From 188147b9c50c2d6053fc9d4ea40ccee04013c719 Mon Sep 17 00:00:00 2001 From: Gagan Deep Date: Mon, 3 Jun 2024 20:09:30 +0530 Subject: [PATCH] [req-changes] Updated EAP template Made file names consistent --- README.md | 39 +++++++++++++++++------ defaults/main.yml | 1 + tasks/freeradius.yml | 2 ++ tasks/freeradius_eap.yml | 6 ++-- templates/freeradius/eap/eap.j2 | 20 ++++++++---- templates/freeradius/eap/inner_tunnel.j2 | 6 ++-- templates/freeradius/eap/openwisp_site.j2 | 8 ++--- 7 files changed, 57 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 8de4a7de..383d7da9 100644 --- a/README.md +++ b/README.md @@ -614,12 +614,17 @@ installs FreeRADIUS, and configures it for WPA Enterprise (EAP-TTLS-PAP): # for this FreeRADIUS site inner_tunnel_auth_port: 18230 # If you want to use a custom certificate for FreeRADIUS - # EAP module, you can specify the path to the certificate and - # private key as follows. - # Ensure that the certificate and private key can be read by - # the "freerad" user. + # EAP module, you can specify the path to the CA, server + # certificate, and private key, and DH key as follows. + # Ensure that these files can be read by the "freerad" user. cert: /etc/freeradius/certs/cert.pem private_key: /etc/freeradius/certs/key.pem + ca: /etc/freeradius/certs/ca.crt + dh: /etc/freeradius/certs/dh + tls_config_extra: | + private_key_password = whatever + ecdh_curve = "prime256v1" + # You can add as many organizations as you want - name: demo uuid: 00000000-0000-0000-0000-000000000001 @@ -627,7 +632,7 @@ installs FreeRADIUS, and configures it for WPA Enterprise (EAP-TTLS-PAP): auth_port: 1832 acct_port: 1833 inner_tunnel_auth_port: 18330 - # If you omit the "cert" and "private_key" keys, + # If you omit the certificate fields, # the FreeRADIUS site will use the default certificates # located in /etc/freeradius/certs. ``` 
@@ -1417,13 +1422,16 @@ Below are listed all the variables you can customize (you may also want to take
 # Sets the source path of the template that contains freeradius site configuration.
 # Defaults to "templates/freeradius/openwisp_site.j2" shipped in the role.
 freeradius_openwisp_site_template_src: custom_freeradius_site.j2
+ # Whether to deploy the default openwisp_site for FreeRADIUS.
+ # Defaults to true.
+ freeradius_deploy_openwisp_site: false
 # FreeRADIUS listen address for the openwisp_site.
 # Defaults to "*", i.e. listen on all interfaces.
 freeradius_openwisp_site_listen_ipaddr: "10.8.0.1"
- # A list of dict that includes organization's name, UUID, RADIUS token, and
- # ports for authentication, accounting, and inner tunnel. This list of dict
- # is used to generate FreeRADIUS sites that support WPA Enterprise
- # (EAP-TTLS-PAP) authentication.
+ # A list of dict that includes organization's name, UUID, RADIUS token,
+ # TLS configuration, and ports for authentication, accounting, and inner tunnel.
+ # This list of dict is used to generate FreeRADIUS sites that support
+ # WPA Enterprise (EAP-TTLS-PAP) authentication.
 # Defaults to an empty list.
 freeradius_eap_orgs:
 # The name should not contain spaces or special characters
@@ -1438,6 +1446,19 @@ Below are listed all the variables you can customize (you may also want to take
 acct_port: 1833
 # Port used by the authentication service of inner tunnel for this FreeRADIUS site
 inner_tunnel_auth_port: 18330
+ # CA certificate for the FreeRADIUS site
+ ca: /etc/freeradius/certs/ca.crt
+ # TLS certificate for the FreeRADIUS site
+ cert: /etc/freeradius/certs/cert.pem
+ # TLS private key for the FreeRADIUS site
+ private_key: /etc/freeradius/certs/key.pem
+ # Diffie-Hellman key for the FreeRADIUS site
+ dh: /etc/freeradius/certs/dh
+ # Extra instructions for the "tls-config" section of the EAP module
+ # for the FreeRADIUS site
+ tls_config_extra: |
+ private_key_password = whatever
+ ecdh_curve = "prime256v1"
 # Sets the source path of the template that contains freeradius site configuration
 # for WPA Enterprise (EAP-TTLS-PAP) authentication.
 # Defaults to "templates/freeradius/eap/openwisp_site.j2" shipped in the role.
diff --git a/defaults/main.yml b/defaults/main.yml
index 07aa0293..cb1060f7 100755
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -176,6 +176,7 @@ freeradius_mods_config_dir: "{{ freeradius_dir }}/mods-config"
 freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
 freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
 freeradius_openwisp_site_template_src: freeradius/openwisp_site.j2
+freeradius_deploy_openwisp_site: true
 freeradius_db_map:
 django.contrib.gis.db.backends.spatialite:
 driver: rlm_sql_sqlite
diff --git a/tasks/freeradius.yml b/tasks/freeradius.yml
index 345e0f7f..a66c4cb8 100644
--- a/tasks/freeradius.yml
+++ b/tasks/freeradius.yml
@@ -190,6 +190,7 @@
 mode: 0640
 owner: freerad
 group: freerad
+ when: freeradius_deploy_openwisp_site
 notify: Restart freeradius
 
 - name: Inner tunnel
@@ -199,6 +200,7 @@
 mode: 0640
 owner: freerad
 group: freerad
+ when: freeradius_deploy_openwisp_site
 notify: Restart freeradius
 
 - name: Copy configuration for WPA Enterprise TTLS
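Review bot: The added `when: freeradius_deploy_openwisp_site` on the site and inner_tunnel template tasks only skips rendering, so a host provisioned before the flag was flipped to false keeps the previously written files (and, presumably, the sites-enabled symlink created outside this hunk) and FreeRADIUS goes on serving the default site. If the flag is meant as a real opt-out, pair each of these tasks with a removal guarded the other way, e.g. `- ansible.builtin.file: { path: "{{ freeradius_sites_available_dir }}/openwisp_site", state: absent }` with `when: not freeradius_deploy_openwisp_site`, plus the same for the inner_tunnel file and the enabled symlink. It would also help to fail early with an `ansible.builtin.assert` that `freeradius_deploy_openwisp_site or freeradius_eap_orgs | length > 0`, since false with no EAP orgs appears to leave the role installing FreeRADIUS with no OpenWISP site at all. The task list continues outside the hunk.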
diff --git a/tasks/freeradius_eap.yml b/tasks/freeradius_eap.yml
index c35219c3..408a4ddd 100644
--- a/tasks/freeradius_eap.yml
+++ b/tasks/freeradius_eap.yml
@@ -39,7 +39,7 @@
 - name: Copy {{ org.name }} custom EAP configuration in mods-available
 template:
 src: "{{ freeradius_eap_template_src }}"
- dest: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
+ dest: "{{ freeradius_dir }}/mods-available/{{ org.name }}_eap"
 owner: freerad
 group: freerad
 mode: '0644'
@@ -48,8 +48,8 @@
 
 - name: Create a symlink in mods-enabled
 ansible.builtin.file:
- src: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
- dest: "{{ freeradius_dir }}/mods-enabled/eap-org_{{ org.name }}"
+ src: "{{ freeradius_dir }}/mods-available/{{ org.name }}_eap"
+ dest: "{{ freeradius_dir }}/mods-enabled/{{ org.name }}_eap"
 state: link
 notify: Restart freeradius
 tags: [freeradius_eap]
diff --git a/templates/freeradius/eap/eap.j2 b/templates/freeradius/eap/eap.j2
index 38c6c83d..d8a8b237 100644
--- a/templates/freeradius/eap/eap.j2
+++ b/templates/freeradius/eap/eap.j2
@@ -1,4 +1,4 @@
-eap eap-org_{{ org.name }} {
+eap {{ org.name }}_eap {
 default_eap_type = ttls
 timer_expire = 60
 ignore_unknown_eap_types = no
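Review bot: The EAP module file written to `mods-available/{{ org.name }}_eap` keeps `mode: '0644'`, but after this patch that file can carry `private_key_password` through `tls_config_extra` (the README hunk shows exactly that usage), which makes the key passphrase readable by every local account on the host; `mode: '0640'` with the existing `owner: freerad` / `group: freerad` matches what tasks/freeradius.yml already uses for the site files. `org.name` is also interpolated into the destination path with no validation beyond the README's request to avoid special characters, so an `ansible.builtin.assert` with `that: org.name is match('^[A-Za-z0-9_-]+$')` ahead of this task would keep a stray `/` or `..` from placing the file outside mods-available. The loop that supplies `org` presumably starts outside the hunk.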
@@ -7,15 +7,23 @@ eap eap-org_{{ org.name }} { tls-config tls-common { # make sure to have a valid SSL certificate for production usage - private_key_password = whatever private_key_file = {{ org.private_key | default('${certdir}/server.pem') }} certificate_file = {{ org.cert | default('${certdir}/server.pem') }} - ca_file = ${cadir}/ca.pem - dh_file = ${certdir}/dh + ca_file = {{ org.ca | default('${cadir}/ca.pem') }} + dh_file = {{ org.dh | default('${certdir}/dh') }} ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no - ecdh_curve = "prime256v1" + tls_min_version = "1.2" + tls_max_version = "1.2" + check_crl = no + check_cert_issuer = no + fragment_size = 2048 + auto_chain = yes + + {% if 'tls_config_extra' in org %} + {{ org.tls_config_extra }} + {% endif %} cache { enable = no @@ -33,6 +41,6 @@ eap eap-org_{{ org.name }} { default_eap_type = pap copy_request_to_tunnel = yes use_tunneled_reply = yes - virtual_server = "inner_tunnel-org_{{ org.name }}" + virtual_server = "{{ org.name }}_eap_inner_tunnel" } } diff --git a/templates/freeradius/eap/inner_tunnel.j2 b/templates/freeradius/eap/inner_tunnel.j2 index ddc3fe23..89500f2f 100644 --- a/templates/freeradius/eap/inner_tunnel.j2 +++ b/templates/freeradius/eap/inner_tunnel.j2 @@ -1,4 +1,4 @@ -server inner_tunnel-org_{{ org.name }} { +server {{ org.name }}_eap_inner_tunnel { listen { ipaddr = 127.0.0.1 port = {{ org.inner_tunnel_auth_port }} @@ -10,7 +10,7 @@ server inner_tunnel-org_{{ org.name }} { filter_username update control { &REST-HTTP-Header += "${...api_token_header}" } rest - eap-org_{{ org.name }} { + {{ org.name }}_eap { ok = return } @@ -78,7 +78,7 @@ server inner_tunnel-org_{{ org.name }} { pre-proxy {} post-proxy { - eap-org_{{ org.name }} + {{ org.name }}_eap eap } } diff --git a/templates/freeradius/eap/openwisp_site.j2 b/templates/freeradius/eap/openwisp_site.j2 index dbb43bdf..1af20abb 100644 --- a/templates/freeradius/eap/openwisp_site.j2 
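Review bot: Removing `private_key_password = whatever` while `private_key_file` still defaults to `${certdir}/server.pem` will break organisations that set no custom certificate: the bootstrap certs FreeRADIUS generates from its shipped `server.cnf` (the Debian/Ubuntu packages included) are passphrase-protected with `whatever`, so the module fails to load the key unless every org now also supplies that line via `tls_config_extra`, which the README hunk presents only as an example. Keep the default-cert path working by emitting the passphrase only when no custom key is configured, e.g. `{% if 'private_key' not in org %}private_key_password = whatever{% endif %}`, and document that `tls_config_extra` is rendered verbatim into the module file, so any passphrase put there should come from Ansible Vault rather than plain inventory. `tls_max_version = "1.2"` also silently rules out TLS 1.3; if that is deliberate for EAP-TTLS client interoperability, a one-line comment such as `# TLS 1.3 disabled: EAP-TTLS clients/peers are not reliably interoperable on it` would stop the next maintainer from "fixing" it. The `tls-config` block continues outside the hunk.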
+++ b/templates/freeradius/eap/openwisp_site.j2 @@ -1,4 +1,4 @@ -server openwisp_site-org_{{ org.name }} { +server {{ org.name }}_eap_openwisp_site { listen { type = auth ipaddr = {{ org.listen_ipaddr | default(freeradius_openwisp_site_listen_ipaddr) }} @@ -19,7 +19,7 @@ server openwisp_site-org_{{ org.name }} { api_token_header = "Authorization: Bearer {{ org.uuid }} {{ org.radius_token }}" authorize { - eap-org_{{ org.name }} { + {{ org.name }}_eap { ok = return } update control { &REST-HTTP-Header += "${...api_token_header}" } @@ -30,8 +30,8 @@ server openwisp_site-org_{{ org.name }} { } authenticate { - Auth-Type eap-org_{{ org.name }} { - eap-org_{{ org.name }} + Auth-Type {{ org.name }}_eap { + {{ org.name }}_eap } Auth-Type PAP { pap