Diffstat (limited to 'roles/radius_server')
-rw-r--r--roles/radius_server/tasks/main.yml77
-rw-r--r--roles/radius_server/templates/clients.conf.j2268
-rw-r--r--roles/radius_server/templates/dictionary.client.j282
-rw-r--r--roles/radius_server/templates/dictionary.j2244
-rw-r--r--roles/radius_server/templates/dictionary.microsoft.j2 (renamed from roles/radius_server/templates/dictionary.server.j2)0
-rw-r--r--roles/radius_server/templates/radiusclient.conf.j282
-rw-r--r--roles/radius_server/templates/radiusd.conf.j2408
-rw-r--r--roles/radius_server/templates/sql.j2265
8 files changed, 987 insertions, 439 deletions
diff --git a/roles/radius_server/tasks/main.yml b/roles/radius_server/tasks/main.yml
index aac9059..56f7749 100644
--- a/roles/radius_server/tasks/main.yml
+++ b/roles/radius_server/tasks/main.yml
@@ -19,11 +19,6 @@
src: "{{ role_path }}/../radius_rpm_files/log4cxx-0.10.0-16.el7.x86_64.rpm"
dest: "/tmp/"
-- name: "copy radiusclient-ng to destination server"
- synchronize:
- src: "{{ role_path }}/../radius_rpm_files/radiusclient-ng-0.5.6-9.el7.x86_64.rpm"
- dest: "/tmp/"
-
- name: "copy tncfhh to destination server"
synchronize:
src: "{{ role_path }}/../radius_rpm_files/tncfhh-0.8.3-16.el7.x86_64.rpm"
@@ -45,7 +40,6 @@
dest: "/tmp/"
-
- name: "install freeradius"
yum:
@@ -80,68 +74,89 @@
packages:
- /tmp/log4cxx-0.10.0-16.el7.x86_64.rpm
-- name: "install freeradius-utils"
+- name: "install tncfhh"
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- - /tmp/radiusclient-ng-0.5.6-9.el7.x86_64.rpm
+ - /tmp/tncfhh-0.8.3-16.el7.x86_64.rpm
-- name: "install freeradius-utils"
+- name: "install tncfhh"
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- - /tmp/
+ - /tmp/tncfhh-libs-0.8.3-16.el7.x86_64.rpm
-- name: "install freeradius-utils"
+- name: "install tncfhh-utils"
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- - /tmp/
+ - /tmp/tncfhh-utils-0.8.3-16.el7.x86_64.rpm
-- name: "install freeradius-utils"
+- name: "install xerces"
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- - /tmp/
-
-- name: "install freeradius-utils"
- yum:
- name: "{{ packages }}"
- state: present
- vars:
- packages:
- - /tmp/
+ - /tmp/xerces-c-3.1.1-10.el7_7.x86_64.rpm
+- name: "Template the radiusd config file"
+ template:
+ src: "{{ role_path }}/templates/radiusd.conf.j2"
+ dest: /etc/raddb/radiusd.conf
+ tags: template
-
+- name: "create symbolic link"
+ shell: ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
+ args:
+ executable: /bin/bash
+ tags: shell
+
+- name: "chgrp file para"
+ shell: chgrp -h radiusd /etc/raddb/mods-enabled/sql
+ args:
+ executable: /bin/bash
+ tags: shell
+
+- name: "Template the radiusd.conf file"
+ template:
+ src: "{{ role_path }}/templates/radiusd.conf.j2"
+ dest: /etc/raddb/radiusd.conf
+ tags: template
+- name: "Template the sql file"
+ template:
+ src: "{{ role_path }}/templates/sql.j2"
+ dest: /etc/raddb/mods-available/sql
+ tags: template
+
-- name: "Template the options.pptpd config file"
+- name: "Template the clients.conf file"
template:
- src: "{{ role_path }}/templates/options.pptpd.j2"
- dest: /etc/ppp/options.pptpd
+ src: "{{ role_path }}/templates/clients.conf.j2"
+ dest: /etc/raddb/clients.conf
tags: template
-- name: "Template the ip-up script file"
+
+- name: "Template the dictionary.microsoft file"
template:
- src: "{{ role_path }}/templates/ip-up.j2"
- dest: /etc/ppp/ip-up
+ src: "{{ role_path }}/templates/dictionary.microsoft.j2"
+ dest: /usr/share/freeradius/dictionary.microsoft
tags: template
-- name: "enable pptpd service"
+
+- name: "enable radiusd service"
systemd:
- name: pptpd
+ name: radiusd
enabled: yes
daemon_reload: yes
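Review bot: The `shell: ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/` task ("create symbolic link") is not idempotent — once the link exists a second run fails with "File exists" — and it and the following `chgrp -h` shell task collapse into one `file` task with `state: link` and `group: radiusd`. The `template` tasks that write radiusd.conf, the sql module and clients.conf set no `owner`/`group`/`mode`, so files carrying the SQL credentials and the client shared secrets are created with the remote umask; `group: radiusd` with `mode: "0640"` is the usual setting, and none of them notifies a radiusd restart, so a changed template only takes effect after a manual restart or reboot. Smaller points: radiusd.conf is templated twice ("Template the radiusd config file" and "Template the radiusd.conf file"), two tasks share the name "install tncfhh", and `enabled: yes` should be written `enabled: true`.
```yaml
- name: "Template the radiusd.conf file"
  template:
    src: "{{ role_path }}/templates/radiusd.conf.j2"
    dest: /etc/raddb/radiusd.conf
    owner: root
    group: radiusd
    mode: "0640"
  notify: restart radiusd  # handler to be added in handlers/main.yml
  tags: template

# … unchanged: sql and clients.conf template tasks (same owner/group/mode/notify) …

- name: "enable the sql module"
  file:
    src: /etc/raddb/mods-available/sql
    dest: /etc/raddb/mods-enabled/sql
    state: link
    group: radiusd
```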
diff --git a/roles/radius_server/templates/clients.conf.j2 b/roles/radius_server/templates/clients.conf.j2
new file mode 100644
index 0000000..3185b56
--- /dev/null
+++ b/roles/radius_server/templates/clients.conf.j2
@@ -0,0 +1,268 @@
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $
+
+#######################################################################
+#
+# Define RADIUS clients (usually a NAS, Access Point, etc.).
+
+#
+# Defines a RADIUS client.
+#
+# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
+# to allow testing of the server after an initial installation. If you
+# are not going to be permitting RADIUS queries from localhost, we suggest
+# that you delete, or comment out, this entry.
+#
+#
+
+#
+# Each client has a "short name" that is used to distinguish it from
+# other clients.
+#
+# In version 1.x, the string after the word "client" was the IP
+# address of the client. In 2.0, the IP address is configured via
+# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
+# format is still accepted.
+#
+client localhost {
+ # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
+ # a client.
+ #
+ # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
+ # notation '/<mask>' to specify ranges.
+ #
+ # ipaddr will accept domain names e.g. example.org resolving
+ # them via DNS.
+ #
+ # If both A and AAAA records are found, A records will be
+ # used in preference to AAAA.
+# ipaddr = 127.0.0.1
+ ipaddr = *
+ # Same as ipaddr but allows v4 addresses only. Requires A
+ # record for domain names.
+# ipv4addr = * # any. 127.0.0.1 == localhost
+
+ # Same as ipaddr but allows v6 addresses only. Requires AAAA
+ # record for domain names.
+# ipv6addr = :: # any. ::1 == localhost
+
+ #
+ # A note on DNS: We STRONGLY recommend using IP addresses
+ # rather than host names. Using host names means that the
+ # server will do DNS lookups when it starts, making it
+ # dependent on DNS. i.e. If anything goes wrong with DNS,
+ # the server won't start!
+ #
+ # The server also looks up the IP address from DNS once, and
+ # only once, when it starts. If the DNS record is later
+ # updated, the server WILL NOT see that update.
+ #
+
+ #
+ # The transport protocol.
+ #
+ # If unspecified, defaults to "udp", which is the traditional
+ # RADIUS transport. It may also be "tcp", in which case the
+ # server will accept connections from this client ONLY over TCP.
+ #
+ proto = *
+
+ #
+ # The shared secret use to "encrypt" and "sign" packets between
+ # the NAS and FreeRADIUS. You MUST change this secret from the
+ # default, otherwise it's not a secret any more!
+ #
+ # The secret can be any string, up to 8k characters in length.
+ #
+ # Control codes can be entered vi octal encoding,
+ # e.g. "\101\102" == "AB"
+ # Quotation marks can be entered by escaping them,
+ # e.g. "foo\"bar"
+ #
+ # A note on security: The security of the RADIUS protocol
+ # depends COMPLETELY on this secret! We recommend using a
+ # shared secret that is composed of:
+ #
+ # upper case letters
+ # lower case letters
+ # numbers
+ #
+ # And is at LEAST 8 characters long, preferably 16 characters in
+ # length. The secret MUST be random, and should not be words,
+ # phrase, or anything else that is recognisable.
+ #
+ # The default secret below is only for testing, and should
+ # not be used in any real environment.
+ #
+ secret = testing123
+
+ #
+ # Old-style clients do not send a Message-Authenticator
+ # in an Access-Request. RFC 5080 suggests that all clients
+ # SHOULD include it in an Access-Request. The configuration
+ # item below allows the server to require it. If a client
+ # is required to include a Message-Authenticator and it does
+ # not, then the packet will be silently discarded.
+ #
+ # allowed values: yes, no
+ require_message_authenticator = no
+
+ #
+ # The short name is used as an alias for the fully qualified
+ # domain name, or the IP address.
+ #
+ # It is accepted for compatibility with 1.x, but it is no
+ # longer necessary in >= 2.0
+ #
+# shortname = localhost
+
+ #
+ # the following three fields are optional, but may be used by
+ # checkrad.pl for simultaneous use checks
+ #
+
+ #
+ # The nas_type tells 'checkrad.pl' which NAS-specific method to
+ # use to query the NAS for simultaneous use.
+ #
+ # Permitted NAS types are:
+ #
+ # cisco
+ # computone
+ # livingston
+ # juniper
+ # max40xx
+ # multitech
+ # netserver
+ # pathras
+ # patton
+ # portslave
+ # tc
+ # usrhiper
+ # other # for all other types
+
+ #
+ nas_type = other # localhost isn't usually a NAS...
+
+ #
+ # The following two configurations are for future use.
+ # The 'naspasswd' file is currently used to store the NAS
+ # login name and password, which is used by checkrad.pl
+ # when querying the NAS for simultaneous use.
+ #
+# login = !root
+# password = someadminpas
+
+ #
+ # As of 2.0, clients can also be tied to a virtual server.
+ # This is done by setting the "virtual_server" configuration
+ # item, as in the example below.
+ #
+# virtual_server = home1
+
+ #
+ # A pointer to the "home_server_pool" OR a "home_server"
+ # section that contains the CoA configuration for this
+ # client. For an example of a coa home server or pool,
+ # see raddb/sites-available/originate-coa
+# coa_server = coa
+
+ #
+ # Response window for proxied packets. If non-zero,
+ # then the lower of (home, client) response_window
+ # will be used.
+ #
+ # i.e. it can be used to lower the response_window
+ # packets from one client to a home server. It cannot
+ # be used to raise the response_window.
+ #
+# response_window = 10.0
+
+ #
+ # Connection limiting for clients using "proto = tcp".
+ #
+ # This section is ignored for clients sending UDP traffic
+ #
+ limit {
+ #
+ # Limit the number of simultaneous TCP connections from a client
+ #
+ # The default is 16.
+ # Setting this to 0 means "no limit"
+ max_connections = 16
+
+ # The per-socket "max_requests" option does not exist.
+
+ #
+ # The lifetime, in seconds, of a TCP connection. After
+ # this lifetime, the connection will be closed.
+ #
+ # Setting this to 0 means "forever".
+ lifetime = 0
+
+ #
+ # The idle timeout, in seconds, of a TCP connection.
+ # If no packets have been received over the connection for
+ # this time, the connection will be closed.
+ #
+ # Setting this to 0 means "no timeout".
+ #
+ # We STRONGLY RECOMMEND that you set an idle timeout.
+ #
+ idle_timeout = 30
+ }
+}
+
+# IPv6 Client
+client localhost_ipv6 {
+ ipv6addr = ::1
+ secret = testing123
+}
+
+# All IPv6 Site-local clients
+#client sitelocal_ipv6 {
+# ipv6addr = fe80::/16
+# secret = testing123
+#}
+
+#client example.org {
+# ipaddr = radius.example.org
+# secret = testing123
+#}
+
+#
+# You can now specify one secret for a network of clients.
+# When a client request comes in, the BEST match is chosen.
+# i.e. The entry from the smallest possible network.
+#
+#client private-network-1 {
+# ipaddr = 192.0.2.0/24
+# secret = testing123-1
+#}
+
+#client private-network-2 {
+# ipaddr = 198.51.100.0/24
+# secret = testing123-2
+#}
+
+#######################################################################
+#
+# Per-socket client lists. The configuration entries are exactly
+# the same as above, but they are nested inside of a section.
+#
+# You can have as many per-socket client lists as you have "listen"
+# sections, or you can re-use a list among multiple "listen" sections.
+#
+# Un-comment this section, and edit a "listen" section to add:
+# "clients = per_socket_clients". That IP address/port combination
+# will then accept ONLY the clients listed in this section.
+#
+#clients per_socket_clients {
+# client socket_client {
+# ipaddr = 192.0.2.4
+# secret = testing123
+# }
+#}
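Review bot: `client localhost` is configured with `ipaddr = *` and `secret = testing123`, so every host that can reach the server is accepted as a RADIUS client using the upstream default secret that the surrounding comment itself says must be changed, and `proto = *` appears to extend that to TCP as well. The `.j2` file contains no Jinja expression, so the secret is a committed literal rather than a vaulted variable. Restrict the block to `ipaddr = 127.0.0.1` and set `secret = "{{ radius_localhost_secret }}"` with the value supplied from Ansible Vault, then add one `client` block per real NAS address with its own secret; the `localhost_ipv6` block near the end repeats the same literal and needs the same treatment. Enabling `require_message_authenticator = yes` is also worth considering so that Access-Requests without a Message-Authenticator are discarded.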
diff --git a/roles/radius_server/templates/dictionary.client.j2 b/roles/radius_server/templates/dictionary.client.j2
deleted file mode 100644
index 831cf8c..0000000
--- a/roles/radius_server/templates/dictionary.client.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-#
-# Microsoft's VSA's, from RFC 2548
-#
-# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
-#
-
-VENDOR Microsoft 311 Microsoft
-
-BEGIN VENDOR Microsoft
-ATTRIBUTE MS-CHAP-Response 1 string Microsoft
-ATTRIBUTE MS-CHAP-Error 2 string Microsoft
-ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
-ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
-ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
-ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
-ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
-# This is referred to as both singular and plural in the RFC.
-# Plural seems to make more sense.
-ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
-ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
-ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
-ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
-ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
-ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
-ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
-ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
-ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
-ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
-ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
-ATTRIBUTE MS-RAS-Version 18 string Microsoft
-ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
-ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
-ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
-
-ATTRIBUTE MS-Filter 22 string Microsoft
-ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
-ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
-
-ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
-ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
-ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
-
-ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
-ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
-ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr
-ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr
-
-#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
-
-#
-# Integer Translations
-#
-
-# MS-BAP-Usage Values
-
-VALUE MS-BAP-Usage Not-Allowed 0
-VALUE MS-BAP-Usage Allowed 1
-VALUE MS-BAP-Usage Required 2
-
-# MS-ARAP-Password-Change-Reason Values
-
-VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
-VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
-VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
-VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
-
-# MS-Acct-Auth-Type Values
-
-VALUE MS-Acct-Auth-Type PAP 1
-VALUE MS-Acct-Auth-Type CHAP 2
-VALUE MS-Acct-Auth-Type MS-CHAP-1 3
-VALUE MS-Acct-Auth-Type MS-CHAP-2 4
-VALUE MS-Acct-Auth-Type EAP 5
-
-# MS-Acct-EAP-Type Values
-
-VALUE MS-Acct-EAP-Type MD5 4
-VALUE MS-Acct-EAP-Type OTP 5
-VALUE MS-Acct-EAP-Type Generic-Token-Card 6
-VALUE MS-Acct-EAP-Type TLS 13
-
-END-VENDOR Microsoft
diff --git a/roles/radius_server/templates/dictionary.j2 b/roles/radius_server/templates/dictionary.j2
deleted file mode 100644
index 83fbbe7..0000000
--- a/roles/radius_server/templates/dictionary.j2
+++ /dev/null
@@ -1,244 +0,0 @@
-#
-# Updated 97/06/13 to livingston-radius-2.01 [email protected]
-#
-# This file contains dictionary translations for parsing
-# requests and generating responses. All transactions are
-# composed of Attribute/Value Pairs. The value of each attribute
-# is specified as one of 4 data types. Valid data types are:
-#
-# string - 0-253 octets
-# ipaddr - 4 octets in network byte order
-# integer - 32 bit value in big endian order (high byte first)
-# date - 32 bit value in big endian order - seconds since
-# 00:00:00 GMT, Jan. 1, 1970
-#
-# Enumerated values are stored in the user file with dictionary
-# VALUE translations for easy administration.
-#
-# Example:
-#
-# ATTRIBUTE VALUE
-# --------------- -----
-# Framed-Protocol = PPP
-# 7 = 1 (integer encoding)
-#
-
-#
-# Following are the proper new names. Use these.
-#
-ATTRIBUTE User-Name 1 string
-ATTRIBUTE Password 2 string
-ATTRIBUTE CHAP-Password 3 string
-ATTRIBUTE NAS-IP-Address 4 ipaddr
-ATTRIBUTE NAS-Port-Id 5 integer
-ATTRIBUTE Service-Type 6 integer
-ATTRIBUTE Framed-Protocol 7 integer
-ATTRIBUTE Framed-IP-Address 8 ipaddr
-ATTRIBUTE Framed-IP-Netmask 9 ipaddr
-ATTRIBUTE Framed-Routing 10 integer
-ATTRIBUTE Filter-Id 11 string
-ATTRIBUTE Framed-MTU 12 integer
-ATTRIBUTE Framed-Compression 13 integer
-ATTRIBUTE Login-IP-Host 14 ipaddr
-ATTRIBUTE Login-Service 15 integer
-ATTRIBUTE Login-TCP-Port 16 integer
-ATTRIBUTE Reply-Message 18 string
-ATTRIBUTE Callback-Number 19 string
-ATTRIBUTE Callback-Id 20 string
-ATTRIBUTE Framed-Route 22 string
-ATTRIBUTE Framed-IPX-Network 23 ipaddr
-ATTRIBUTE State 24 string
-ATTRIBUTE Class 25 string
-ATTRIBUTE Vendor-Specific 26 string
-ATTRIBUTE Session-Timeout 27 integer
-ATTRIBUTE Idle-Timeout 28 integer
-ATTRIBUTE Termination-Action 29 integer
-ATTRIBUTE Called-Station-Id 30 string
-ATTRIBUTE Calling-Station-Id 31 string
-ATTRIBUTE NAS-Identifier 32 string
-ATTRIBUTE Proxy-State 33 string
-ATTRIBUTE Login-LAT-Service 34 string
-ATTRIBUTE Login-LAT-Node 35 string
-ATTRIBUTE Login-LAT-Group 36 string
-ATTRIBUTE Framed-AppleTalk-Link 37 integer
-ATTRIBUTE Framed-AppleTalk-Network 38 integer
-ATTRIBUTE Framed-AppleTalk-Zone 39 string
-ATTRIBUTE Acct-Status-Type 40 integer
-ATTRIBUTE Acct-Delay-Time 41 integer
-ATTRIBUTE Acct-Input-Octets 42 integer
-ATTRIBUTE Acct-Output-Octets 43 integer
-ATTRIBUTE Acct-Session-Id 44 string
-ATTRIBUTE Acct-Authentic 45 integer
-ATTRIBUTE Acct-Session-Time 46 integer
-ATTRIBUTE Acct-Input-Packets 47 integer
-ATTRIBUTE Acct-Output-Packets 48 integer
-ATTRIBUTE Acct-Terminate-Cause 49 integer
-ATTRIBUTE Acct-Multi-Session-Id 50 string
-ATTRIBUTE Acct-Link-Count 51 integer
-ATTRIBUTE Event-Timestamp 55 integer
-ATTRIBUTE CHAP-Challenge 60 string
-ATTRIBUTE NAS-Port-Type 61 integer
-ATTRIBUTE Port-Limit 62 integer
-ATTRIBUTE Login-LAT-Port 63 integer
-ATTRIBUTE Connect-Info 77 string
-
-#
-# RFC3162 IPv6 attributes
-#
-ATTRIBUTE NAS-IPv6-Address 95 string
-ATTRIBUTE Framed-Interface-Id 96 string
-ATTRIBUTE Framed-IPv6-Prefix 97 string
-ATTRIBUTE Login-IPv6-Host 98 string
-ATTRIBUTE Framed-IPv6-Route 99 string
-ATTRIBUTE Framed-IPv6-Pool 100 string
-
-#
-# Experimental Non Protocol Attributes used by Cistron-Radiusd
-#
-ATTRIBUTE Huntgroup-Name 221 string
-ATTRIBUTE User-Category 1029 string
-ATTRIBUTE Group-Name 1030 string
-ATTRIBUTE Simultaneous-Use 1034 integer
-ATTRIBUTE Strip-User-Name 1035 integer
-ATTRIBUTE Fall-Through 1036 integer
-ATTRIBUTE Add-Port-To-IP-Address 1037 integer
-ATTRIBUTE Exec-Program 1038 string
-ATTRIBUTE Exec-Program-Wait 1039 string
-ATTRIBUTE Hint 1040 string
-
-#
-# Non-Protocol Attributes
-# These attributes are used internally by the server
-#
-ATTRIBUTE Expiration 21 date
-ATTRIBUTE Auth-Type 1000 integer
-ATTRIBUTE Menu 1001 string
-ATTRIBUTE Termination-Menu 1002 string
-ATTRIBUTE Prefix 1003 string
-ATTRIBUTE Suffix 1004 string
-ATTRIBUTE Group 1005 string
-ATTRIBUTE Crypt-Password 1006 string
-ATTRIBUTE Connect-Rate 1007 integer
-
-ATTRIBUTE Acct-Interim-Interval 85 integer
-
-#
-# Integer Translations
-#
-
-# User Types
-
-VALUE Service-Type Login-User 1
-VALUE Service-Type Framed-User 2
-VALUE Service-Type Callback-Login-User 3
-VALUE Service-Type Callback-Framed-User 4
-VALUE Service-Type Outbound-User 5
-VALUE Service-Type Administrative-User 6
-VALUE Service-Type NAS-Prompt-User 7
-
-# Framed Protocols
-
-VALUE Framed-Protocol PPP 1
-VALUE Framed-Protocol SLIP 2
-
-# Framed Routing Values
-
-VALUE Framed-Routing None 0
-VALUE Framed-Routing Broadcast 1
-VALUE Framed-Routing Listen 2
-VALUE Framed-Routing Broadcast-Listen 3
-
-# Framed Compression Types
-
-VALUE Framed-Compression None 0
-VALUE Framed-Compression Van-Jacobson-TCP-IP 1
-
-# Login Services
-
-VALUE Login-Service Telnet 0
-VALUE Login-Service Rlogin 1
-VALUE Login-Service TCP-Clear 2
-VALUE Login-Service PortMaster 3
-
-# Status Types
-
-VALUE Acct-Status-Type Start 1
-VALUE Acct-Status-Type Stop 2
-VALUE Acct-Status-Type Alive 3
-VALUE Acct-Status-Type Accounting-On 7
-VALUE Acct-Status-Type Accounting-Off 8
-
-# Authentication Types
-
-VALUE Acct-Authentic RADIUS 1
-VALUE Acct-Authentic Local 2
-VALUE Acct-Authentic PowerLink128 100
-
-# Termination Options
-
-VALUE Termination-Action Default 0
-VALUE Termination-Action RADIUS-Request 1
-
-# NAS Port Types, available in 3.3.1 and later
-
-VALUE NAS-Port-Type Async 0
-VALUE NAS-Port-Type Sync 1
-VALUE NAS-Port-Type ISDN 2
-VALUE NAS-Port-Type ISDN-V120 3
-VALUE NAS-Port-Type ISDN-V110 4
-
-# Acct Terminate Causes, available in 3.3.2 and later
-
-VALUE Acct-Terminate-Cause User-Request 1
-VALUE Acct-Terminate-Cause Lost-Carrier 2
-VALUE Acct-Terminate-Cause Lost-Service 3
-VALUE Acct-Terminate-Cause Idle-Timeout 4
-VALUE Acct-Terminate-Cause Session-Timeout 5
-VALUE Acct-Terminate-Cause Admin-Reset 6
-VALUE Acct-Terminate-Cause Admin-Reboot 7
-VALUE Acct-Terminate-Cause Port-Error 8
-VALUE Acct-Terminate-Cause NAS-Error 9
-VALUE Acct-Terminate-Cause NAS-Request 10
-VALUE Acct-Terminate-Cause NAS-Reboot 11
-VALUE Acct-Terminate-Cause Port-Unneeded 12
-VALUE Acct-Terminate-Cause Port-Preempted 13
-VALUE Acct-Terminate-Cause Port-Suspended 14
-VALUE Acct-Terminate-Cause Service-Unavailable 15
-VALUE Acct-Terminate-Cause Callback 16
-VALUE Acct-Terminate-Cause User-Error 17
-VALUE Acct-Terminate-Cause Host-Request 18
-
-#
-# Non-Protocol Integer Translations
-#
-
-VALUE Auth-Type Local 0
-VALUE Auth-Type System 1
-VALUE Auth-Type SecurID 2
-VALUE Auth-Type Crypt-Local 3
-VALUE Auth-Type Reject 4
-
-#
-# Cistron extensions
-#
-VALUE Auth-Type Pam 253
-VALUE Auth-Type Accept 254
-
-#
-# Experimental Non-Protocol Integer Translations for Cistron-Radiusd
-#
-VALUE Fall-Through No 0
-VALUE Fall-Through Yes 1
-VALUE Add-Port-To-IP-Address No 0
-VALUE Add-Port-To-IP-Address Yes 1
-
-#
-# Configuration Values
-# uncomment these two lines to turn account expiration on
-#
-
-#VALUE Server-Config Password-Expiration 30
-#VALUE Server-Config Password-Warning 5
-
-INCLUDE /usr/share/radiusclient-ng/dictionary.merit
-INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
diff --git a/roles/radius_server/templates/dictionary.server.j2 b/roles/radius_server/templates/dictionary.microsoft.j2
index 1c7816a..1c7816a 100644
--- a/roles/radius_server/templates/dictionary.server.j2
+++ b/roles/radius_server/templates/dictionary.microsoft.j2
diff --git a/roles/radius_server/templates/radiusclient.conf.j2 b/roles/radius_server/templates/radiusclient.conf.j2
deleted file mode 100644
index a63f445..0000000
--- a/roles/radius_server/templates/radiusclient.conf.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-# General settings
-
-# specify which authentication comes first respectively which
-# authentication is used. possible values are: "radius" and "local".
-# if you specify "radius,local" then the RADIUS server is asked
-# first then the local one. if only one keyword is specified only
-# this server is asked.
-auth_order radius,local
-
-# maximum login tries a user has
-login_tries 4
-
-# timeout for all login tries
-# if this time is exceeded the user is kicked out
-login_timeout 60
-
-# name of the nologin file which when it exists disables logins.
-# it may be extended by the ttyname which will result in
-# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
-# logins on /dev/ttyS2)
-nologin /etc/nologin
-
-# name of the issue file. it's only display when no username is passed
-# on the radlogin command line
-issue /etc/radiusclient-ng/issue
-
-# RADIUS settings
-
-# RADIUS server to use for authentication requests. this config
-# item can appear more then one time. if multiple servers are
-# defined they are tried in a round robin fashion if one
-# server is not answering.
-# optionally you can specify a the port number on which is remote
-# RADIUS listens separated by a colon from the hostname. if
-# no port is specified /etc/services is consulted of the radius
-# service. if this fails also a compiled in default is used.
-#authserver localhost
-authserver 192.168.44.4
-
-# RADIUS server to use for accouting requests. All that I
-# said for authserver applies, too.
-#acctserver localhost
-acctserver 192.168.44.4
-
-# file holding shared secrets used for the communication
-# between the RADIUS client and server
-servers /etc/radiusclient-ng/servers
-
-# dictionary of allowed attributes and values
-# just like in the normal RADIUS distributions
-dictionary /usr/share/radiusclient-ng/dictionary
-
-# program to call for a RADIUS authenticated login
-login_radius /usr/sbin/login.radius
-
-# file which holds sequence number for communication with the
-# RADIUS server
-seqfile /var/run/radius.seq
-
-# file which specifies mapping between ttyname and NAS-Port attribute
-mapfile /etc/radiusclient-ng/port-id-map
-
-# default authentication realm to append to all usernames if no
-# realm was explicitly specified by the user
-# the radiusd directly form Livingston doesnt use any realms, so leave
-# it blank then
-default_realm
-
-# time to wait for a reply from the RADIUS server
-radius_timeout 10
-
-# resend request this many times before trying the next server
-radius_retries 3
-
-# local address from which radius packets have to be sent
-#bindaddr *
-
-# LOCAL settings
-
-# program to execute for local login
-# it must support the -f flag for preauthenticated login
-login_local /bin/login
diff --git a/roles/radius_server/templates/radiusd.conf.j2 b/roles/radius_server/templates/radiusd.conf.j2
new file mode 100644
index 0000000..dc58473
--- /dev/null
+++ b/roles/radius_server/templates/radiusd.conf.j2
@@ -0,0 +1,408 @@
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+name = radiusd
+
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${localstatedir}/lib/radiusd
+
+
+libdir = /usr/lib64/freeradius
+
+
+pidfile = ${run_dir}/${name}.pid
+
+
+correct_escapes = true
+
+max_request_time = 30
+
+
+cleanup_delay = 5
+
+
+max_requests = 16384
+
+
+hostname_lookups = no
+
+log {
+
+ destination = files
+
+ #
+ colourise = yes
+
+ NOT used.
+ #
+ file = ${logdir}/radius.log
+
+
+ syslog_facility = daemon
+
+ # Log the full User-Name attribute, as it was found in the request.
+ #
+ # allowed values: {no, yes}
+ #
+ stripped_names = no
+
+ # Log authentication requests to the log file.
+ #
+ # allowed values: {no, yes}
+ #
+ auth = yes
+
+ # Log passwords with the authentication requests.
+ # auth_badpass - logs password if it's rejected
+ # auth_goodpass - logs password if it's correct
+ #
+ # allowed values: {no, yes}
+ #
+ auth_badpass = yes
+ auth_goodpass = yes
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+
+ # The message when the user exceeds the Simultaneous-Use limit.
+ #
+ msg_denied = "You are already logged in - access denied"
+}
+
+checkrad = ${sbindir}/checkrad
+
+security {
+ # chroot: directory where the server does "chroot".
+ #
+ # The chroot is done very early in the process of starting
+ # the server. After the chroot has been performed it
+ # switches to the "user" listed below (which MUST be
+ # specified). If "group" is specified, it switches to that
+ # group, too. Any other groups listed for the specified
+ # "user" in "/etc/group" are also added as part of this
+ # process.
+ #
+ # The current working directory (chdir / cd) is left
+ # *outside* of the chroot until all of the modules have been
+ # initialized. This allows the "raddb" directory to be left
+ # outside of the chroot. Once the modules have been
+ # initialized, it does a "chdir" to ${logdir}. This means
+ # that it should be impossible to break out of the chroot.
+ #
+ # If you are worried about security issues related to this
+ # use of chdir, then simply ensure that the "raddb" directory
+ # is inside of the chroot, end be sure to do "cd raddb"
+ # BEFORE starting the server.
+ #
+ # If the server is statically linked, then the only files
+ # that have to exist in the chroot are ${run_dir} and
+ # ${logdir}. If you do the "cd raddb" as discussed above,
+ # then the "raddb" directory has to be inside of the chroot
+ # directory, too.
+ #
+# chroot = /path/to/chroot/directory
+
+ # user/group: The name (or #number) of the user/group to run radiusd as.
+ #
+ # If these are commented out, the server will run as the
+ # user/group that started it. In order to change to a
+ # different user/group, you MUST be root ( or have root
+ # privileges ) to start the server.
+ #
+ # We STRONGLY recommend that you run the server with as few
+ # permissions as possible. That is, if you're not using
+ # shadow passwords, the user and group items below should be
+ # set to radius'.
+ #
+ # NOTE that some kernels refuse to setgid(group) when the
+ # value of (unsigned)group is above 60000; don't use group
+ # "nobody" on these systems!
+ #
+ # On systems with shadow passwords, you might have to set
+ # 'group = shadow' for the server to be able to read the
+ # shadow password file. If you can authenticate users while
+ # in debug mode, but not in daemon mode, it may be that the
+ # debugging mode server is running as a user that can read
+ # the shadow info, and the user listed below can not.
+ #
+ # The server will also try to use "initgroups" to read
+ # /etc/groups. It will join all groups where "user" is a
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+ user = radiusd
+ group = radiusd
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+ #
+ # allowed values: {no, yes}
+ #
+ allow_core_dumps = no
+
+ #
+ # max_attributes: The maximum number of attributes
+ # permitted in a RADIUS packet. Packets which have MORE
+ # than this number of attributes in them will be dropped.
+ #
+ # If this number is set too low, then no RADIUS packets
+ # will be accepted.
+ #
+ # If this number is set too high, then an attacker may be
+ # able to send a small number of packets which will cause
+ # the server to use all available memory on the machine.
+ #
+ # Setting this number to 0 means "allow any number of attributes"
+ max_attributes = 200
+
+ #
+ # reject_delay: When sending an Access-Reject, it can be
+ # delayed for a few seconds. This may help slow down a DoS
+ # attack. It also helps to slow down people trying to brute-force
+ # crack a users password.
+ #
+ # Setting this number to 0 means "send rejects immediately"
+ #
+ # If this number is set higher than 'cleanup_delay', then the
+ # rejects will be sent at 'cleanup_delay' time, when the request
+ # is deleted from the internal cache of requests.
+ #
+ # As of Version 3.0.5, "reject_delay" has sub-second resolution.
+ # e.g. "reject_delay = 1.4" seconds is possible.
+ #
+ # Useful ranges: 1 to 5
+ reject_delay = 1
+
+ #
+ # status_server: Whether or not the server will respond
+ # to Status-Server requests.
+ #
+ # When sent a Status-Server message, the server responds with
+ # an Access-Accept or Accounting-Response packet.
+ #
+ # This is mainly useful for administrators who want to "ping"
+ # the server, without adding test users, or creating fake
+ # accounting packets.
+ #
+ # It's also useful when a NAS marks a RADIUS server "dead".
+ # The NAS can periodically "ping" the server with a Status-Server
+ # packet. If the server responds, it must be alive, and the
+ # NAS can start using it for real requests.
+ #
+ # See also raddb/sites-available/status
+ #
+ status_server = yes
+
+
+}
+
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+
+$INCLUDE clients.conf
+
+
+thread pool {
+ # Number of servers to start initially --- should be a reasonable
+ # ballpark figure.
+ start_servers = 5
+
+ # Limit on the total number of servers running.
+ #
+ # If this limit is ever reached, clients will be LOCKED OUT, so it
+ # should NOT BE SET TOO LOW. It is intended mainly as a brake to
+ # keep a runaway server from taking the system with it as it spirals
+ # down...
+ #
+ # You may find that the server is regularly reaching the
+ # 'max_servers' number of threads, and that increasing
+ # 'max_servers' doesn't seem to make much difference.
+ #
+ # If this is the case, then the problem is MOST LIKELY that
+ # your back-end databases are taking too long to respond, and
+ # are preventing the server from responding in a timely manner.
+ #
+ # The solution is NOT do keep increasing the 'max_servers'
+ # value, but instead to fix the underlying cause of the
+ # problem: slow database, or 'hostname_lookups=yes'.
+ #
+ # For more information, see 'max_request_time', above.
+ #
+ max_servers = 32
+
+ # Server-pool size regulation. Rather than making you guess
+ # how many servers you need, FreeRADIUS dynamically adapts to
+ # the load it sees, that is, it tries to maintain enough
+ # servers to handle the current load, plus a few spare
+ # servers to handle transient load spikes.
+ #
+ # It does this by periodically checking how many servers are
+ # waiting for a request. If there are fewer than
+ # min_spare_servers, it creates a new spare. If there are
+ # more than max_spare_servers, some of the spares die off.
+ # The default values are probably OK for most sites.
+ #
+ min_spare_servers = 3
+ max_spare_servers = 10
+
+ # When the server receives a packet, it places it onto an
+ # internal queue, where the worker threads (configured above)
+ # pick it up for processing. The maximum size of that queue
+ # is given here.
+ #
+ # When the queue is full, any new packets will be silently
+ # discarded.
+ #
+ # The most common cause of the queue being full is that the
+ # server is dependent on a slow database, and it has received
+ # a large "spike" of traffic. When that happens, there is
+ # very little you can do other than make sure the server
+ # receives less traffic, or make sure that the database can
+ # handle the load.
+ #
+# max_queue_size = 65536
+
+ # There may be memory leaks or resource allocation problems with
+ # the server. If so, set this value to 300 or so, so that the
+ # resources will be cleaned up periodically.
+ #
+ # This should only be necessary if there are serious bugs in the
+ # server which have not yet been fixed.
+ #
+ # '0' is a special value meaning 'infinity', or 'the servers never
+ # exit'
+ max_requests_per_server = 0
+
+ # Automatically limit the number of accounting requests.
+ # This configuration item tracks how many requests per second
+ # the server can handle. It does this by tracking the
+ # packets/s received by the server for processing, and
+ # comparing that to the packets/s handled by the child
+ # threads.
+ #
+
+ # If the received PPS is larger than the processed PPS, *and*
+ # the queue is more than half full, then new accounting
+ # requests are probabilistically discarded. This lowers the
+ # number of packets that the server needs to process. Over
+ # time, the server will "catch up" with the traffic.
+ #
+ # Throwing away accounting packets is usually safe and low
+ # impact. The NAS will retransmit them in a few seconds, or
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
+ # to see how accounting packets should be retransmitted. Using
+ # any other method is likely to cause network meltdowns.
+ #
+ auto_limit_acct = no
+}
+
+
+modules {
+ #
+ # Each module has a configuration as follows:
+ #
+ # name [ instance ] {
+ # config_item = value
+ # ...
+ # }
+ #
+ # The 'name' is used to load the 'rlm_name' library
+ # which implements the functionality of the module.
+ #
+ # The 'instance' is optional. To have two different instances
+ # of a module, it first must be referred to by 'name'.
+ # The different copies of the module are then created by
+ # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+ #
+ # The instance names can then be used in later configuration
+ # INSTEAD of the original 'name'. See the 'radutmp' configuration
+ # for an example.
+ #
+
+ #
+ # As of 3.0, modules are in mods-enabled/. Files matching
+ # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
+ # initialized ONLY if they are referenced in a processing
+ # section, such as authorize, authenticate, accounting,
+ # pre/post-proxy, etc.
+ #
+ $INCLUDE mods-enabled/
+}
+
+instantiate {
+ #
+ # We list the counter module here so that it registers
+ # the check_name attribute before any module which sets
+ # it
+# daily
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ # The "virtual" module defined here can also be used with
+ # dynamic expansions, under a few conditions:
+ #
+ # * The section is "redundant", or "load-balance", or
+ # "redundant-load-balance"
+ # * The section contains modules ONLY, and no sub-sections
+ # * all modules in the section are using the same rlm_
+ # driver, e.g. They are all sql, or all ldap, etc.
+ #
+ # When those conditions are satisfied, the server will
+ # automatically register a dynamic expansion, using the
+ # name of the "virtual" module. In the example below,
+ # it will be "redundant_sql". You can then use this expansion
+ # just like any other:
+ #
+ # update reply {
+ # Filter-Id := "%{redundant_sql: ... }"
+ # }
+ #
+ # In this example, the expansion is done via module "sql1",
+ # and if that expansion fails, using module "sql2".
+ #
+ # For best results, configure the "pool" subsection of the
+ # module so that "retry_delay" is non-zero. That will allow
+ # the redundant block to quickly ignore all "down" SQL
+ # databases. If instead we have "retry_delay = 0", then
+ # every time the redundant block is used, the server will try
+ # to open a connection to every "down" database, causing
+ # problems.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
+}
+
+policy {
+ $INCLUDE policy.d/
+}
+$INCLUDE sites-enabled/
+$INCLUDE /etc/raddb/mods-available/sql
+$INCLUDE /etc/raddb/mods-available/sqlippool
diff --git a/roles/radius_server/templates/sql.j2 b/roles/radius_server/templates/sql.j2
new file mode 100644
index 0000000..4b3afc2
--- /dev/null
+++ b/roles/radius_server/templates/sql.j2
@@ -0,0 +1,265 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+## $Id: 4a59483c35c77f573fb177919e19ba4434cc3da1 $
+
+######################################################################
+#
+# Configuration for the SQL module
+#
+# The database schemas and queries are located in subdirectories:
+#
+# sql/<DB>/main/schema.sql Schema
+# sql/<DB>/main/queries.conf Authorisation and Accounting queries
+#
+# Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+#
+
+sql {
+ # The sub-module to use to execute queries. This should match
+ # the database you're attempting to connect to.
+ #
+ # * rlm_sql_mysql
+ # * rlm_sql_mssql
+ # * rlm_sql_oracle
+ # * rlm_sql_postgresql
+ # * rlm_sql_sqlite
+ # * rlm_sql_null (log queries to disk)
+ #
+ driver = "rlm_sql_mysql"
+
+#
+# Several drivers accept specific options, to set them, a
+# config section with the the name as the driver should be added
+# to the sql instance.
+#
+# Driver specific options are:
+#
+# sqlite {
+# # Path to the sqlite database
+# filename = "/tmp/freeradius.db"
+#
+# # How long to wait for write locks on the database to be
+# # released (in ms) before giving up.
+# busy_timeout = 200
+#
+# # If the file above does not exist and bootstrap is set
+# # a new database file will be created, and the SQL statements
+# # contained within the bootstrap file will be executed.
+# bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
+# }
+#
+# mysql {
+# # If any of the files below are set, TLS encryption is enabled
+# tls {
+# ca_file = "/etc/ssl/certs/my_ca.crt"
+# ca_path = "/etc/ssl/certs/"
+# certificate_file = "/etc/ssl/certs/private/client.crt"
+# private_key_file = "/etc/ssl/certs/private/client.key"
+# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+# }
+#
+# # If yes, (or auto and libmysqlclient reports warnings are
+# # available), will retrieve and log additional warnings from
+# # the server if an error has occured. Defaults to 'auto'
+# warnings = auto
+# }
+#
+# postgresql {
+#
+# # unlike MySQL, which has a tls{} connection configuration, postgresql
+# # uses its connection parameters - see the radius_db option below in
+# # this file
+#
+# # Send application_name to the postgres server
+# # Only supported in PG 9.0 and greater. Defaults to no.
+# send_application_name = yes
+# }
+#
+
+ # The dialect of SQL you want to use, this should usually match
+ # the driver you selected above.
+ #
+ # If you're using rlm_sql_null, then it should be the type of
+ # database the logged queries are going to be executed against.
+ dialect = "mysql"
+
+ # Connection info:
+ #
+ #server = "localhost"
+ server = "{{wannat_global.common.redis_server_ip}}"
+ port = 3306
+ login = "{{wannat_global.common.bifang_db_username}}"
+ password = "{{wannat_global.common.bifang_db_password}}"
+
+ # Database table configuration for everything except Oracle
+ radius_db = "{{wannat_global.common.bifang_radius_db_name}}"
+
+ # If you are using Oracle then use this instead
+# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+
+ # If you're using postgresql this can also be used instead of the connection info parameters
+ # # radius_db = "dbname=radius host=localhost user=radius password=raddpass"
+
+ # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
+ # use SSL connections then use this form of connection info parameter
+# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
+
+ # If you want both stop and start records logged to the
+ # same SQL table, leave this as is. If you want them in
+ # different tables, put the start table in acct_table1
+ # and stop table in acct_table2
+ acct_table1 = "radacct"
+ acct_table2 = "radacct"
+
+ # Allow for storing data after authentication
+ postauth_table = "radpostauth"
+
+ # Tables containing 'check' items
+ authcheck_table = "radcheck"
+ groupcheck_table = "radgroupcheck"
+
+ # Tables containing 'reply' items
+ authreply_table = "radreply"
+ groupreply_table = "radgroupreply"
+
+ # Table to keep group info
+ usergroup_table = "radusergroup"
+
+ # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
+ # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
+# read_groups = yes
+
+ # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
+ # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
+# read_profiles = yes
+
+ # Remove stale session if checkrad does not see a double login
+ delete_stale_sessions = yes
+
+ # Write SQL queries to a logfile. This is potentially useful for tracing
+ # issues with authorization queries. See also "logfile" directives in
+ # mods-config/sql/main/*/queries.conf. You can enable per-section logging
+ # by enabling "logfile" there, or global logging by enabling "logfile" here.
+ #
+ # Per-section logging can be disabled by setting "logfile = ''"
+# logfile = ${logdir}/sqllog.sql
+
+ # Set the maximum query duration and connection timeout
+ # for rlm_sql_mysql.
+# query_timeout = 5
+
+ # As of version 3.0, the "pool" section has replaced the
+ # following configuration items:
+ #
+ # num_sql_socks
+ # connect_failure_retry_delay
+ # lifetime
+ # max_queries
+
+ #
+ # The connection pool is new for 3.0, and will be used in many
+ # modules, for all kinds of connection-related activity.
+ #
+ # When the server is not threaded, the connection pool
+ # limits are ignored, and only one connection is used.
+ #
+ # If you want to have multiple SQL modules re-use the same
+ # connection pool, use "pool = name" instead of a "pool"
+ # section. e.g.
+ #
+ # sql1 {
+ # ...
+ # pool {
+ # ...
+ # }
+ # }
+ #
+ # # sql2 will use the connection pool from sql1
+ # sql2 {
+ # ...
+ # pool = sql1
+ # }
+ #
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # database being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ retry_delay = 30
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ }
+
+ # Set to 'yes' to read radius clients from the database ('nas' table)
+ # Clients will ONLY be read on server startup.
+# read_clients = yes
+
+ # Table to keep radius client info
+ client_table = "nas"
+
+ #
+ # The group attribute specific to this instance of rlm_sql
+ #
+
+ # This entry should be used for additional instances (sql foo {})
+ # of the SQL module.
+# group_attribute = "${.:instance}-SQL-Group"
+
+ # This entry should be used for the default instance (sql {})
+ # of the SQL module.
+ group_attribute = "SQL-Group"
+
+ # Read database-specific queries
+ $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
+}
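Review bot: The MySQL `server` on line 1353 is rendered from `wannat_global.common.redis_server_ip` while `login`, `password` and `radius_db` come from the `bifang_db_*` variables, which looks like a copy-paste slip unless the RADIUS database really lives on the Redis host; if it does, a comment saying so would help, otherwise a dedicated variable such as `server = "{{wannat_global.common.bifang_db_server_ip}}"` would be clearer. Because that host is a remote address rather than localhost and the `mysql { tls { ... } }` block (left commented at lines 1315–1329) is not configured, the database password and RADIUS user data appear to travel in clear text, so enabling that block with this deployment's CA and client certificate paths is worth considering. The rendered file embeds the database password, so the `template` task that writes it (outside this hunk) should set owner/group to the radiusd user and `mode: "0640"`. FreeRADIUS also processes `${...}` expansions and backslash escapes inside double-quoted values, so a password containing those characters may be altered at load time; single quotes or a constraint on the variable's content would avoid that.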