Role freeradius
parent
44a6022885
commit
a7d67b1f87
|
@ -42,6 +42,7 @@ adm_subnet: 10.231.136.0/24
|
||||||
#
|
#
|
||||||
# # global server definitions
|
# # global server definitions
|
||||||
glob_smtp: smtp.adm.crans.org
|
glob_smtp: smtp.adm.crans.org
|
||||||
|
glob_mirror: mirror.adm.crans.org
|
||||||
|
|
||||||
glob_ldap:
|
glob_ldap:
|
||||||
servers:
|
servers:
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
glob_freeradius:
|
|
||||||
realm: crans
|
|
||||||
proxy_to: FEDEREZ
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
glob_freeradius:
|
||||||
|
realm: crans
|
||||||
|
proxy_to: FEDEREZ
|
||||||
|
infra_switch: "172.16.33.0/24"
|
||||||
|
infra_bornes: "172.16.34.0/24"
|
||||||
|
secret_switch: "ploptotoswitch"
|
||||||
|
secret_bornes: "ploptotobornes"
|
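Review bot: `secret_switch` and `secret_bornes` are RADIUS shared secrets committed in clear text in a group_vars file, readable by everyone with access to the repository; they belong in an ansible-vault encrypted vars file (or `!vault` inline values) and should only be referenced from here. The shared secret is what authenticates each NAS to the server and protects the password attribute on the wire, so it should be a long random value rather than a readable word, and the two values shown look like placeholders, which is worth confirming before this reaches the hosts. The deleted version of this file (previous hunk) did not carry these secrets, so this commit is what introduces them to version control. The two subnet values are correctly quoted.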
3
hosts
3
hosts
|
@ -25,6 +25,9 @@
|
||||||
# [test_vm]
|
# [test_vm]
|
||||||
# re2o-test.adm.crans.org
|
# re2o-test.adm.crans.org
|
||||||
|
|
||||||
|
[radius]
|
||||||
|
routeur-sam.adm.crans.org
|
||||||
|
|
||||||
[re2o]
|
[re2o]
|
||||||
re2o-newinfra.adm.crans.org
|
re2o-newinfra.adm.crans.org
|
||||||
routeur-sam.adm.crans.org
|
routeur-sam.adm.crans.org
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
---
|
||||||
|
# Deploy radius server
|
||||||
|
- hosts: radius
|
||||||
|
vars:
|
||||||
|
freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
|
||||||
|
mirror: '{{ glob_mirror }}'
|
||||||
|
roles:
|
||||||
|
- freeradius
|
|
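Review bot: The play sets no `become`, yet the role it applies writes under /etc/apt/preferences.d, installs packages and creates links under /etc/freeradius (see the task hunks below), which needs root; unless the role's tasks or ansible.cfg already set it, or the play is run as root, add `become: true` after `hosts: radius`. The `freeradius` var merges `glob_freeradius` and `loc_freeradius` with `combine`, which is a shallow merge by default: fine while the mapping is flat as in the new group_vars file, but a nested key in `loc_freeradius` would replace the whole sub-mapping rather than override one entry, so a short comment on that line would save a future surprise. `mirror` has no `default`, so the play fails early when `glob_mirror` is unset, which is reasonable.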
@ -7,7 +7,7 @@
|
||||||
- name: Pin freeradius from backports
|
- name: Pin freeradius from backports
|
||||||
template:
|
template:
|
||||||
src: apt/preferences.d/freeradius_python3.j2
|
src: apt/preferences.d/freeradius_python3.j2
|
||||||
dest: /etc/apt/prefederences.d/freeradius_python3
|
dest: /etc/apt/preferences.d/freeradius_python3
|
||||||
|
|
||||||
- name: Install freeradius
|
- name: Install freeradius
|
||||||
apt:
|
apt:
|
||||||
|
@ -43,8 +43,16 @@
|
||||||
file:
|
file:
|
||||||
src: /var/www/re2o/freeradius_utils/auth.py
|
src: /var/www/re2o/freeradius_utils/auth.py
|
||||||
dest: /etc/freeradius/3.0/auth.py
|
dest: /etc/freeradius/3.0/auth.py
|
||||||
|
state: link
|
||||||
|
force: yes
|
||||||
notify: Restart freeradius
|
notify: Restart freeradius
|
||||||
|
|
||||||
|
- name: Ensure ${certdir}/letsencrypt directory exists
|
||||||
|
file:
|
||||||
|
path: /etc/freeradius/3.0/certs/letsencrypt
|
||||||
|
state: directory
|
||||||
|
recurse: yes
|
||||||
|
|
||||||
- name: Symlink radius certificates
|
- name: Symlink radius certificates
|
||||||
file:
|
file:
|
||||||
src: /etc/letsencrypt/live/crans.org/{{ item }}
|
src: /etc/letsencrypt/live/crans.org/{{ item }}
|
||||||
|
|
|
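Review bot: The new "Ensure ${certdir}/letsencrypt directory exists" task sets no `owner`, `group` or `mode`, so `recurse: yes` has nothing to apply and the directory simply gets the defaults of the user running the play. That directory is meant to hold the links created by the following "Symlink radius certificates" task (which continues past the hunk), so what actually gates access to the private key is the permission on the Let's Encrypt live/archive directories, root-only by default; if the daemon runs unprivileged it will not be able to read privkey.pem through the link, so either grant the service group read access there (e.g. `group: freerad` and `mode: "0750"` on the link directory plus matching group access on the target) or copy the key with restricted ownership instead of linking. `force: yes` on the auth.py link replaces any existing regular file at that path, which is probably intended but deserves a one-line comment. Prefer `true`/`false` over `yes` in both tasks.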
@ -184,7 +184,7 @@ eap {
|
||||||
# only the server certificate, but ALSO all
|
# only the server certificate, but ALSO all
|
||||||
# of the CA certificates used to sign the
|
# of the CA certificates used to sign the
|
||||||
# server certificate.
|
# server certificate.
|
||||||
certificate_file = ${certdir}/letsencrypt/privkey.pem
|
certificate_file = ${certdir}/letsencrypt/fullchain.pem
|
||||||
|
|
||||||
# Trusted Root CA list
|
# Trusted Root CA list
|
||||||
#
|
#
|
||||||
|
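Review bot: The fix is right (privkey.pem never contained a certificate), but the switch to fullchain.pem deserves an inline comment since the surrounding stock text does not mention Let's Encrypt: `# fullchain.pem: leaf + intermediate, so supplicants can build the chain to a trusted root`. `private_key_file` is outside this hunk; please verify it points at `${certdir}/letsencrypt/privkey.pem` and that `private_key_password` is left unset, as Let's Encrypt keys are not encrypted.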
@ -196,7 +196,7 @@ eap {
|
||||||
# In that case, this CA file should contain
|
# In that case, this CA file should contain
|
||||||
# *one* CA certificate.
|
# *one* CA certificate.
|
||||||
#
|
#
|
||||||
ca_file = ${certdir}/ca.crt
|
# ca_file = ${certdir}/ca.crt
|
||||||
|
|
||||||
# OpenSSL will automatically create certificate chains,
|
# OpenSSL will automatically create certificate chains,
|
||||||
# unless we tell it to not do that. The problem is that
|
# unless we tell it to not do that. The problem is that
|
||||||
|
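Review bot: Commenting out `ca_file` means the server no longer has a CA to verify client certificates against, so EAP-TLS with client certificates cannot work in this eap section; for PEAP/TTLS with an inner password method that is fine, and the intermediate chain is now supplied by fullchain.pem. Record the intent next to the line so nobody re-enables it blindly: `# ca_file not needed: chain is sent via fullchain.pem and no client certificates are verified (PEAP/TTLS only)` — adjust if EAP-TLS is in use, in which case the Let's Encrypt CA is not the right value anyway.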
@ -363,7 +363,7 @@ eap {
|
||||||
#
|
#
|
||||||
# The values must be in quotes.
|
# The values must be in quotes.
|
||||||
#
|
#
|
||||||
tls_min_version = "1.0"
|
tls_min_version = "1.2"
|
||||||
tls_max_version = "1.2"
|
tls_max_version = "1.2"
|
||||||
|
|
||||||
|
|
|
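Review bot: Raising `tls_min_version` to "1.2" is the right floor, but together with `tls_max_version = "1.2"` it pins the server to exactly one protocol version, and nothing in the hunk says why TLS 1.3 is excluded; add a comment such as `# min = max = 1.2: legacy supplicants (TLS 1.0/1.1) are rejected on purpose; 1.3 left out pending EAP interop on this FreeRADIUS release` so the pin is revisited on upgrade. Operators should also expect older supplicants to stop authenticating after this change, which is worth a line in the commit description.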
@ -373,9 +373,10 @@ log {
|
||||||
# this expansion can be slow, and can negatively impact server
|
# this expansion can be slow, and can negatively impact server
|
||||||
# performance.
|
# performance.
|
||||||
#
|
#
|
||||||
|
{% raw %}
|
||||||
msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
|
msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
|
||||||
msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
|
msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
|
||||||
|
{% endraw %}
|
||||||
# The message when the user exceeds the Simultaneous-Use limit.
|
# The message when the user exceeds the Simultaneous-Use limit.
|
||||||
#
|
#
|
||||||
msg_denied = "You are already logged in - access denied"
|
msg_denied = "You are already logged in - access denied"
|
|
@ -479,11 +479,11 @@ preacct {
|
||||||
#
|
#
|
||||||
# The start time is: NOW - delay - session_length
|
# The start time is: NOW - delay - session_length
|
||||||
#
|
#
|
||||||
|
{% raw %}
|
||||||
# update request {
|
# update request {
|
||||||
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
||||||
# }
|
# }
|
||||||
|
{% endraw %}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Ensure that we have a semi-unique identifier for every
|
# Ensure that we have a semi-unique identifier for every
|
||||||
|
@ -626,9 +626,6 @@ post-auth {
|
||||||
# The "session-state" attributes are not available here.
|
# The "session-state" attributes are not available here.
|
||||||
#
|
#
|
||||||
Post-Auth-Type REJECT {
|
Post-Auth-Type REJECT {
|
||||||
# TO REMOVE ?
|
|
||||||
# log failed authentications in SQL, too.
|
|
||||||
-sql
|
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
|
|
||||||
# Insert EAP-Failure message if the request was
|
# Insert EAP-Failure message if the request was
|
|
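Review bot: Dropping `-sql` from the default site's `Post-Auth-Type REJECT` (and commenting it out in the inner-tunnel post-auth and REJECT sections in the two following hunks) stops failed authentications from being written to SQL, which is the record an operator reaches for when investigating password guessing or a misbehaving NAS. If the sql module is not loaded the `-` prefix already made the call a silent no-op and the removal is cosmetic; if it is loaded, confirm that failures still land somewhere (linelog, detail, or the log section's msg_badpass messages) and record which in a comment where the line was removed. The default site deletes the lines while inner-tunnel comments them out; pick one approach so the two virtual servers stay consistent.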
@ -228,7 +228,7 @@ post-auth {
|
||||||
# After authenticating the user, do another SQL query.
|
# After authenticating the user, do another SQL query.
|
||||||
#
|
#
|
||||||
# See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
|
# See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
|
||||||
-sql
|
# -sql
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -271,7 +271,7 @@ post-auth {
|
||||||
#
|
#
|
||||||
Post-Auth-Type REJECT {
|
Post-Auth-Type REJECT {
|
||||||
# log failed authentications in SQL, too.
|
# log failed authentications in SQL, too.
|
||||||
-sql
|
# -sql
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
|
|
||||||
#
|
#
|