Diffstat (limited to 'roles/space_server/files/radius')
| -rw-r--r-- | roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm | bin | 0 -> 1112554 bytes | |||
| -rw-r--r-- | roles/space_server/files/radius/getusers.service | 10 | ||||
| -rw-r--r-- | roles/space_server/files/radius/getusers.timer | 12 | ||||
| -rw-r--r-- | roles/space_server/files/radius/mods-available/eap | 883 | ||||
| -rw-r--r-- | roles/space_server/files/radius/radiusd.conf | 779 | ||||
| -rw-r--r-- | roles/space_server/files/radius/sites-available/labitat | 84 | 
6 files changed, 1768 insertions, 0 deletions
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
Binary files differ
new file mode 100644
index 0000000..145191c
--- /dev/null
+++ b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
diff --git a/roles/space_server/files/radius/getusers.service b/roles/space_server/files/radius/getusers.service
new file mode 100644
index 0000000..7ac5082
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Download radius users
+
+[Service]
+Type=oneshot
+ExecStart=/etc/raddb/getusers.sh
+User=root
+Group=radiusd
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/roles/space_server/files/radius/getusers.timer b/roles/space_server/files/radius/getusers.timer
new file mode 100644
index 0000000..9ef4eb3
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Download radius users every 10 minutes
+
+[Timer]
+Unit=getusers.service
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=10min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
new file mode 100644
index 0000000..87593b0
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/eap
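Review bot: `ExecStart=/etc/raddb/getusers.sh` runs as `User=root`, but the script is not part of this commit (it is absent from the diffstat), so what it downloads, how the transfer is authenticated and where it writes cannot be reviewed here, and the unit will fail at activation if the role does not install it. If the script only needs to write under the raddb directory, a non-root account that owns the target file (for example `User=radiusd`) would limit what a bad download can touch. `ProtectSystem=yes` keeps /etc writable, which is presumably why `full` was not chosen; `NoNewPrivileges=yes` and `PrivateTmp=yes` can still be added without affecting that. A comment in the unit naming the file the script produces would help the next maintainer.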
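Review bot: `OnBootSec=10min` means the first refresh after a reboot happens ten minutes after boot, so a freshly booted RADIUS server authenticates against whatever copy of the users file was last written to disk, assuming the script persists one there. If an up-to-date list at startup matters, `OnBootSec=1min` (or a smaller value) narrows that window; the comment above it could then say why the delay exists at all, e.g. `# Give the network time to come up before the first fetch`.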
@@ -0,0 +1,883 @@ +# -*- text -*- +## +##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +##	$Id: 2621e183c3d9eafacb03bbea57a4a1fb71bf0383 $ + +####################################################################### +# +#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server +#  is smart enough to figure this out on its own.  The most +#  common side effect of setting 'Auth-Type := EAP' is that the +#  users then cannot use ANY other authentication method. +# +eap { +	#  Invoke the default supported EAP type when +	#  EAP-Identity response is received. +	# +	#  The incoming EAP messages DO NOT specify which EAP +	#  type they will be using, so it MUST be set here. +	# +	#  For now, only one default EAP type may be used at a time. +	# +	#  If the EAP-Type attribute is set by another module, +	#  then that EAP type takes precedence over the +	#  default type configured here. +	# +	default_eap_type = ttls + +	#  A list is maintained to correlate EAP-Response +	#  packets with EAP-Request packets.  After a +	#  configurable length of time, entries in the list +	#  expire, and are deleted. +	# +	timer_expire     = 60 + +	#  There are many EAP types, but the server has support +	#  for only a limited subset.  If the server receives +	#  a request for an EAP type it does not support, then +	#  it normally rejects the request.  By setting this +	#  configuration to "yes", you can tell the server to +	#  instead keep processing the request.  Another module +	#  MUST then be configured to proxy the request to +	#  another RADIUS server which supports that EAP type. +	# +	#  If another module is NOT configured to handle the +	#  request, then the request will still end up being +	#  rejected. +	ignore_unknown_eap_types = no + +	# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given +	# a User-Name attribute in an Access-Accept, it copies one +	# more byte than it should. +	# +	# We can work around it by configurably adding an extra +	# zero byte. 
+	cisco_accounting_username_bug = no + +	# +	#  Help prevent DoS attacks by limiting the number of +	#  sessions that the server is tracking.  For simplicity, +	#  this is taken from the "max_requests" directive in +	#  radiusd.conf. +	max_sessions = ${max_requests} + +	# Supported EAP-types + +	# +	#  We do NOT recommend using EAP-MD5 authentication +	#  for wireless connections.  It is insecure, and does +	#  not provide for dynamic WEP keys. +	# +	md5 { +	} + +	# +	# EAP-pwd -- secure password-based authentication +	# +#	pwd { +#		group = 19 + +		# +#		server_id = theserver@example.com + +		#  This has the same meaning as for TLS. +#		fragment_size = 1020 + +		# The virtual server which determines the +		# "known good" password for the user. +		# Note that unlike TLS, only the "authorize" +		# section is processed.  EAP-PWD requests can be +		# distinguished by having a User-Name, but +		# no User-Password, CHAP-Password, EAP-Message, etc. +#		virtual_server = "inner-tunnel" +#	} + +	# Cisco LEAP +	# +	#  We do not recommend using LEAP in new deployments.  See: +	#  http://www.securiteam.com/tools/5TP012ACKE.html +	# +	#  Cisco LEAP uses the MS-CHAP algorithm (but not +	#  the MS-CHAP attributes) to perform it's authentication. +	# +	#  As a result, LEAP *requires* access to the plain-text +	#  User-Password, or the NT-Password attributes. +	#  'System' authentication is impossible with LEAP. +	# +	leap { +	} + +	#  Generic Token Card. +	# +	#  Currently, this is only permitted inside of EAP-TTLS, +	#  or EAP-PEAP.  The module "challenges" the user with +	#  text, and the response from the user is taken to be +	#  the User-Password. +	# +	#  Proxying the tunneled EAP-GTC session is a bad idea, +	#  the users password will go over the wire in plain-text, +	#  for anyone to see. +	# +	gtc { +		#  The default challenge, which many clients +		#  ignore.. 
+		#challenge = "Password: " + +		#  The plain-text response which comes back +		#  is put into a User-Password attribute, +		#  and passed to another module for +		#  authentication.  This allows the EAP-GTC +		#  response to be checked against plain-text, +		#  or crypt'd passwords. +		# +		#  If you say "Local" instead of "PAP", then +		#  the module will look for a User-Password +		#  configured for the request, and do the +		#  authentication itself. +		# +		auth_type = PAP +	} + +	## Common TLS configuration for TLS-based EAP types +	# +	#  See raddb/certs/README for additional comments +	#  on certificates. +	# +	#  If OpenSSL was not found at the time the server was +	#  built, the "tls", "ttls", and "peap" sections will +	#  be ignored. +	# +	#  If you do not currently have certificates signed by +	#  a trusted CA you may use the 'snakeoil' certificates. +	#  Included with the server in raddb/certs. +	# +	#  If these certificates have not been auto-generated: +	#    cd raddb/certs +	#    make +	# +	#  These test certificates SHOULD NOT be used in a normal +	#  deployment.  They are created only to make it easier +	#  to install the server, and to perform some simple +	#  tests with EAP-TLS, TTLS, or PEAP. +	# +	#  See also: +	# +	#  http://www.dslreports.com/forum/remark,9286052~mode=flat +	# +	#  Note that you should NOT use a globally known CA here! +	#  e.g. using a Verisign cert as a "known CA" means that +	#  ANYONE who has a certificate signed by them can +	#  authenticate via EAP-TLS!  This is likely not what you want. +	tls-config tls-common { +		private_key_password = whatever +		private_key_file = ${certdir}/server.pem + +		#  If Private key & Certificate are located in +		#  the same file, then private_key_file & +		#  certificate_file must contain the same file +		#  name. 
+		# +		#  If ca_file (below) is not used, then the +		#  certificate_file below MUST include not +		#  only the server certificate, but ALSO all +		#  of the CA certificates used to sign the +		#  server certificate. +		certificate_file = ${certdir}/server.pem + +		#  Trusted Root CA list +		# +		#  ALL of the CA's in this list will be trusted +		#  to issue client certificates for authentication. +		# +		#  In general, you should use self-signed +		#  certificates for 802.1x (EAP) authentication. +		#  In that case, this CA file should contain +		#  *one* CA certificate. +		# +		ca_file = ${cadir}/ca.pem + +	 	#  OpenSSL will automatically create certificate chains, +	 	#  unless we tell it to not do that.  The problem is that +	 	#  it sometimes gets the chains right from a certificate +	 	#  signature view, but wrong from the clients view. +		# +		#  When setting "auto_chain = no", the server certificate +		#  file MUST include the full certificate chain. +	#	auto_chain = yes + +		# +		#  If OpenSSL supports TLS-PSK, then we can use +		#  a PSK identity and (hex) password.  When the +		#  following two configuration items are specified, +		#  then certificate-based configuration items are +		#  not allowed.  e.g.: +		# +		#	private_key_password +		#	private_key_file +		#	certificate_file +		#	ca_file +		#	ca_path +		# +		#  For now, the identity is fixed, and must be the +		#  same on the client.  The passphrase must be a hex +		#  value, and can be up to 256 hex digits. +		# +		#  Future versions of the server may be able to +		#  look up the shared key (hexphrase) based on the +		#  identity. 
+		# +	#	psk_identity = "test" +	#	psk_hexphrase = "036363823" + +		# +		#  For DH cipher suites to work, you have to +		#  run OpenSSL to create the DH file first: +		# +		#  	openssl dhparam -out certs/dh 2048 +		# +		dh_file = ${certdir}/dh + +		# +		#  If your system doesn't have /dev/urandom, +		#  you will need to create this file, and +		#  periodically change its contents. +		# +		#  For security reasons, FreeRADIUS doesn't +		#  write to files in its configuration +		#  directory. +		# +	#	random_file = /dev/urandom + +		# +		#  This can never exceed the size of a RADIUS +		#  packet (4096 bytes), and is preferably half +		#  that, to accommodate other attributes in +		#  RADIUS packet.  On most APs the MAX packet +		#  length is configured between 1500 - 1600 +		#  In these cases, fragment size should be +		#  1024 or less. +		# +	#	fragment_size = 1024 + +		#  include_length is a flag which is +		#  by default set to yes If set to +		#  yes, Total Length of the message is +		#  included in EVERY packet we send. +		#  If set to no, Total Length of the +		#  message is included ONLY in the +		#  First packet of a fragment series. +		# +	#	include_length = yes + + +		#  Check the Certificate Revocation List +		# +		#  1) Copy CA certificates and CRLs to same directory. +		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'. +		#    'c_rehash' is OpenSSL's command. +		#  3) uncomment the lines below. +		#  5) Restart radiusd +	#	check_crl = yes + +		# Check if intermediate CAs have been revoked. +	#	check_all_crl = yes + +		ca_path = ${cadir} + +		# +		#  If check_cert_issuer is set, the value will +		#  be checked against the DN of the issuer in +		#  the client certificate.  If the values do not +		#  match, the certificate verification will fail, +		#  rejecting the user. +		# +		#  In 2.1.10 and later, this check can be done +		#  more generally by checking the value of the +		#  TLS-Client-Cert-Issuer attribute.  
This check +		#  can be done via any mechanism you choose. +		# +	#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + +		# +		#  If check_cert_cn is set, the value will +		#  be xlat'ed and checked against the CN +		#  in the client certificate.  If the values +		#  do not match, the certificate verification +		#  will fail rejecting the user. +		# +		#  This check is done only if the previous +		#  "check_cert_issuer" is not set, or if +		#  the check succeeds. +		# +		#  In 2.1.10 and later, this check can be done +		#  more generally by checking the value of the +		#  TLS-Client-Cert-CN attribute.  This check +		#  can be done via any mechanism you choose. +		# +	#	check_cert_cn = %{User-Name} +		# +		# Set this option to specify the allowed +		# TLS cipher suites.  The format is listed +		# in "man 1 ciphers". +		# +		# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" +		# +		cipher_list = "PROFILE=SYSTEM" + +		# If enabled, OpenSSL will use server cipher list +		# (possibly defined by cipher_list option above) +		# for choosing right cipher suite rather than +		# using client-specified list which is OpenSSl default +		# behavior. Having it set to yes is a current best practice +		# for TLS +		cipher_server_preference = no + +		# Work-arounds for OpenSSL nonsense +		# OpenSSL 1.0.1f and 1.0.1g do not calculate +		# the EAP keys correctly.  The fix is to upgrade +		# OpenSSL, or disable TLS 1.2 here.  +		# +		#  For EAP-FAST, this MUST be set to "yes". +		# +#		disable_tlsv1_2 = no + +		# + +		# +		#  Elliptical cryptography configuration +		# +		#  Only for OpenSSL >= 0.9.8.f +		# +		ecdh_curve = "prime256v1" + +		# +		#  Session resumption / fast reauthentication +		#  cache. 
+		# +		#  The cache contains the following information: +		# +		#  session Id - unique identifier, managed by SSL +		#  User-Name  - from the Access-Accept +		#  Stripped-User-Name - from the Access-Request +		#  Cached-Session-Policy - from the Access-Accept +		# +		#  The "Cached-Session-Policy" is the name of a +		#  policy which should be applied to the cached +		#  session.  This policy can be used to assign +		#  VLANs, IP addresses, etc.  It serves as a useful +		#  way to re-apply the policy from the original +		#  Access-Accept to the subsequent Access-Accept +		#  for the cached session. +		# +		#  On session resumption, these attributes are +		#  copied from the cache, and placed into the +		#  reply list. +		# +		#  You probably also want "use_tunneled_reply = yes" +		#  when using fast session resumption. +		# +		cache { +			# +			#  Enable it.  The default is "no". Deleting the entire "cache" +			#  subsection also disables caching. +			# +			#  As of version 3.0.14, the session cache requires the use +			#  of the "name" and "persist_dir" configuration items, below. +			# +			#  The internal OpenSSL session cache has been permanently +			#  disabled. +			# +			#  You can disallow resumption for a particular user by adding the +			#  following attribute to the control item list: +			# +			#    Allow-Session-Resumption = No +			# +			#  If "enable = no" below, you CANNOT enable resumption for just one +			#  user by setting the above attribute to "yes". +			# +			enable = no + +			# +			#  Lifetime of the cached entries, in hours. The sessions will be +			#  deleted/invalidated after this time. +			# +			lifetime = 24 # hours + +			# +			#  Internal "name" of the session cache. Used to +			#  distinguish which TLS context sessions belong to. +			# +			#  The server will generate a random value if unset. +			#  This will change across server restart so you MUST +			#  set the "name" if you want to persist sessions (see +			#  below). 
+			# +			#name = "EAP module" + +			# +			#  Simple directory-based storage of sessions. +			#  Two files per session will be written, the SSL +			#  state and the cached VPs. This will persist session +			#  across server restarts. +			# +			#  The default directory is ${logdir}, for historical +			#  reasons.  You should ${db_dir} instead.  And check +			#  the value of db_dir in the main radiusd.conf file. +			#  It should not point to ${raddb} +			# +			#  The server will need write perms, and the directory +			#  should be secured from anyone else. You might want +			#  a script to remove old files from here periodically: +			# +			#    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; +			# +			#  This feature REQUIRES "name" option be set above. +			# +			#persist_dir = "${logdir}/tlscache" +		} + +		# +		#  As of version 2.1.10, client certificates can be +		#  validated via an external command.  This allows +		#  dynamic CRLs or OCSP to be used. +		# +		#  This configuration is commented out in the +		#  default configuration.  Uncomment it, and configure +		#  the correct paths below to enable it. +		# +		#  If OCSP checking is enabled, and the OCSP checks fail, +		#  the verify section is not run. +		# +		#  If OCSP checking is disabled, the verify section is +		#  run on successful certificate validation. +		# +		verify { +			#  If the OCSP checks succeed, the verify section +			#  is run to allow additional checks. +			# +			#  If you want to skip verify on OCSP success, +			#  uncomment this configuration item, and set it +			#  to "yes". +	#		skip_if_ocsp_ok = no + +			#  A temporary directory where the client +			#  certificates are stored.  This directory +			#  MUST be owned by the UID of the server, +			#  and MUST not be accessible by any other +			#  users.  When the server starts, it will do +			#  "chmod go-rwx" on the directory, for +			#  security reasons.  The directory MUST +			#  exist when the server starts. 
+			# +			#  You should also delete all of the files +			#  in the directory when the server starts. +	#		tmpdir = /var/run/radiusd/tmp + +			#  The command used to verify the client cert. +			#  We recommend using the OpenSSL command-line +			#  tool. +			# +			#  The ${..ca_path} text is a reference to +			#  the ca_path variable defined above. +			# +			#  The %{TLS-Client-Cert-Filename} is the name +			#  of the temporary file containing the cert +			#  in PEM format.  This file is automatically +			#  deleted by the server when the command +			#  returns. +	#		client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" +		} + +		# +		#  OCSP Configuration +		#  Certificates can be verified against an OCSP +		#  Responder. This makes it possible to immediately +		#  revoke certificates without the distribution of +		#  new Certificate Revocation Lists (CRLs). +		# +		ocsp { +			# +			#  Enable it.  The default is "no". +			#  Deleting the entire "ocsp" subsection +			#  also disables ocsp checking +			# +			enable = no + +			# +			#  The OCSP Responder URL can be automatically +			#  extracted from the certificate in question. +			#  To override the OCSP Responder URL set +			#  "override_cert_url = yes". +			# +			override_cert_url = yes + +			# +			#  If the OCSP Responder address is not extracted from +			#  the certificate, the URL can be defined here. +			# +			url = "http://127.0.0.1/ocsp/" + +			# +			# If the OCSP Responder can not cope with nonce +			# in the request, then it can be disabled here. +			# +			# For security reasons, disabling this option +			# is not recommended as nonce protects against +			# replay attacks. +			# +			# Note that Microsoft AD Certificate Services OCSP +			# Responder does not enable nonce by default. It is +			# more secure to enable nonce on the responder than +			# to disable it in the query here. 
+			# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx +			# +			# use_nonce = yes + +			# +			# Number of seconds before giving up waiting +			# for OCSP response. 0 uses system default. +			# +			# timeout = 0 + +			# +			# Normally an error in querying the OCSP +			# responder (no response from server, server did +			# not understand the request, etc) will result in +			# a validation failure. +			# +			# To treat these errors as 'soft' failures and +			# still accept the certificate, enable this +			# option. +			# +			# Warning: this may enable clients with revoked +			# certificates to connect if the OCSP responder +			# is not available. Use with caution. +			# +			# softfail = no +		} +	} + +	## EAP-TLS +	# +	#  As of Version 3.0, the TLS configuration for TLS-based +	#  EAP types is above in the "tls-config" section. +	# +	tls { +		# Point to the common TLS configuration +		tls = tls-common + +		# +		# As part of checking a client certificate, the EAP-TLS +		# sets some attributes such as TLS-Client-Cert-CN. This +		# virtual server has access to these attributes, and can +		# be used to accept or reject the request. +		# +	#	virtual_server = check-eap-tls +	} + + +	## EAP-TTLS +	# +	#  The TTLS module implements the EAP-TTLS protocol, +	#  which can be described as EAP inside of Diameter, +	#  inside of TLS, inside of EAP, inside of RADIUS... +	# +	#  Surprisingly, it works quite well. +	# +	ttls { +		#  Which tls-config section the TLS negotiation parameters +		#  are in - see EAP-TLS above for an explanation. +		# +		#  In the case that an old configuration from FreeRADIUS +		#  v2.x is being used, all the options of the tls-config +		#  section may also appear instead in the 'tls' section +		#  above. If that is done, the tls= option here (and in +		#  tls above) MUST be commented out. 
+		# +		tls = tls-common + +		#  The tunneled EAP session needs a default EAP type +		#  which is separate from the one for the non-tunneled +		#  EAP module.  Inside of the TTLS tunnel, we recommend +		#  using EAP-MD5.  If the request does not contain an +		#  EAP conversation, then this configuration entry is +		#  ignored. +		# +		default_eap_type = md5 + +		#  The tunneled authentication request does not usually +		#  contain useful attributes like 'Calling-Station-Id', +		#  etc.  These attributes are outside of the tunnel, +		#  and normally unavailable to the tunneled +		#  authentication request. +		# +		#  By setting this configuration entry to 'yes', +		#  any attribute which is NOT in the tunneled +		#  authentication request, but which IS available +		#  outside of the tunnel, is copied to the tunneled +		#  request. +		# +		#  allowed values: {no, yes} +		# +		copy_request_to_tunnel = no + +		# +		#  As of version 3.0.5, this configuration item +		#  is deprecated.  Instead, you should use +		# +		# 	update outer.session-state { +		#		... +		# +		#	} +		# +		#  This will cache attributes for the final Access-Accept. +		# +		#  The reply attributes sent to the NAS are usually +		#  based on the name of the user 'outside' of the +		#  tunnel (usually 'anonymous').  If you want to send +		#  the reply attributes based on the user name inside +		#  of the tunnel, then set this configuration entry to +		#  'yes', and the reply to the NAS will be taken from +		#  the reply to the tunneled request. +		# +		#  allowed values: {no, yes} +		# +		use_tunneled_reply = no + +		# +		#  The inner tunneled request can be sent +		#  through a virtual server constructed +		#  specifically for this purpose. +		# +		#  If this entry is commented out, the inner +		#  tunneled request will be sent through +		#  the virtual server that processed the +		#  outer requests. 
+		# +		virtual_server = "inner-tunnel" + +		#  This has the same meaning, and overwrites, the +		#  same field in the "tls" configuration, above. +		#  The default value here is "yes". +		# +	#	include_length = yes + +		# +		# Unlike EAP-TLS, EAP-TTLS does not require a client +		# certificate. However, you can require one by setting the +		# following option. You can also override this option by +		# setting +		# +		#	EAP-TLS-Require-Client-Cert = Yes +		# +		# in the control items for a request. +		# +	#	require_client_cert = yes +	} + + +	## EAP-PEAP +	# + +	################################################## +	# +	#  !!!!! WARNINGS for Windows compatibility  !!!!! +	# +	################################################## +	# +	#  If you see the server send an Access-Challenge, +	#  and the client never sends another Access-Request, +	#  then +	# +	#		STOP! +	# +	#  The server certificate has to have special OID's +	#  in it, or else the Microsoft clients will silently +	#  fail.  See the "scripts/xpextensions" file for +	#  details, and the following page: +	# +	#	http://support.microsoft.com/kb/814394/en-us +	# +	#  For additional Windows XP SP2 issues, see: +	# +	#	http://support.microsoft.com/kb/885453/en-us +	# +	# +	#  If is still doesn't work, and you're using Samba, +	#  you may be encountering a Samba bug.  See: +	# +	#	https://bugzilla.samba.org/show_bug.cgi?id=6563 +	# +	#  Note that we do not necessarily agree with their +	#  explanation... but the fix does appear to work. +	# +	################################################## + +	# +	#  The tunneled EAP session needs a default EAP type +	#  which is separate from the one for the non-tunneled +	#  EAP module.  Inside of the TLS/PEAP tunnel, we +	#  recommend using EAP-MS-CHAPv2. +	# +	peap { +		#  Which tls-config section the TLS negotiation parameters +		#  are in - see EAP-TLS above for an explanation. 
+		# +		#  In the case that an old configuration from FreeRADIUS +		#  v2.x is being used, all the options of the tls-config +		#  section may also appear instead in the 'tls' section +		#  above. If that is done, the tls= option here (and in +		#  tls above) MUST be commented out. +		# +		tls = tls-common + +		#  The tunneled EAP session needs a default +		#  EAP type which is separate from the one for +		#  the non-tunneled EAP module.  Inside of the +		#  PEAP tunnel, we recommend using MS-CHAPv2, +		#  as that is the default type supported by +		#  Windows clients. +		# +		default_eap_type = mschapv2 + +		#  The PEAP module also has these configuration +		#  items, which are the same as for TTLS. +		# +		copy_request_to_tunnel = no + +		# +		#  As of version 3.0.5, this configuration item +		#  is deprecated.  Instead, you should use +		# +		# 	update outer.session-state { +		#		... +		# +		#	} +		# +		#  This will cache attributes for the final Access-Accept. +		# +		use_tunneled_reply = no + +		#  When the tunneled session is proxied, the +		#  home server may not understand EAP-MSCHAP-V2. +		#  Set this entry to "no" to proxy the tunneled +		#  EAP-MSCHAP-V2 as normal MSCHAPv2. +		# +	#	proxy_tunneled_request_as_eap = yes + +		# +		#  The inner tunneled request can be sent +		#  through a virtual server constructed +		#  specifically for this purpose. +		# +		#  If this entry is commented out, the inner +		#  tunneled request will be sent through +		#  the virtual server that processed the +		#  outer requests. +		# +		virtual_server = "inner-tunnel" + +		# This option enables support for MS-SoH +		# see doc/SoH.txt for more info. +		# It is disabled by default. +		# +	#	soh = yes + +		# +		# The SoH reply will be turned into a request which +		# can be sent to a specific virtual server: +		# +	#	soh_virtual_server = "soh-server" + +		# +		# Unlike EAP-TLS, PEAP does not require a client certificate. 
+		# However, you can require one by setting the following +		# option. You can also override this option by setting +		# +		#	EAP-TLS-Require-Client-Cert = Yes +		# +		# in the control items for a request. +		# +	#	require_client_cert = yes +	} + +	# +	#  This takes no configuration. +	# +	#  Note that it is the EAP MS-CHAPv2 sub-module, not +	#  the main 'mschap' module. +	# +	#  Note also that in order for this sub-module to work, +	#  the main 'mschap' module MUST ALSO be configured. +	# +	#  This module is the *Microsoft* implementation of MS-CHAPv2 +	#  in EAP.  There is another (incompatible) implementation +	#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not +	#  currently support. +	# +	mschapv2 { +		#  Prior to version 2.1.11, the module never +		#  sent the MS-CHAP-Error message to the +		#  client.  This worked, but it had issues +		#  when the cached password was wrong.  The +		#  server *should* send "E=691 R=0" to the +		#  client, which tells it to prompt the user +		#  for a new password. +		# +		#  The default is to behave as in 2.1.10 and +		#  earlier, which is known to work.  If you +		#  set "send_error = yes", then the error +		#  message will be sent back to the client. +		#  This *may* help some clients work better, +		#  but *may* also cause other clients to stop +		#  working. +		# +#		send_error = no + +		#  Server identifier to send back in the challenge. +		#  This should generally be the host name of the +		#  RADIUS server.  Or, some information to uniquely +		#  identify it. +#		identity = "FreeRADIUS" +	} + +	## EAP-FAST +	# +	#  The FAST module implements the EAP-FAST protocol +	# +#	fast { +		# Point to the common TLS configuration +		# +		# cipher_list though must include "ADH" for anonymous provisioning. 
+		# This is not as straight forward as appending "ADH" alongside +		# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is +		# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used +		# +#		tls = tls-common + +		# PAC lifetime in seconds (default: seven days) +		# +#		pac_lifetime = 604800 + +		# Authority ID of the server +		# +		# if you are running a cluster of RADIUS servers, you should make +		# the value chosen here (and for "pac_opaque_key") the same on all +		# your RADIUS servers.  This value should be unique to your +		# installation.  We suggest using a domain name. +		# +#		authority_identity = "1234" + +		# PAC Opaque encryption key (must be exactly 32 bytes in size) +		# +		# This value MUST be secret, and MUST be generated using +		# a secure method, such as via 'openssl rand -hex 32' +		# +#		pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + +		# Same as for TTLS, PEAP, etc. +		# +#		virtual_server = inner-tunnel +#	} +} diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf new file mode 100644 index 0000000..78990e5 --- /dev/null +++ b/roles/space_server/files/radius/radiusd.conf 
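Review bot: `private_key_password = whatever` in the `tls-config tls-common` block is the passphrase of the stock FreeRADIUS bootstrap certificates, and committing it under `files/` stores it in the repository in clear; the certificate files it refers to (`${certdir}/server.pem`, `${cadir}/ca.pem`, `${certdir}/dh`) are not part of this commit, so it is also unclear whether this passphrase matches the key actually deployed. If the key stays passphrase-protected, this file should become a template whose value comes from Ansible Vault (constructed example: `private_key_password = "{{ radius_private_key_password }}"`); otherwise generate the server key without a passphrase and drop the line. In the same block `cipher_server_preference = no` contradicts its own comment, which says `yes` is current best practice, so `cipher_server_preference = yes` is the obvious change. The empty `leap { }` subsection keeps LEAP negotiable by clients even though its heading says it should not be used in new deployments; unlike `md5 { }`, which the TTLS `default_eap_type = md5` presumably relies on, `leap { }` can simply be deleted.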
@@ -0,0 +1,779 @@ +# -*- text -*- +## +## radiusd.conf	-- FreeRADIUS server configuration file - 3.0.15 +## +##	http://www.freeradius.org/ +##	$Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $ +## + +###################################################################### +# +#	Read "man radiusd" before editing this file.  See the section +#	titled DEBUGGING.  It outlines a method where you can quickly +#	obtain the configuration you want, without running into +#	trouble. +# +#	Run the server in debugging mode, and READ the output. +# +#		$ radiusd -X +# +#	We cannot emphasize this point strongly enough.  The vast +#	majority of problems can be solved by carefully reading the +#	debugging output, which includes warnings about common issues, +#	and suggestions for how they may be fixed. +# +#	There may be a lot of output, but look carefully for words like: +#	"warning", "error", "reject", or "failure".  The messages there +#	will usually be enough to guide you to a solution. +# +#	If you are going to ask a question on the mailing list, then +#	explain what you are trying to do, and include the output from +#	debugging mode (radiusd -X).  Failure to do so means that all +#	of the responses to your question will be people telling you +#	to "post the output of radiusd -X". + +###################################################################### +# +#  	The location of other config files and logfiles are declared +#  	in this file. +# +#  	Also general configuration for modules can be done in this +#  	file, it is exported through the API to modules that ask for +#  	it. +# +#	See "man radiusd.conf" for documentation on the format of this +#	file.  Note that the individual configuration items are NOT +#	documented in that "man" page.  They are only documented here, +#	in the comments. +# +#	The "unlang" policy language can be used to create complex +#	if / else policies.  See "man unlang" for details. 
+# + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = /usr/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# +#  name of the running server.  See also the "-n" command-line option. +name = radiusd + +#  Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir   = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +db_dir = ${localstatedir}/lib/radiusd + +# +# libdir: Where to find the rlm_* modules. +# +#   This should be automatically set at configuration time. +# +#   If the server builds and installs, but fails at execution time +#   with an 'undefined symbol' error, then you can use the libdir +#   directive to work around the problem. +# +#   The cause is usually that a library has been installed on your +#   system in a place where the dynamic linker CANNOT find it.  When +#   executing as root (or another user), your personal environment MAY +#   be set up to allow the dynamic linker to find the library.  When +#   executing as a daemon, FreeRADIUS MAY NOT have the same +#   personalized configuration. +# +#   To work around the problem, find out which library contains that symbol, +#   and add the directory containing that library to the end of 'libdir', +#   with a colon separating the directory names.  NO spaces are allowed. +# +#   e.g. libdir = /usr/local/lib:/opt/package/lib +# +#   You can also try setting the LD_LIBRARY_PATH environment variable +#   in a script which starts the server. +# +#   If that does not work, then you can re-configure and re-build the +#   server to NOT use shared libraries, via: +# +#	./configure --disable-shared +#	make +#	make install +# +libdir = /usr/lib64/freeradius + +#  pidfile: Where to place the PID of the RADIUS server. +# +#  The server may be signalled while it's running by using this +#  file. 
+# +#  This file is written when ONLY running in daemon mode. +# +#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# +#  correct_escapes: use correct backslash escaping +# +#  Prior to version 3.0.5, the handling of backslashes was a little +#  awkward, i.e. "wrong".  In some cases, to get one backslash into +#  a regex, you had to put 4 in the config files. +# +#  Version 3.0.5 fixes that.  However, for backwards compatibility, +#  the new method of escaping is DISABLED BY DEFAULT.  This means +#  that upgrading to 3.0.5 won't break your configuration. +# +#  If you don't have double backslashes (i.e. \\) in your configuration, +#  this won't matter to you.  If you do have them, fix that to use only +#  one backslash, and then set "correct_escapes = true". +# +#  You can check for this by doing: +# +#	$ grep '\\\\' $(find raddb -type f -print) +# +correct_escapes = true + +#  panic_action: Command to execute if the server dies unexpectedly. +# +#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +#  THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +#  PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +#  The panic action is a command which will be executed if the server +#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +#  SIGABRT or SIGFPE. +# +#  This can be used to start an interactive debugging session so +#  that information regarding the current state of the server can +#  be acquired. +# +#  The following string substitutions are available: +#  - %e   The currently executing program e.g. /sbin/radiusd +#  - %p   The PID of the currently executing program e.g. 12345 +# +#  Standard ${} substitutions are also allowed. 
+# +#  An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +#  Again, don't use that on a production system. +# +#  An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +#  That command can be used on a production system. +# + +#  max_request_time: The maximum time (in seconds) to handle a request. +# +#  Requests which take more time than this to process may be killed, and +#  a REJECT message is returned. +# +#  WARNING: If you notice that requests take a long time to be handled, +#  then this MAY INDICATE a bug in the server, in one of the modules +#  used to handle a request, OR in your local configuration. +# +#  This problem is most often seen when using an SQL database.  If it takes +#  more than a second or two to receive an answer from the SQL database, +#  then it probably means that you haven't indexed the database.  See your +#  SQL server documentation for more information. +# +#  Useful range of values: 5 to 120 +# +max_request_time = 30 + +#  cleanup_delay: The time to wait (in seconds) before cleaning up +#  a reply which was sent to the NAS. +# +#  The RADIUS request is normally cached internally for a short period +#  of time, after the reply is sent to the NAS.  The reply packet may be +#  lost in the network, and the NAS will not see it.  The NAS will then +#  re-send the request, and the server will respond quickly with the +#  cached reply. +# +#  If this value is set too low, then duplicate requests from the NAS +#  MAY NOT be detected, and will instead be handled as separate requests. +# +#  If this value is set too high, then the server will cache too many +#  requests, and some new requests may get blocked.  (See 'max_requests'.) 
+# +#  Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +#  max_requests: The maximum number of requests which the server keeps +#  track of.  This should be 256 multiplied by the number of clients. +#  e.g. With 4 clients, this number should be 1024. +# +#  If this number is too low, then when the server becomes busy, +#  it will not respond to any new requests, until the 'cleanup_delay' +#  time has passed, and it has removed the old requests. +# +#  If this number is set too high, then the server will use a bit more +#  memory for no real benefit. +# +#  If you aren't sure what it should be set to, it's better to set it +#  too high than too low.  Setting it to 1000 per client is probably +#  the highest it should be. +# +#  Useful range of values: 256 to infinity +# +max_requests = 16384 + +#  hostname_lookups: Log the names of clients or just their IP addresses +#  e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +#  The default is 'off' because it would be overall better for the net +#  if people had to knowingly turn this feature on, since enabling it +#  means that each client request will result in AT LEAST one lookup +#  request to the nameserver.   Enabling hostname_lookups will also +#  mean that your server may stop randomly for 30 seconds from time +#  to time, if the DNS requests take too long. +# +#  Turning hostname lookups off also means that the server won't block +#  for 30 seconds, if it sees an IP address which has no name associated +#  with it. +# +#  allowed values: {no, yes} +# +hostname_lookups = no + +# +#  Logging section.  The various "log_*" configuration items +#  will eventually be moved here. +# +log { +	# +	#  Destination for log messages.  This can be one of: +	# +	#	files - log to "file", as defined below. +	#	syslog - to syslog (see also the "syslog_facility", below. +	#	stdout - standard output +	#	stderr - standard error. 
+	# +	#  The command-line option "-X" over-rides this option, and forces +	#  logging to go to stdout. +	# +	destination = syslog + +	# +	#  Highlight important messages sent to stderr and stdout. +	# +	#  Option will be ignored (disabled) if output if TERM is not +	#  an xterm or output is not to a TTY. +	# +	colourise = yes + +	# +	#  The logging messages for the server are appended to the +	#  tail of this file if destination == "files" +	# +	#  If the server is running in debugging mode, this file is +	#  NOT used. +	# +	file = ${logdir}/radius.log + +	# +	#  Which syslog facility to use, if ${destination} == "syslog" +	# +	#  The exact values permitted here are OS-dependent.  You probably +	#  don't want to change this. +	# +	syslog_facility = daemon + +	#  Log the full User-Name attribute, as it was found in the request. +	# +	# allowed values: {no, yes} +	# +	stripped_names = no + +	#  Log authentication requests to the log file. +	# +	#  allowed values: {no, yes} +	# +	auth = yes + +	#  Log passwords with the authentication requests. +	#  auth_badpass  - logs password if it's rejected +	#  auth_goodpass - logs password if it's correct +	# +	#  allowed values: {no, yes} +	# +	auth_badpass = no +	auth_goodpass = no + +	#  Log additional text at the end of the "Login OK" messages. +	#  for these to work, the "auth" and "auth_goodpass" or "auth_badpass" +	#  configurations above have to be set to "yes". +	# +	#  The strings below are dynamically expanded, which means that +	#  you can put anything you want in them.  However, note that +	#  this expansion can be slow, and can negatively impact server +	#  performance. +	# +#	msg_goodpass = "" +#	msg_badpass = "" + +	#  The message when the user exceeds the Simultaneous-Use limit. +	# +	msg_denied = "You are already logged in - access denied" +} + +#  The program to execute to do concurrency checks. 
+checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +#  There may be multiple methods of attacking on the server.  This +#  section holds the configuration items which minimize the impact +#  of those attacks +# +security { +	#  chroot: directory where the server does "chroot". +	# +	#  The chroot is done very early in the process of starting +	#  the server.  After the chroot has been performed it +	#  switches to the "user" listed below (which MUST be +	#  specified).  If "group" is specified, it switches to that +	#  group, too.  Any other groups listed for the specified +	#  "user" in "/etc/group" are also added as part of this +	#  process. +	# +	#  The current working directory (chdir / cd) is left +	#  *outside* of the chroot until all of the modules have been +	#  initialized.  This allows the "raddb" directory to be left +	#  outside of the chroot.  Once the modules have been +	#  initialized, it does a "chdir" to ${logdir}.  This means +	#  that it should be impossible to break out of the chroot. +	# +	#  If you are worried about security issues related to this +	#  use of chdir, then simply ensure that the "raddb" directory +	#  is inside of the chroot, end be sure to do "cd raddb" +	#  BEFORE starting the server. +	# +	#  If the server is statically linked, then the only files +	#  that have to exist in the chroot are ${run_dir} and +	#  ${logdir}.  If you do the "cd raddb" as discussed above, +	#  then the "raddb" directory has to be inside of the chroot +	#  directory, too. +	# +#	chroot = /path/to/chroot/directory + +	# user/group: The name (or #number) of the user/group to run radiusd as. +	# +	#   If these are commented out, the server will run as the +	#   user/group that started it.  In order to change to a +	#   different user/group, you MUST be root ( or have root +	#   privileges ) to start the server. +	# +	#   We STRONGLY recommend that you run the server with as few +	#   permissions as possible.  
That is, if you're not using +	#   shadow passwords, the user and group items below should be +	#   set to radius'. +	# +	#  NOTE that some kernels refuse to setgid(group) when the +	#  value of (unsigned)group is above 60000; don't use group +	#  "nobody" on these systems! +	# +	#  On systems with shadow passwords, you might have to set +	#  'group = shadow' for the server to be able to read the +	#  shadow password file.  If you can authenticate users while +	#  in debug mode, but not in daemon mode, it may be that the +	#  debugging mode server is running as a user that can read +	#  the shadow info, and the user listed below can not. +	# +	#  The server will also try to use "initgroups" to read +	#  /etc/groups.  It will join all groups where "user" is a +	#  member.  This can allow for some finer-grained access +	#  controls. +	# +	user = radiusd +	group = radiusd + +	#  Core dumps are a bad thing.  This should only be set to +	#  'yes' if you're debugging a problem with the server. +	# +	#  allowed values: {no, yes} +	# +	allow_core_dumps = no + +	# +	#  max_attributes: The maximum number of attributes +	#  permitted in a RADIUS packet.  Packets which have MORE +	#  than this number of attributes in them will be dropped. +	# +	#  If this number is set too low, then no RADIUS packets +	#  will be accepted. +	# +	#  If this number is set too high, then an attacker may be +	#  able to send a small number of packets which will cause +	#  the server to use all available memory on the machine. +	# +	#  Setting this number to 0 means "allow any number of attributes" +	max_attributes = 200 + +	# +	#  reject_delay: When sending an Access-Reject, it can be +	#  delayed for a few seconds.  This may help slow down a DoS +	#  attack.  It also helps to slow down people trying to brute-force +	#  crack a users password. 
+	# +	#  Setting this number to 0 means "send rejects immediately" +	# +	#  If this number is set higher than 'cleanup_delay', then the +	#  rejects will be sent at 'cleanup_delay' time, when the request +	#  is deleted from the internal cache of requests. +	# +	#  As of Version 3.0.5, "reject_delay" has sub-second resolution. +	#  e.g. "reject_delay =  1.4" seconds is possible. +	# +	#  Useful ranges: 1 to 5 +	reject_delay = 1 + +	# +	#  status_server: Whether or not the server will respond +	#  to Status-Server requests. +	# +	#  When sent a Status-Server message, the server responds with +	#  an Access-Accept or Accounting-Response packet. +	# +	#  This is mainly useful for administrators who want to "ping" +	#  the server, without adding test users, or creating fake +	#  accounting packets. +	# +	#  It's also useful when a NAS marks a RADIUS server "dead". +	#  The NAS can periodically "ping" the server with a Status-Server +	#  packet.  If the server responds, it must be alive, and the +	#  NAS can start using it for real requests. +	# +	#  See also raddb/sites-available/status +	# +	status_server = yes + + +} + +# PROXY CONFIGURATION +# +#  proxy_requests: Turns proxying of RADIUS requests on or off. +# +#  The server has proxying turned on by default.  If your system is NOT +#  set up to proxy requests to another server, then you can turn proxying +#  off here.  This will save a small amount of resources on the server. +# +#  If you have proxying turned off, and your configuration files say +#  to proxy a request, then an error message will be logged. +# +#  To disable proxying, change the "yes" to "no", and comment the +#  $INCLUDE line. +# +#  allowed values: {no, yes} +# +proxy_requests  = no +#$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +#  Client configuration is defined in "clients.conf". +# + +#  The 'clients.conf' file contains all of the information from the old +#  'clients' and 'naslist' configuration files.  
We recommend that you +#  do NOT use 'client's or 'naslist', although they are still +#  supported. +# +#  Anything listed in 'clients.conf' will take precedence over the +#  information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +#  The thread pool is a long-lived group of threads which +#  take turns (round-robin) handling any incoming requests. +# +#  You probably want to have a few spare threads around, +#  so that high-load situations can be handled immediately.  If you +#  don't have any spare threads, then the request handling will +#  be delayed while a new thread is created, and added to the pool. +# +#  You probably don't want too many spare threads around, +#  otherwise they'll be sitting there taking up resources, and +#  not doing anything productive. +# +#  The numbers given below should be adequate for most situations. +# +thread pool { +	#  Number of servers to start initially --- should be a reasonable +	#  ballpark figure. +	start_servers = 5 + +	#  Limit on the total number of servers running. +	# +	#  If this limit is ever reached, clients will be LOCKED OUT, so it +	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to +	#  keep a runaway server from taking the system with it as it spirals +	#  down... +	# +	#  You may find that the server is regularly reaching the +	#  'max_servers' number of threads, and that increasing +	#  'max_servers' doesn't seem to make much difference. +	# +	#  If this is the case, then the problem is MOST LIKELY that +	#  your back-end databases are taking too long to respond, and +	#  are preventing the server from responding in a timely manner. +	# +	#  The solution is NOT do keep increasing the 'max_servers' +	#  value, but instead to fix the underlying cause of the +	#  problem: slow database, or 'hostname_lookups=yes'. +	# +	#  For more information, see 'max_request_time', above. +	# +	max_servers = 32 + +	#  Server-pool size regulation.  
Rather than making you guess +	#  how many servers you need, FreeRADIUS dynamically adapts to +	#  the load it sees, that is, it tries to maintain enough +	#  servers to handle the current load, plus a few spare +	#  servers to handle transient load spikes. +	# +	#  It does this by periodically checking how many servers are +	#  waiting for a request.  If there are fewer than +	#  min_spare_servers, it creates a new spare.  If there are +	#  more than max_spare_servers, some of the spares die off. +	#  The default values are probably OK for most sites. +	# +	min_spare_servers = 3 +	max_spare_servers = 10 + +	#  When the server receives a packet, it places it onto an +	#  internal queue, where the worker threads (configured above) +	#  pick it up for processing.  The maximum size of that queue +	#  is given here. +	# +	#  When the queue is full, any new packets will be silently +	#  discarded. +	# +	#  The most common cause of the queue being full is that the +	#  server is dependent on a slow database, and it has received +	#  a large "spike" of traffic.  When that happens, there is +	#  very little you can do other than make sure the server +	#  receives less traffic, or make sure that the database can +	#  handle the load. +	# +#	max_queue_size = 65536 + +	#  There may be memory leaks or resource allocation problems with +	#  the server.  If so, set this value to 300 or so, so that the +	#  resources will be cleaned up periodically. +	# +	#  This should only be necessary if there are serious bugs in the +	#  server which have not yet been fixed. +	# +	#  '0' is a special value meaning 'infinity', or 'the servers never +	#  exit' +	max_requests_per_server = 0 + +	#  Automatically limit the number of accounting requests. +	#  This configuration item tracks how many requests per second +	#  the server can handle.  
It does this by tracking the +	#  packets/s received by the server for processing, and +	#  comparing that to the packets/s handled by the child +	#  threads. +	# + +	#  If the received PPS is larger than the processed PPS, *and* +	#  the queue is more than half full, then new accounting +	#  requests are probabilistically discarded.  This lowers the +	#  number of packets that the server needs to process.  Over +	#  time, the server will "catch up" with the traffic. +	# +	#  Throwing away accounting packets is usually safe and low +	#  impact.  The NAS will retransmit them in a few seconds, or +	#  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1 +	#  to see how accounting packets should be retransmitted.  Using +	#  any other method is likely to cause network meltdowns. +	# +	auto_limit_acct = no +} + +###################################################################### +# +#  SNMP notifications.  Uncomment the following line to enable +#  snmptraps.  Note that you MUST also configure the full path +#  to the "snmptrap" command in the "trigger.conf" file. +# +#$INCLUDE trigger.conf + +# MODULE CONFIGURATION +# +#  The names and configuration of each module is located in this section. +# +#  After the modules are defined here, they may be referred to by name, +#  in other sections of this configuration file. +# +modules { +	# +	#  Each module has a configuration as follows: +	# +	#	name [ instance ] { +	#		config_item = value +	#		... +	#	} +	# +	#  The 'name' is used to load the 'rlm_name' library +	#  which implements the functionality of the module. +	# +	#  The 'instance' is optional.  To have two different instances +	#  of a module, it first must be referred to by 'name'. +	#  The different copies of the module are then created by +	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2' +	# +	#  The instance names can then be used in later configuration +	#  INSTEAD of the original 'name'.  
See the 'radutmp' configuration +	#  for an example. +	# + +	# +	#  As of 3.0, modules are in mods-enabled/.  Files matching +	#  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are +	#  initialized ONLY if they are referenced in a processing +	#  section, such as authorize, authenticate, accounting, +	#  pre/post-proxy, etc. +	# +	$INCLUDE mods-enabled/ +} + +# Instantiation +# +#  This section orders the loading of the modules.  Modules +#  listed here will get loaded BEFORE the later sections like +#  authorize, authenticate, etc. get examined. +# +#  This section is not strictly needed.  When a section like +#  authorize refers to a module, it's automatically loaded and +#  initialized.  However, some modules may not be listed in any +#  of the following sections, so they can be listed here. +# +#  Also, listing modules here ensures that you have control over +#  the order in which they are initialized.  If one module needs +#  something defined by another module, you can list them in order +#  here, and ensure that the configuration will be OK. +# +#  After the modules listed here have been loaded, all of the modules +#  in the "mods-enabled" directory will be loaded.  Loading the +#  "mods-enabled" directory means that unlike Version 2, you usually +#  don't need to list modules here. +# +instantiate { +	# +	# We list the counter module here so that it registers +	# the check_name attribute before any module which sets +	# it +#	daily + +	# subsections here can be thought of as "virtual" modules. +	# +	# e.g. If you have two redundant SQL servers, and you want to +	# use them in the authorize and accounting sections, you could +	# place a "redundant" block in each section, containing the +	# exact same text.  Or, you could uncomment the following +	# lines, and list "redundant_sql" in the authorize and +	# accounting sections. 
+	# +	#  The "virtual" module defined here can also be used with +	#  dynamic expansions, under a few conditions: +	# +	#  * The section is "redundant", or "load-balance", or +	#    "redundant-load-balance" +	#  * The section contains modules ONLY, and no sub-sections +	#  * all modules in the section are using the same rlm_ +	#    driver, e.g. They are all sql, or all ldap, etc. +	# +	#  When those conditions are satisfied, the server will +	#  automatically register a dynamic expansion, using the +	#  name of the "virtual" module.  In the example below, +	#  it will be "redundant_sql".  You can then use this expansion +	#  just like any other: +	# +	#	update reply { +	#		Filter-Id := "%{redundant_sql: ... }" +	#	} +	# +	#  In this example, the expansion is done via module "sql1", +	#  and if that expansion fails, using module "sql2". +	# +	#  For best results, configure the "pool" subsection of the +	#  module so that "retry_delay" is non-zero.  That will allow +	#  the redundant block to quickly ignore all "down" SQL +	#  databases.  If instead we have "retry_delay = 0", then +	#  every time the redundant block is used, the server will try +	#  to open a connection to every "down" database, causing +	#  problems. +	# +	#redundant redundant_sql { +	#	sql1 +	#	sql2 +	#} +} + +###################################################################### +# +#  Policies are virtual modules, similar to those defined in the +#  "instantiate" section above. +# +#  Defining a policy in one of the policy.d files means that it can be +#  referenced in multiple places as a *name*, rather than as a series of +#  conditions to match, and actions to take. +# +#  Policies are something like subroutines in a normal language, but +#  they cannot be called recursively. They MUST be defined in order. +#  If policy A calls policy B, then B MUST be defined before A. 
+# +###################################################################### +policy { +	$INCLUDE policy.d/ +} + +###################################################################### +# +#	Load virtual servers. +# +#	This next $INCLUDE line loads files in the directory that +#	match the regular expression: /[a-zA-Z0-9_.]+/ +# +#	It allows you to define new virtual servers simply by placing +#	a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +#	All of the other configuration sections like "authorize {}", +#	"authenticate {}", "accounting {}", have been moved to the +#	the file: +# +#		raddb/sites-available/default +# +#	This is the "default" virtual server that has the same +#	configuration as in version 1.0.x and 1.1.x.  The default +#	installation enables this virtual server.  You should +#	edit it to create policies for your local site. +# +#	For more documentation on virtual servers, see: +# +#		raddb/sites-available/README +# +###################################################################### diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat new file mode 100644 index 0000000..cb1bb45 --- /dev/null +++ b/roles/space_server/files/radius/sites-available/labitat 
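Review bot: The security-relevant settings this file depends on — the client shared secrets pulled in by `$INCLUDE clients.conf` and the set of listening virtual servers pulled in by `$INCLUDE sites-enabled/` near the end of the hunk — are not part of this directory, so a reader cannot tell from this file where they are managed, or whether the stock `default` and `inner-tunnel` sites shipped with the package stay enabled next to the new `labitat` site. A one-line pointer above each include, such as `# clients.conf is generated by <ANSIBLE_TASK_PLACEHOLDER>; only sites linked into sites-enabled/ listen`, would make that explicit. Beyond that the file appears to be the stock 3.0.15 template with a few local choices (`destination = syslog`, `proxy_requests = no` with the `proxy.conf` include commented out); tagging those lines with a short `# local:` comment would make future diffs against the upstream file much easier. The hardening that is visible — `user`/`group = radiusd`, `allow_core_dumps = no`, `auth_goodpass`/`auth_badpass = no`, `hostname_lookups = no` — looks right.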
@@ -0,0 +1,84 @@
+server labitat {
+
+	listen {
+		type = auth
+		ipaddr = 10.42.0.1
+		port = 0
+
+		limit {
+			max_connections = 16
+				lifetime = 0
+				idle_timeout = 30
+		}
+	}
+
+	authorize {
+		filter_username
+		preprocess
+		auth_log
+
+		eap {
+			ok = return
+		}
+
+		files
+
+		expiration
+		logintime
+		pap
+	}
+
+	authenticate {
+		Auth-Type PAP {
+			pap
+		}
+
+		Auth-Type CHAP {
+			chap
+		}
+
+		Auth-Type MS-CHAP {
+			mschap
+		}
+
+		digest
+		eap
+	}
+
+	preacct {
+		preprocess
+		acct_unique
+		suffix
+		files
+	}
+
+	accounting {
+		unix
+		-sql
+		exec
+		attr_filter.accounting_response
+	}
+
+	session {
+	}
+
+	post-auth {
+		-sql
+		exec
+		remove_reply_message_if_eap
+
+		Post-Auth-Type REJECT {
+			-sql
+			attr_filter.access_reject
+			eap
+			remove_reply_message_if_eap
+		}
+	}
+
+	pre-proxy {
+	}
+
+	post-proxy {
+		eap
+	}
+}
|
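Review bot: The `Auth-Type CHAP`, `Auth-Type MS-CHAP` and `digest` entries in `authenticate` look unreachable, because `authorize` lists only `pap` (plus `eap`) and not `chap`, `mschap` or `digest`, which are the modules that set those Auth-Types; unless `files` assigns Auth-Type explicitly, a plain CHAP or MS-CHAP request is likely rejected for lack of an Auth-Type rather than handled by those sections. Either add the matching modules to `authorize` or drop the dead sections so the file states exactly which methods this site accepts — the smaller set is preferable, since CHAP and MS-CHAP both require cleartext or NT-hash (password-equivalent) credentials on the server. Separately, in the `listen` block `lifetime` and `idle_timeout` are indented one level deeper than `max_connections`, and as far as I recall the `limit` sub-section only applies to TCP listeners, so with no `proto = tcp` here it is inert; a comment such as `# limit {} only affects TCP listeners; this socket is UDP` or removing the block would avoid a false sense of connection limiting.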
