README.md 27 KB
Newer Older
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1
# freeradius
Jonathan's avatar
Jonathan committed
2

3
4
5
6
#### Table of Contents

1. [Overview](#overview)
2. [Module Description - What the module does and why it is useful](#module-description)
7
3. [Usage - Configuration options and additional functionality](#usage)
8
9
    * [Classes](#classes)
       * [`freeradius`](#freeradius)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
10
       * [`freeradius::status_server`](#freeradiusstatus_server)
11
       * [`freeradius::control_socket`](#freeradiuscontrol_socket)
12
    * [Resources](#resources)
13
       * [`freeradius::attr`](#freeradiusattr)
14
       * [`freeradius::blank`](#freeradiusblank)
15
       * [`freeradius::cert`](#freeradiuscert)
16
17
18
       * [`freeradius::client`](#freeradiusclient)
       * [`freeradius::config`](#freeradiusconfig)
       * [`freeradius::dictionary`](#freeradiusdictionary)
19
20
       * [`freeradius::home_server`](#freeradiushomeserver)
       * [`freeradius::home_server_pool`](#freeradiushomeserverpool)
21
       * [`freeradius::instantiate`](#freeradiusinstantiate)
22
       * [`freeradius::ldap`](#freeradiusldap)
23
24
       * [`freeradius::module`](#freeradiusmodule)
       * [`freeradius::policy`](#freeradiuspolicy)
25
       * [`freeradius::realm`](#freeradiusrealm)
26
       * [`freeradius::site`](#freeradiussite)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
27
       * [`freeradius::sql`](#freeradiussql)
28
       * [`freeradius::statusclient`](#freeradiusstatusclient)
29
30
31
4. [Limitations - OS compatibility, etc.](#limitations)
5. [Development - Guide for contributing to the module](#development)
6. [Release Notes](#release-notes)
32
33
34

## Overview

35
36
37
38
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
on Linux. This module was written for use with FreeRADIUS 2.x and has not been
tested with FreeRADIUS 3.x. It was designed with CentOS in mind but should
work on other distributions.
39
40
41

## Module Description

42
43
44
45
46
47
This module installs FreeRADIUS from a distro-provided package and installs a
number of customised config files to enable flexibility. It then provides some
helpers to allow you to easily configure virtual servers (sites), modules, clients
and other config items. Most of these items accept a flat config file which you
supply either as a static file or a template - similar to the `source` and `content`
parameters in Puppet's `file` resource.
48

49
50
51
This module is designed to make it more straightforward for RADIUS administrators to
deploy RADIUS servers using Puppet. This module does not serve as a wizard and does
not avoid having to have an understanding of FreeRADIUS.
52
53


54
## Usage
55

56
This module provides several classes and defined types which take parameters.
57

58
### Classes
59

60
#### `freeradius`
61

62
63
The `freeradius` class installs the base server. In the early releases, this class does not
have many parameters as most values are hard-coded. I am working on parameterising more
64
65
of the global settings to increase flexibility. Patches are welcome.

66
##### `control_socket`
67
Use of the control_socket parameter in the freeradius class is deprecated. Use the `freeradius::control_socket` class instead.
68
69
70
71
72
73
74
75

##### `max_requests`
The maximum number of requests which the server keeps track of. This should be 256 multiplied by the number of clients. Default: `4096`

##### `max_servers`
Limit on the total number of servers running. Default: `4096`

##### `mysql_support`
76
Install support for MySQL. Note this only installs the package. Use `freeradius::sql` to configure SQL support. Default: `false`
77
78
79
80
81
82
83
84
85
86

##### `perl_support`
Install support for Perl. Default: `false`

##### `utils_support`
Install FreeRADIUS utils. Default: `false`

##### `ldap_support`
Install support for LDAP. Default: `false`

87
##### `wpa_supplicant`
88
89
Install wpa_supplicant utility. Default: `false`

90
##### `winbind_support`
91
Add the radius user to the winbind privileged group. You must install winbind separately. Default: `false`.
92

