feat: add radius role

playbooks/services.yml

@@ -75,3 +75,31 @@
       tags: bootstrap
     - role: sr2c.core.node_exporter
       tags: prometheus
+
+- name: Deploy and update Radius server
+  hosts:
+    - radius
+  roles:
+    - role: sr2c.core.baseline
+      vars:
+        baseline_epel_packages_allowed:
+          - certbot
+          - python3-certbot
+          - python3-pyrfc3339
+          - python3-parsedatetime
+          - python3-josepy
+          - python3-importlib-metadata
+          - python3-configargparse
+          - python3-acme
+          - python3-zipp
+          - python3-pyOpenSSL
+          - node-exporter
+      tags: bootstrap
+    - role: freeipa.ansible_freeipa.ipaclient
+      become: true
+      state: present
+      tags: bootstrap
+    - role: sr2c.core.node_exporter
+      tags: prometheus
+    - role: sr2c.core.radius
+      tags: radius

roles/radius/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+#radius_domain_name:
+radius_wap_ipaddr: 0.0.0.0/0
+#radius_wap_secret:
+radius_local_vlan: 1
+radius_guest_vlan: 3

roles/radius/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart radiusd
+  ansible.builtin.systemd_service:
+    name: radiusd
+    state: restarted
+  become: true

roles/radius/tasks/certs.yml

@@ -0,0 +1,82 @@
+---
+- name: "Radius Certificates | PATCH | Install latest certbot"
+  ansible.builtin.dnf:
+    name: certbot
+    state: latest
+    update_cache: true
+  become: true
+
+- name: "Radius Certificates | AUDIT | Check for existing certificate expiry"
+  community.crypto.x509_certificate_info:
+    path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
+  register: radius_certs_existing_cert
+  ignore_errors: true
+  become: true
+
+- name: "Radius Certificates | AUDIT | Calculate days until expiry"
+  ansible.builtin.set_fact:
+    radius_certs_days_until_expiry: "{{ ((radius_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"
+  when: radius_certs_existing_cert.not_after is defined
+  become: true
+
+- name: "Radius Certificates | AUDIT | Print days until expiry"
+  ansible.builtin.debug:
+    msg: "{{ radius_certs_days_until_expiry }}"
+  when: radius_certs_existing_cert.not_after is defined
+  become: true
+
+- name: "Radius Certificates | PATCH | Request a new or renewed certificate"
+  when: (radius_certs_existing_cert.failed) or (radius_certs_days_until_expiry | int < 30)
+  become: true
+  block:
+    - name: "Radius Certificates | AUDIT | Check httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+      register: radius_certs_httpd_status
+
+    - name: "Radius Certificates | PATCH | Stop httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+        state: stopped
+      when: radius_certs_httpd_status.status.ActiveState == "active"
+
+    - name: "Radius Certificates | PATCH | Add http service to firewall"
+      ansible.posix.firewalld:
+        service: http
+        state: enabled
+
+    - name: "Radius Certificates | PATCH | Request new certificate"
+      ansible.builtin.command:
+        cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email
+      when: radius_certs_existing_cert.failed
+
+    - name: "Radius Certificates | PATCH | Renew existing certificate"
+      ansible.builtin.command:
+        cmd: certbot renew
+      when: not radius_certs_existing_cert.failed
+
+    - name: "Radius Certificates | PATCH | Remove http service from firewall"
+      ansible.posix.firewalld:
+        service: http
+        state: disabled
+
+    - name: "Radius Certificates | PATCH | Start httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+        state: started
+      when: radius_certs_httpd_status.status.ActiveState == "active"
+
+- name: Radius | PATCH | Allow radiusd access to certificates
+  ansible.builtin.copy:
+    src: /etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }}.pem
+    dest: /etc/raddb/{{ item }}.pem
+    remote_src: true
+    owner: radiusd
+    group: radiusd
+    mode: "0640"
+  become: true
+  notify: Restart radiusd
+  with_items:
+    - privkey
+    - cert
+    - chain

roles/radius/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Radius | PATCH | Obtain or freshen certificates
+  ansible.builtin.include_tasks:
+    file: certs.yml
+
+- name: Radius | PATCH | Install required packages
+  ansible.builtin.dnf:
+    name: freeradius
+    state: present
+  become: true
+
+- name: Radius | PATCH | Install FreeRADIUS configuration files
+  ansible.builtin.template:
+    src: etc/raddb/{{ item }}
+    dest: /etc/raddb/{{ item }}
+    owner: root
+    group: radiusd
+    mode: 0640
+  become: true
+  with_items:
+    - mods-available/eap
+    - mods-available/linelog
+    - sites-available/default
+    - mods-available/inner-eap
+    - sites-available/inner-tunnel
+    - clients.conf
+    - proxy.conf
+  notify:
+    - Restart radiusd
+
+- name: Radius | PATCH | Install rsyslog configuration
+  ansible.builtin.template:
+    src: etc/rsyslog.d/radiusd.conf
+    dest: /etc/rsyslog.d/radiusd.conf
+    owner: root
+    group: root
+    mode: 0644
+  become: true
+  notify:
+    - Reload rsyslog

