README.md 52 KB
Newer Older
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1
# freeradius
Jonathan's avatar
Jonathan committed
2

3
4
5
6
#### Table of Contents

1. [Overview](#overview)
2. [Module Description - What the module does and why it is useful](#module-description)
7
3. [Usage - Configuration options and additional functionality](#usage)
8
9
    * [Classes](#classes)
       * [`freeradius`](#freeradius)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
10
       * [`freeradius::status_server`](#freeradiusstatus_server)
11
       * [`freeradius::control_socket`](#freeradiuscontrol_socket)
12
    * [Resources](#resources)
13
       * [`freeradius::attr`](#freeradiusattr)
14
       * [`freeradius::blank`](#freeradiusblank)
15
       * [`freeradius::cert`](#freeradiuscert)
16
17
18
       * [`freeradius::client`](#freeradiusclient)
       * [`freeradius::config`](#freeradiusconfig)
       * [`freeradius::dictionary`](#freeradiusdictionary)
19
20
       * [`freeradius::home_server`](#freeradiushomeserver)
       * [`freeradius::home_server_pool`](#freeradiushomeserverpool)
21
       * [`freeradius::instantiate`](#freeradiusinstantiate)
22
       * [`freeradius::ldap`](#freeradiusldap)
23
       * [`freeradius::module::ldap`](#freeradiusmoduleldap)
24
       * [`freeradius::krb5`](#freeradiuskrb5)
25
       * [`freeradius::module`](#freeradiusmodule)
26
       * [`freeradius::module::ippool`](#freeradiusmoduleippool)
27
       * [`freeradius::module::linelog`](#freeradiusmodulelinelog)
28
       * [`freeradius::module::detail`](#freeradiusmoduledetail)
29
       * [`freeradius::module::files`](#freeradiusmodulefiles)
30
       * [`freeradius::module::eap`](#freeradiusmoduleeap)
31
32
       * [`freeradius::module::preprocess`](#freeradiusmodulepreprocess)
       * [`freeradius::module::huntgroup`](#freeradiusmodulehuntgroup)
33
       * [`freeradius::policy`](#freeradiuspolicy)
34
       * [`freeradius::realm`](#freeradiusrealm)
35
       * [`freeradius::site`](#freeradiussite)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
36
       * [`freeradius::sql`](#freeradiussql)
37
       * [`freeradius::statusclient`](#freeradiusstatusclient)
38
       * [`freeradius::template`](#freeradiustemplate)
39
       * [`freeradius::virtual_module`](#freeradiusvirtual_module)
40
41
4. [Limitations - OS compatibility, etc.](#limitations)
5. [Development - Guide for contributing to the module](#development)
42
43
44

## Overview

45
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
46
on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
47
but should work on other distributions. 
48

49
50
51
52
This module requires Puppet 4.0.0 or greater. Puppet 3.x was
[discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
the end of 2016.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
53
54
| `jgazeley/freeradius` | FreeRADIUS  |
| --------------------- | ----------- |
Jonathan Gazeley's avatar
Jonathan Gazeley committed
55
| 3.x                   | 3.x         |
Jonathan Gazeley's avatar
Jonathan Gazeley committed
56
57
58
59
| 2.x                   | 3.x         |
| 1.x                   | 2.x and 3.x |
| 0.x                   | 2.x         |

60
61
## Module Description

62
63
64
65
66
67
This module installs FreeRADIUS from a distro-provided package and installs a
number of customised config files to enable flexibility. It then provides some
helpers to allow you to easily configure virtual servers (sites), modules, clients
and other config items. Most of these items accept a flat config file which you
supply either as a static file or a template - similar to the `source` and `content`
parameters in Puppet's `file` resource.
68

69
70
71
This module is designed to make it more straightforward for RADIUS administrators to
deploy RADIUS servers using Puppet. This module does not serve as a wizard and does
not avoid having to have an understanding of FreeRADIUS.
72
73


74
## Usage
75

76
This module provides several classes and defined types which take parameters.
77

78
### Classes
79

80
#### `freeradius`
81

82
83
The `freeradius` class installs the base server. In the early releases, this class does not
have many parameters as most values are hard-coded. I am working on parameterising more
84
85
of the global settings to increase flexibility. Patches are welcome.

