Merge branch 'radius' into new-infra

This commit is contained in:
jeltz 2023-06-22 17:39:00 +02:00
commit 4a5b3bbfde
Signed by: jeltz
GPG key ID: 800882B66C0C3326
31 changed files with 610 additions and 1249 deletions

playbooks/freeradius.yml Executable file

@ -0,0 +1,18 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- radius-1.isp.infra.auro.re
vars:
radiusd__clients:
localhost:
addr: 127.0.0.1
secret: abcdef
wifi-ap-v4:
addr: 10.102.0.0/16
secret: abcdef
wifi-ap-v6:
addr: 2a09:6840:102::/56
secret: abcdef
roles:
- freeradius
...
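Review bot: The `secret: abcdef` value repeated for `localhost`, `wifi-ap-v4` and `wifi-ap-v6` commits a plain-text RADIUS shared secret to the repository, and the same one for every client; because `radiusd__clients` is rendered straight into clients.conf, this is the credential every AP in 10.102.0.0/16 and 2a09:6840:102::/56 will use. Move the values to vault-encrypted variables (constructed example: `secret: "{{ vault_radiusd_wifi_ap_secret }}"`, name to be chosen) and generate a distinct random secret per client. The `localhost` client presumably exists for local `radtest`/status checks; if so it still deserves its own secret rather than sharing the AP one.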


@ -58,6 +58,14 @@
addresses: addresses:
- 2a09:6840:129::10:102/56 - 2a09:6840:129::10:102/56
- 10.129.10.102/16 - 10.129.10.102/16
radius-1.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::208/56
- 10.128.0.208/16
dns-1.int.infra.auro.re: dns-1.int.infra.auro.re:
adm0: adm0:
addresses: addresses:


@ -0,0 +1,30 @@
---
radiusd__max_attributes: 200
radiusd__status_server: true
radiusd__clients: {}
radiusd__enabled_modules_minimal:
- always
- attr_filter
- cache_eap # TODO
- dynamic_clients # TODO
- eap # TODO
- expiration # TODO
- expr # TODO
- linelog # TODO
- logintime # TODO
- realm # TODO
- unpack # TODO
- eap_inner
- ldap
- pap
- utf8
radiusd__enabled_modules: []
radiusd__tls_cipher_list: DEFAULT
radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
radiusd__enabled_sites_minimal:
- default
- inner-tunnel
radiusd__enabled_sites: []
...
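Review bot: `radiusd__tls_certificate_file` and `radiusd__tls_private_key_file` default to the Debian snakeoil self-signed pair, so a host that forgets to override them gets a working EAP server whose certificate no supplicant can validate, and nothing in the role flags it. Consider leaving those two variables without a default so the template step fails fast when they are unset, or at least put a comment above them: `# Placeholder only: override with the real server certificate before exposing EAP to clients`. `radiusd__tls_ca_file` pointing at the whole system bundle also means any public CA could issue an acceptable client certificate if `require_client_cert` is ever switched on in the eap module; a dedicated CA file is the safer default.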


@ -0,0 +1,6 @@
---
- name: Restart freeradius
systemd:
name: freeradius.service
state: restarted
...


@ -0,0 +1,132 @@
---
- name: Install freeradius
apt:
name: freeradius
install_recommends: false
- name: Remove unused files
file:
path: "/etc/freeradius/3.0/{{ item }}"
state: absent
loop:
- templates.conf
- trigger.conf
- README.rst
- panic.gdb
- experimental.conf
- certs/ca.cnf
- certs/bootstrap
- certs/client.cnf
- certs/inner-server.cnf
- certs/server.cnf
- certs/README
- certs/Makefile
- certs/xpextensions
- policy.d/accounting
- policy.d/rfc7542
- policy.d/dhcp
- policy.d/debug
- policy.d/control
- policy.d/abfab-tr
- policy.d/moonshot-targeted-ids
- policy.d/operator-name
- mods-config/unbound/
- mods-config/perl/
- mods-config/python3/
- mods-config/sql/
- mods-config/files/
- mods-config/preprocess/
- mods-config/README.rst
- users
- hints
- huntgroups
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
owner: root
group: freerad
mode: u=rw,g=r,o=
loop:
- radiusd.conf
#- proxy.conf
- clients.conf
- dictionary
- mods-available/utf8
- mods-available/always
- mods-available/eap
- mods-available/eap_inner
- mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject
- sites-available/inner-tunnel
- sites-available/default
notify:
- Restart freeradius
- name: Enumerate available modules
find:
paths: /etc/freeradius/3.0/mods-available
register: available_modules
- name: Disable modules
file:
path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
state: absent
loop: "{{ available_modules.files
| map(attribute='path')
| map('basename')
| difference(radiusd__enabled_modules_minimal
| union(radiusd__enabled_modules)) }}"
notify:
- Restart freeradius
- name: Enable modules
file:
src: "/etc/freeradius/3.0/mods-available/{{ item }}"
dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
state: link
owner: root
group: freerad
mode: u=rw,g=r,o=
loop: "{{ radiusd__enabled_modules_minimal
| union(radiusd__enabled_modules) }}"
notify:
- Restart freeradius
- name: Enumerate available sites
find:
paths: /etc/freeradius/3.0/sites-available
register: available_sites
- name: Disable sites
file:
path: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
state: absent
loop: "{{ available_sites.files
| map(attribute='path')
| map('basename')
| difference(radiusd__enabled_sites_minimal
| union(radiusd__enabled_sites)) }}"
notify:
- Restart freeradius
- name: Enable sites
file:
src: "/etc/freeradius/3.0/sites-available/{{ item }}"
dest: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
state: link
owner: root
group: freerad
mode: u=rw,g=r,o=
loop: "{{ radiusd__enabled_sites_minimal
| union(radiusd__enabled_sites) }}"
notify:
- Restart freeradius
- name: Enable and start freeradius
systemd:
name: freeradius.service
state: started
enabled: true
...
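Review bot: The `Configure freeradius` loop deploys only `mods-available/utf8`, `always`, `eap` and `eap_inner`, yet `ldap` and `pap` are listed in `radiusd__enabled_modules_minimal` and this commit appears to add templates for both (the `ldap { server = ... }` and `pap { normalise = no }` files further down). If those templates are meant to be installed, `mods-available/ldap` and `mods-available/pap` have to be added to the loop; otherwise `Enable modules` links the package-shipped `mods-available/ldap` with its own defaults and the inner-tunnel LDAP authentication cannot work. Separately, `mode: u=rw,g=r,o=` on the two `state: link` tasks is, as far as I can tell, applied to the link target because the file module follows symlinks by default, so it also rewrites the mode of any package-shipped module or site that gets linked; dropping `mode` from those two tasks keeps them to creating links.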


@ -0,0 +1,16 @@
{{ ansible_managed | comment }}
{% for name, client in radiusd__clients.items() %}
client {{ name }} {
ipaddr = {{ client.addr }}
shortname = {{ name }}
proto = *
require_message_authenticator = yes
nastype = other
secret = {{ client.secret }}
{% if client.virtual_server is defined %}
virtual_server = {{ client.virtual_server }}
{% endif %}
}
{% endfor %}
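Review bot: `secret = {{ client.secret }}` is rendered unquoted, so a secret containing a space, `#` or `}` either breaks the clients.conf parse or is silently truncated; quote it the way the eap template quotes its cipher list, `secret = {{ client.secret | enquote }}`. `require_message_authenticator = yes` is the right setting and should stay unconditional rather than becoming a per-client option. With `proto = *` and CIDR `ipaddr` values each client entry is a whole /16 or /56 range sharing one secret, which is a deliberate choice worth a one-line comment in the playbook that defines `radiusd__clients`.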


@ -0,0 +1 @@
{{ ansible_managed | comment }}


@ -0,0 +1,37 @@
{{ ansible_managed | comment }}
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}


@ -0,0 +1,11 @@
{{ ansible_managed | comment }}
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}


@ -0,0 +1,59 @@
{{ ansible_managed | comment }}
eap {
default_eap_type = peap
type = peap
type = ttls
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
timer_expire = 60
max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = {{ radiusd__tls_private_key_file }}
certificate_file = {{ radiusd__tls_certificate_file }}
ca_file = {{ radiusd__tls_ca_file }}
dh_file = ${certdir}/dh
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
cipher_server_preferences = yes
tls_min_version = "1.2"
tls_max_version = "1.2" # TODO: 1.3
# TODO
# cache {
# enable = yes
# lifetime = 24
# name = "eap"
# persistdir = "${logdir}/tlscache"
# store {
# Tunnel-Private-Group-Id
# }
# }
ocsp {
enable = no
}
}
peap {
tls = tls-common
default_eap_type = gtc
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
ttls {
tls = tls-common
default_eap_type = pap
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
}
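Review bot: `default_eap_type = pap` in the `ttls` block (and `type = pap` in the separate `eap inner-eap` template) names an EAP method that, as far as I can tell, FreeRADIUS 3 does not define — TTLS/PAP is a non-EAP inner method handled by the `pap` module in inner-tunnel — so rlm_eap may refuse to instantiate with an unknown-type error. Verify with `freeradius -XC` on a rendered host and disregard this if it starts cleanly. `dh_file = ${certdir}/dh` is referenced while the role deletes `certs/Makefile` and `certs/bootstrap`, the scripts that normally generate that file; confirm the package postinst has already created it, otherwise startup fails on a fresh host. `ca_file` pointing at the system bundle is tolerable while `require_client_cert = no`, but a dedicated CA must replace it before client certificates are ever required.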


@ -0,0 +1,14 @@
{{ ansible_managed | comment }}
eap inner-eap {
default_eap_type = gtc
type = gtc
type = pap
gtc {
auth_type = LDAP
}
}


@ -0,0 +1,50 @@
{{ ansible_managed | comment }}
ldap {
server = "ldap://ldap-1.int.infra.auro.re"
# TODO: quand on passera en prod, créer un utilisation dédié
identity = "cn=Directory manager"
password = "MotDePasseSuperComplique"
base_dn = "ou=users,dc=auro,dc=re"
user_dn = "LDAP-UserDn"
user {
base_dn = "${..base_dn}"
filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
}
group {
base_dn = "${..base_dn}"
filter = "(objectClass=posixGroup)"
membership_attribute = "memberOf"
}
options {
# TODO
chase_referrals = no
rebind = no
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
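Review bot: `password = "MotDePasseSuperComplique"` binds as `cn=Directory manager`, the directory super-user, with a literal password committed in the template; the TODO above it already says a dedicated account is needed, and that should not wait for production — use a vault variable now (constructed example: `password = {{ radiusd__ldap_password | enquote }}`, name to be chosen) together with a read-only service identity scoped to `ou=users,dc=auro,dc=re`. The module also speaks plain `ldap://` to ldap-1, and since inner-tunnel sets `Auth-Type := ldap` the user's PAP password is forwarded to the directory as a bind credential in cleartext over that link; enable `tls { start_tls = yes }` (or use `ldaps://` with a pinned CA) unless that network segment is protected by other means. `ldap_debug = 0x0028` is a debugging setting that belongs behind a role variable defaulting to 0 rather than in the production template.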


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
pap {
normalise = no
}


@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
utf8 {
}


@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY


@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY


@ -0,0 +1,23 @@
{{ ansible_managed | comment }}
proxy server {
default_fallback = no
dynamic = no
}
{% for name, hs in radiusd__home_servers.items %}
home_server {{ name }} {
type = auth
ipaddr = {{ hs.addr }}
port = {{ hs.port | int }}
}
{% endfor %}
{% for name, realm in radiusd__realms.items() %}
realm {{ name }} {
auth_pool = auth_pool
}
{% endfor %}
realm LOCAL {
}
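Review bot: `{% for name, hs in radiusd__home_servers.items %}` is missing the call parentheses (compare `radiusd__realms.items()` a few lines below), so rendering this template fails on the unbound `items` method; it should read `{% for name, hs in radiusd__home_servers.items() %}`. The template is currently latent because `proxy.conf` is commented out of the Configure loop, but the generated `home_server` blocks also carry no `secret`, which FreeRADIUS requires, every realm points at a pool literally named `auth_pool` that nothing defines, and the loop's `realm` variable is unused. Neither `radiusd__home_servers` nor `radiusd__realms` has a default in the role, so the template will additionally fail on undefined variables as soon as it is enabled.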


@ -0,0 +1,68 @@
{{ ansible_managed | comment }}
prefix = /usr
exec_prefix = /usr
sysconfigdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
checkrad = ${sbindir}/checkrad
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
correct_escapes = true
log {
destination = syslog
syslog_facility = daemon
auth = yes
}
security {
user = freerad
group = freerad
allow_core_dumps = no
max_attributes = {{ radiusd__max_attributes | int }}
status_server = {{ radiusd__status_server | ternary("yes", "no") }}
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
auto_limit_acct = no
}
modules {
$INCLUDE mods-enabled/
}
instantiate {
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
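Review bot: `proxy_requests = yes` together with `$INCLUDE proxy.conf` pulls in whatever proxy.conf is on the host, because the role's own proxy.conf template is commented out of the Configure loop and the package-shipped file is not in the removal list; realm handling via `suffix` in both virtual servers is therefore governed by a file the role neither writes nor removes. Until the proxy template is finished, `proxy_requests = no` and dropping the include would, as far as I can tell, make the rendered configuration fully role-managed; worth confirming that the `LOCAL` realm the inner-tunnel relies on still resolves in that mode. If the package file is intentionally kept for now, say so above the include: `# proxy.conf is currently the package-shipped file; the role template is disabled`.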


@ -0,0 +1,69 @@
{{ ansible_managed | comment }}
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = auth
ipv6addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
authorize {
filter_username # TODO
suffix
eap
}
authenticate {
eap
}
preacct {
}
accounting {
}
post-auth {
if (session-state:User-Name && reply:User-Name \
&& request:User-Name \
&& (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
Post-Auth-Type REJECT {
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
remove_reply_message_if_eap
}
pre-proxy {
}
post-proxy {
eap
}
}


@ -0,0 +1,39 @@
{{ ansible_managed | comment }}
server inner-tunnel {
authorize {
# Look for realm using the 'suffix' format (user@realm)
suffix
# Don't proxy requests from inner tunnel
update control {
&Proxy-To-Realm := LOCAL
}
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel)
inner-eap {
ok = return
}
ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
pap
}
authenticate {
inner-eap
# Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
ldap
}
}


@ -1,263 +0,0 @@
---
- name: Add backports repositories
apt_repository:
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
loop:
- "deb"
- "deb-src"
- name: Ensure /var/www exists
file:
name: "/var/www"
state: directory
mode: 0755
- name: Clone re2o repo
git:
repo: "https://gitlab.federez.net/re2o/re2o.git"
dest: "/var/www/re2o"
version: "dev"
force: true
- name: Template local re2o settings
template:
src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}"
mode: 0644
loop:
- settings_local.py
- local_routers.py
# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
- name: try to install freeradius-python3 (this will fail on post-install)
apt:
name: freeradius-python3
default_release: buster-backports
update_cache: true
ignore_errors: true
- name: fix freeradius-python3 postinstall script
template:
src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst
mode: 0644
- name: reinstall broken package (this might fail too, for different reasons)
apt:
name: freeradius-python3
default_release: buster-backports
force: true
ignore_errors: true
- name: Setup radius symlinks
file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
dest: "/etc/freeradius/3.0/{{ item.filename }}"
state: link
force: true
loop:
- local_prefix: ""
filename: auth.py
- local_prefix: freeradius3/
filename: radiusd.conf
- local_prefix: freeradius3/
filename: mods-enabled/python
- local_prefix: freeradius3/
filename: mods-enabled/eap
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
owner: freerad
loop:
- sites-enabled/default
- sites-enabled/inner-tunnel
- name: Install Basic Clients/Proxy Files freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
owner: freerad
loop:
- clients.conf
- proxy.conf
when: "'aurore_vm' not in group_names"
- name: Install Clients FedeRez Radius-Aurore
template:
src: proxy-federez.conf.j2
dest: /etc/freeradius/3.0/proxy.conf
mode: 0640
owner: freerad
when: "'aurore_vm' in group_names"
- name: Install Proxy FedeRez Radius-Aurore
template:
src: clients-federez.conf.j2
dest: /etc/freeradius/3.0/clients.conf
mode: 0640
owner: freerad
when: "'aurore_vm' in group_names"
- name: Install radius requirements (except freeradius-python3)
shell:
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
chdir: /var/www/re2o/
- name: Install PyPi requirements for radius
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
# End of hideousness (hopefully).
- name: Configure log rotation
template:
src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius"
mode: 0644
# Database setup
- name: Install postgresql
apt:
name:
- postgresql
- postgresql-client-11=11.7-0+deb10u1
force: true
- name: Install postgresql ansible module requirement(s)
pip:
name: psycopg2
- name: Create read-only user
community.general.postgresql_user:
name: re2o_ro
password: "{{ radius_pg_re2o_ro_password }}"
become_user: postgres
- name: Create replication user
community.general.postgresql_user:
name: replication
password: "{{ radius_pg_replication_password }}"
become_user: postgres
- name: Nuking - Stop freeradius
systemd:
name: freeradius
state: stopped
when: nuke_radius|default(false)
- name: Nuking - Remove old subscription if it exists
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
db: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
ignore_errors: true
- name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db:
name: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
- name: Create local DB
community.general.postgresql_db:
name: re2o
owner: replication
state: present
encoding: "UTF8"
lc_collate: 'fr_FR.UTF-8'
lc_ctype: 'fr_FR.UTF-8'
become_user: postgres
- name: Dump radius re2o PostgreSQL database schema from master
community.general.postgresql_db:
name: re2o
state: dump
target: /tmp/re2o-schema.sql
target_opts: '-s'
login_host: 10.128.0.22
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Restore DB
tags:
- restore
community.general.postgresql_db:
name: re2o
state: restore
target: /tmp/re2o-schema.sql
target_opts: "-s"
login_host: localhost
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Grant select permissions on all tables to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
objs: ALL_IN_SCHEMA
schema: public
roles: re2o_ro
become_user: postgres
- name: Grant usage permission on schema to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: USAGE
objs: public
type: schema
roles: re2o_ro
become_user: postgres
- name: Set default privileges in schema
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
schema: public
objs: TABLES
type: default_privs
roles: re2o_ro
become_user: postgres
- name: Set up subscription to main database
tags:
- sub
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
connparams:
host: re2o-db.adm.auro.re
user: replication
password: "{{ radius_pg_replication_password }}"
dbname: re2o
db: re2o
publications:
- re2o_pub
become_user: postgres
- name: Restart freeradius, ensure enabled
systemd:
name: freeradius
enabled: true
state: restarted
daemon_reload: true


@ -1,22 +0,0 @@
client radius-aurore {
ipaddr = 10.128.0.0
netmask = 16
secret = {{ radius_secret_aurore }}
require_message_authenticator = no
nastype = other
virtual_server = radius-wifi
}
# Parangon (federez)
client parangon {
ipaddr = 185.230.78.47
secret = {{ radius_secret_federez }}
virtual_server = radius-wifi
}
# Dodecagon (federez)
client dodecagon {
ipaddr = 195.154.165.76
secret = {{ radius_secret_federez }}
virtual_server = radius-wifi
}


@ -1,18 +0,0 @@
client radius-filaire {
ipaddr = 10.130.{{ apartment_block_id }}.0
netmask = 24
secret = {{ radius_secret_wired }}
require_message_authenticator = no
nastype = other
virtual_server = radius-filaire
}
client aurore-wifi {
ipaddr = 10.{{ subnet_ids.ap }}.0.0
netmask = 16
secret = {{ radius_secret_wifi }}
require_message_authenticator = no
nastype = other
virtual_server = radius-wifi
}


@ -1,50 +0,0 @@
# The main server log
/var/log/freeradius/radius.log {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
copytruncate
}
# (in order)
# Session monitoring utilities
# Session database modules
# SQL log files
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
/var/log/freeradius/sqllog.sql
{
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/freeradius/radacct/*/detail {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}


@ -1,14 +0,0 @@
#!/bin/sh
# vim:ts=2:sw=2:et
set -e
case "$1" in
configure)
invoke-rc.d freeradius restart
;;
esac
exit 0


@ -1,28 +0,0 @@
class DbRouter(object):
"""
A router to control all database operations on models in the
auth application.
"""
def db_for_read(self, model, **hints):
"""
Attempts to read remote models go to local database.
"""
return 'local'
def db_for_write(self, model, **hints):
"""
Attempts to write remote models go to the remote database.
"""
return 'default'
def allow_relation(self, obj1, obj2, **hints):
"""
Allow relations involving the remote database
"""
return True
def allow_migrate(self, db, app_label, model_name=None, **hints):
"""
Allow migrations on the remote database
"""
return True


@ -1,87 +0,0 @@
# -*- mode: conf-unix; coding: utf-8 -*-
proxy server {
default_fallback = no
}
realm LOCAL {
}
realm NULL {
}
#Proxy FedeRez #####
realm AUROREFEDEREZ {
auth_pool = federez_radius_servers
# nostrip
}
home_server parangon_v4 {
type = auth
ipaddr = 185.230.78.47
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server parangon_v6 {
type = auth
ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server dodecagon_v4 {
type = auth
ipaddr = 195.154.165.76
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server dodecagon_v6 {
type = auth
ipaddr = 2001:bc8:273e::1
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool federez_radius_servers {
type = fail-over
home_server = parangon_v4
home_server = dodecagon_v4
home_server = dodecagon_v6
home_server = parangon_v6
}


@ -1,54 +0,0 @@
# -*- mode: conf-unix; coding: utf-8 -*-
proxy server {
default_fallback = no
}
realm LOCAL {
}
realm NULL {
}
#Proxy FedeRez #####
realm AUROREFEDEREZ {
auth_pool = aurore_central_radius_servers
# nostrip
}
home_server radius_aurore_v4 {
type = auth
ipaddr = 10.128.0.251
port = 1812
secret = {{ radius_secret_aurore }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server radius_aurore_v6 {
type = auth
ipaddr = 2a09:6840:128::251
port = 1812
secret = {{ radius_secret_aurore }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool aurore_central_radius_servers {
type = fail-over
home_server = radius_aurore_v4
home_server = radius_aurore_v6
}


@ -1,129 +0,0 @@
# coding: utf-8
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
# se veut agnostique au réseau considéré, de manière à être installable en
# quelques clics.
#
# Copyright © 2017 Gabriel Détraz
# Copyright © 2017 Goulven Kermarec
# Copyright © 2017 Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""re2o.settings_locale
The file with all the available options for a locale configuration of re2o
"""
from __future__ import unicode_literals
# A secret key used by the server.
SECRET_KEY = "{{ re2o_secret_key }}"
# The password to access the project database
DB_PASSWORD = "{{ re2o_db_password }}"
# AES key for secret key encryption.
# The length must be a multiple of 16
AES_KEY = "{{ re2o_aes_key }}"
# Should the server run in debug mode ?
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = False
# A list of admins of the services. Receive mails when an error occurs
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
# The list of hostname the server will respond to.
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
# The time zone the server is runned in
TIME_ZONE = 'Europe/Paris'
# The storage systems parameters to use
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o',
'PASSWORD': DB_PASSWORD,
'HOST': 're2o-db.adm.auro.re',
'TEST': {
'CHARSET': 'utf8',
'COLLATION': 'utf8_general_ci'
}
},
'local': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o_ro',
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
'HOST': 'localhost',
'TEST': {
'CHARSET': 'utf8',
'COLLATION': 'utf8_general_ci'
}
},
'ldap': {
'ENGINE': 'ldapdb.backends.ldap',
'NAME': 'ldap://10.128.0.21/',
'USER': 'cn=admin,dc=auro,dc=re',
'TLS': False,
'PASSWORD': '{{ ldap_admin_password }}',
}
}
# Security settings for secure https
# Activate once https is correctly configured
SECURE_CONTENT_TYPE_NOSNIFF = False
SECURE_BROWSER_XSS_FILTER = False
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
CSRF_COOKIE_HTTPONLY = False
X_FRAME_OPTIONS = 'DENY'
SESSION_COOKIE_AGE = 60 * 60 * 3
# The path where your organization logo is stored
LOGO_PATH = "static_files/logo.png"
# The mail configuration for Re2o to send mails
SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use
EMAIL_HOST = 'localhost' # The host to use
EMAIL_PORT = 25 # The port to use
# Settings of the LDAP structure
LDAP = {
'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
'user_gid': 100,
}
# A range of UID to use. Used in linux environement
UID_RANGES = {
'users': [21001, 30000],
'service-users': [20000, 21000],
}
# A range of GID to use. Used in linux environement
GID_RANGES = {
'posix': [501, 600],
}
# Some optionnal Re2o Apps
OPTIONNAL_APPS_RE2O = ()
# Some Django apps you want to add in you local project
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]


@ -1,239 +0,0 @@
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 083407596aa5074d665adac9606e7de655b634aa $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# IPv6 versions of the above - read their full config to understand options
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
}
server radius-wifi {
authorize {
rewrite_calling_station_id
if (User-Name =~ /^(.*)@(.*)/){
if (User-Name !~ /^(.*)@(.*)auro(.*)/){
update control{
Proxy-To-Realm := 'AUROREFEDEREZ'
}
}
if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
update request{
Stripped-User-Name := "%{1}"
}
}
}
filter_username
preprocess
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
exec
}
session {
}
post-auth {
update {
&reply: += &session-state:
}
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
server radius-filaire{
authorize{
re2o
expiration
logintime
pap
}
authenticate{
Auth-Type PAP{
pap
}
Auth-Type CHAP{
chap
}
Auth-Type MS-CHAP{
mschap
}
digest
eap
}
preacct{
preprocess
acct_unique
suffix
files
}
accounting{
}
session{
}
post-auth{
re2o
exec
}
pre-proxy{
}
post-proxy{
eap
}
}


@ -1,345 +0,0 @@
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
#
######################################################################
server inner-tunnel {
#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
update request{
Stripped-User-Name := "%{1}"
}
}
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username
re2o
#
# Do checks on outer / inner User-Name, so that users
# can't spoof us by using incompatible identities
#
# filter_inner_identity
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
# unix
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous", and a different one here
# (e.g. "user@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain
#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
&Proxy-To-Realm := LOCAL
}
#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}
#
# Read the 'users' file
#files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
#-sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# enable the "smbpasswd" module.
# smbpasswd
#
# The ldap module reads passwords from the LDAP database.
#-ldap
#
# Enforce daily limits on time spent logged in.
# daily
expiration
logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# For old names, too.
#
mschap
#
# Allow EAP authentication.
eap
}
######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
#
# Note that the last packet of the inner-tunnel authentication
# MAY NOT BE the last packet of the outer session. So updating
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
# exact functionality depends on both the inner and outer
# authentication methods.
#
# If you need to send a reply attribute in the outer session,
# the ONLY safe way is to set "use_tunneled_reply = yes", and
# then update the inner-tunnel reply.
post-auth {
re2o
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
#
# Let the outer session know which module failed, and why.
#
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
} # inner-tunnel server block