93
94
##### `syslog`
Add a syslog rule (using the `jgazeley/syslog` module). Default: `false`.
95

Jonathan Gazeley's avatar
Jonathan Gazeley committed
96
97
```puppet
class { 'freeradius':
98
99
100
101
102
103
104
  max_requests    => 4096,
  max_servers     => 4096,
  mysql_support   => true,
  perl_support    => true,
  utils_support   => true,
  wpa_supplicant  => true,
  winbind_support => true,
105
  syslog          => true,
Jonathan Gazeley's avatar
Jonathan Gazeley committed
106
107
108
}
```

109
110
#### `freeradius::status_server`

111
112
The `freeradius::status_server` class enabled the [status server](http://wiki.freeradius.org/config/Status).
To remove the status server, do not include this class and the server will be removed.
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

##### `secret`
The shared secret for the status server. Required.

##### `port`
The port to listen for status requests on. Default: `18121`

##### `listen`
The address to listen on. Defaults to listen on all addresses but you could set this to `$::ipaddress` or `127.0.0.1`.  Default: `*`

```puppet
  # Enable status server
  class { 'freeradius::status_server':
    port   => '18120',
    secret => 't0pSecret!',
  }
```

131
132
133
134
135
136
137
138
#### `freeradius::control_socket`

The `freeradius::control_socket` class enables the control socket which can be used with [RADMIN](http://freeradius.org/radiusd/man/radmin.html).
To remove the control socket, do not include this class and the socket will be removed.

##### `mode`
Whether the control socket should be read-only or read-write. Choose from `ro`, `rw`. Default: `ro`.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
139
140
141
142
143
144
145
```puppet
  # Enable control socket
  class { 'freeradius::control_socket':
    mode => 'ro',
  }
```

146
### Resources
147

148
#### `freeradius::attr`
149

150
151
152
153
154
Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory.

##### `key`

Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name.
Jonathan Gazeley's avatar
Jonathan Gazeley committed
155

156
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
157
freeradius::attr { 'eduroamlocal':
158
  key    => 'User-Name',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
159
160
161
  source => 'puppet:///modules/site_freeradius/eduroamlocal',
}
```
162

163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#### `freeradius::blank`

Selectively blank certain stock config files that aren't required. This is preferable to deleting them
because the package manager will replace certain files next time the package is upgraded, potentially
causing unexpected behaviour.

The resource title should be the relative path from the FreeRADIUS config directory to the file(s) you
want to blank. You can pass multiple files in an array.

```puppet
freeradius::blank { 'sites-enabled/default': }

freeradius::blank { [
  'sites-enabled/default',
  'eap.conf',
]: }
```

181
182
#### `freeradius::cert`

183
Install certificates as provided. These are installed in `/etc/raddb/certs`. Beware that any certificates *not* deployed by Puppet will be purged from this directory.
184
185
186
187
188
189
190
191

```puppet
freeradius::cert { 'mycert.pem':
  source => 'puppet:///modules/site_freeradius/mycert.pem',
  type   => 'key',
}
```

192
193
194
195
196
197
198
```puppet
freeradius::cert { 'mycert.pem':
  content => '<your key/cert content here>',
  type    => 'key',
}
```

199
200
201
202
##### `type`

Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.

203
204
205
206
#### `freeradius::client`

Define RADIUS clients as seen in `clients.conf`

207
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
208
209
freeradius::client { "wlan-controller01":
  ip        => '192.168.0.1',
210
  secret    => 'testing123',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
211
  shortname => 'wlc01',
212
  nastype   => 'other',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
213
214
215
  port      => '1645-1646',
  firewall  => true,
}
216
217
```

218
##### `ip`
219
The IP address of the client.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
220
221

##### `ip6`
222
The IPv6 address of the client. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
223
224

##### `shortname`
225
A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Required.
226
227

##### `secret`
228
The RADIUS shared secret used for communication between the client/NAS and the RADIUS server. Required.
229
230

