initial commit

6 files changed, 1768 insertions, 0 deletions

diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
new file mode 100644
index 0000000..145191c
--- /dev/null
+++ b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
diff --git a/roles/space_server/files/radius/getusers.service b/roles/space_server/files/radius/getusers.service
new file mode 100644
index 0000000..7ac5082
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Download radius users
+
+[Service]
+Type=oneshot
+ExecStart=/etc/raddb/getusers.sh
+User=root
+Group=radiusd
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/roles/space_server/files/radius/getusers.timer b/roles/space_server/files/radius/getusers.timer
new file mode 100644
index 0000000..9ef4eb3
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Download radius users every 10 minutes
+
+[Timer]
+Unit=getusers.service
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=10min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
new file mode 100644
index 0000000..87593b0
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/eap
@@ -0,0 +1,883 @@
+# -*- text -*-
+##
+##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
+##
+##	$Id: 2621e183c3d9eafacb03bbea57a4a1fb71bf0383 $
+
+#######################################################################
+#
+#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
+#  is smart enough to figure this out on its own.  The most
+#  common side effect of setting 'Auth-Type := EAP' is that the
+#  users then cannot use ANY other authentication method.
+#
+eap {
+	#  Invoke the default supported EAP type when
+	#  EAP-Identity response is received.
+	#
+	#  The incoming EAP messages DO NOT specify which EAP
+	#  type they will be using, so it MUST be set here.
+	#
+	#  For now, only one default EAP type may be used at a time.
+	#
+	#  If the EAP-Type attribute is set by another module,
+	#  then that EAP type takes precedence over the
+	#  default type configured here.
+	#
+	default_eap_type = ttls
+
+	#  A list is maintained to correlate EAP-Response
+	#  packets with EAP-Request packets.  After a
+	#  configurable length of time, entries in the list
+	#  expire, and are deleted.
+	#
+	timer_expire     = 60
+
+	#  There are many EAP types, but the server has support
+	#  for only a limited subset.  If the server receives
+	#  a request for an EAP type it does not support, then
+	#  it normally rejects the request.  By setting this
+	#  configuration to "yes", you can tell the server to
+	#  instead keep processing the request.  Another module
+	#  MUST then be configured to proxy the request to
+	#  another RADIUS server which supports that EAP type.
+	#
+	#  If another module is NOT configured to handle the
+	#  request, then the request will still end up being
+	#  rejected.
+	ignore_unknown_eap_types = no
+
+	# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
+	# a User-Name attribute in an Access-Accept, it copies one
+	# more byte than it should.
+	#
+	# We can work around it by configurably adding an extra
+	# zero byte.
+	cisco_accounting_username_bug = no
+
+	#
+	#  Help prevent DoS attacks by limiting the number of
+	#  sessions that the server is tracking.  For simplicity,
+	#  this is taken from the "max_requests" directive in
+	#  radiusd.conf.
+	max_sessions = ${max_requests}
+
+	# Supported EAP-types
+
+	#
+	#  We do NOT recommend using EAP-MD5 authentication
+	#  for wireless connections.  It is insecure, and does
+	#  not provide for dynamic WEP keys.
+	#
+	md5 {
+	}
+
+	#
+	# EAP-pwd -- secure password-based authentication
+	#
+#	pwd {
+#		group = 19
+
+		#
+#		server_id = theserver@example.com
+
+		#  This has the same meaning as for TLS.
+#		fragment_size = 1020
+
+		# The virtual server which determines the
+		# "known good" password for the user.
+		# Note that unlike TLS, only the "authorize"
+		# section is processed.  EAP-PWD requests can be
+		# distinguished by having a User-Name, but
+		# no User-Password, CHAP-Password, EAP-Message, etc.
+#		virtual_server = "inner-tunnel"
+#	}
+
+	# Cisco LEAP
+	#
+	#  We do not recommend using LEAP in new deployments.  See:
+	#  http://www.securiteam.com/tools/5TP012ACKE.html
+	#
+	#  Cisco LEAP uses the MS-CHAP algorithm (but not
+	#  the MS-CHAP attributes) to perform it's authentication.
+	#
+	#  As a result, LEAP *requires* access to the plain-text
+	#  User-Password, or the NT-Password attributes.
+	#  'System' authentication is impossible with LEAP.
+	#
+	leap {
+	}
+
+	#  Generic Token Card.
+	#
+	#  Currently, this is only permitted inside of EAP-TTLS,
+	#  or EAP-PEAP.  The module "challenges" the user with
+	#  text, and the response from the user is taken to be
+	#  the User-Password.
+	#
+	#  Proxying the tunneled EAP-GTC session is a bad idea,
+	#  the users password will go over the wire in plain-text,
+	#  for anyone to see.
+	#
+	gtc {
+		#  The default challenge, which many clients
+		#  ignore..
+		#challenge = "Password: "
+
+		#  The plain-text response which comes back
+		#  is put into a User-Password attribute,
+		#  and passed to another module for
+		#  authentication.  This allows the EAP-GTC
+		#  response to be checked against plain-text,
+		#  or crypt'd passwords.
+		#
+		#  If you say "Local" instead of "PAP", then
+		#  the module will look for a User-Password
+		#  configured for the request, and do the
+		#  authentication itself.
+		#
+		auth_type = PAP
+	}
+
+	## Common TLS configuration for TLS-based EAP types
+	#
+	#  See raddb/certs/README for additional comments
+	#  on certificates.
+	#
+	#  If OpenSSL was not found at the time the server was
+	#  built, the "tls", "ttls", and "peap" sections will
+	#  be ignored.
+	#
+	#  If you do not currently have certificates signed by
+	#  a trusted CA you may use the 'snakeoil' certificates.
+	#  Included with the server in raddb/certs.
+	#
+	#  If these certificates have not been auto-generated:
+	#    cd raddb/certs
+	#    make
+	#
+	#  These test certificates SHOULD NOT be used in a normal
+	#  deployment.  They are created only to make it easier
+	#  to install the server, and to perform some simple
+	#  tests with EAP-TLS, TTLS, or PEAP.
+	#
+	#  See also:
+	#
+	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
+	#
+	#  Note that you should NOT use a globally known CA here!
+	#  e.g. using a Verisign cert as a "known CA" means that
+	#  ANYONE who has a certificate signed by them can
+	#  authenticate via EAP-TLS!  This is likely not what you want.
+	tls-config tls-common {
+		private_key_password = whatever
+		private_key_file = ${certdir}/server.pem
+
+		#  If Private key & Certificate are located in
+		#  the same file, then private_key_file &
+		#  certificate_file must contain the same file
+		#  name.
