From ec6283101c5af6648ae16c4aae10b3822ab1b1a2 Mon Sep 17 00:00:00 2001 From: irl Date: Tue, 12 May 2026 22:48:59 +0100 Subject: [PATCH] feat: add radius role --- playbooks/services.yml | 28 +++++ roles/radius/defaults/main.yml | 6 + roles/radius/handlers/main.yml | 6 + roles/radius/tasks/certs.yml | 82 +++++++++++++ roles/radius/tasks/main.yml | 40 +++++++ roles/radius/templates/etc/raddb/clients.conf | 22 ++++ .../templates/etc/raddb/mods-available/eap | 52 ++++++++ .../etc/raddb/mods-available/inner-eap | 9 ++ .../etc/raddb/mods-available/linelog | 39 ++++++ roles/radius/templates/etc/raddb/proxy.conf | 38 ++++++ .../etc/raddb/sites-available/default | 112 ++++++++++++++++++ .../etc/raddb/sites-available/inner-tunnel | 73 ++++++++++++ .../templates/etc/rsyslog.d/radiusd.conf | 1 + 13 files changed, 508 insertions(+) create mode 100644 roles/radius/defaults/main.yml create mode 100644 roles/radius/handlers/main.yml create mode 100644 roles/radius/tasks/certs.yml create mode 100644 roles/radius/tasks/main.yml create mode 100644 roles/radius/templates/etc/raddb/clients.conf create mode 100644 roles/radius/templates/etc/raddb/mods-available/eap create mode 100644 roles/radius/templates/etc/raddb/mods-available/inner-eap create mode 100644 roles/radius/templates/etc/raddb/mods-available/linelog create mode 100644 roles/radius/templates/etc/raddb/proxy.conf create mode 100644 roles/radius/templates/etc/raddb/sites-available/default create mode 100644 roles/radius/templates/etc/raddb/sites-available/inner-tunnel create mode 100644 roles/radius/templates/etc/rsyslog.d/radiusd.conf diff --git a/playbooks/services.yml b/playbooks/services.yml index cd17499..22dabd7 100644 --- a/playbooks/services.yml +++ b/playbooks/services.yml @@ -75,3 +75,31 @@ tags: bootstrap - role: sr2c.core.node_exporter tags: prometheus + +- name: Deploy and update Radius server + hosts: + - radius + roles: + - role: sr2c.core.baseline + vars: + baseline_epel_packages_allowed: + - certbot + - python3-certbot + - python3-pyrfc3339 + - python3-parsedatetime + - python3-josepy + - python3-importlib-metadata + - python3-configargparse + - python3-acme + - python3-zipp + - python3-pyOpenSSL + - node-exporter + tags: bootstrap + - role: freeipa.ansible_freeipa.ipaclient + become: true + state: present + tags: bootstrap + - role: sr2c.core.node_exporter + tags: prometheus + - role: sr2c.core.radius + tags: radius diff --git a/roles/radius/defaults/main.yml b/roles/radius/defaults/main.yml new file mode 100644 index 0000000..a9a6870 --- /dev/null +++ b/roles/radius/defaults/main.yml @@ -0,0 +1,6 @@ +--- +#radius_domain_name: +radius_wap_ipaddr: 0.0.0.0/0 +#radius_wap_secret: +radius_local_vlan: 1 +radius_guest_vlan: 3 diff --git a/roles/radius/handlers/main.yml b/roles/radius/handlers/main.yml new file mode 100644 index 0000000..515c4e1 --- /dev/null +++ b/roles/radius/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart radiusd + ansible.builtin.systemd_service: + name: radiusd + state: restarted + become: true diff --git a/roles/radius/tasks/certs.yml b/roles/radius/tasks/certs.yml new file mode 100644 index 0000000..bc8d26f --- /dev/null +++ b/roles/radius/tasks/certs.yml @@ -0,0 +1,82 @@ +--- +- name: "Radius Certificates | PATCH | Install latest certbot" + ansible.builtin.dnf: + name: certbot + state: latest + update_cache: true + become: true + +- name: "Radius Certificates | AUDIT | Check for existing certificate expiry" + community.crypto.x509_certificate_info: + path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem" + register: radius_certs_existing_cert + ignore_errors: true + become: true + +- name: "Radius Certificates | AUDIT | Calculate days until expiry" + ansible.builtin.set_fact: + radius_certs_days_until_expiry: "{{ ((radius_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}" + when: radius_certs_existing_cert.not_after is defined + become: true + +- name: "Radius Certificates | AUDIT | Print days until expiry" + ansible.builtin.debug: + msg: "{{ radius_certs_days_until_expiry }}" + when: radius_certs_existing_cert.not_after is defined + become: true + +- name: "Radius Certificates | PATCH | Request a new or renewed certificate" + when: (radius_certs_existing_cert.failed) or (radius_certs_days_until_expiry | int < 30) + become: true + block: + - name: "Radius Certificates | AUDIT | Check httpd" + ansible.builtin.systemd_service: + name: httpd + register: radius_certs_httpd_status + + - name: "Radius Certificates | PATCH | Stop httpd" + ansible.builtin.systemd_service: + name: httpd + state: stopped + when: radius_certs_httpd_status.status.ActiveState == "active" + + - name: "Radius Certificates | PATCH | Add http service to firewall" + ansible.posix.firewalld: + service: http + state: enabled + + - name: "Radius Certificates | PATCH | Request new certificate" + ansible.builtin.command: + cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email + when: radius_certs_existing_cert.failed + + - name: "Radius Certificates | PATCH | Renew existing certificate" + ansible.builtin.command: + cmd: certbot renew + when: not radius_certs_existing_cert.failed + + - name: "Radius Certificates | PATCH | Remove http service from firewall" + ansible.posix.firewalld: + service: http + state: disabled + + - name: "Radius Certificates | PATCH | Start httpd" + ansible.builtin.systemd_service: + name: httpd + state: started + when: radius_certs_httpd_status.status.ActiveState == "active" + +- name: Radius | PATCH | Allow radiusd access to certificates + ansible.builtin.copy: + src: /etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }}.pem + dest: /etc/raddb/{{ item }}.pem + remote_src: true + owner: radiusd + group: radiusd + mode: "0640" + become: true + notify: Restart radiusd + with_items: + - privkey + - cert + - chain diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml new file mode 100644 index 0000000..2a7753d --- /dev/null +++ b/roles/radius/tasks/main.yml @@ -0,0 +1,40 @@ +--- +- name: Radius | PATCH | Obtain or freshen certificates + ansible.builtin.include_tasks: + file: certs.yml + +- name: Radius | PATCH | Install required packages + ansible.builtin.dnf: + name: freeradius + state: present + become: true + +- name: Radius | PATCH | Install FreeRADIUS configuration files + ansible.builtin.template: + src: etc/raddb/{{ item }} + dest: /etc/raddb/{{ item }} + owner: root + group: radiusd + mode: 0640 + become: true + with_items: + - mods-available/eap + - mods-available/linelog + - sites-available/default + - mods-available/inner-eap + - sites-available/inner-tunnel + - clients.conf + - proxy.conf + notify: + - Restart radiusd + +- name: Radius | PATCH | Install rsyslog configuration + ansible.builtin.template: + src: etc/rsyslog.d/radiusd.conf + dest: /etc/rsyslog.d/radiusd.conf + owner: root + group: root + mode: 0644 + become: true + notify: + - Reload rsyslog diff --git a/roles/radius/templates/etc/raddb/clients.conf b/roles/radius/templates/etc/raddb/clients.conf new file mode 100644 index 0000000..8d8b175 --- /dev/null +++ b/roles/radius/templates/etc/raddb/clients.conf @@ -0,0 +1,22 @@ +client eduroam_roaming0 { + ipaddr = roaming0.ja.net + secret = {{ radius_roaming0_secret }} + nastype = 'eduroam_flr' +} + +client eduroam_roaming1 { + ipaddr = roaming1.ja.net + secret = {{ radius_roaming1_secret }} + nastype = 'eduroam_flr' +} + +client eduroam_roaming2 { + ipaddr = roaming2.ja.net + secret = {{ radius_roaming2_secret }} + nastype = 'eduroam_flr' +} + +client wireless_access_points_mgmt { + ipaddr = {{ radius_wap_ipaddr }} + secret = {{ radius_wap_secret }} +} diff --git a/roles/radius/templates/etc/raddb/mods-available/eap b/roles/radius/templates/etc/raddb/mods-available/eap new file mode 100644 index 0000000..e473f70 --- /dev/null +++ b/roles/radius/templates/etc/raddb/mods-available/eap @@ -0,0 +1,52 @@ +eap { + # The initial EAP type requested. Change this to peap if you're + # using peap, or tls if you're using EAP-TLS. + default_eap_type = ttls + + # The maximum time an EAP-Session can continue for + timer_expire = 60 + + # The maximum number of ongoing EAP sessions + max_sessions = ${max_requests} + + tls-config tls-common { + # The public certificate that your server will present + certificate_file = /etc/raddb/cert.pem + + # The private key for the public certificate + private_key_file = /etc/raddb/privkey.pem + + # The password to decrypt 'private_key_file' + #private_key_password = "" + + # The certificate of the authority that issued 'certificate_file' + ca_file = /etc/raddb/chain.pem + + # If your AP drops packets towards the client, try reducing this. + fragment_size = 1024 + + # When issuing client certificates embed the OCSP URL in the + # certificate if you want to be able to revoke them later. + ocsp { + enable = yes + override_cert_url = no + use_nonce = yes + } + } + + tls { + tls = tls-common + } + + ttls { + tls = tls-common + default_eap_type = mschapv2 + virtual_server = "eduroam-inner" + } + + peap { + tls = tls-common + default_eap_type = mschapv2 + virtual_server = "eduroam-inner" + } +} diff --git a/roles/radius/templates/etc/raddb/mods-available/inner-eap b/roles/radius/templates/etc/raddb/mods-available/inner-eap new file mode 100644 index 0000000..51b72f7 --- /dev/null +++ b/roles/radius/templates/etc/raddb/mods-available/inner-eap @@ -0,0 +1,9 @@ +eap inner-eap { + default_eap_type = mschapv2 + timer_expire = 60 + max_sessions = ${max_requests} + + mschapv2 { + send_error = yes + } +} diff --git a/roles/radius/templates/etc/raddb/mods-available/linelog b/roles/radius/templates/etc/raddb/mods-available/linelog new file mode 100644 index 0000000..52f862f --- /dev/null +++ b/roles/radius/templates/etc/raddb/mods-available/linelog @@ -0,0 +1,39 @@ +linelog linelog_recv_request { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Recv-Request, %{pairs:request:}" +} + +linelog linelog_send_accept { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Accept, %{pairs:request:}" +} + +linelog linelog_send_reject { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Reject, %{pairs:request:}" +} + +linelog linelog_send_proxy_request { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Proxy-Request, %{pairs:proxy-request:}" +} + +linelog linelog_recv_proxy_response { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + reference = "messages.%{proxy-reply:Response-Packet-Type}" + messages { + Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + } +} \ No newline at end of file diff --git a/roles/radius/templates/etc/raddb/proxy.conf b/roles/radius/templates/etc/raddb/proxy.conf new file mode 100644 index 0000000..7a799f7 --- /dev/null +++ b/roles/radius/templates/etc/raddb/proxy.conf @@ -0,0 +1,38 @@ +home_server eduroam_roaming0 { + ipaddr = roaming0.ja.net + secret = {{ radius_roaming0_secret }} + status_check = status-server + response_window = 5 + check_interval = 10 + check_timeout = 5 +} + +home_server eduroam_roaming1 { + ipaddr = roaming1.ja.net + secret = {{ radius_roaming1_secret }} + status_check = status-server + response_window = 5 + check_interval = 10 + check_timeout = 5 +} + +home_server eduroam_roaming2 { + ipaddr = roaming2.ja.net + secret = {{ radius_roaming2_secret }} + status_check = status-server + response_window = 5 + check_interval = 10 + check_timeout = 5 +} + +home_server_pool eduroam_flr_pool { + type = keyed-balance + home_server = eduroam_roaming0 + home_server = eduroam_roaming1 + home_server = eduroam_roaming2 +} + +realm eduroam_flr { + auth_pool = eduroam_flr_pool + nostrip +} diff --git a/roles/radius/templates/etc/raddb/sites-available/default b/roles/radius/templates/etc/raddb/sites-available/default new file mode 100644 index 0000000..b82568c --- /dev/null +++ b/roles/radius/templates/etc/raddb/sites-available/default @@ -0,0 +1,112 @@ +# The domain users will add to their username to have their credentials +# routed to your institution. You will also need to register this +# and your RADIUS server addresses with your NRO. +operator_name = "{{ radius_domain }}" + +# The VLAN to assign eduroam visitors +eduroam_default_guest_vlan = "{{ radius_guest_vlan }}" + +# The VLAN to assign your students/staff +eduroam_default_local_vlan = "{{ radius_local_vlan }}" + +server eduroam { + listen { + type = auth + ipv4addr = * + ipv6addr = * + port = 1812 + } + + authorize { + # Log requests before we change them + linelog_recv_request + + # split_username_nai is a policy in the default distribution to + # split a username into username and domain. We reject user-name + # strings without domains, as they're not routable. + split_username_nai + if (noop || !