roles/radius/templates/etc/raddb/clients.conf

@@ -0,0 +1,22 @@
+client eduroam_roaming0 {
+    ipaddr = roaming0.ja.net
+    secret = {{ radius_roaming0_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client eduroam_roaming1 {
+    ipaddr = roaming1.ja.net
+    secret = {{ radius_roaming1_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client eduroam_roaming2 {
+    ipaddr = roaming2.ja.net
+    secret = {{ radius_roaming2_secret }}
+    nastype = 'eduroam_flr'
+}
+
+client wireless_access_points_mgmt {
+	ipaddr = {{ radius_wap_ipaddr }}
+	secret = {{ radius_wap_secret }}
+}

roles/radius/templates/etc/raddb/mods-available/eap

@@ -0,0 +1,52 @@
+eap {
+	# The initial EAP type requested.  Change this to peap if you're
+	# using peap, or tls if you're using EAP-TLS.
+	default_eap_type = ttls
+
+	# The maximum time an EAP-Session can continue for
+	timer_expire = 60
+
+	# The maximum number of ongoing EAP sessions
+	max_sessions = ${max_requests}
+
+	tls-config tls-common {
+		# The public certificate that your server will present
+		certificate_file = /etc/raddb/cert.pem
+
+		# The private key for the public certificate
+		private_key_file = /etc/raddb/privkey.pem
+
+		# The password to decrypt 'private_key_file'
+		#private_key_password = ""
+
+		# The certificate of the authority that issued 'certificate_file'
+		ca_file = /etc/raddb/chain.pem
+
+		# If your AP drops packets towards the client, try reducing this.
+		fragment_size = 1024
+
+		# When issuing client certificates embed the OCSP URL in the
+		# certificate if you want to be able to revoke them later.
+		ocsp {
+			enable = yes
+			override_cert_url = no
+			use_nonce = yes
+		}
+	}
+
+	tls {
+		tls = tls-common
+	}
+
+	ttls {
+		tls = tls-common
+		default_eap_type = mschapv2
+		virtual_server = "eduroam-inner"
+	}
+
+	peap {
+		tls = tls-common
+		default_eap_type = mschapv2
+		virtual_server = "eduroam-inner"
+	}
+}

roles/radius/templates/etc/raddb/mods-available/inner-eap

@@ -0,0 +1,9 @@
+eap inner-eap {
+	default_eap_type = mschapv2
+	timer_expire = 60
+	max_sessions = ${max_requests}
+
+	mschapv2 {
+		send_error = yes
+	}
+}

roles/radius/templates/etc/raddb/mods-available/linelog

@@ -0,0 +1,39 @@
+linelog linelog_recv_request {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Recv-Request, %{pairs:request:}"
+}
+
+linelog linelog_send_accept {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Accept, %{pairs:request:}"
+}
+
+linelog linelog_send_reject {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Reject, %{pairs:request:}"
+}
+
+linelog linelog_send_proxy_request {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
+}
+
+linelog linelog_recv_proxy_response {
+	filename = syslog
+	syslog_facility = local0
+	syslog_severity = debug
+	reference = "messages.%{proxy-reply:Response-Packet-Type}"
+	messages {
+		Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+		Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+		Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+	}
+}

roles/radius/templates/etc/raddb/proxy.conf

@@ -0,0 +1,38 @@
+home_server eduroam_roaming0 {
+    ipaddr = roaming0.ja.net
+    secret = {{ radius_roaming0_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server eduroam_roaming1 {
+    ipaddr = roaming1.ja.net
+    secret = {{ radius_roaming1_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server eduroam_roaming2 {
+    ipaddr = roaming2.ja.net
+    secret = {{ radius_roaming2_secret }}
+    status_check = status-server
+    response_window = 5
+    check_interval = 10
+    check_timeout = 5
+}
+
+home_server_pool eduroam_flr_pool {
+    type = keyed-balance
+    home_server = eduroam_roaming0
+    home_server = eduroam_roaming1
+    home_server = eduroam_roaming2
+}
+
+realm eduroam_flr {
+    auth_pool = eduroam_flr_pool
+    nostrip
+}