+		#
+		#  If ca_file (below) is not used, then the
+		#  certificate_file below MUST include not
+		#  only the server certificate, but ALSO all
+		#  of the CA certificates used to sign the
+		#  server certificate.
+		certificate_file = ${certdir}/server.pem
+
+		#  Trusted Root CA list
+		#
+		#  ALL of the CA's in this list will be trusted
+		#  to issue client certificates for authentication.
+		#
+		#  In general, you should use self-signed
+		#  certificates for 802.1x (EAP) authentication.
+		#  In that case, this CA file should contain
+		#  *one* CA certificate.
+		#
+		ca_file = ${cadir}/ca.pem
+
+	 	#  OpenSSL will automatically create certificate chains,
+	 	#  unless we tell it to not do that.  The problem is that
+	 	#  it sometimes gets the chains right from a certificate
+	 	#  signature view, but wrong from the clients view.
+		#
+		#  When setting "auto_chain = no", the server certificate
+		#  file MUST include the full certificate chain.
+	#	auto_chain = yes
+
+		#
+		#  If OpenSSL supports TLS-PSK, then we can use
+		#  a PSK identity and (hex) password.  When the
+		#  following two configuration items are specified,
+		#  then certificate-based configuration items are
+		#  not allowed.  e.g.:
+		#
+		#	private_key_password
+		#	private_key_file
+		#	certificate_file
+		#	ca_file
+		#	ca_path
+		#
+		#  For now, the identity is fixed, and must be the
+		#  same on the client.  The passphrase must be a hex
+		#  value, and can be up to 256 hex digits.
+		#
+		#  Future versions of the server may be able to
+		#  look up the shared key (hexphrase) based on the
+		#  identity.
+		#
+	#	psk_identity = "test"
+	#	psk_hexphrase = "036363823"
+
+		#
+		#  For DH cipher suites to work, you have to
+		#  run OpenSSL to create the DH file first:
+		#
+		#  	openssl dhparam -out certs/dh 2048
+		#
+		dh_file = ${certdir}/dh
+
+		#
+		#  If your system doesn't have /dev/urandom,
+		#  you will need to create this file, and
+		#  periodically change its contents.
+		#
+		#  For security reasons, FreeRADIUS doesn't
+		#  write to files in its configuration
+		#  directory.
+		#
+	#	random_file = /dev/urandom
+
+		#
+		#  This can never exceed the size of a RADIUS
+		#  packet (4096 bytes), and is preferably half
+		#  that, to accommodate other attributes in
+		#  RADIUS packet.  On most APs the MAX packet
+		#  length is configured between 1500 - 1600
+		#  In these cases, fragment size should be
+		#  1024 or less.
+		#
+	#	fragment_size = 1024
+
+		#  include_length is a flag which is
+		#  by default set to yes If set to
+		#  yes, Total Length of the message is
+		#  included in EVERY packet we send.
+		#  If set to no, Total Length of the
+		#  message is included ONLY in the
+		#  First packet of a fragment series.
+		#
+	#	include_length = yes
+
+
+		#  Check the Certificate Revocation List
+		#
+		#  1) Copy CA certificates and CRLs to same directory.
+		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+		#    'c_rehash' is OpenSSL's command.
+		#  3) uncomment the lines below.
+		#  5) Restart radiusd
+	#	check_crl = yes
+
+		# Check if intermediate CAs have been revoked.
+	#	check_all_crl = yes
+
+		ca_path = ${cadir}
+
+		#
+		#  If check_cert_issuer is set, the value will
+		#  be checked against the DN of the issuer in
+		#  the client certificate.  If the values do not
+		#  match, the certificate verification will fail,
+		#  rejecting the user.
+		#
+		#  In 2.1.10 and later, this check can be done
+		#  more generally by checking the value of the
+		#  TLS-Client-Cert-Issuer attribute.  This check
+		#  can be done via any mechanism you choose.
+		#
+	#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+		#
+		#  If check_cert_cn is set, the value will
+		#  be xlat'ed and checked against the CN
+		#  in the client certificate.  If the values
+		#  do not match, the certificate verification
+		#  will fail rejecting the user.
+		#
+		#  This check is done only if the previous
+		#  "check_cert_issuer" is not set, or if
+		#  the check succeeds.
+		#
+		#  In 2.1.10 and later, this check can be done
+		#  more generally by checking the value of the
+		#  TLS-Client-Cert-CN attribute.  This check
+		#  can be done via any mechanism you choose.
+		#
+	#	check_cert_cn = %{User-Name}
+		#
+		# Set this option to specify the allowed
+		# TLS cipher suites.  The format is listed
+		# in "man 1 ciphers".
+		#
+		# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+		#
+		cipher_list = "PROFILE=SYSTEM"
+
+		# If enabled, OpenSSL will use server cipher list
+		# (possibly defined by cipher_list option above)
+		# for choosing right cipher suite rather than
+		# using client-specified list which is OpenSSl default
+		# behavior. Having it set to yes is a current best practice
+		# for TLS
+		cipher_server_preference = no
+
+		# Work-arounds for OpenSSL nonsense
+		# OpenSSL 1.0.1f and 1.0.1g do not calculate
+		# the EAP keys correctly.  The fix is to upgrade
+		# OpenSSL, or disable TLS 1.2 here. 
+		#
+		#  For EAP-FAST, this MUST be set to "yes".
+		#
+#		disable_tlsv1_2 = no
+
+		#
+
+		#
+		#  Elliptical cryptography configuration
+		#
+		#  Only for OpenSSL >= 0.9.8.f
+		#
+		ecdh_curve = "prime256v1"
+
+		#
+		#  Session resumption / fast reauthentication
+		#  cache.
+		#
+		#  The cache contains the following information:
+		#
+		#  session Id - unique identifier, managed by SSL
+		#  User-Name  - from the Access-Accept
+		#  Stripped-User-Name - from the Access-Request
+		#  Cached-Session-Policy - from the Access-Accept
+		#
+		#  The "Cached-Session-Policy" is the name of a
+		#  policy which should be applied to the cached
+		#  session.  This policy can be used to assign
+		#  VLANs, IP addresses, etc.  It serves as a useful
+		#  way to re-apply the policy from the original
+		#  Access-Accept to the subsequent Access-Accept
+		#  for the cached session.
+		#
+		#  On session resumption, these attributes are
+		#  copied from the cache, and placed into the
+		#  reply list.
+		#
+		#  You probably also want "use_tunneled_reply = yes"
+		#  when using fast session resumption.
+		#
+		cache {
+			#
+			#  Enable it.  The default is "no". Deleting the entire "cache"
+			#  subsection also disables caching.
+			#
+			#  As of version 3.0.14, the session cache requires the use
+			#  of the "name" and "persist_dir" configuration items, below.
+			#
+			#  The internal OpenSSL session cache has been permanently
+			#  disabled.