86
##### `control_socket`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
87
Use of the `control_socket` parameter in the freeradius class is deprecated. Use the `freeradius::control_socket` class instead.
88

89
90
91
##### `correct_escapes`
Use correct backslash escaping in unlang. Default: `true`

92
93
94
95
96
97
98
##### `max_requests`
The maximum number of requests which the server keeps track of. This should be 256 multiplied by the number of clients. Default: `4096`

##### `max_servers`
Limit on the total number of servers running. Default: `4096`

##### `mysql_support`
99
Install support for MySQL. Note this only installs the package. Use `freeradius::sql` to configure SQL support. Default: `false`
100
101
102
103

##### `perl_support`
Install support for Perl. Default: `false`

104
105
106
##### `preserve_mods`
Leave recommended stock modules enabled. Default: `true`

107
108
109
110
111
112
##### `utils_support`
Install FreeRADIUS utils. Default: `false`

##### `ldap_support`
Install support for LDAP. Default: `false`

113
114
115
##### `dhcp_support`
Install support for DHCP. Default: `false`

116
117
118
##### `krb5_support`
Install support for Kerberos. Default: `false`

119
##### `wpa_supplicant`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
120
Install `wpa_supplicant` utility. Default: `false`
121

122
##### `winbind_support`
123
Add the radius user to the winbind privileged group. You must install winbind separately. Default: `false`.
124

125
126
127
##### `log_destination`
Configure destination of log messages. Valid values are `files`, `syslog`, `stdout` and `stderr`. Default: `files`.

128
##### `syslog`
129
Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
130

131
132
133
##### `log_auth`
Log authentication requests (yes/no). Default: `no`.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
134
135
136
##### `package_ensure`
Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
137
138
```puppet
class { 'freeradius':
139
140
141
142
143
144
145
  max_requests    => 4096,
  max_servers     => 4096,
  mysql_support   => true,
  perl_support    => true,
  utils_support   => true,
  wpa_supplicant  => true,
  winbind_support => true,
146
  syslog          => true,
147
  log_auth        => 'yes',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
148
149
150
}
```

151
152
#### `freeradius::status_server`

153
154
The `freeradius::status_server` class enabled the [status server](http://wiki.freeradius.org/config/Status).
To remove the status server, do not include this class and the server will be removed.
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

##### `secret`
The shared secret for the status server. Required.

##### `port`
The port to listen for status requests on. Default: `18121`

##### `listen`
The address to listen on. Defaults to listen on all addresses but you could set this to `$::ipaddress` or `127.0.0.1`.  Default: `*`

```puppet
  # Enable status server
  class { 'freeradius::status_server':
    port   => '18120',
    secret => 't0pSecret!',
  }
```

173
174
175
176
177
178
179
180
#### `freeradius::control_socket`

The `freeradius::control_socket` class enables the control socket which can be used with [RADMIN](http://freeradius.org/radiusd/man/radmin.html).
To remove the control socket, do not include this class and the socket will be removed.

##### `mode`
Whether the control socket should be read-only or read-write. Choose from `ro`, `rw`. Default: `ro`.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
181
182
183
184
185
186
187
```puppet
  # Enable control socket
  class { 'freeradius::control_socket':
    mode => 'ro',
  }
```

188
### Resources
189

190
#### `freeradius::attr`
191

192
Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory.
193
The contents of the `attr_filter` module are automatically updated to reference the filters.
194
195
196
197

##### `key`

Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name.
Jonathan Gazeley's avatar
Jonathan Gazeley committed
198

199
200
201
202
203
##### `prefix`

Specify the prefix for the attribute filter name before the dot, e.g. `filter.post_proxy`. This is usually set
to `filter` on FR2 and `attr_filter` on FR3. Default: `filter`.

