[req-changes] Updated EAP template

Made file names consistent
openwisp · Jun 3, 2024 · 188147b · 188147b
1 parent 098b58d
commit 188147b
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -614,20 +614,25 @@ installs FreeRADIUS, and configures it for WPA Enterprise (EAP-TTLS-PAP):
           # for this FreeRADIUS site
           inner_tunnel_auth_port: 18230
           # If you want to use a custom certificate for FreeRADIUS
-          # EAP module, you can specify the path to the certificate and
-          # private key as follows.
-          # Ensure that the certificate and private key can be read by
-          # the "freerad" user.
+          # EAP module, you can specify the path to the CA, server
+          # certificate, and private key, and DH key as follows.
+          # Ensure that these files can be read by the "freerad" user.
           cert: /etc/freeradius/certs/cert.pem
           private_key: /etc/freeradius/certs/key.pem
+          ca: /etc/freeradius/certs/ca.crt
+          dh: /etc/freeradius/certs/dh
+          tls_config_extra: |
+            private_key_password = whatever
+            ecdh_curve = "prime256v1"
+
         # You can add as many organizations as you want
         - name: demo
           uuid: 00000000-0000-0000-0000-000000000001
           radius_secret: demo-radius-token
           auth_port: 1832
           acct_port: 1833
           inner_tunnel_auth_port: 18330
-          # If you omit the "cert" and "private_key" keys,
+          # If you omit the certificate fields,
           # the FreeRADIUS site will use the default certificates
           # located in /etc/freeradius/certs.
 ```
@@ -1417,13 +1422,16 @@ Below are listed all the variables you can customize (you may also want to take
     # Sets the source path of the template that contains freeradius site configuration.
     # Defaults to "templates/freeradius/openwisp_site.j2" shipped in the role.
     freeradius_openwisp_site_template_src: custom_freeradius_site.j2
+    # Whether to deploy the default openwisp_site for FreeRADIUS.
+    # Defaults to true.
+    freeradius_deploy_openwisp_site: false
     # FreeRADIUS listen address for the openwisp_site.
     # Defaults to "*", i.e. listen on all interfaces.
     freeradius_openwisp_site_listen_ipaddr: "10.8.0.1"
-    # A list of dict that includes organization's name, UUID, RADIUS token, and
-    # ports for authentication, accounting, and inner tunnel. This list of dict
-    # is used to generate FreeRADIUS sites that support WPA Enterprise
-    # (EAP-TTLS-PAP) authentication.
+    # A list of dict that includes organization's name, UUID, RADIUS token,
+    # TLS configuration, and ports for authentication, accounting, and inner tunnel.
+    # This list of dict is used to generate FreeRADIUS sites that support
+    # WPA Enterprise (EAP-TTLS-PAP) authentication.
     # Defaults to an empty list.
     freeradius_eap_orgs:
         # The name should not contain spaces or special characters
@@ -1438,6 +1446,19 @@ Below are listed all the variables you can customize (you may also want to take
         acct_port: 1833
         # Port used by the authentication service of inner tunnel for this FreeRADIUS site
         inner_tunnel_auth_port: 18330
+        # CA certificate for the FreeRADIUS site
+        ca: /etc/freeradius/certs/ca.crt
+        # TLS certificate for the FreeRADIUS site
+        cert: /etc/freeradius/certs/cert.pem
+        # TLS private key for the FreeRADIUS site
+        private_key: /etc/freeradius/certs/key.pem
+        # Diffie-Hellman key for the FreeRADIUS site
+        dh: /etc/freeradius/certs/dh
+        # Extra instructions for the "tls-config" section of the EAP module
+        # for the FreeRADIUS site
+        tls_config_extra: |
+          private_key_password = whatever
+          ecdh_curve = "prime256v1"
