|
|
||||||
mschap
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# For old names, too.
|
|
||||||
#
|
|
||||||
mschap
|
|
||||||
|
|
||||||
#
|
|
||||||
# Allow EAP authentication.
|
|
||||||
eap
|
|
||||||
}
|
|
||||||
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# There are no accounting requests inside of EAP-TTLS or PEAP
|
|
||||||
# tunnels.
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
|
|
||||||
|
|
||||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
|
||||||
# or rlm_sql module can handle this.
|
|
||||||
# The rlm_sql module is *much* faster
|
|
||||||
session {
|
|
||||||
radutmp
|
|
||||||
|
|
||||||
#
|
|
||||||
# See "Simultaneous Use Checking Queries" in sql.conf
|
|
||||||
# sql
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Post-Authentication
|
|
||||||
# Once we KNOW that the user has been authenticated, there are
|
|
||||||
# additional steps we can take.
|
|
||||||
#
|
|
||||||
# Note that the last packet of the inner-tunnel authentication
|
|
||||||
# MAY NOT BE the last packet of the outer session. So updating
|
|
||||||
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
|
|
||||||
# exact functionality depends on both the inner and outer
|
|
||||||
# authentication methods.
|
|
||||||
#
|
|
||||||
# If you need to send a reply attribute in the outer session,
|
|
||||||
# the ONLY safe way is to set "use_tunneled_reply = yes", and
|
|
||||||
# then update the inner-tunnel reply.
|
|
||||||
post-auth {
|
|
||||||
re2o
|
|
||||||
|
|
||||||
Post-Auth-Type REJECT {
|
|
||||||
# log failed authentications in SQL, too.
|
|
||||||
-sql
|
|
||||||
attr_filter.access_reject
|
|
||||||
|
|
||||||
#
|
|
||||||
# Let the outer session know which module failed, and why.
|
|
||||||
#
|
|
||||||
update outer.session-state {
|
|
||||||
&Module-Failure-Message := &request:Module-Failure-Message
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# When the server decides to proxy a request to a home server,
|
|
||||||
# the proxied request is first passed through the pre-proxy
|
|
||||||
# stage. This stage can re-write the request, or decide to
|
|
||||||
# cancel the proxy.
|
|
||||||
#
|
|
||||||
# Only a few modules currently have this method.
|
|
||||||
#
|
|
||||||
pre-proxy {
|
|
||||||
# Uncomment the following line if you want to change attributes
|
|
||||||
# as defined in the preproxy_users file.
|
|
||||||
# files
|
|
||||||
|
|
||||||
# Uncomment the following line if you want to filter requests
|
|
||||||
# sent to remote servers based on the rules defined in the
|
|
||||||
# 'attrs.pre-proxy' file.
|
|
||||||
# attr_filter.pre-proxy
|
|
||||||
|
|
||||||
# If you want to have a log of packets proxied to a home
|
|
||||||
# server, un-comment the following line, and the
|
|
||||||
# 'detail pre_proxy_log' section, above.
|
|
||||||
# pre_proxy_log
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# When the server receives a reply to a request it proxied
|
|
||||||
# to a home server, the request may be massaged here, in the
|
|
||||||
# post-proxy stage.
|
|
||||||
#
|
|
||||||
post-proxy {
|
|
||||||
|
|
||||||
# If you want to have a log of replies from a home server,
|
|
||||||
# un-comment the following line, and the 'detail post_proxy_log'
|
|
||||||
# section, above.
|
|
||||||
# post_proxy_log
|
|
||||||
|
|
||||||
# Uncomment the following line if you want to filter replies from
|
|
||||||
# remote proxies based on the rules defined in the 'attrs' file.
|
|
||||||
# attr_filter.post-proxy
|
|
||||||
|
|
||||||
#
|
|
||||||
# If you are proxying LEAP, you MUST configure the EAP
|
|
||||||
# module, and you MUST list it here, in the post-proxy
|
|
||||||
# stage.
|
|
||||||
#
|
|
||||||
# You MUST also use the 'nostrip' option in the 'realm'
|
|
||||||
# configuration. Otherwise, the User-Name attribute
|
|
||||||
# in the proxied request will not match the user name
|
|
||||||
# hidden inside of the EAP packet, and the end server will
|
|
||||||
# reject the EAP request.
|
|
||||||
#
|
|
||||||
eap
|
|
||||||
}
|
|
||||||
|
|
||||||
} # inner-tunnel server block
|
|