204
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
205
freeradius::attr { 'eduroamlocal':
206
  key    => 'User-Name',
207
  prefix => 'attr_filter',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
208
209
210
  source => 'puppet:///modules/site_freeradius/eduroamlocal',
}
```
211

212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
#### `freeradius::blank`

Selectively blank certain stock config files that aren't required. This is preferable to deleting them
because the package manager will replace certain files next time the package is upgraded, potentially
causing unexpected behaviour.

The resource title should be the relative path from the FreeRADIUS config directory to the file(s) you
want to blank. You can pass multiple files in an array.

```puppet
freeradius::blank { 'sites-enabled/default': }

freeradius::blank { [
  'sites-enabled/default',
  'eap.conf',
]: }
```

230
231
#### `freeradius::cert`

232
Install certificates as provided. These are installed in `certs`. Beware that any certificates *not* deployed by Puppet will be purged from this directory.
233
234
235
236
237
238
239
240

```puppet
freeradius::cert { 'mycert.pem':
  source => 'puppet:///modules/site_freeradius/mycert.pem',
  type   => 'key',
}
```

241
242
243
244
245
246
247
```puppet
freeradius::cert { 'mycert.pem':
  content => '<your key/cert content here>',
  type    => 'key',
}
```

248
249
250
251
##### `type`

Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.

252
253
254
255
#### `freeradius::client`

Define RADIUS clients as seen in `clients.conf`

256
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
257
# Single host example
Jonathan Gazeley's avatar
Jonathan Gazeley committed
258
259
freeradius::client { "wlan-controller01":
  ip        => '192.168.0.1',
260
  secret    => 'testing123',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
261
  shortname => 'wlc01',
262
  nastype   => 'other',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
263
264
265
  port      => '1645-1646',
  firewall  => true,
}
266
267
```

Jonathan Gazeley's avatar
Jonathan Gazeley committed
268
```puppet
269
# Range example
Jonathan Gazeley's avatar
Jonathan Gazeley committed
270
271
272
273
274
275
276
277
278
279
freeradius::client { "wlan-controllers":
  ip        => '192.168.0.0/24',
  secret    => 'testing123',
  shortname => 'wlc01',
  nastype   => 'other',
  port      => '1645-1646',
  firewall  => true,
}
```

280
281
282
283
284
285
286
287
288
289
290
291
```puppet
# Huntgroup Example
freeradius::client { "asa01":
  ip         => '192.168.0.1',
  secret     => 'testing123',
  huntgroups => [
    { name       => 'firewall',
      conditions => [ 'NAS-IP-Address == 192.168.0.1' ] },
  ]
}
```

292
##### `ip`
293
The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
294
Default: `undef`.
295
296

##### `ip6`
297
The IPv6 address of the client or range in CIDR format. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
Jonathan Gazeley's avatar
Jonathan Gazeley committed
298

299
##### `shortname`
300
A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Defaults to resource name.
301
302

##### `secret`
303
The RADIUS shared secret used for communication between the client/NAS and the RADIUS server. Required.
304
305

##### `virtual_server`
306
The virtual server that traffic from this client should be sent to. Default: `undef`.
307
308

##### `nastype`
309
The `nastype` attribute is used to tell the `checkrad.pl` script which NAS-specific method it should use when checking simultaneous use. See [`man clients.conf`](http://freeradius.org/radiusd/man/clients.conf.txt) for a list of all options. Default: `undef`.
310

311
312
313
314
315
316
317
318
319
320
321
322
323
##### `proto`
Transport protocol used by the client. If unspecified, defaults to "udp", which is the traditional RADIUS transport. Valid values are `udp`, `tcp` or `*` for both of them. Default: `undef`.