+			#
+			#  You can disallow resumption for a particular user by adding the
+			#  following attribute to the control item list:
+			#
+			#    Allow-Session-Resumption = No
+			#
+			#  If "enable = no" below, you CANNOT enable resumption for just one
+			#  user by setting the above attribute to "yes".
+			#
+			enable = no
+
+			#
+			#  Lifetime of the cached entries, in hours. The sessions will be
+			#  deleted/invalidated after this time.
+			#
+			lifetime = 24 # hours
+
+			#
+			#  Internal "name" of the session cache. Used to
+			#  distinguish which TLS context sessions belong to.
+			#
+			#  The server will generate a random value if unset.
+			#  This will change across server restart so you MUST
+			#  set the "name" if you want to persist sessions (see
+			#  below).
+			#
+			#name = "EAP module"
+
+			#
+			#  Simple directory-based storage of sessions.
+			#  Two files per session will be written, the SSL
+			#  state and the cached VPs. This will persist session
+			#  across server restarts.
+			#
+			#  The default directory is ${logdir}, for historical
+			#  reasons.  You should ${db_dir} instead.  And check
+			#  the value of db_dir in the main radiusd.conf file.
+			#  It should not point to ${raddb}
+			#
+			#  The server will need write perms, and the directory
+			#  should be secured from anyone else. You might want
+			#  a script to remove old files from here periodically:
+			#
+			#    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+			#
+			#  This feature REQUIRES "name" option be set above.
+			#
+			#persist_dir = "${logdir}/tlscache"
+		}
+
+		#
+		#  As of version 2.1.10, client certificates can be
+		#  validated via an external command.  This allows
+		#  dynamic CRLs or OCSP to be used.
+		#
+		#  This configuration is commented out in the
+		#  default configuration.  Uncomment it, and configure
+		#  the correct paths below to enable it.
+		#
+		#  If OCSP checking is enabled, and the OCSP checks fail,
+		#  the verify section is not run.
+		#
+		#  If OCSP checking is disabled, the verify section is
+		#  run on successful certificate validation.
+		#
+		verify {
+			#  If the OCSP checks succeed, the verify section
+			#  is run to allow additional checks.
+			#
+			#  If you want to skip verify on OCSP success,
+			#  uncomment this configuration item, and set it
+			#  to "yes".
+	#		skip_if_ocsp_ok = no
+
+			#  A temporary directory where the client
+			#  certificates are stored.  This directory
+			#  MUST be owned by the UID of the server,
+			#  and MUST not be accessible by any other
+			#  users.  When the server starts, it will do
+			#  "chmod go-rwx" on the directory, for
+			#  security reasons.  The directory MUST
+			#  exist when the server starts.
+			#
+			#  You should also delete all of the files
+			#  in the directory when the server starts.
+	#		tmpdir = /var/run/radiusd/tmp
+
+			#  The command used to verify the client cert.
+			#  We recommend using the OpenSSL command-line
+			#  tool.
+			#
+			#  The ${..ca_path} text is a reference to
+			#  the ca_path variable defined above.
+			#
+			#  The %{TLS-Client-Cert-Filename} is the name
+			#  of the temporary file containing the cert
+			#  in PEM format.  This file is automatically
+			#  deleted by the server when the command
+			#  returns.
+	#		client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		}
+
+		#
+		#  OCSP Configuration
+		#  Certificates can be verified against an OCSP
+		#  Responder. This makes it possible to immediately
+		#  revoke certificates without the distribution of
+		#  new Certificate Revocation Lists (CRLs).
+		#
+		ocsp {
+			#
+			#  Enable it.  The default is "no".
+			#  Deleting the entire "ocsp" subsection
+			#  also disables ocsp checking
+			#
+			enable = no
+
+			#
+			#  The OCSP Responder URL can be automatically
+			#  extracted from the certificate in question.
+			#  To override the OCSP Responder URL set
+			#  "override_cert_url = yes".
+			#
+			override_cert_url = yes
+
+			#
+			#  If the OCSP Responder address is not extracted from
+			#  the certificate, the URL can be defined here.
+			#
+			url = "http://127.0.0.1/ocsp/"
+
+			#
+			# If the OCSP Responder can not cope with nonce
+			# in the request, then it can be disabled here.
+			#
+			# For security reasons, disabling this option
+			# is not recommended as nonce protects against
+			# replay attacks.
+			#
+			# Note that Microsoft AD Certificate Services OCSP
+			# Responder does not enable nonce by default. It is
+			# more secure to enable nonce on the responder than
+			# to disable it in the query here.
+			# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+			#
+			# use_nonce = yes
+
+			#
+			# Number of seconds before giving up waiting
+			# for OCSP response. 0 uses system default.
+			#
+			# timeout = 0
+
+			#
+			# Normally an error in querying the OCSP
+			# responder (no response from server, server did
+			# not understand the request, etc) will result in
+			# a validation failure.
+			#
+			# To treat these errors as 'soft' failures and
+			# still accept the certificate, enable this
+			# option.
+			#
+			# Warning: this may enable clients with revoked
+			# certificates to connect if the OCSP responder
+			# is not available. Use with caution.
+			#
+			# softfail = no
+		}
+	}
+
+	## EAP-TLS
+	#
+	#  As of Version 3.0, the TLS configuration for TLS-based
+	#  EAP types is above in the "tls-config" section.
+	#
+	tls {
+		# Point to the common TLS configuration
+		tls = tls-common
+
+		#
+		# As part of checking a client certificate, the EAP-TLS
+		# sets some attributes such as TLS-Client-Cert-CN. This
+		# virtual server has access to these attributes, and can
+		# be used to accept or reject the request.
+		#
+	#	virtual_server = check-eap-tls
+	}
+
+
+	## EAP-TTLS
+	#
+	#  The TTLS module implements the EAP-TTLS protocol,
+	#  which can be described as EAP inside of Diameter,
+	#  inside of TLS, inside of EAP, inside of RADIUS...
+	#
+	#  Surprisingly, it works quite well.
+	#
+	ttls {
+		#  Which tls-config section the TLS negotiation parameters
+		#  are in - see EAP-TLS above for an explanation.
+		#
+		#  In the case that an old configuration from FreeRADIUS
+		#  v2.x is being used, all the options of the tls-config
+		#  section may also appear instead in the 'tls' section
+		#  above. If that is done, the tls= option here (and in
+		#  tls above) MUST be commented out.
+		#
+		tls = tls-common
+
+		#  The tunneled EAP session needs a default EAP type
+		#  which is separate from the one for the non-tunneled
+		#  EAP module.  Inside of the TTLS tunnel, we recommend
+		#  using EAP-MD5.  If the request does not contain an
+		#  EAP conversation, then this configuration entry is
+		#  ignored.
