feat: add radius role

roles/radius/templates/etc/raddb/clients.conf

@@ -0,0 +1,22 @@
+client eduroam_roaming0 {
+    ipaddr = roaming0.ja.net
+    secret = {{ radius_roaming0_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client eduroam_roaming1 {
+    ipaddr = roaming1.ja.net
+    secret = {{ radius_roaming1_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client eduroam_roaming2 {
+    ipaddr = roaming2.ja.net
+    secret = {{ radius_roaming2_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client wireless_access_points_mgmt {
+	ipaddr = {{ radius_wap_ipaddr }}
+	secret = {{ radius_wap_secret }}
+}

roles/radius/templates/etc/raddb/mods-available/eap

@@ -0,0 +1,52 @@
+eap {
+	# The initial EAP type requested.  Change this to peap if you're
+	# using peap, or tls if you're using EAP-TLS.
+	default_eap_type = ttls
+
+	# The maximum time an EAP-Session can continue for
+	timer_expire = 60
+
+	# The maximum number of ongoing EAP sessions
+	max_sessions = ${max_requests}
+
+	tls-config tls-common {
+		# The public certificate that your server will present
+		certificate_file = /etc/raddb/cert.pem
+
+		# The private key for the public certificate
+		private_key_file = /etc/raddb/privkey.pem
+
+		# The password to decrypt 'private_key_file'
+		#private_key_password = ""
+
+		# The certificate of the authority that issued 'certificate_file'
+		ca_file = /etc/raddb/chain.pem
+
+		# If your AP drops packets towards the client, try reducing this.
+		fragment_size = 1024
+
+		# When issuing client certificates embed the OCSP URL in the
+		# certificate if you want to be able to revoke them later.
+		ocsp {
+			enable = yes
+			override_cert_url = no
+			use_nonce = yes
+		}
+	}
+
+	tls {
+		tls = tls-common
+	}
+
+	ttls {
+		tls = tls-common
+		default_eap_type = mschapv2
+		virtual_server = "eduroam-inner"
+	}
+
+	peap {
+		tls = tls-common
+		default_eap_type = mschapv2
+		virtual_server = "eduroam-inner"
+	}
+}

roles/radius/templates/etc/raddb/mods-available/inner-eap

@@ -0,0 +1,9 @@
+eap inner-eap {
+	default_eap_type = mschapv2
+	timer_expire = 60
+	max_sessions = ${max_requests}
+
+	mschapv2 {
+		send_error = yes
+	}
+}

roles/radius/templates/etc/raddb/mods-available/linelog

@@ -0,0 +1,39 @@
+linelog linelog_recv_request {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Recv-Request, %{pairs:request:}"
+}
+
+linelog linelog_send_accept {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Accept, %{pairs:request:}"
+}
+
+linelog linelog_send_reject {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Reject, %{pairs:request:}"
+}
+
+linelog linelog_send_proxy_request {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
+}
+
+linelog linelog_recv_proxy_response {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	reference = "messages.%{proxy-reply:Response-Packet-Type}"
+	messages {
+		Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+		Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+		Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+	}
+}

roles/radius/templates/etc/raddb/proxy.conf

@@ -0,0 +1,38 @@
+home_server eduroam_roaming0 {
+    ipaddr = roaming0.ja.net
+    secret = {{ radius_roaming0_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server eduroam_roaming1 {
+    ipaddr = roaming1.ja.net
+    secret = {{ radius_roaming1_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server eduroam_roaming2 {
+    ipaddr = roaming2.ja.net
+    secret = {{ radius_roaming2_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server_pool eduroam_flr_pool {
+    type = keyed-balance
+    home_server = eduroam_roaming0
+    home_server = eduroam_roaming1
+    home_server = eduroam_roaming2
+}
+
+realm eduroam_flr {
+    auth_pool = eduroam_flr_pool
+    nostrip
+}