##### `require_message_authenticator`
Old-style clients do not send a Message-Authenticator in an Access-Request.  RFC 5080 suggests that all clients SHOULD include it in an Access-Request. Valid values are `yes` and `no`. Default: `no`.

##### `login`
Login used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.

##### `password`
Password used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.

##### `coa_server`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
324
A pointer to the `home_server_pool` OR a `home_server` section that contains the CoA configuration for this client. Default: `undef`.
325
326
327
328
329
330
331
332
333
334
335
336
337

##### `response_window`
Response window for proxied packets. Default: `undef`.

##### `max_connections`
Limit the number of simultaneous TCP connections from a client. It is ignored for clients sending UDP traffic. Default: `undef`.

##### `lifetime`
The lifetime, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.

##### `idle_timeout`
The idle timeout, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.

338
##### `port`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
339
The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server. Currently the port number is only used to create firewall exceptions and you only need to specify it if you set `firewall => true`. Use port range syntax as in [`puppetlabs-firewall`](https://forge.puppetlabs.com/puppetlabs/firewall). Default: `undef`.
340

341
342
##### `firewall`
Create a firewall exception for this virtual server. If this is set to `true`, you must also supply `port` and either `ip` or `ip6`. Default: `false`.
343

344
345
346
##### `attributes`
Array of attributes to assign to this client. Default: empty.

347
348
349
350

##### `huntgroups`
Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup.

351
352
#### `freeradius::config`

353
Install arbitrary config snippets from a flat file. These are installed in `mods-config`
354

355
```puppet
356
357
358
359
360
freeradius::config { 'realm-checks.conf':
  source => 'puppet:///modules/site_freeradius/realm-checks.conf',
}
```

361
362
363
364
365
366
```puppet
freeradius::config { 'realm-checks.conf':
  content => template('your_template),
}
```

367
368
#### `freeradius::dictionary`

369
Install custom dictionaries without breaking the default FreeRADIUS dictionary. Custom dictionaries are installed in `dictionary.d` and automatically included in the global dictionary.
370
371
372
373
374
375

```puppet
freeradius::dictionary { 'mydict':
  source => 'puppet:///modules/site_freeradius/dictionary.mydict',
}
```
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
#### `freeradius::home_server`

This section defines a "Home Server" which is another RADIUS server that gets sent proxied requests.

##### `secret`

The shared secret use to "encrypt" and "sign" packets between FreeRADIUS and the home server.

##### `type`

Home servers can be sent Access-Request packets or Accounting-Request packets. Allowed values are:
* `auth` Handles Access-Request packets
* `acct`  Handles Accounting-Request packets
* `auth+acct` Handles Access-Request packets at "port" and Accounting-Request packets at "port + 1"
* `coa` Handles CoA-Request and Disconnect-Request packets.

Default: `auth`

##### `ipaddr`

IPv4 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `ipv6addr`

IPv6 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `virtual_server`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
404
If you specify a `virtual_server` here, then requests will be proxied internally to that virtual server.
405
406
407
408
409
410
411
412
413
414
415
416
417
These requests CANNOT be proxied again, however. The intent is to have the local server handle packets
when all home servers are dead. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `port`

The port to which packets are sent. Usually 1812 for type "auth", and  1813 for type "acct".
Older servers may use 1645 and 1646. Use 3799 for type "coa" Default: `1812`

##### `proto`
The transport protocol. If unspecified, defaults to "udp", which is the traditional
RADIUS transport. It may also be "tcp", in which case TCP will be used to talk to
this home server. Default: `udp`

418
##### `status_check`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
419
Type of check to see if the `home_server` is dead or alive. Valid values are `none`, `status-server`
420
421
and `request`. Default: `undef`.

422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457

#### `freeradius::home_server_pool`

##### `home_server`

An array of one or more home servers. The names of the home servers are NOT the hostnames, but the names
of the sections. (e.g. `home_server foo {...}` has name "foo".