+		#
+		default_eap_type = md5
+
+		#  The tunneled authentication request does not usually
+		#  contain useful attributes like 'Calling-Station-Id',
+		#  etc.  These attributes are outside of the tunnel,
+		#  and normally unavailable to the tunneled
+		#  authentication request.
+		#
+		#  By setting this configuration entry to 'yes',
+		#  any attribute which is NOT in the tunneled
+		#  authentication request, but which IS available
+		#  outside of the tunnel, is copied to the tunneled
+		#  request.
+		#
+		#  allowed values: {no, yes}
+		#
+		copy_request_to_tunnel = no
+
+		#
+		#  As of version 3.0.5, this configuration item
+		#  is deprecated.  Instead, you should use
+		#
+		# 	update outer.session-state {
+		#		...
+		#
+		#	}
+		#
+		#  This will cache attributes for the final Access-Accept.
+		#
+		#  The reply attributes sent to the NAS are usually
+		#  based on the name of the user 'outside' of the
+		#  tunnel (usually 'anonymous').  If you want to send
+		#  the reply attributes based on the user name inside
+		#  of the tunnel, then set this configuration entry to
+		#  'yes', and the reply to the NAS will be taken from
+		#  the reply to the tunneled request.
+		#
+		#  allowed values: {no, yes}
+		#
+		use_tunneled_reply = no
+
+		#
+		#  The inner tunneled request can be sent
+		#  through a virtual server constructed
+		#  specifically for this purpose.
+		#
+		#  If this entry is commented out, the inner
+		#  tunneled request will be sent through
+		#  the virtual server that processed the
+		#  outer requests.
+		#
+		virtual_server = "inner-tunnel"
+
+		#  This has the same meaning, and overwrites, the
+		#  same field in the "tls" configuration, above.
+		#  The default value here is "yes".
+		#
+	#	include_length = yes
+
+		#
+		# Unlike EAP-TLS, EAP-TTLS does not require a client
+		# certificate. However, you can require one by setting the
+		# following option. You can also override this option by
+		# setting
+		#
+		#	EAP-TLS-Require-Client-Cert = Yes
+		#
+		# in the control items for a request.
+		#
+	#	require_client_cert = yes
+	}
+
+
+	## EAP-PEAP
+	#
+
+	##################################################
+	#
+	#  !!!!! WARNINGS for Windows compatibility  !!!!!
+	#
+	##################################################
+	#
+	#  If you see the server send an Access-Challenge,
+	#  and the client never sends another Access-Request,
+	#  then
+	#
+	#		STOP!
+	#
+	#  The server certificate has to have special OID's
+	#  in it, or else the Microsoft clients will silently
+	#  fail.  See the "scripts/xpextensions" file for
+	#  details, and the following page:
+	#
+	#	http://support.microsoft.com/kb/814394/en-us
+	#
+	#  For additional Windows XP SP2 issues, see:
+	#
+	#	http://support.microsoft.com/kb/885453/en-us
+	#
+	#
+	#  If is still doesn't work, and you're using Samba,
+	#  you may be encountering a Samba bug.  See:
+	#
+	#	https://bugzilla.samba.org/show_bug.cgi?id=6563
+	#
+	#  Note that we do not necessarily agree with their
+	#  explanation... but the fix does appear to work.
+	#
+	##################################################
+
+	#
+	#  The tunneled EAP session needs a default EAP type
+	#  which is separate from the one for the non-tunneled
+	#  EAP module.  Inside of the TLS/PEAP tunnel, we
+	#  recommend using EAP-MS-CHAPv2.
+	#
+	peap {
+		#  Which tls-config section the TLS negotiation parameters
+		#  are in - see EAP-TLS above for an explanation.
+		#
+		#  In the case that an old configuration from FreeRADIUS
+		#  v2.x is being used, all the options of the tls-config
+		#  section may also appear instead in the 'tls' section
+		#  above. If that is done, the tls= option here (and in
+		#  tls above) MUST be commented out.
+		#
+		tls = tls-common
+
+		#  The tunneled EAP session needs a default
+		#  EAP type which is separate from the one for
+		#  the non-tunneled EAP module.  Inside of the
+		#  PEAP tunnel, we recommend using MS-CHAPv2,
+		#  as that is the default type supported by
+		#  Windows clients.
+		#
+		default_eap_type = mschapv2
+
+		#  The PEAP module also has these configuration
+		#  items, which are the same as for TTLS.
+		#
+		copy_request_to_tunnel = no
+
+		#
+		#  As of version 3.0.5, this configuration item
+		#  is deprecated.  Instead, you should use
+		#
+		# 	update outer.session-state {
+		#		...
+		#
+		#	}
+		#
+		#  This will cache attributes for the final Access-Accept.
+		#
+		use_tunneled_reply = no
+
+		#  When the tunneled session is proxied, the
+		#  home server may not understand EAP-MSCHAP-V2.
+		#  Set this entry to "no" to proxy the tunneled
+		#  EAP-MSCHAP-V2 as normal MSCHAPv2.
+		#
+	#	proxy_tunneled_request_as_eap = yes
+
+		#
+		#  The inner tunneled request can be sent
+		#  through a virtual server constructed
+		#  specifically for this purpose.
+		#
+		#  If this entry is commented out, the inner
+		#  tunneled request will be sent through
+		#  the virtual server that processed the
+		#  outer requests.
+		#
+		virtual_server = "inner-tunnel"
+
+		# This option enables support for MS-SoH
+		# see doc/SoH.txt for more info.
+		# It is disabled by default.
+		#
+	#	soh = yes
+
+		#
+		# The SoH reply will be turned into a request which
+		# can be sent to a specific virtual server:
+		#
+	#	soh_virtual_server = "soh-server"
+
+		#
+		# Unlike EAP-TLS, PEAP does not require a client certificate.
+		# However, you can require one by setting the following
+		# option. You can also override this option by setting
+		#
+		#	EAP-TLS-Require-Client-Cert = Yes
+		#
+		# in the control items for a request.
+		#
+	#	require_client_cert = yes
+	}
+
+	#
+	#  This takes no configuration.
+	#
+	#  Note that it is the EAP MS-CHAPv2 sub-module, not
+	#  the main 'mschap' module.
+	#
+	#  Note also that in order for this sub-module to work,
+	#  the main 'mschap' module MUST ALSO be configured.
+	#
+	#  This module is the *Microsoft* implementation of MS-CHAPv2
+	#  in EAP.  There is another (incompatible) implementation
+	#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+	#  currently support.