roles/radius/templates/etc/raddb/sites-available/default

@@ -0,0 +1,112 @@
+# The domain users will add to their username to have their credentials
+# routed to your institution.  You will also need to register this
+# and your RADIUS server addresses with your NRO.
+operator_name = "{{ radius_domain }}"
+
+# The VLAN to assign eduroam visitors
+eduroam_default_guest_vlan = "{{ radius_guest_vlan }}"
+
+# The VLAN to assign your students/staff
+eduroam_default_local_vlan = "{{ radius_local_vlan }}"
+
+server eduroam {
+	listen {
+		type = auth
+		ipv4addr = *
+		ipv6addr = *
+		port = 1812
+	}
+
+	authorize {
+		# Log requests before we change them
+		linelog_recv_request
+
+		# split_username_nai is a policy in the default distribution to
+		# split a username into username and domain.  We reject user-name
+		# strings without domains, as they're not routable.
+		split_username_nai
+		if (noop || !&Stripped-User-Domain) {
+			reject
+		}
+
+		# Send the request to the NRO for your region.
+		# The details of the FLRs (Federation Level RADIUS servers)
+		# are in proxy.conf.
+		# You can make this condition as complex as you like, to
+		# include additional subdomains just concatenate the conditions
+		# with &&.
+		if (&Stripped-User-Domain != "${operator_name}") {
+			update {
+				control:Load-Balance-Key := &Calling-Station-ID
+				control:Proxy-To-Realm := 'eduroam_flr'
+
+				# Operator name (RFC 5580) identifies the network the
+				# request originated from. It's not absolutely necessary
+				# but it helps with debugging.
+				request:Operator-Name := "1${operator_name}"
+			}
+			return
+		}
+
+		# If the EAP module returns 'ok' or 'updated', it means it has handled
+		# the request and we don't need to call any other modules in this
+		# section.
+		eap {
+			ok = return
+			updated = return
+		}
+	}
+
+	pre-proxy {
+		attr_filter.pre-proxy
+		linelog_send_proxy_request
+	}
+
+	post-proxy {
+		attr_filter.post-proxy
+		linelog_recv_proxy_response
+	}
+
+	authenticate {
+		eap
+	}
+
+	post-auth {
+		# To implement eduroam you must:
+		# - Use wireless access points or a controller which supports
+                #   dynamic VLAN assignments.
+		# - Have that feature enabled.
+		# - Have the guest_vlan/local_vlan available to the controller,
+                #   or to all your access points.
+		# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
+		update reply {
+			Tunnel-Type := VLAN
+			Tunnel-Medium-Type := IEEE-802
+		}
+		if (&control:Proxy-To-Realm) {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan}
+			}
+		}
+		else {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_local_vlan}
+			}
+		}
+
+		# We're sending a response to one of OUR network devices for one of
+		# OUR users so provide it with the real user-identity.
+		if (&session-state:Stripped-User-Name) {
+			update reply {
+				User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
+			}
+		}
+
+		linelog_send_accept
+
+		Post-Auth-Type REJECT {
+			attr_filter.access_reject
+			linelog_send_reject
+		}
+	}
+}

roles/radius/templates/etc/raddb/sites-available/inner-tunnel

@@ -0,0 +1,73 @@
+server eduroam-inner {
+	listen {
+		type = auth
+		ipaddr = *
+		ipv6addr = *
+		port = 18120 # Used for testing only.  Requests proxied internally.
+	}
+
+	authorize {
+		# The outer username is considered garabage for autz purposes, but
+		# the domain portion of the outer and inner identities must match.
+		split_username_nai
+		if (noop || (&Stripped-User-Domain && \
+		    (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
+			reject
+		}
+
+		# Make the user's real identity available to anything that needs
+		# it in the outer server.
+		if (&outer.session-state:)
+			update {
+				&outer.session-state:Stripped-User-Name := &Stripped-User-Name
+			}
+		}
+
+		# EAP for PEAPv0 (EAP-MSCHAPv2)
+		inner-eap {
+			ok = return
+		}
+
+		# THIS IS SITE SPECIFIC
+		#
+		# The files module is *ONLY* used for testing.  It lets you define
+		# credentials in a flat file, IT WILL NOT SCALE.
+		#
+		# - If you use OpenLDAP with salted password hashes you should
+ 		#   call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use OpenLDAP with cleartext passwords you should
+		#   call the 'ldap' module here and use EAP-TTLS or PEAPv0.
+		# - If you use an SQL DB with salted password hashes you should call
+		#   the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use an SQL DB with cleartext passwords you should call
+		#   the 'sql' module here and use EAP-TTLS or PEAPv0.
+		# - If you use Novell you should call the 'ldap' module here and
+		#   set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
+		#   PEAPv0.
+		# - If you use Active Directory, you don't need anything here (remove
+		#   the call to files) but you'll need to follow this
+		#   [guide](freeradius-active-directory-integration-howto) and use
+		#   EAP-TTLS-PAP or PEAPv0.
+		# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
+		#
+		# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
+		# supplicant is configured. PEAPv0 has a slight edge in that you need to
+		# crack MSCHAPv2 to get the user's password (but this is not hard).
+		files
+
+		pap
+		mschap
+	}
+
+	authenticate {
+		inner-eap
+		mschap
+		pap
+
+		# Comment pap above and uncomment the stanza below if you're using
+		# Active Directory; this will allow it to work with EAP-TTLS/PAP.
+		#Auth-Type pap {
+		#	ntlm_auth
+		#}
+	}
+}