     # Sets the source path of the template that contains freeradius site configuration
     # for WPA Enterprise (EAP-TTLS-PAP) authentication.
     # Defaults to "templates/freeradius/eap/openwisp_site.j2" shipped in the role.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -176,6 +176,7 @@ freeradius_mods_config_dir: "{{ freeradius_dir }}/mods-config"
 freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
 freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
 freeradius_openwisp_site_template_src: freeradius/openwisp_site.j2
+freeradius_deploy_openwisp_site: true
 freeradius_db_map:
     django.contrib.gis.db.backends.spatialite:
         driver: rlm_sql_sqlite

diff --git a/tasks/freeradius.yml b/tasks/freeradius.yml
@@ -190,6 +190,7 @@
     mode: 0640
     owner: freerad
     group: freerad
+  when: freeradius_deploy_openwisp_site
   notify: Restart freeradius
 
 - name: Inner tunnel
@@ -199,6 +200,7 @@
     mode: 0640
     owner: freerad
     group: freerad
+  when: freeradius_deploy_openwisp_site
   notify: Restart freeradius
 
 - name: Copy configuration for WPA Enterprise TTLS

diff --git a/tasks/freeradius_eap.yml b/tasks/freeradius_eap.yml
@@ -39,7 +39,7 @@
 - name: Copy {{ org.name }} custom EAP configuration in mods-available
   template:
     src: "{{ freeradius_eap_template_src }}"
-    dest: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
+    dest: "{{ freeradius_dir }}/mods-available/{{ org.name }}_eap"
     owner: freerad
     group: freerad
     mode: '0644'
@@ -48,8 +48,8 @@
 
 - name: Create a symlink in mods-enabled
   ansible.builtin.file:
-    src: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
-    dest: "{{ freeradius_dir }}/mods-enabled/eap-org_{{ org.name }}"
+    src: "{{ freeradius_dir }}/mods-available/{{ org.name }}_eap"
+    dest: "{{ freeradius_dir }}/mods-enabled/{{ org.name }}_eap"
     state: link
   notify: Restart freeradius
   tags: [freeradius_eap]
diff --git a/templates/freeradius/eap/eap.j2 b/templates/freeradius/eap/eap.j2
@@ -1,4 +1,4 @@
-eap eap-org_{{ org.name }} {
+eap {{ org.name }}_eap {
     default_eap_type = ttls
     timer_expire = 60
     ignore_unknown_eap_types = no
@@ -7,15 +7,23 @@ eap eap-org_{{ org.name }} {
 
     tls-config tls-common {
         # make sure to have a valid SSL certificate for production usage
-        private_key_password = whatever
         private_key_file = {{ org.private_key | default('${certdir}/server.pem') }}
         certificate_file = {{ org.cert | default('${certdir}/server.pem') }}
-        ca_file = ${cadir}/ca.pem
-        dh_file = ${certdir}/dh
+        ca_file = {{ org.ca | default('${cadir}/ca.pem') }}
+        dh_file = {{ org.dh | default('${certdir}/dh') }}
         ca_path = ${cadir}
         cipher_list = "DEFAULT"
         cipher_server_preference = no
-        ecdh_curve = "prime256v1"
+        tls_min_version = "1.2"
+        tls_max_version = "1.2"
+        check_crl = no
+        check_cert_issuer = no
+        fragment_size = 2048
+        auto_chain = yes
+
+        {% if 'tls_config_extra' in org %}
+        {{ org.tls_config_extra }}
+        {% endif %}
 
         cache {
             enable = no
@@ -33,6 +41,6 @@ eap eap-org_{{ org.name }} {
         default_eap_type = pap
         copy_request_to_tunnel = yes
         use_tunneled_reply = yes
-        virtual_server = "inner_tunnel-org_{{ org.name }}"
+        virtual_server = "{{ org.name }}_eap_inner_tunnel"
     }
 }
diff --git a/templates/freeradius/eap/inner_tunnel.j2 b/templates/freeradius/eap/inner_tunnel.j2
@@ -1,4 +1,4 @@
-server inner_tunnel-org_{{ org.name }} {
+server {{ org.name }}_eap_inner_tunnel {
     listen {
         ipaddr = 127.0.0.1
         port = {{ org.inner_tunnel_auth_port }}
@@ -10,7 +10,7 @@ server inner_tunnel-org_{{ org.name }} {
         filter_username
         update control { &REST-HTTP-Header += "${...api_token_header}" }
         rest
-        eap-org_{{ org.name }} {
+        {{ org.name }}_eap {
             ok = return
         }
 
@@ -78,7 +78,7 @@ server inner_tunnel-org_{{ org.name }} {
 
     pre-proxy {}
     post-proxy {
-        eap-org_{{ org.name }}
+        {{ org.name }}_eap
         eap
     }
 }
diff --git a/templates/freeradius/eap/openwisp_site.j2 b/templates/freeradius/eap/openwisp_site.j2
@@ -1,4 +1,4 @@
-server openwisp_site-org_{{ org.name }} {
+server {{ org.name }}_eap_openwisp_site {
     listen {
         type = auth
         ipaddr = {{ org.listen_ipaddr | default(freeradius_openwisp_site_listen_ipaddr) }}
@@ -19,7 +19,7 @@ server openwisp_site-org_{{ org.name }} {
 
     api_token_header = "Authorization: Bearer {{ org.uuid }} {{ org.radius_token }}"
     authorize {
-        eap-org_{{ org.name }} {
+        {{ org.name }}_eap {
           ok = return
         }
         update control { &REST-HTTP-Header += "${...api_token_header}" }
@@ -30,8 +30,8 @@ server openwisp_site-org_{{ org.name }} {
     }
 
     authenticate {
-        Auth-Type eap-org_{{ org.name }} {
-            eap-org_{{ org.name }}
+        Auth-Type {{ org.name }}_eap {
+            {{ org.name }}_eap
         }
         Auth-Type PAP {
             pap