roles/radius/templates/etc/raddb/sites-available/default

@@ -0,0 +1,112 @@
+# The domain users will add to their username to have their credentials
+# routed to your institution.  You will also need to register this
+# and your RADIUS server addresses with your NRO.
+operator_name = "{{ radius_domain }}"
+
+# The VLAN to assign eduroam visitors
+eduroam_default_guest_vlan = "{{ radius_guest_vlan }}"
+
+# The VLAN to assign your students/staff
+eduroam_default_local_vlan = "{{ radius_local_vlan }}"
+
+server eduroam {
+	listen {
+		type = auth
+		ipv4addr = *
+		ipv6addr = *
+		port = 1812
+	}
+
+	authorize {
+		# Log requests before we change them
+		linelog_recv_request
+
+		# split_username_nai is a policy in the default distribution to
+		# split a username into username and domain.  We reject user-name
+		# strings without domains, as they're not routable.
+		split_username_nai
+		if (noop || !&Stripped-User-Domain) {
+			reject
+		}
+
+		# Send the request to the NRO for your region.
+		# The details of the FLRs (Federation Level RADIUS servers)
+		# are in proxy.conf.
+		# You can make this condition as complex as you like, to
+		# include additional subdomains just concatenate the conditions
+		# with &&.
+		if (&Stripped-User-Domain != "${operator_name}") {
+			update {
+				control:Load-Balance-Key := &Calling-Station-ID
+				control:Proxy-To-Realm := 'eduroam_flr'
+
+				# Operator name (RFC 5580) identifies the network the
+				# request originated from. It's not absolutely necessary
+				# but it helps with debugging.
+				request:Operator-Name := "1${operator_name}"
+			}
+			return
+		}
+
+		# If the EAP module returns 'ok' or 'updated', it means it has handled
+		# the request and we don't need to call any other modules in this
+		# section.
+		eap {
+			ok = return
+			updated = return
+		}
+	}
+
+	pre-proxy {
+		attr_filter.pre-proxy
+		linelog_send_proxy_request
+	}
+
+	post-proxy {
+		attr_filter.post-proxy
+		linelog_recv_proxy_response
+	}
+
+	authenticate {
+		eap
+	}
+
+	post-auth {
+		# To implement eduroam you must:
+		# - Use wireless access points or a controller which supports
+                #   dynamic VLAN assignments.
+		# - Have that feature enabled.
+		# - Have the guest_vlan/local_vlan available to the controller,
+                #   or to all your access points.
+		# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
+		update reply {
+			Tunnel-Type := VLAN
+			Tunnel-Medium-Type := IEEE-802
+		}
+		if (&control:Proxy-To-Realm) {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan}
+			}
+		}
+		else {
+			update reply {
+				Tunnel-Private-Group-ID = ${eduroam_default_local_vlan}
+			}
+		}
+
+		# We're sending a response to one of OUR network devices for one of
+		# OUR users so provide it with the real user-identity.
+		if (&session-state:Stripped-User-Name) {
+			update reply {
+				User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
+			}
+		}
+
+		linelog_send_accept
+
+		Post-Auth-Type REJECT {
+			attr_filter.access_reject
+			linelog_send_reject
+		}
+	}
+}

roles/radius/templates/etc/raddb/sites-available/inner-tunnel

@@ -0,0 +1,73 @@
+server eduroam-inner {
+	listen {
+		type = auth
+		ipaddr = *
+		ipv6addr = *
+		port = 18120 # Used for testing only.  Requests proxied internally.
+	}
+
+	authorize {
+		# The outer username is considered garabage for autz purposes, but
+		# the domain portion of the outer and inner identities must match.
+		split_username_nai
+		if (noop || (&Stripped-User-Domain && \
+		    (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
+			reject
+		}
+
+		# Make the user's real identity available to anything that needs
+		# it in the outer server.
+		if (&outer.session-state:)
+			update {
+				&outer.session-state:Stripped-User-Name := &Stripped-User-Name
+			}
+		}
+
+		# EAP for PEAPv0 (EAP-MSCHAPv2)
+		inner-eap {
+			ok = return
+		}
+
+		# THIS IS SITE SPECIFIC
+		#
+		# The files module is *ONLY* used for testing.  It lets you define
+		# credentials in a flat file, IT WILL NOT SCALE.
+		#
+		# - If you use OpenLDAP with salted password hashes you should
+ 		#   call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use OpenLDAP with cleartext passwords you should
+		#   call the 'ldap' module here and use EAP-TTLS or PEAPv0.
+		# - If you use an SQL DB with salted password hashes you should call
+		#   the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
+		# - If you use an SQL DB with cleartext passwords you should call
+		#   the 'sql' module here and use EAP-TTLS or PEAPv0.
+		# - If you use Novell you should call the 'ldap' module here and
+		#   set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
+		#   PEAPv0.
+		# - If you use Active Directory, you don't need anything here (remove
+		#   the call to files) but you'll need to follow this
+		#   [guide](freeradius-active-directory-integration-howto) and use
+		#   EAP-TTLS-PAP or PEAPv0.
+		# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
+		#
+		# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
+		# supplicant is configured. PEAPv0 has a slight edge in that you need to
+		# crack MSCHAPv2 to get the user's password (but this is not hard).
+		files
+
+		pap
+		mschap
+	}
+
+	authenticate {
+		inner-eap
+		mschap
+		pap
+
+		# Comment pap above and uncomment the stanza below if you're using
+		# Active Directory; this will allow it to work with EAP-TTLS/PAP.
+		#Auth-Type pap {
+		#	ntlm_auth
+		#}
+	}
+}

roles/radius/templates/etc/rsyslog.d/radiusd.conf

@@ -0,0 +1 @@
+local0.debug					/var/log/radius_auth.log