##### `virtual_server`
231
The virtual server that traffic from this client should be sent to. Default: `undef`.
232
233

##### `nastype`
234
The `nastype` attribute is used to tell the `checkrad.pl` script which NAS-specific method it should use when checking simultaneous use. See [`man clients.conf`](http://freeradius.org/radiusd/man/clients.conf.txt) for a list of all options. Default: `undef`.
235
236

##### `netmask`
237
The netmask of the client, specified as an integer, e.g. `24`. Default: `undef`.
238
239

##### `port`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
240
The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server. Currently the port number is only used to create firewall exceptions and you only need to specify it if you set `firewall => true`. Use port range syntax as in [`puppetlabs-firewall`](https://forge.puppetlabs.com/puppetlabs/firewall). Default: `undef`.
241

242
243
##### `firewall`
Create a firewall exception for this virtual server. If this is set to `true`, you must also supply `port` and either `ip` or `ip6`. Default: `false`.
244
245
246
247
248

#### `freeradius::config`

Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d`

249
```puppet
250
251
252
253
254
freeradius::config { 'realm-checks.conf':
  source => 'puppet:///modules/site_freeradius/realm-checks.conf',
}
```

255
256
257
258
259
260
```puppet
freeradius::config { 'realm-checks.conf':
  content => template('your_template),
}
```

261
262
263
264
265
266
267
268
269
#### `freeradius::dictionary`

Install custom dictionaries without breaking the default FreeRADIUS dictionary. Custom dictionaries are installed in `/etc/raddb/dictionary.d` and automatically included in the global dictionary.

```puppet
freeradius::dictionary { 'mydict':
  source => 'puppet:///modules/site_freeradius/dictionary.mydict',
}
```
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
#### `freeradius::home_server`

This section defines a "Home Server" which is another RADIUS server that gets sent proxied requests.

##### `secret`

The shared secret use to "encrypt" and "sign" packets between FreeRADIUS and the home server.

##### `type`

Home servers can be sent Access-Request packets or Accounting-Request packets. Allowed values are:
* `auth` Handles Access-Request packets
* `acct`  Handles Accounting-Request packets
* `auth+acct` Handles Access-Request packets at "port" and Accounting-Request packets at "port + 1"
* `coa` Handles CoA-Request and Disconnect-Request packets.

Default: `auth`

##### `ipaddr`

IPv4 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `ipv6addr`

IPv6 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `virtual_server`

If you specify a virtual_server here, then requests will be proxied internally to that virtual server.
These requests CANNOT be proxied again, however. The intent is to have the local server handle packets
when all home servers are dead. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `port`

The port to which packets are sent. Usually 1812 for type "auth", and  1813 for type "acct".
Older servers may use 1645 and 1646. Use 3799 for type "coa" Default: `1812`

##### `proto`
The transport protocol. If unspecified, defaults to "udp", which is the traditional
RADIUS transport. It may also be "tcp", in which case TCP will be used to talk to
this home server. Default: `udp`


#### `freeradius::home_server_pool`

##### `home_server`

An array of one or more home servers. The names of the home servers are NOT the hostnames, but the names
of the sections. (e.g. `home_server foo {...}` has name "foo".

Note that ALL home servers listed here have to be of the same type. i.e. they all have to be "auth", or they all have to
be "acct", or they all have to be "auth+acct".


##### `type`

The type of this pool controls how home servers are chosen.

* `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.

The default type is `fail-over`.

##### `virtual_server`

A `virtual_server` may be specified here.  If so, the "pre-proxy" and "post-proxy" sections are called when
the request is proxied, and when a response is received.

##### `fallback`

If ALL home servers are dead, then this "fallback" home server is used. If set, it takes precedence over any realm-based
fallback, such as the DEFAULT realm.

For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!

348

349
350
#### `freeradius::instantiate`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
351
352
Instantiate a module that is not automatically instantiated.