Note that ALL home servers listed here have to be of the same type. i.e. they all have to be "auth", or they all have to
be "acct", or they all have to be "auth+acct".


##### `type`

The type of this pool controls how home servers are chosen.

* `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.

The default type is `fail-over`.

##### `virtual_server`

A `virtual_server` may be specified here.  If so, the "pre-proxy" and "post-proxy" sections are called when
the request is proxied, and when a response is received.

##### `fallback`

If ALL home servers are dead, then this "fallback" home server is used. If set, it takes precedence over any realm-based
fallback, such as the DEFAULT realm.

For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!

458

459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
#### `freeradius::huntgroup`

Define a huntgroup given a name and the conditions under which a huntgroup matches a client.

```puppet
freeradius::huntgroup { 'switchaccess':
  huntgroup  => 'switchaccess',
  conditions => [
    'NAS-IP-Address == 192.168.0.1'
  ]
}

##### `huntgroup`
Name of the huntgroup to assign, if conditions are all met. Default to the resource title.

##### `conditons`
Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'.

##### `type`


##### `home_server`


483
484
#### `freeradius::instantiate`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
485
486
Instantiate a module that is not automatically instantiated.

487
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
488
489
freeradius::instantiate { 'mymodule': }
```
490

491
#### `freeradius::ldap`
492
493
494
Deprecated. Use `freeradius::module::ldap` instead.

#### `freeradius::module::ldap`
495
496
497

Configure LDAP support for FreeRADIUS

498
499
500
501
##### `ensure`

Whether the site should be present or not.

502
503
504
505
506
507
##### `identity`
LDAP account for searching the directory. Required.

##### `password`
Password for the `identity` account. Required.

508
509
510
511
512
513
514
515
516
##### `sasl`
SASL parameters to use for admin binds to the ldap server. This is a hash with 3 possible keys:

* `mech`: The SASL mechanism used.
* `proxy`: SASL authorizatino identity to proxy.
* `realm`: SASL realm (used for kerberos)

Default: `{}`

517
518
519
520
##### `basedn`
Unless overridden in another section, the dn from which all searches will start from. Required.

##### `server`
521
522
Array of hostnames or IP addresses of the LDAP server(s). Note that this needs to match the name(s) in the LDAP
server certificate, if you're using ldaps. Default: [`localhost`]
523
524
525
526

##### `port`
Port to connect to the LDAP server on. Default: `389`

527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
##### `valuepair_attribute`
Generic valuepair attribute. If set, this attribute will be retrieved in addition to any mapped attributes. Default: `undef`.

##### `update`
Array with mapping of LDAP directory attributes to RADIUS dictionary attributes. Default: `[]`

##### `edir`
Se to `yes` if you have eDirectory and want to use the universal password mechanisms. Possible values are `yes` and `no`. Default: `undef`.

##### `edir_autz`
Set to `yes`if you want to bind as the user after retrieving the Cleartest-Password. Possible values are `yes` and `no`. Default: `undef`.

##### `user_base_dn`
Where to start searching for users in the LDAP tree. Default: `${..base_dn}`.

##### `user_filter`
Filter for user objects. Default: `uid=%{%{Stripped-User-Name}-%{User-Name}})`

##### `user_sasl`
SASL parameters to use for user binds to the ldap server. This is a hash with 3 possible keys:

* `mech`: The SASL mechanism used.
* `proxy`: SASL authorizatino identity to proxy.
* `realm`: SASL realm (used for kerberos)

Default: `{}`

##### `user_scope`
Search scope for users. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `user_sort_by`
Server side result sorting. A list of space delimited attributes to order the result set by. Default: `undef`.

##### `user_access_attribute`
If this undefined, anyone is authorized. If it is defined, the contents of this attribute determine whether or not the user is authorised. Default: `undef`.