+	#
+	mschapv2 {
+		#  Prior to version 2.1.11, the module never
+		#  sent the MS-CHAP-Error message to the
+		#  client.  This worked, but it had issues
+		#  when the cached password was wrong.  The
+		#  server *should* send "E=691 R=0" to the
+		#  client, which tells it to prompt the user
+		#  for a new password.
+		#
+		#  The default is to behave as in 2.1.10 and
+		#  earlier, which is known to work.  If you
+		#  set "send_error = yes", then the error
+		#  message will be sent back to the client.
+		#  This *may* help some clients work better,
+		#  but *may* also cause other clients to stop
+		#  working.
+		#
+#		send_error = no
+
+		#  Server identifier to send back in the challenge.
+		#  This should generally be the host name of the
+		#  RADIUS server.  Or, some information to uniquely
+		#  identify it.
+#		identity = "FreeRADIUS"
+	}
+
+	## EAP-FAST
+	#
+	#  The FAST module implements the EAP-FAST protocol
+	#
+#	fast {
+		# Point to the common TLS configuration
+		#
+		# cipher_list though must include "ADH" for anonymous provisioning.
+		# This is not as straight forward as appending "ADH" alongside
+		# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+		# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+		#
+#		tls = tls-common
+
+		# PAC lifetime in seconds (default: seven days)
+		#
+#		pac_lifetime = 604800
+
+		# Authority ID of the server
+		#
+		# if you are running a cluster of RADIUS servers, you should make
+		# the value chosen here (and for "pac_opaque_key") the same on all
+		# your RADIUS servers.  This value should be unique to your
+		# installation.  We suggest using a domain name.
+		#
+#		authority_identity = "1234"
+
+		# PAC Opaque encryption key (must be exactly 32 bytes in size)
+		#
+		# This value MUST be secret, and MUST be generated using
+		# a secure method, such as via 'openssl rand -hex 32'
+		#
+#		pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+		# Same as for TTLS, PEAP, etc.
+		#
+#		virtual_server = inner-tunnel
+#	}
+}
diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf
new file mode 100644
index 0000000..78990e5
--- /dev/null
+++ b/roles/space_server/files/radius/radiusd.conf
@@ -0,0 +1,779 @@
+# -*- text -*-
+##
+## radiusd.conf	-- FreeRADIUS server configuration file - 3.0.15
+##
+##	http://www.freeradius.org/
+##	$Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $
+##
+
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.
+#
+#	Run the server in debugging mode, and READ the output.
+#
+#		$ radiusd -X
+#
+#	We cannot emphasize this point strongly enough.  The vast
+#	majority of problems can be solved by carefully reading the
+#	debugging output, which includes warnings about common issues,
+#	and suggestions for how they may be fixed.
+#
+#	There may be a lot of output, but look carefully for words like:
+#	"warning", "error", "reject", or "failure".  The messages there
+#	will usually be enough to guide you to a solution.
+#
+#	If you are going to ask a question on the mailing list, then
+#	explain what you are trying to do, and include the output from
+#	debugging mode (radiusd -X).  Failure to do so means that all
+#	of the responses to your question will be people telling you
+#	to "post the output of radiusd -X".
+
+######################################################################
+#
+#  	The location of other config files and logfiles are declared
+#  	in this file.
+#
+#  	Also general configuration for modules can be done in this
+#  	file, it is exported through the API to modules that ask for
+#  	it.
+#
+#	See "man radiusd.conf" for documentation on the format of this
+#	file.  Note that the individual configuration items are NOT
+#	documented in that "man" page.  They are only documented here,
+#	in the comments.
+#
+#	The "unlang" policy language can be used to create complex
+#	if / else policies.  See "man unlang" for details.
+#
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir   = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${localstatedir}/lib/radiusd
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+#   This should be automatically set at configuration time.
+#
+#   If the server builds and installs, but fails at execution time
+#   with an 'undefined symbol' error, then you can use the libdir
+#   directive to work around the problem.
+#
+#   The cause is usually that a library has been installed on your
+#   system in a place where the dynamic linker CANNOT find it.  When
+#   executing as root (or another user), your personal environment MAY
+#   be set up to allow the dynamic linker to find the library.  When
+#   executing as a daemon, FreeRADIUS MAY NOT have the same
+#   personalized configuration.
+#
+#   To work around the problem, find out which library contains that symbol,
+#   and add the directory containing that library to the end of 'libdir',
+#   with a colon separating the directory names.  NO spaces are allowed.
+#
+#   e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+#   You can also try setting the LD_LIBRARY_PATH environment variable
+#   in a script which starts the server.
+#
+#   If that does not work, then you can re-configure and re-build the
+#   server to NOT use shared libraries, via:
+#
+#	./configure --disable-shared
+#	make
+#	make install
+#
+libdir = /usr/lib64/freeradius
+
+#  pidfile: Where to place the PID of the RADIUS server.
+#
+#  The server may be signalled while it's running by using this
+#  file.
+#
+#  This file is written when ONLY running in daemon mode.
+#
+#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+#
+#  correct_escapes: use correct backslash escaping
+#
+#  Prior to version 3.0.5, the handling of backslashes was a little
+#  awkward, i.e. "wrong".  In some cases, to get one backslash into
+#  a regex, you had to put 4 in the config files.
+#
+#  Version 3.0.5 fixes that.  However, for backwards compatibility,
+#  the new method of escaping is DISABLED BY DEFAULT.  This means
+#  that upgrading to 3.0.5 won't break your configuration.
+#
+#  If you don't have double backslashes (i.e. \\) in your configuration,
+#  this won't matter to you.  If you do have them, fix that to use only
+#  one backslash, and then set "correct_escapes = true".
+#
+#  You can check for this by doing:
+#
+#	$ grep '\\\\' $(find raddb -type f -print)
+#
+correct_escapes = true
+
+#  panic_action: Command to execute if the server dies unexpectedly.
+#
+#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+#  THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+#  PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+#  The panic action is a command which will be executed if the server
+#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+#  SIGABRT or SIGFPE.
+#
+#  This can be used to start an interactive debugging session so
+#  that information regarding the current state of the server can
+#  be acquired.
+#
+#  The following string substitutions are available:
+#  - %e   The currently executing program e.g. /sbin/radiusd
+#  - %p   The PID of the currently executing program e.g. 12345
+#
+#  Standard ${} substitutions are also allowed.
+#
+#  An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+#  Again, don't use that on a production system.
+#
+#  An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+#  That command can be used on a production system.
+#
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+#
+#  Requests which take more time than this to process may be killed, and
+#  a REJECT message is returned.
+#
+#  WARNING: If you notice that requests take a long time to be handled,
+#  then this MAY INDICATE a bug in the server, in one of the modules
+#  used to handle a request, OR in your local configuration.