353
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
354
355
freeradius::instantiate { 'mymodule': }
```
356

357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
#### `freeradius::ldap`

Configure LDAP support for FreeRADIUS

##### `identity`
LDAP account for searching the directory. Required.

##### `password`
Password for the `identity` account. Required.

##### `basedn`
Unless overridden in another section, the dn from which all searches will start from. Required.

##### `server`
Hostname of IP address of the LDAP server. Note that this needs to match the name(s) in the LDAP server
certificate, if you're using ldaps. Default: `localhost`

##### `port`
Port to connect to the LDAP server on. Default: `389`

##### `uses`
How many times the connection can be used before being re-established. This is useful for things
like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0`

##### `idle`
Sets the idle time before keepalive probes are sent. Default `60`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `probes`
Sets the maximum number of keepalive probes TCP should send before dropping the connection. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `interval`
Setss the interval in seconds between individual keepalive probes. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `timeout`
Number of seconds to wait for LDAP query to finish. Default: `10`

##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].start_servers}`

##### `min`
Minimum number of connections to keep open. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].min_spare_servers}`

##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`

##### `spare`
Spare connections to be left idle. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].max_spare_servers}`

##### `starttls`
Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation.
The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections

Default: `no`

##### `cafile`
Path to CA cert file for TLS

##### `certfile`
Path to cert file for TLS

##### `keyfile`
Path to key file for TLS

##### `requirecert`
Certificate Verification requirements. Choose from:
'never' (do not even bother trying)
'allow' (try, but don't fail if the certificate cannot be verified)
'demand' (fail if the certificate does not verify)
'hard'  (similar to 'demand' but fails if TLS cannot negotiate)

Default: `allow`


444
#### `freeradius::module`
445

446
Install a module from a flat file.
447

448
```puppet
449
450
451
452
453
freeradius::module { 'buffered-sql':
  source => 'puppet:///modules/site_freeradius/buffered-sql',
}
```

454
455
456
457
458
459
```puppet
freeradius::module { 'buffered-sql':
  content => template('some_template.erb)',
}
```

460
461
462
463
#### `freeradius::policy`

Install a policy from a flat file.

464
```puppet
465
466
467
468
469
freeradius::policy { 'my-policies':
  source => 'puppet:///modules/site_freeradius/my-policies',
}
```

470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
#### `freeradius::realm`

Define a realm in `proxy.conf`. Realms point to pools of home servers.

##### `virtual_server`

Set this to "proxy" requests internally to a virtual server. The pre-proxy and post-proxy sections are run just as with any
other kind of home server.  The virtual server then receives the request, and replies, just as with any other packet.
Once proxied internally like this, the request CANNOT be proxied internally or externally.

##### `auth_pool`

For authentication, the `auth_pool` configuration item should point to a `home_server_pool` that was previously
defined.  All of the home servers in the `auth_pool` must be of type `auth`.

##### `acct_pool`

For accounting, the `acct_pool` configuration item should point to a `home_server_pool` that was previously
defined.  All of the home servers in the `acct_pool` must be of type `acct`.

##### `pool`

If you have a `home_server_pool` where all of the home servers are of type `auth+acct`, you can just use the `pool`
configuration item, instead of specifying both `auth_pool` and `acct_pool`.

##### `nostrip`

Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped"
user name is used to perform matches.If you do not want this to happen, set this to `true`. Default: `false`.


501
502
503
504
505
#### `freeradius::script`

Install a helper script, e.g. which might be called upon by a virtual server. These are
placed in `/etc/raddb/scripts` and are not automatically included by the server.

506
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
507
freeradius::script{ 'myperlscript.pl':
Jonathan Gazeley's avatar
Jonathan Gazeley committed
508
509
510
511
  source => 'puppet:///modules/site_freeradius/myperlscript.pl',
}
```

512
513
#### `freeradius::site`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
514
Install a virtual server (a.k.a. site) from a flat file. Sites are installed directly
515
516
into `/etc/raddb/sites-enabled`. Any files in this directory that are *not* managed by
Puppet will be removed.
517

518
```puppet
519
520
521
522
523
freeradius::site { 'inner-tunnel':
  source => 'puppet:///modules/site_freeradius/inner-tunnel',
}
```

524
525
526
527
528
529
#### `freeradius::sql`

Configure SQL connections. You can define multiple database connections by
invoking this resource multiple times. If you are using MySQL, don't forget to
also set `mysql_support => true` in the base `freeradius` class.

