diff options
Diffstat (limited to 'roles/freeradius/templates/etc')
5 files changed, 336 insertions, 0 deletions
diff --git a/roles/freeradius/templates/etc/raddb/clients.conf.j2 b/roles/freeradius/templates/etc/raddb/clients.conf.j2 new file mode 100644 index 0000000..f6396e0 --- /dev/null +++ b/roles/freeradius/templates/etc/raddb/clients.conf.j2 @@ -0,0 +1,6 @@ +{% for client in freeradius_clients %} +client {{ client.name }} { + ipaddr = {{ client.address }} + secret = {{ client.secret }} +} +{% endfor %} diff --git a/roles/freeradius/templates/etc/raddb/mods-available/eap.j2 b/roles/freeradius/templates/etc/raddb/mods-available/eap.j2 new file mode 100644 index 0000000..5db0d1f --- /dev/null +++ b/roles/freeradius/templates/etc/raddb/mods-available/eap.j2 @@ -0,0 +1,54 @@ +eap { + default_eap_type = ttls + timer_expire = 60 + ignore_unknown_eap_types = yes + cisco_accounting_username_bug = no + max_sessions = ${max_requests} + + tls-config tls-common { + private_key_password = + private_key_file = {{ freeradius_certificate_key_path }} + certificate_file = {{ freeradius_certificate_path }} + ca_file = {{ freeradius_certificate_ca_path }} + auto_chain = no + ca_path = ${cadir} + cipher_list = "PROFILE=SYSTEM" + cipher_server_preference = no + tls_min_version = "1.2" + tls_max_version = "1.2" + ecdh_curve = "prime256v1" + + cache { + enable = yes + lifetime = 24 # hours + name = "EAP module" + persist_dir = "${db_dir}/tlscache" + store { + Tunnel-Private-Group-Id + } + } + + verify { + skip_if_ocsp_ok = yes + tmpdir = /var/run/radiusd/tmp + client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + ocsp { + enable = yes + override_cert_url = no + } + } + + tls { + tls = tls-common + } + + ttls { + tls = tls-common + default_eap_type = md5 + copy_request_to_tunnel = no + use_tunneled_reply = no + virtual_server = "inner-tunnel" + } +} diff --git a/roles/freeradius/templates/etc/raddb/mods-available/ldap.j2 b/roles/freeradius/templates/etc/raddb/mods-available/ldap.j2 new file mode 100644 index 0000000..85aede1 --- /dev/null +++ b/roles/freeradius/templates/etc/raddb/mods-available/ldap.j2 @@ -0,0 +1,113 @@ +ldap { +{% for server in freeradius_ldap_servers %} + server = '{{ server }}' +{% endfor %} + + base_dn = '{{ freeipa_user_basedn }}' + + sasl { + mech = 'GSSAPI' + realm = '{{ freeipa_realm }}' + } + + update { + control:Password-With-Header += 'userPassword' + control: += 'radiusControlAttribute' + request: += 'radiusRequestAttribute' + reply: += 'radiusReplyAttribute' + } + + user_dn = "LDAP-UserDn" + + user { + base_dn = "${..base_dn}" +{% raw %} + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" +{% endraw %} + } + + group { + base_dn = '{{ freeipa_group_basedn }}' + filter = '(objectClass=ipagroup)' + name_attribute = cn +{% raw %} + membership_filter = "(member=%{control:${..user_dn}})" +{% endraw %} + membership_attribute = 'memberOf' + cacheable_name = 'yes' + cacheable_dn = 'yes' + allow_dangling_group_ref = 'yes' + } + + profile { } + + client { + base_dn = "${..base_dn}" + filter = '(objectClass=radiusClient)' + + template { } + + attribute { + ipaddr = 'radiusClientIdentifier' + secret = 'radiusClientSecret' + } + } + + read_clients = no + + accounting { + reference = "%{tolower:type.%{Acct-Status-Type}}" + + type { + start { + update { + description := "Online at %S" + } + } + + interim-update { + update { + description := "Last seen at %S" + } + } + + stop { + update { + description := "Offline at %S" + } + } + } + } + + post-auth { + update { + description := "Authenticated at %S" + } + } + + options { + chase_referrals = yes + rebind = yes + res_timeout = 10 + srv_timelimit = 3 + net_timeout = 1 + idle = 60 + probes = 3 + interval = 3 + ldap_debug = 0x0000 + } + + tls { } + + pool { + start = ${thread[pool].start_servers} + min = ${thread[pool].min_spare_servers} + max = ${thread[pool].max_servers} + + spare = ${thread[pool].max_spare_servers} + uses = 0 + retry_delay = 30 + lifetime = 0 + idle_timeout = 60 + } +} diff --git a/roles/freeradius/templates/etc/raddb/radiusd.conf.j2 b/roles/freeradius/templates/etc/raddb/radiusd.conf.j2 new file mode 100644 index 0000000..ad9b58f --- /dev/null +++ b/roles/freeradius/templates/etc/raddb/radiusd.conf.j2 @@ -0,0 +1,73 @@ +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = /usr/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +name = radiusd + +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +db_dir = ${localstatedir}/lib/radiusd +libdir = /usr/lib64/freeradius +pidfile = ${run_dir}/${name}.pid +correct_escapes = true +max_request_time = 30 +cleanup_delay = 5 +max_requests = 16384 +hostname_lookups = no +log { + destination = stdout + colourise = no + stripped_names = no + auth = yes + auth_badpass = no + auth_goodpass = no + msg_denied = "You are already logged in - access denied" +} + +checkrad = ${sbindir}/checkrad + +ENV { } + +security { + user = radiusd + group = radiusd + allow_core_dumps = no + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +proxy_requests = yes +$INCLUDE proxy.conf + +$INCLUDE clients.conf + +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 + auto_limit_acct = no +} + +modules { + $INCLUDE mods-enabled/ +} + +instantiate { } + +policy { + $INCLUDE policy.d/ +} + +$INCLUDE sites-enabled/ diff --git a/roles/freeradius/templates/etc/raddb/sites-available/inner-tunnel.j2 b/roles/freeradius/templates/etc/raddb/sites-available/inner-tunnel.j2 new file mode 100644 index 0000000..043349a --- /dev/null +++ b/roles/freeradius/templates/etc/raddb/sites-available/inner-tunnel.j2 @@ -0,0 +1,90 @@ +server inner-tunnel { + listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth + } + + authorize { + filter_username + chap + suffix + + update control { + &Proxy-To-Realm := LOCAL + } + + eap { + ok = return + } + + ldap + if (ok || updated) { + update { + control:Auth-Type := ldap + } + } + + expiration + logintime + pap + } + + authenticate { + Auth-Type PAP { + pap + } + + Auth-Type CHAP { + chap + } + + Auth-Type LDAP { + ldap + } + + eap + } + + session { + radutmp + } + + + post-auth { + -sql + update reply { + User-Name !* ANY + Message-Authenticator !* ANY + EAP-Message !* ANY + Proxy-State !* ANY + MS-MPPE-Encryption-Types !* ANY + MS-MPPE-Encryption-Policy !* ANY + MS-MPPE-Send-Key !* ANY + MS-MPPE-Recv-Key !* ANY + } + + update { + &outer.session-state: += &reply: + } + + Post-Auth-Type REJECT { + -sql + attr_filter.access_reject + + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } + + if (LDAP-Group != "{{ freeradius_access_group }}") { + reject + } + } + + pre-proxy { } + + post-proxy { + eap + } +} |