+#
+#  This problem is most often seen when using an SQL database.  If it takes
+#  more than a second or two to receive an answer from the SQL database,
+#  then it probably means that you haven't indexed the database.  See your
+#  SQL server documentation for more information.
+#
+#  Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+#  a reply which was sent to the NAS.
+#
+#  The RADIUS request is normally cached internally for a short period
+#  of time, after the reply is sent to the NAS.  The reply packet may be
+#  lost in the network, and the NAS will not see it.  The NAS will then
+#  re-send the request, and the server will respond quickly with the
+#  cached reply.
+#
+#  If this value is set too low, then duplicate requests from the NAS
+#  MAY NOT be detected, and will instead be handled as separate requests.
+#
+#  If this value is set too high, then the server will cache too many
+#  requests, and some new requests may get blocked.  (See 'max_requests'.)
+#
+#  Useful range of values: 2 to 10
+#
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+#  track of.  This should be 256 multiplied by the number of clients.
+#  e.g. With 4 clients, this number should be 1024.
+#
+#  If this number is too low, then when the server becomes busy,
+#  it will not respond to any new requests, until the 'cleanup_delay'
+#  time has passed, and it has removed the old requests.
+#
+#  If this number is set too high, then the server will use a bit more
+#  memory for no real benefit.
+#
+#  If you aren't sure what it should be set to, it's better to set it
+#  too high than too low.  Setting it to 1000 per client is probably
+#  the highest it should be.
+#
+#  Useful range of values: 256 to infinity
+#
+max_requests = 16384
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+#  The default is 'off' because it would be overall better for the net
+#  if people had to knowingly turn this feature on, since enabling it
+#  means that each client request will result in AT LEAST one lookup
+#  request to the nameserver.   Enabling hostname_lookups will also
+#  mean that your server may stop randomly for 30 seconds from time
+#  to time, if the DNS requests take too long.
+#
+#  Turning hostname lookups off also means that the server won't block
+#  for 30 seconds, if it sees an IP address which has no name associated
+#  with it.
+#
+#  allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#
+#  Logging section.  The various "log_*" configuration items
+#  will eventually be moved here.
+#
+log {
+	#
+	#  Destination for log messages.  This can be one of:
+	#
+	#	files - log to "file", as defined below.
+	#	syslog - to syslog (see also the "syslog_facility", below.
+	#	stdout - standard output
+	#	stderr - standard error.
+	#
+	#  The command-line option "-X" over-rides this option, and forces
+	#  logging to go to stdout.
+	#
+	destination = syslog
+
+	#
+	#  Highlight important messages sent to stderr and stdout.
+	#
+	#  Option will be ignored (disabled) if output if TERM is not
+	#  an xterm or output is not to a TTY.
+	#
+	colourise = yes
+
+	#
+	#  The logging messages for the server are appended to the
+	#  tail of this file if destination == "files"
+	#
+	#  If the server is running in debugging mode, this file is
+	#  NOT used.
+	#
+	file = ${logdir}/radius.log
+
+	#
+	#  Which syslog facility to use, if ${destination} == "syslog"
+	#
+	#  The exact values permitted here are OS-dependent.  You probably
+	#  don't want to change this.
+	#
+	syslog_facility = daemon
+
+	#  Log the full User-Name attribute, as it was found in the request.
+	#
+	# allowed values: {no, yes}
+	#
+	stripped_names = no
+
+	#  Log authentication requests to the log file.
+	#
+	#  allowed values: {no, yes}
+	#
+	auth = yes
+
+	#  Log passwords with the authentication requests.
+	#  auth_badpass  - logs password if it's rejected
+	#  auth_goodpass - logs password if it's correct
+	#
+	#  allowed values: {no, yes}
+	#
+	auth_badpass = no
+	auth_goodpass = no
+
+	#  Log additional text at the end of the "Login OK" messages.
+	#  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+	#  configurations above have to be set to "yes".
+	#
+	#  The strings below are dynamically expanded, which means that
+	#  you can put anything you want in them.  However, note that
+	#  this expansion can be slow, and can negatively impact server
+	#  performance.
+	#
+#	msg_goodpass = ""
+#	msg_badpass = ""
+
+	#  The message when the user exceeds the Simultaneous-Use limit.
+	#
+	msg_denied = "You are already logged in - access denied"
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+#
+#  There may be multiple methods of attacking on the server.  This
+#  section holds the configuration items which minimize the impact
+#  of those attacks
+#
+security {
+	#  chroot: directory where the server does "chroot".
+	#
+	#  The chroot is done very early in the process of starting
+	#  the server.  After the chroot has been performed it
+	#  switches to the "user" listed below (which MUST be
+	#  specified).  If "group" is specified, it switches to that
+	#  group, too.  Any other groups listed for the specified
+	#  "user" in "/etc/group" are also added as part of this
+	#  process.
+	#
+	#  The current working directory (chdir / cd) is left
+	#  *outside* of the chroot until all of the modules have been
+	#  initialized.  This allows the "raddb" directory to be left
+	#  outside of the chroot.  Once the modules have been
+	#  initialized, it does a "chdir" to ${logdir}.  This means
+	#  that it should be impossible to break out of the chroot.
+	#
+	#  If you are worried about security issues related to this
+	#  use of chdir, then simply ensure that the "raddb" directory
+	#  is inside of the chroot, end be sure to do "cd raddb"
+	#  BEFORE starting the server.
+	#
+	#  If the server is statically linked, then the only files
+	#  that have to exist in the chroot are ${run_dir} and
+	#  ${logdir}.  If you do the "cd raddb" as discussed above,
+	#  then the "raddb" directory has to be inside of the chroot
+	#  directory, too.
+	#
+#	chroot = /path/to/chroot/directory
+
+	# user/group: The name (or #number) of the user/group to run radiusd as.
+	#
+	#   If these are commented out, the server will run as the
+	#   user/group that started it.  In order to change to a
+	#   different user/group, you MUST be root ( or have root
+	#   privileges ) to start the server.
+	#
+	#   We STRONGLY recommend that you run the server with as few
+	#   permissions as possible.  That is, if you're not using
+	#   shadow passwords, the user and group items below should be
+	#   set to radius'.
+	#
+	#  NOTE that some kernels refuse to setgid(group) when the
+	#  value of (unsigned)group is above 60000; don't use group
+	#  "nobody" on these systems!
+	#
+	#  On systems with shadow passwords, you might have to set
+	#  'group = shadow' for the server to be able to read the
+	#  shadow password file.  If you can authenticate users while
+	#  in debug mode, but not in daemon mode, it may be that the
+	#  debugging mode server is running as a user that can read
+	#  the shadow info, and the user listed below can not.
+	#
+	#  The server will also try to use "initgroups" to read
+	#  /etc/groups.  It will join all groups where "user" is a
+	#  member.  This can allow for some finer-grained access
+	#  controls.