530
531
532
533
534
535
536
537
538
539
```puppet
freeradius::sql { 'mydatabase':
  database  => 'mysql',
  server    => '192.168.0.1',
  login     => 'radius',
  password  => 'topsecret',
  radius_db => 'radius',
}
```

540
541
542
543
544
545
546
547
##### `database`

Default: `undef`. Required. Specify which FreeRADIUS database driver to use. Choose one of `mysql`, `mssql`, `oracle`, `postgresql`

##### `server`

Default: `localhost`. Specify hostname of IP address of the database server.

548
549
550
551
##### `port`

TCP port to connect to the database. Default: `3306`.

552
553
554
555
556
557
558
559
560
561
562
563
564
##### `login`

Default: `radius`. Username to connect to the databae.

##### `password`

Default: `undef`. Required. Password to connect to the database.

##### `radius_db`

Default: `radius`. Name of the database. Normally you should leave this alone. If you are using Oracle then use this instead:
`(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))`.

565
566
567
568
569
570
571
572
##### `num_sql_socks`

Default: same as `max_servers`. Number of sql connections to make to the database server. 
Setting this to LESS than the number of threads means that some threads may starve, and
you will see errors like "No connections available and at max connection limit". Setting
this to MORE than the number of threads means that there are more connections than necessary.
Leave blank to set it to the same value as the number of threads.

573
574
575
576
577
578
579
580
581
582
##### `lifetime`

Default: `0`. Lifetime of an SQL socket. If you are having network issues such as TCP sessions expiring, you may need to set the socket
lifetime. If set to non-zero, any open connections will be closed `$lifetime` seconds after they were first opened.

##### `max_queries`

Default: `0`. Maximum number of queries used by an SQL socket. If you are having issues with SQL sockets lasting "too long", you can
limit the number of queries performed over one socket. After `$max_qeuries`, the socket will be closed. Use 0 for "no limit".

583
584
##### `query_file`

585
586
**`query_file` has been deprecated - use `custom_query_file` instead**

587
588
589
590
591
592
593
594
Default: `sql/${database}/dialup.conf`. Relative path to the file which contains your SQL queries. By
default, points to the `dialup.conf` specific to your database engine, so leave this blank if you are
using stock queries.

If you need to use custom queries, it is recommended that you deploy your query file using
`freeradius::script` to install the file into `/etc/raddb/scripts/custom_dialup.conf` and then
set `query_file` to `scripts/custom_dialup.conf`.

595
596
597
598
599
600
601
##### `custom_query_file`

Default: `null`. Puppet fileserver path to a file which contains your SQL queries, i.e. `dialup.conf`. This
option is intended to be a replacment for `query_file`, which requires separate deployment of the file. This
option allows you to specify a Puppet-managed custom `dialup.conf` which is installed and loaded automatically.
`query_file` must be left blank if you use `custom_query_file`.

602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
##### `acct_table1`

If you want both stop and start records logged to the same SQL table, leave this as is.  If you want them in
different tables, put the start table in `$acct_table1` and stop table in `$acct_table2`. Default : `radacct`

##### `acct_table2`

If you want both stop and start records logged to the same SQL table, leave this as is.  If you want them in
different tables, put the start table in `$acct_table1` and stop table in `$acct_table2`. Default : `radacct`

##### `postauth_table`

Table for storing data after authentication

##### `authcheck_table`

Default: `radcheck`

##### `authreply_table`

Default: `radreply`

##### `groupcheck_table`

Default: `radgroupcheck`

##### `groupreply_table`

Default: `radgroupreply`

##### `usergroup_table`

Table to keep group info. Default: `radusergroup`

##### `read_groups`

If set to `yes` (default) we read the group tables. If set to `no` the user MUST have `Fall-Through = Yes`
in the radreply table. Default: `yes`.

