Diffstat (limited to 'files/usr/local/etc/raddb')
4 files changed, 221 insertions, 0 deletions
diff --git a/files/usr/local/etc/raddb/clients.conf.radius_server b/files/usr/local/etc/raddb/clients.conf.radius_server
new file mode 100644
index 0000000..033b059
--- /dev/null
+++ b/files/usr/local/etc/raddb/clients.conf.radius_server
@@ -0,0 +1,16 @@
+client icinga {
+ ipaddr = ${icinga_radius_cidr}
+ secret = ${icinga_radius_secret}
+}
+
+$(for client_name in $radius_clients; do
+ eval "client_address=\$radius_${client_name}_address"
+ eval "client_secret=\$radius_${client_name}_secret"
+ cat <<EOF
+client ${client_name} {
+ ipaddr = ${client_address}
+ secret = ${client_secret}
+}
+
+EOF
+done)
diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server
index 5c1aafd..789bc0e 100644
--- a/files/usr/local/etc/raddb/mods-available/eap.radius_server
+++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server
@@ -39,4 +39,12 @@ eap {
 tls {
 tls = tls-common
 }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = "inner-tunnel"
+ }
 }
diff --git a/files/usr/local/etc/raddb/mods-available/ldap.radius_server b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
new file mode 100644
index 0000000..09442f0
--- /dev/null
+++ b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
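Review bot: The two `eval "client_address=\$radius_${client_name}_address"` / `eval "client_secret=..."` lines in the generator loop run whatever text appears in `$radius_clients` as shell, so a client name containing anything outside `[A-Za-z0-9_]` would be executed rather than rejected, even though the names are presumably operator-supplied. A guard before the first `eval`, `case "$client_name" in *[!A-Za-z0-9_]*) echo "unsafe client name: $client_name" >&2; exit 1;; esac`, keeps the input within the variable-name alphabet the `eval` needs. The emitted `secret = ${client_secret}` (and `secret = ${icinga_radius_secret}` above it) is unquoted, so a secret containing whitespace or `#` would likely be truncated or rejected by the config parser; `secret = '${client_secret}'` passes through the unquoted heredoc unchanged and the parser then takes the value literally.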
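Review bot: The new `ttls` block sets `use_tunneled_reply = no` and `copy_request_to_tunnel = no` without saying how the inner reply reaches the outer Access-Accept; in this commit that is done by the inner-tunnel site's `update { &outer.session-state: += &reply: }`, so the two settings must stay `no` or attributes could be duplicated. A comment above `use_tunneled_reply = no` such as `# inner reply is exported via &outer.session-state in sites-available/inner-tunnel; keep both copy settings at 'no'` records that dependency. `virtual_server = "inner-tunnel"` also requires that site to be enabled, which the page does not show. The enclosing `eap {` block starts outside the hunk.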
@@ -0,0 +1,107 @@
+ldap {
+ $(printf " server = '%s'\n" ${ldap_hosts})
+
+ base_dn = '${users_basedn}'
+
+ sasl {
+ mech = 'GSSAPI'
+ realm = '${realm}'
+ }
+
+ update {
+ control:Password-With-Header += 'userPassword'
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ user_dn = "LDAP-UserDn"
+
+ user {
+ base_dn = "\${..base_dn}"
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+ }
+
+ group {
+ base_dn = '${groups_basedn}'
+ filter = '(objectClass=groupOfMembers)'
+ name_attribute = cn
+ membership_filter = "(member=%{control:\${..user_dn}})"
+ membership_attribute = 'memberOf'
+ cacheable_name = 'yes'
+ cacheable_dn = 'yes'
+ allow_dangling_group_ref = 'yes'
+ }
+
+ profile { }
+
+ client {
+ base_dn = "\${..base_dn}"
+ filter = '(objectClass=radiusClient)'
+
+ template { }
+
+ attribute {
+ ipaddr = 'radiusClientIdentifier'
+ secret = 'radiusClientSecret'
+ }
+ }
+
+ read_clients = no
+
+ accounting {
+ reference = "%{tolower:type.%{Acct-Status-Type}}"
+
+ type {
+ start {
+ update {
+ description := "Online at %S"
+ }
+ }
+
+ interim-update {
+ update {
+ description := "Last seen at %S"
+ }
+ }
+
+ stop {
+ update {
+ description := "Offline at %S"
+ }
+ }
+ }
+ }
+
+ post-auth {
+ update {
+ description := "Authenticated at %S"
+ }
+ }
+
+ options {
+ chase_referrals = yes
+ rebind = yes
+ res_timeout = 10
+ srv_timelimit = 3
+ net_timeout = 1
+ idle = 60
+ probes = 3
+ interval = 3
+ ldap_debug = 0x0000
+ }
+
+ tls { }
+
+ pool {
+ start = \${thread[pool].start_servers}
+ min = \${thread[pool].min_spare_servers}
+ max = \${thread[pool].max_servers}
+
+ spare = \${thread[pool].max_spare_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+}
diff --git a/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server b/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server
new file mode 100644
index 0000000..81b2a41
--- /dev/null
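Review bot: `tls { }` is left empty while the bind uses `sasl { mech = 'GSSAPI' }`, so whether searches against the servers in `${ldap_hosts}` are encrypted depends entirely on the security layer GSSAPI negotiates with each server, and nothing in the file says that this was the intended trade-off. A comment on the `tls { }` line such as `# transport protection relies on the GSSAPI security layer; set start_tls = yes here if the servers are plain ldap:// and do not enforce an SSF` would record the decision for whoever next changes `ldap_hosts`. The `client { ... }` subsection mapping `radiusClientIdentifier`/`radiusClientSecret` is inert because `read_clients = no` follows it; either drop the block or mark it `# unused until read_clients = yes; NAS clients currently come from clients.conf` so nobody assumes clients are loaded from the directory.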
+++ b/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server
@@ -0,0 +1,90 @@
+server inner-tunnel {
+ listen {
+ ipaddr = 127.0.0.1
+ port = 18120
+ type = auth
+ }
+
+ authorize {
+ filter_username
+ chap
+ suffix
+
+ update control {
+ &Proxy-To-Realm := LOCAL
+ }
+
+ eap {
+ ok = return
+ }
+
+ ldap
+ if (ok || updated) {
+ update {
+ control:Auth-Type := ldap
+ }
+ }
+
+ expiration
+ logintime
+ pap
+ }
+
+ authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ Auth-Type CHAP {
+ chap
+ }
+
+ Auth-Type LDAP {
+ ldap
+ }
+
+ eap
+ }
+
+ session {
+ radutmp
+ }
+
+
+ post-auth {
+ -sql
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Encryption-Policy !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
+
+ update {
+ &outer.session-state: += &reply:
+ }
+
+ Post-Auth-Type REJECT {
+ -sql
+ attr_filter.access_reject
+
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+
+ if (LDAP-Group != "${wifi_access_role}") {
+ reject
+ }
+ }
+
+ pre-proxy { }
+
+ post-proxy {
+ eap
+ }
+}
|
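Review bot: The `listen { ipaddr = 127.0.0.1 port = 18120 type = auth }` block exposes the inner-tunnel as a plain UDP authentication server on loopback, although the only path this commit needs is the `virtual_server = "inner-tunnel"` reference from the ttls block; a local process that matches a `client` entry (here only if `${icinga_radius_cidr}` happens to cover 127.0.0.1, which the page does not show) could then submit PAP requests that never pass through the TLS tunnel. Dropping the block, or keeping it with `# loopback listener for local debugging only; not used by EAP-TTLS, remove in production`, makes the intent explicit. The `if (LDAP-Group != "${wifi_access_role}") { reject }` check runs at the very end of post-auth, after `-sql` has already run and after the reply has been merged into `&outer.session-state:`; moving it into authorize directly after the `ldap` call, where `LDAP-UserDn` is already set, rejects users outside the role before any password is verified and before any post-auth processing happens for them.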