+	#
+	user = radiusd
+	group = radiusd
+
+	#  Core dumps are a bad thing.  This should only be set to
+	#  'yes' if you're debugging a problem with the server.
+	#
+	#  allowed values: {no, yes}
+	#
+	allow_core_dumps = no
+
+	#
+	#  max_attributes: The maximum number of attributes
+	#  permitted in a RADIUS packet.  Packets which have MORE
+	#  than this number of attributes in them will be dropped.
+	#
+	#  If this number is set too low, then no RADIUS packets
+	#  will be accepted.
+	#
+	#  If this number is set too high, then an attacker may be
+	#  able to send a small number of packets which will cause
+	#  the server to use all available memory on the machine.
+	#
+	#  Setting this number to 0 means "allow any number of attributes"
+	max_attributes = 200
+
+	#
+	#  reject_delay: When sending an Access-Reject, it can be
+	#  delayed for a few seconds.  This may help slow down a DoS
+	#  attack.  It also helps to slow down people trying to brute-force
+	#  crack a users password.
+	#
+	#  Setting this number to 0 means "send rejects immediately"
+	#
+	#  If this number is set higher than 'cleanup_delay', then the
+	#  rejects will be sent at 'cleanup_delay' time, when the request
+	#  is deleted from the internal cache of requests.
+	#
+	#  As of Version 3.0.5, "reject_delay" has sub-second resolution.
+	#  e.g. "reject_delay =  1.4" seconds is possible.
+	#
+	#  Useful ranges: 1 to 5
+	reject_delay = 1
+
+	#
+	#  status_server: Whether or not the server will respond
+	#  to Status-Server requests.
+	#
+	#  When sent a Status-Server message, the server responds with
+	#  an Access-Accept or Accounting-Response packet.
+	#
+	#  This is mainly useful for administrators who want to "ping"
+	#  the server, without adding test users, or creating fake
+	#  accounting packets.
+	#
+	#  It's also useful when a NAS marks a RADIUS server "dead".
+	#  The NAS can periodically "ping" the server with a Status-Server
+	#  packet.  If the server responds, it must be alive, and the
+	#  NAS can start using it for real requests.
+	#
+	#  See also raddb/sites-available/status
+	#
+	status_server = yes
+
+
+}
+
+# PROXY CONFIGURATION
+#
+#  proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+#  The server has proxying turned on by default.  If your system is NOT
+#  set up to proxy requests to another server, then you can turn proxying
+#  off here.  This will save a small amount of resources on the server.
+#
+#  If you have proxying turned off, and your configuration files say
+#  to proxy a request, then an error message will be logged.
+#
+#  To disable proxying, change the "yes" to "no", and comment the
+#  $INCLUDE line.
+#
+#  allowed values: {no, yes}
+#
+proxy_requests  = no
+#$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+#  Client configuration is defined in "clients.conf".
+#
+
+#  The 'clients.conf' file contains all of the information from the old
+#  'clients' and 'naslist' configuration files.  We recommend that you
+#  do NOT use 'client's or 'naslist', although they are still
+#  supported.
+#
+#  Anything listed in 'clients.conf' will take precedence over the
+#  information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+#  The thread pool is a long-lived group of threads which
+#  take turns (round-robin) handling any incoming requests.
+#
+#  You probably want to have a few spare threads around,
+#  so that high-load situations can be handled immediately.  If you
+#  don't have any spare threads, then the request handling will
+#  be delayed while a new thread is created, and added to the pool.
+#
+#  You probably don't want too many spare threads around,
+#  otherwise they'll be sitting there taking up resources, and
+#  not doing anything productive.
+#
+#  The numbers given below should be adequate for most situations.
+#
+thread pool {
+	#  Number of servers to start initially --- should be a reasonable
+	#  ballpark figure.
+	start_servers = 5
+
+	#  Limit on the total number of servers running.
+	#
+	#  If this limit is ever reached, clients will be LOCKED OUT, so it
+	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
+	#  keep a runaway server from taking the system with it as it spirals
+	#  down...
+	#
+	#  You may find that the server is regularly reaching the
+	#  'max_servers' number of threads, and that increasing
+	#  'max_servers' doesn't seem to make much difference.
+	#
+	#  If this is the case, then the problem is MOST LIKELY that
+	#  your back-end databases are taking too long to respond, and
+	#  are preventing the server from responding in a timely manner.
+	#
+	#  The solution is NOT do keep increasing the 'max_servers'
+	#  value, but instead to fix the underlying cause of the
+	#  problem: slow database, or 'hostname_lookups=yes'.
+	#
+	#  For more information, see 'max_request_time', above.
+	#
+	max_servers = 32
+
+	#  Server-pool size regulation.  Rather than making you guess
+	#  how many servers you need, FreeRADIUS dynamically adapts to
+	#  the load it sees, that is, it tries to maintain enough
+	#  servers to handle the current load, plus a few spare
+	#  servers to handle transient load spikes.
+	#
+	#  It does this by periodically checking how many servers are
+	#  waiting for a request.  If there are fewer than
+	#  min_spare_servers, it creates a new spare.  If there are
+	#  more than max_spare_servers, some of the spares die off.
+	#  The default values are probably OK for most sites.
+	#
+	min_spare_servers = 3
+	max_spare_servers = 10
+
+	#  When the server receives a packet, it places it onto an
+	#  internal queue, where the worker threads (configured above)
+	#  pick it up for processing.  The maximum size of that queue
+	#  is given here.
+	#
+	#  When the queue is full, any new packets will be silently
+	#  discarded.
+	#
+	#  The most common cause of the queue being full is that the
+	#  server is dependent on a slow database, and it has received
+	#  a large "spike" of traffic.  When that happens, there is
+	#  very little you can do other than make sure the server
+	#  receives less traffic, or make sure that the database can
+	#  handle the load.
+	#
+#	max_queue_size = 65536
+
+	#  There may be memory leaks or resource allocation problems with
+	#  the server.  If so, set this value to 300 or so, so that the
+	#  resources will be cleaned up periodically.
+	#
+	#  This should only be necessary if there are serious bugs in the
+	#  server which have not yet been fixed.
+	#
+	#  '0' is a special value meaning 'infinity', or 'the servers never
+	#  exit'
+	max_requests_per_server = 0
+
+	#  Automatically limit the number of accounting requests.
+	#  This configuration item tracks how many requests per second
+	#  the server can handle.  It does this by tracking the
+	#  packets/s received by the server for processing, and
+	#  comparing that to the packets/s handled by the child
+	#  threads.
+	#
+
+	#  If the received PPS is larger than the processed PPS, *and*
+	#  the queue is more than half full, then new accounting
+	#  requests are probabilistically discarded.  This lowers the
+	#  number of packets that the server needs to process.  Over
+	#  time, the server will "catch up" with the traffic.