##### `user_access_positive`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
564
Control whether the presence of `access_attribute` allows access or denys access. Default: `undef`.
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629

##### `group_base_dn`
Where to start searching for groups in the LDAP tree. Default: `${..base_dn}`.

##### `group_filter`
Filter for group objects. Default: `'(objectClass=posixGroup)'`.

##### `group_scope`
Search scope for groups. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `group_name_attribute`
Attribute that uniquely identifies a group. Default: `undef` (`'cn'` is applied).

##### `group_membership_filter`
Filter to find group objects a user is member of. That is, group objects with attributes that identify members (the inverse of `group_membership_attribute`). Default: `undef`.

##### `group_membership_attribute`
The attribute in user objects which contain the namos or DNs of groups a user is a member of. Default: `'memberOf'`.

##### `group_cacheable_name`
If `group_cacheable_name` or `group_cacheable_dn` are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropiaate for the instance of rlm_ldap. Default: `undef`.

##### `group_cacheable_dn`
If `group_cacheable_name` or `group_cacheable_dn` are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropiaate for the instance of rlm_ldap. Default: `undef`.

##### `group_cache_attribute`
Override the normal cache attribute (`<inst>-LDAP-Group` or `LDAP-Group` if using the default instance) and create a custom attribute. Default: `undef`.

##### `group_attribute`
Override the normal group comparison attribute name (`<inst>-LDAP-Group` or `LDAP-Group` if using the default instance). Default: `undef`.

##### `profile_filter`
Filter for RADIUS profile objects. Default: `undef`.

##### `profile_default`
The default profile. This may be a DN or an attribute reference. Default: `undef`.

##### `profile_attribute`
The LDAP attribute containing profile DNs to apply in addition to the default profile above. Default: `undef`.

##### `client_base_dn`
Where to start searching for clients in the LDAP tree. Default: `'${..base_dn}'`.

##### `client_filter`
Filter to match client objects. Default: `'(objectClass=radiusClient)'`.

##### `client_scope`
Search scope for clients. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `read_clients`
Load clients on startup. Default: `undef` (`'no'` is applied).

##### `dereference`
Control under which situations LDAP aliases are followed. May be one of `never`, `searching`, `finding` or `always`. Default: `undef` (`always` is applied).

##### `chase_referrals`
With `rebind` control whether the server follows references returned by LDAP directory. Mostly used for AD compatibility. Default: `yes`.

##### `rebind`
With `chase_referrals` control whether the server follows references returned by LDAP directory. Mostly used for AD compatibility. Default: `yes`.

##### `use_referral_credentials`
On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.

##### `session_tracking`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
630
If `yes`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.
631

632
633
634
635
##### `uses`
How many times the connection can be used before being re-established. This is useful for things
like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0`

636
637
638
639
640
641
642
643
644
645
646
647
##### `retry_delay`
The number of seconds to wait after the server tries to open a connection, and fails. Default: `30'.

##### `lifetime`
The lifetime (in seconds) of the connection. Default: `0` (forever).

##### `idle_timeout`
Idle timeout (in seconds). A connection which is unused for this length of time will be closed. Default: `60`.

##### `connect_timeout`
Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.

648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
##### `idle`
Sets the idle time before keepalive probes are sent. Default `60`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `probes`
Sets the maximum number of keepalive probes TCP should send before dropping the connection. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `interval`
Setss the interval in seconds between individual keepalive probes. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `timeout`
Number of seconds to wait for LDAP query to finish. Default: `10`

669
670
671
672
673
674
##### `timelimit`
Seconds LDAP server has to process the query (server-side time limit). Default: `20`.

##### `ldap_debug`
Debug flag for LDAP SDK. Default: `0x0028`.

675
676
677
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
678
directory being available. Default: `${thread[pool].start_servers}`
679
680

##### `min`
681
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`
682
683
684
685
686

##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`

##### `spare`
687
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703

##### `starttls`
Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation.
The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections

Default: `no`

##### `cafile`
Path to CA cert file for TLS

##### `certfile`
Path to cert file for TLS

##### `keyfile`
Path to key file for TLS

704
705
706
##### `random_file`
Random file used for TLS operations. Default: `undef` (`'/dev/urandom'` is used).

