feat: add radius role

roles/radius/templates/etc/raddb/sites-available/default

@@ -0,0 +1,112 @@
+# The domain users will add to their username to have their credentials
+# routed to your institution.  You will also need to register this
+# and your RADIUS server addresses with your NRO.
+operator_name = "{{ radius_domain }}"
+
+# The VLAN to assign eduroam visitors
+eduroam_default_guest_vlan = "{{ radius_guest_vlan }}"
+
+# The VLAN to assign your students/staff
+eduroam_default_local_vlan = "{{ radius_local_vlan }}"
+
+server eduroam {
+	listen {
+		type = auth
+		ipv4addr = *
+		ipv6addr = *
+		port = 1812
+	}
+
+	authorize {
+		# Log requests before we change them
+		linelog_recv_request
+
+		# split_username_nai is a policy in the default distribution to
+		# split a username into username and domain.  We reject user-name
+		# strings without domains, as they're not routable.
+		split_username_nai
+		if (noop || !&Stripped-User-Domain) {
+			reject
+		}
+
+		# Send the request to the NRO for your region.
+		# The details of the FLRs (Federation Level RADIUS servers)
+		# are in proxy.conf.
+		# You can make this condition as complex as you like, to
+		# include additional subdomains just concatenate the conditions
+		# with &&.
+		if (&Stripped-User-Domain != "${operator_name}") {
+			update {
+				control:Load-Balance-Key := &Calling-Station-ID
+				control:Proxy-To-Realm := 'eduroam_flr'
+
+				# Operator name (RFC 5580) identifies the network the
+				# request originated from. It's not absolutely necessary
+				# but it helps with debugging.
+				request:Operator-Name := "1${operator_name}"
+			}
+			return
+		}
+
+		# If the EAP module returns 'ok' or 'updated', it means it has handled
+		# the request and we don't need to call any other modules in this
+		# section.
+		eap {
+			ok = return
+			updated = return
+		}
+	}
+
+	pre-proxy {
+		attr_filter.pre-proxy
+		linelog_send_proxy_request
+	}
+
+	post-proxy {
+		attr_filter.post-proxy
+		linelog_recv_proxy_response
+	}
+
+	authenticate {
+		eap
+	}
+
+	post-auth {
+		# To implement eduroam you must:
+		# - Use wireless access points or a controller which supports
+                #   dynamic VLAN assignments.
+		# - Have that feature enabled.
+		# - Have the guest_vlan/local_vlan available to the controller,
+                #   or to all your access points.
+		# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
+		update reply {
+			Tunnel-Type := VLAN
+			Tunnel-Medium-Type := IEEE-802
+		}
+		if (&control:Proxy-To-Realm) {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan}
+			}
+		}
+		else {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_local_vlan}
+			}
+		}
+
+		# We're sending a response to one of OUR network devices for one of
+		# OUR users so provide it with the real user-identity.
+		if (&session-state:Stripped-User-Name) {
+			update reply {
+				User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
+			}
+		}
+
+		linelog_send_accept
+
+		Post-Auth-Type REJECT {
+			attr_filter.access_reject
+			linelog_send_reject
+		}
+	}
+}

roles/radius/templates/etc/raddb/sites-available/inner-tunnel

@@ -0,0 +1,73 @@
+server eduroam-inner {
+	listen {
+		type = auth
+		ipaddr = *
+		ipv6addr = *
+		port = 18120 # Used for testing only.  Requests proxied internally.
+	}
+
+	authorize {
+		# The outer username is considered garabage for autz purposes, but
+		# the domain portion of the outer and inner identities must match.
+		split_username_nai
+		if (noop || (&Stripped-User-Domain && \
+		    (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
+			reject
+		}
+
+		# Make the user's real identity available to anything that needs
+		# it in the outer server.
+		if (&outer.session-state:)
+			update {
+				&outer.session-state:Stripped-User-Name := &Stripped-User-Name
+			}
+		}
+
+		# EAP for PEAPv0 (EAP-MSCHAPv2)
+		inner-eap {
+			ok = return
+		}
+
+		# THIS IS SITE SPECIFIC
+		#
+		# The files module is *ONLY* used for testing.  It lets you define
+		# credentials in a flat file, IT WILL NOT SCALE.
+		#
+		# - If you use OpenLDAP with salted password hashes you should
+ 		#   call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use OpenLDAP with cleartext passwords you should
+		#   call the 'ldap' module here and use EAP-TTLS or PEAPv0.
+		# - If you use an SQL DB with salted password hashes you should call
+		#   the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use an SQL DB with cleartext passwords you should call
+		#   the 'sql' module here and use EAP-TTLS or PEAPv0.
+		# - If you use Novell you should call the 'ldap' module here and
+		#   set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
+		#   PEAPv0.
+		# - If you use Active Directory, you don't need anything here (remove
+		#   the call to files) but you'll need to follow this
+		#   [guide](freeradius-active-directory-integration-howto) and use
+		#   EAP-TTLS-PAP or PEAPv0.
+		# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
+		#
+		# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
+		# supplicant is configured. PEAPv0 has a slight edge in that you need to
+		# crack MSCHAPv2 to get the user's password (but this is not hard).
+		files
+
+		pap
+		mschap
+	}
+
+	authenticate {
+		inner-eap
+		mschap
+		pap
+
+		# Comment pap above and uncomment the stanza below if you're using
+		# Active Directory; this will allow it to work with EAP-TTLS/PAP.
+		#Auth-Type pap {
+		#	ntlm_auth
+		#}
+	}
+}