Role freeradius

2020-08-11 04:04:41 +02:00 · 2020-08-11 04:04:41 +02:00 · a7d67b1f87
parent 44a6022885
commit a7d67b1f87
13 changed files with 39 additions and 16 deletions
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@ -42,6 +42,7 @@ adm_subnet: 10.231.136.0/24
 #
 # # global server definitions
 glob_smtp: smtp.adm.crans.org
+glob_mirror: mirror.adm.crans.org

 glob_ldap:
  servers:
--- a/group_vars/freeradius.yml
+++ b/group_vars/freeradius.yml
@ -1,4 +0,0 @@
---
-glob_freeradius:
-  realm: crans
-  proxy_to: FEDEREZ
--- a/group_vars/radius.yml
+++ b/group_vars/radius.yml
@ -0,0 +1,8 @@
+---
+glob_freeradius:
+  realm: crans
+  proxy_to: FEDEREZ
+  infra_switch: "172.16.33.0/24"
+  infra_bornes: "172.16.34.0/24"
+  secret_switch: "ploptotoswitch"
+  secret_bornes: "ploptotobornes"
--- a/3
+++ b/3
@ -25,6 +25,9 @@
 # [test_vm]
 # re2o-test.adm.crans.org

+[radius]
+routeur-sam.adm.crans.org
+
 [re2o]
 re2o-newinfra.adm.crans.org
 routeur-sam.adm.crans.org
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy radius server
+- hosts: radius
+  vars:
+    freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
+    mirror: '{{ glob_mirror }}'
+  roles:
+    - freeradius
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@ -7,7 +7,7 @@
 - name: Pin freeradius from backports
  template:
    src: apt/preferences.d/freeradius_python3.j2
-    dest: /etc/apt/prefederences.d/freeradius_python3
+    dest: /etc/apt/preferences.d/freeradius_python3

 - name: Install freeradius
  apt:
@ -43,8 +43,16 @@
  file:
    src: /var/www/re2o/freeradius_utils/auth.py
    dest: /etc/freeradius/3.0/auth.py
+    state: link
+    force: yes
  notify: Restart freeradius

+- name: Ensure ${certdir}/letsencrypt directory exists
+  file:
+    path: /etc/freeradius/3.0/certs/letsencrypt
+    state: directory
+    recurse: yes
+
 - name: Symlink radius certificates
  file:
    src: /etc/letsencrypt/live/crans.org/{{ item }}
--- a/roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2
+++ b/roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2
--- a/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
+++ b/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
--- a/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
+++ b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
@ -184,7 +184,7 @@ eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/letsencrypt/privkey.pem
+		certificate_file = ${certdir}/letsencrypt/fullchain.pem

 		#  Trusted Root CA list
 		#
@ -196,7 +196,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${certdir}/ca.crt
+		# ca_file = ${certdir}/ca.crt

 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
@ -363,7 +363,7 @@ eap {
 		#
 		#  The values must be in quotes.
 		#
-		tls_min_version = "1.0"
+		tls_min_version = "1.2"
 		tls_max_version = "1.2"


--- a/roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
+++ b/roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
--- a/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
+++ b/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
@ -373,9 +373,10 @@ log {
 	#  this expansion can be slow, and can negatively impact server
 	#  performance.
 	#
+{% raw %}
 	msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
 	msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
-
+{% endraw %}
 	#  The message when the user exceeds the Simultaneous-Use limit.
 	#
 	msg_denied = "You are already logged in - access denied"
--- a/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
+++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
@ -479,11 +479,11 @@ preacct {
 	#
 	#  The start time is: NOW - delay - session_length
 	#
-
+{% raw %}
 #	update request {
 #	  	&FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
 #	}
-
+{% endraw %}

 	#
 	#  Ensure that we have a semi-unique identifier for every
@ -626,9 +626,6 @@ post-auth {
 	#  The "session-state" attributes are not available here.
 	#
 	Post-Auth-Type REJECT {
-        # TO REMOVE ?
-		# log failed authentications in SQL, too.
-		-sql
 		attr_filter.access_reject

 		# Insert EAP-Failure message if the request was
--- a/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2
+++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2
@ -228,7 +228,7 @@ post-auth {
 	#  After authenticating the user, do another SQL query.
 	#
 	#  See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
-	-sql
+	# -sql


 	#
@ -271,7 +271,7 @@ post-auth {
 	#
 	Post-Auth-Type REJECT {
 		# log failed authentications in SQL, too.
-		-sql
+		# -sql
 		attr_filter.access_reject

 		#