707
708
709
710
711
712
713
714
715
##### `requirecert`
Certificate Verification requirements. Choose from:
'never' (do not even bother trying)
'allow' (try, but don't fail if the certificate cannot be verified)
'demand' (fail if the certificate does not verify)
'hard'  (similar to 'demand' but fails if TLS cannot negotiate)

Default: `allow`

716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
#### `freeradius::krb5`
Configure Kerberos support for FreeRADIUS

##### `keytab`
Full path to the Kerberos keytab file

##### `principal`
Name of the service principal

##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. Default: `${thread[pool].start_servers}`

##### `min`
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`

##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`

##### `spare`
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
738

739
#### `freeradius::module`
740

741
742
743
744
Install a module from a flat file, or enable a stock module that came with your distribution of
FreeRADIUS. Modules are installed into `mods-available` and automatically symlinked into
`mods-enabled`, to ensure compatibility with package managers. Any files in this directory that
are *not* managed by Puppet will be removed.
745

746
```puppet
747
748
749
750
751
752
753
754
# Enable a stock module
freeradius::module { 'pap':
  preserve => true,
}
```

```puppet
# Install a custom module from a flat file
755
756
757
758
759
freeradius::module { 'buffered-sql':
  source => 'puppet:///modules/site_freeradius/buffered-sql',
}
```

760
```puppet
761
# Install a custom module from a template
762
763
764
765
766
freeradius::module { 'buffered-sql':
  content => template('some_template.erb)',
}
```

767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
#### `freeradius::module::ippool`

Install a `ippool` module

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `range_start`
The first IP address of the pool.

##### `range_stop`
The last IP address of the pool.

##### `netmask`
The network mask used for the pool

##### `cache_size`
The gdbm cache size for the db files. Default: number of IP address in the range.

##### `filename`
The main db file used to allocate address. Default: `${db_dir}/db.${name}`

##### `ip_index`
Helper db index file. Default: `${db_dir}/db.${name}.index`

##### `override`
If set, the Framed-IP-Address already in the reply (if any) will be discarded. Default: `no`.

##### `maximum_timeout`
Maximum time in seconds that an entry may be active. Default: `0` (no timeout).

##### `key`
The key to use for the session database. Default: `undef`.

801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
#### `freeradius::module::linelog`
Install and configure linelog module to log text to files.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `filename`
The file where the logs will go. Default: `${logdir}/linelog`.

##### `escape_filenames`
If UTF-8 characters should be escaped from filename. Default: `no`.

##### `permissions`
Unix-style permissions for the log file. Default: `0600`.

##### `group`
The Unix group which owns the log file. Default: `undef`.

##### `syslog_facility`
Syslog facility (if logging via syslog). Default: `undef` (`daemon`).

##### `syslog_severity`
Syslog severity (if logging via syslog). Default: `undef` (`info`).

##### `format`
The default format string. Default: `This is a log message for %{User-Name}`.

##### `reference`
If it is defined, the line string logged is dynamically expanded and the result is used to find another configuration entry here, with the given name. That name is then used as the format string. Default: `messages.%{%reply:Packet-Type}:-default}`.

##### `messages`
Array of messages. The messages defined here are taken from the `reference` expansion. Default: `[]`.

##### `accounting_request`
Array of messages. Similar to `messages` but for accounting logs.

837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
#### `freeradius::module::detail`

Install a detail module to write detailed log of accounting records.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `filename`
The file where the detailed logs will go. Default: `${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d`.