&Stripped-User-Domain) { + reject + } + + # Send the request to the NRO for your region. + # The details of the FLRs (Federation Level RADIUS servers) + # are in proxy.conf. + # You can make this condition as complex as you like, to + # include additional subdomains just concatenate the conditions + # with &&. + if (&Stripped-User-Domain != "${operator_name}") { + update { + control:Load-Balance-Key := &Calling-Station-ID + control:Proxy-To-Realm := 'eduroam_flr' + + # Operator name (RFC 5580) identifies the network the + # request originated from. It's not absolutely necessary + # but it helps with debugging. + request:Operator-Name := "1${operator_name}" + } + return + } + + # If the EAP module returns 'ok' or 'updated', it means it has handled + # the request and we don't need to call any other modules in this + # section. + eap { + ok = return + updated = return + } + } + + pre-proxy { + attr_filter.pre-proxy + linelog_send_proxy_request + } + + post-proxy { + attr_filter.post-proxy + linelog_recv_proxy_response + } + + authenticate { + eap + } + + post-auth { + # To implement eduroam you must: + # - Use wireless access points or a controller which supports + # dynamic VLAN assignments. + # - Have that feature enabled. + # - Have the guest_vlan/local_vlan available to the controller, + # or to all your access points. + # eduroam user traffic *MUST* be segregated, this is *NOT* optional. + update reply { + Tunnel-Type := VLAN + Tunnel-Medium-Type := IEEE-802 + } + if (&control:Proxy-To-Realm) { + update reply { + Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan} + } + } + else { + update reply { + Tunnel-Private-Group-ID = ${eduroam_default_local_vlan} + } + } + + # We're sending a response to one of OUR network devices for one of + # OUR users so provide it with the real user-identity. + if (&session-state:Stripped-User-Name) { + update reply { + User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}" + } + } + + linelog_send_accept + + Post-Auth-Type REJECT { + attr_filter.access_reject + linelog_send_reject + } + } +} diff --git a/roles/radius/templates/etc/raddb/sites-available/inner-tunnel b/roles/radius/templates/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 0000000..686bf97 --- /dev/null +++ b/roles/radius/templates/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,73 @@ +server eduroam-inner { + listen { + type = auth + ipaddr = * + ipv6addr = * + port = 18120 # Used for testing only. Requests proxied internally. + } + + authorize { + # The outer username is considered garabage for autz purposes, but + # the domain portion of the outer and inner identities must match. + split_username_nai + if (noop || (&Stripped-User-Domain && \ + (&outer.Stripped-User-Domain != &Stripped-User-Domain))) { + reject + } + + # Make the user's real identity available to anything that needs + # it in the outer server. + if (&outer.session-state:) + update { + &outer.session-state:Stripped-User-Name := &Stripped-User-Name + } + } + + # EAP for PEAPv0 (EAP-MSCHAPv2) + inner-eap { + ok = return + } + + # THIS IS SITE SPECIFIC + # + # The files module is *ONLY* used for testing. It lets you define + # credentials in a flat file, IT WILL NOT SCALE. + # + # - If you use OpenLDAP with salted password hashes you should + # call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method. + # - If you use OpenLDAP with cleartext passwords you should + # call the 'ldap' module here and use EAP-TTLS or PEAPv0. + # - If you use an SQL DB with salted password hashes you should call + # the 'sql' module here and use EAP-TTLS-PAP as your EAP method. + # - If you use an SQL DB with cleartext passwords you should call + # the 'sql' module here and use EAP-TTLS or PEAPv0. + # - If you use Novell you should call the 'ldap' module here and + # set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or + # PEAPv0. + # - If you use Active Directory, you don't need anything here (remove + # the call to files) but you'll need to follow this + # [guide](freeradius-active-directory-integration-howto) and use + # EAP-TTLS-PAP or PEAPv0. + # - If you're using EAP-TLS (i'm impressed!) remove the call to files. + # + # EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the + # supplicant is configured. PEAPv0 has a slight edge in that you need to + # crack MSCHAPv2 to get the user's password (but this is not hard). + files + + pap + mschap + } + + authenticate { + inner-eap + mschap + pap + + # Comment pap above and uncomment the stanza below if you're using + # Active Directory; this will allow it to work with EAP-TTLS/PAP. + #Auth-Type pap { + # ntlm_auth + #} + } +} diff --git a/roles/radius/templates/etc/rsyslog.d/radiusd.conf b/roles/radius/templates/etc/rsyslog.d/radiusd.conf new file mode 100644 index 0000000..60e790c --- /dev/null +++ b/roles/radius/templates/etc/rsyslog.d/radiusd.conf @@ -0,0 +1 @@ +local0.debug /var/log/radius_auth.log \ No newline at end of file