+	#
+	#  Throwing away accounting packets is usually safe and low
+	#  impact.  The NAS will retransmit them in a few seconds, or
+	#  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1
+	#  to see how accounting packets should be retransmitted.  Using
+	#  any other method is likely to cause network meltdowns.
+	#
+	auto_limit_acct = no
+}
+
+######################################################################
+#
+#  SNMP notifications.  Uncomment the following line to enable
+#  snmptraps.  Note that you MUST also configure the full path
+#  to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
+# MODULE CONFIGURATION
+#
+#  The names and configuration of each module is located in this section.
+#
+#  After the modules are defined here, they may be referred to by name,
+#  in other sections of this configuration file.
+#
+modules {
+	#
+	#  Each module has a configuration as follows:
+	#
+	#	name [ instance ] {
+	#		config_item = value
+	#		...
+	#	}
+	#
+	#  The 'name' is used to load the 'rlm_name' library
+	#  which implements the functionality of the module.
+	#
+	#  The 'instance' is optional.  To have two different instances
+	#  of a module, it first must be referred to by 'name'.
+	#  The different copies of the module are then created by
+	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+	#
+	#  The instance names can then be used in later configuration
+	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
+	#  for an example.
+	#
+
+	#
+	#  As of 3.0, modules are in mods-enabled/.  Files matching
+	#  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are
+	#  initialized ONLY if they are referenced in a processing
+	#  section, such as authorize, authenticate, accounting,
+	#  pre/post-proxy, etc.
+	#
+	$INCLUDE mods-enabled/
+}
+
+# Instantiation
+#
+#  This section orders the loading of the modules.  Modules
+#  listed here will get loaded BEFORE the later sections like
+#  authorize, authenticate, etc. get examined.
+#
+#  This section is not strictly needed.  When a section like
+#  authorize refers to a module, it's automatically loaded and
+#  initialized.  However, some modules may not be listed in any
+#  of the following sections, so they can be listed here.
+#
+#  Also, listing modules here ensures that you have control over
+#  the order in which they are initialized.  If one module needs
+#  something defined by another module, you can list them in order
+#  here, and ensure that the configuration will be OK.
+#
+#  After the modules listed here have been loaded, all of the modules
+#  in the "mods-enabled" directory will be loaded.  Loading the
+#  "mods-enabled" directory means that unlike Version 2, you usually
+#  don't need to list modules here.
+#
+instantiate {
+	#
+	# We list the counter module here so that it registers
+	# the check_name attribute before any module which sets
+	# it
+#	daily
+
+	# subsections here can be thought of as "virtual" modules.
+	#
+	# e.g. If you have two redundant SQL servers, and you want to
+	# use them in the authorize and accounting sections, you could
+	# place a "redundant" block in each section, containing the
+	# exact same text.  Or, you could uncomment the following
+	# lines, and list "redundant_sql" in the authorize and
+	# accounting sections.
+	#
+	#  The "virtual" module defined here can also be used with
+	#  dynamic expansions, under a few conditions:
+	#
+	#  * The section is "redundant", or "load-balance", or
+	#    "redundant-load-balance"
+	#  * The section contains modules ONLY, and no sub-sections
+	#  * all modules in the section are using the same rlm_
+	#    driver, e.g. They are all sql, or all ldap, etc.
+	#
+	#  When those conditions are satisfied, the server will
+	#  automatically register a dynamic expansion, using the
+	#  name of the "virtual" module.  In the example below,
+	#  it will be "redundant_sql".  You can then use this expansion
+	#  just like any other:
+	#
+	#	update reply {
+	#		Filter-Id := "%{redundant_sql: ... }"
+	#	}
+	#
+	#  In this example, the expansion is done via module "sql1",
+	#  and if that expansion fails, using module "sql2".
+	#
+	#  For best results, configure the "pool" subsection of the
+	#  module so that "retry_delay" is non-zero.  That will allow
+	#  the redundant block to quickly ignore all "down" SQL
+	#  databases.  If instead we have "retry_delay = 0", then
+	#  every time the redundant block is used, the server will try
+	#  to open a connection to every "down" database, causing
+	#  problems.
+	#
+	#redundant redundant_sql {
+	#	sql1
+	#	sql2
+	#}
+}
+
+######################################################################
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantiate" section above.
+#
+#  Defining a policy in one of the policy.d files means that it can be
+#  referenced in multiple places as a *name*, rather than as a series of
+#  conditions to match, and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively. They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+policy {
+	$INCLUDE policy.d/
+}
+
+######################################################################
+#
+#	Load virtual servers.
+#
+#	This next $INCLUDE line loads files in the directory that
+#	match the regular expression: /[a-zA-Z0-9_.]+/
+#
+#	It allows you to define new virtual servers simply by placing
+#	a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+#	All of the other configuration sections like "authorize {}",
+#	"authenticate {}", "accounting {}", have been moved to the
+#	the file:
+#
+#		raddb/sites-available/default
+#
+#	This is the "default" virtual server that has the same
+#	configuration as in version 1.0.x and 1.1.x.  The default
+#	installation enables this virtual server.  You should
+#	edit it to create policies for your local site.
+#
+#	For more documentation on virtual servers, see:
+#
+#		raddb/sites-available/README
+#
+######################################################################
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
new file mode 100644
index 0000000..cb1bb45
--- /dev/null
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -0,0 +1,84 @@
+server labitat {
+
+	listen {
+		type = auth
+		ipaddr = 10.42.0.1
+		port = 0
+
+		limit {
+			max_connections = 16
+				lifetime = 0
+				idle_timeout = 30
+		}
+	}
+
+	authorize {
+		filter_username
+		preprocess
+		auth_log
+
+		eap {
+			ok = return
+		}
+
+		files
+
+		expiration
+		logintime
+		pap
+	}
+
+	authenticate {
+		Auth-Type PAP {
+			pap
+		}
+
+		Auth-Type CHAP {
+			chap
+		}
+
+		Auth-Type MS-CHAP {
+			mschap
+		}
+
+		digest
+		eap
+	}
+
+	preacct {
+		preprocess
+		acct_unique
+		suffix
+		files
+	}
+
+	accounting {
+		unix
+		-sql
+		exec
+		attr_filter.accounting_response
+	}
+
+	session {
+	}
+
+	post-auth {
+		-sql
+		exec
+		remove_reply_message_if_eap
+
+		Post-Auth-Type REJECT {
+			-sql
+			attr_filter.access_reject
+			eap
+			remove_reply_message_if_eap
+		}
+	}
+
+	pre-proxy {
+	}
+
+	post-proxy {
+		eap
+	}
+}