##### `escape_filenames`
If UTF-8 characters should be escaped from filename. Default: `no`.

##### `permissions`
Unix-style permissions for the log file. Default: `0600`.

##### `group`
The Unix group which owns the log file. Default: `undef`.

##### `header`
Header to use in every entry in the detail file. Default: `undef` (`%t`).

##### `locking`
Enable if a detail file reader will be reading this file. Default: `undef`.

##### `log_packet_header`
Log the package src/dst IP/port. Default: `undef`.

##### `suppress`
Array of (sensitive) attributes that should be removed from the log. Default: `[]`.

868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
#### `freeradius::module::files`
Install a `file` module with users in freeradius.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `moddir`
Directory where the users file is located. Default: `${modconfdir}/${.:instance}`.

##### `key`
The default key attribute to use for matches. Default: `undef`.

##### `filename`
The (old) users style filename. Default: `${moddir}/authorize`.

##### `usersfile`
Accepted for backups compatibility. Default: `undef`.

##### `acctusersfile`
Accepted for backups compatibility. Default: `undef`.

##### `preproxy_usersfile`
Accepted for backups compatibility. Default: `undef`.

##### `users`
Array of hashes with users entries (see "man users"). If entry in the hash is an array which valid keys are:

* `login`: The login of the user.
* `check_items`: An array with check components for the user entry.
* `reply_items`: An array with reply components for the user entry.

For example:
```puppet
freeradius::module::files {'myuserfile':
  users => [
    {
      login => 'DEFAULT',
      check_items => [
        'Realm == NULL'
      ],
      reply_items => [
        'Fall-Through = No
      ],
    },
  ],
}
```

will produce a user file like:
```
DEFAULT Realm == NULL
  Fall-Through = No
```

You should use just one of `users`, `source` or `content` parameters.

##### `source`
Provide source to a file with the users file. Default: `undef`.

You should use just one of `users`, `source` or `content` parameters.

##### `content`
Provide the content for the users file. Default: `undef`.

You should use just one of `users`, `source` or `content` parameters.

934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#### `freeradius::module::eap`
Install a module for EAP configuration

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `default_eap_type`
Default EAP type. Default: `md5`.

##### `timer_expire`
How much time an entry is maintained in the list to correlate EAP-Response packets with EAP-Request packets. Default: `60`.

##### `ignore_unknown_eap_types`
By setting this options to `yes`, you can tell the server to keep processing requests with an EAP type it does not support. Default: `no`.

##### `cisco_accounting_username_bug`
Enables a work around to handle Cisco AP1230B firmware bug. Default: `no`.

##### `max_sessions`
Maximum number of EAP sessions the server tracked. Default: `${max_requests}`.

##### Parameters to configure EAP-pwd authentication.

###### `eap_pwd`
If set to `true` configures EAP-pwd authentication. Default: `false`.

###### `pwd_group`
`group` used in pwd configuration. Default: `undef`.

###### `pwd_server_id`
`server_id` option in pwd configuration. Default: `undef`.

###### `pwd_fragment_size`
`fragment_size` option in pwd configuration. Default: `undef`.

###### `pwd_virtual_server`
The virtual server which determines the "known good" password for the user in pwd authentication. Default: `undef`.

##### Parameters to configure Generic Tocken Card

###### `gtc_challenge`
The default challenge. Default: `undef`

###### `gtc_auth_type`
`auth_type` use in GTC. Default: `PAP`.

##### Parameters for TLS configuration

###### `tls_config_name`
Name for the `tls-config`. It normally should not be used. Default: `tls-common`.

###### `tls_private_key_password`
Private key password. Default: `undef`.

###### `tls_private_key_file`
File with the private key of the server. Default: `${certdir}/server.pem`.

###### `tls_certificate_file`
File with the certificate of the server. Default: `${certdir}/server.pem`.

###### `tls_ca_file`
File with the trusted root CA list. Default: `${certdir}/ca.pem`.

###### `tls_auth_chain`
When setting to `no`, the server certificate file MUST include the full certificate chain. Default: `undef`.

###### `tls_psk_identity`
For faster browsing, not all history is shown. View entire blame