##### `deletestalesessions`

Remove stale session if checkrad does not see a double login. Default: `yes`.

##### `sqltrace`

Print all SQL statements when in debug mode (-x). Default: `no`.

##### `sqltracefile`

Location for SQL statements to be stored if `$sqltrace = yes`. Default:
`${logdir}/sqltrace.sql`

##### `connect_failure_retry_delay`

Number of seconds to dely retrying on a failed database connection (per socket). Default: `60`.

##### `nas_table`

Table to keep radius client info. Default: `nas`.

#### `readclients`

Set to `yes` to read radius clients from the database (`$nas_table`) Clients will ONLY be read on server startup. For performance
and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running. Default: `no`.
666

667
668
669
670
671
#### `freeradius::statusclient`

Define RADIUS clients, specifically to connect to the status server for monitoring.
Very similar usage to `freeradius::client` but with fewer options.

672
673
674
675
676
677
678
679
680
681
682
683
684
685
##### `ip`
Default: `undef`. The IP address of the client.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.

##### `ip6`
Default: `undef`. The IPv6 address of the client. `ip` and `ip6` are mutually exclusive but one must be supplied.

##### `secret`
required. The RADIUS shared secret used for communication between the client/NAS and the RADIUS server.

##### `port`
Default: `undef`. The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server.

##### `shortname`
required. A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section.
686
687
688
689


## Limitations

690
This module is targeted at FreeRADIUS 2.x running on CentOS 6. It has not been tested
691
692
on other distributions, but might work. Likely sticking points with other distros are
the names of packages, services and file paths.
693

694
695
696
697
698
699
This module has not been tested on FreeRADIUS 3.x and almost certainly won't work
without modification. FreeRADIUS 3.x support in this module will come onto the roadmap
at the same time that my employer decides to start looking FreeRADIUS 3.x.

This module was written for use with Puppet 3.6 and 3.7, but should be quite agnostic
to new versions of Puppet.
700
701
702

## Development

703
704
705
706
This module was written primarily for internal use - features we haven't needed to
use probably haven't been written. Please send pull requests with new features and
bug fixes. You are also welcome to file issues but I make no guarantees of
development effort if the features aren't useful to my employer.
707

708
## Release Notes
709

Jonathan Gazeley's avatar
Jonathan Gazeley committed
710
711
712
713
### 0.4.5

 * Tweak wildcard matching on logrotate config

Jonathan Gazeley's avatar
Jonathan Gazeley committed
714
715
716
717
### 0.4.4

 * Fix bug displaying deprecation notice and update documentation to reflect this

Jonathan Gazeley's avatar
Jonathan Gazeley committed
718
719
720
721
### 0.4.3

 * Manage log rotation with [rodjek/logrotate](https://forge.puppetlabs.com/rodjek/logrotate) instead of deploying flat files

Jonathan Gazeley's avatar
Jonathan Gazeley committed
722
723
724
725
### 0.4.2

 * Provide new SQL option custom_query_file

726
727
728
729
730
### 0.4.1

 * Cease management of custom logging modules `logtofile` and `logtosyslog` since it does not make sense to manage these globally 
 * Purge instantiation of unused modules

Jonathan Gazeley's avatar
Jonathan Gazeley committed
731
732
733
734
### 0.4.0

 * Move control_socket into its own class and add parameters
 * Improve the way the status_server is added or removed
Jonathan Gazeley's avatar
Jonathan Gazeley committed
735
 * Delete all unmanaged sites from sites-available
Jonathan Gazeley's avatar
Jonathan Gazeley committed
736

Jonathan Gazeley's avatar
Jonathan Gazeley committed
737
738
739
740
### 0.3.8

 * Purge all non-managed sites

Jonathan Gazeley's avatar
Jonathan Gazeley committed
741
742
743
744
745
### 0.3.7

 * Minor linting of code to improve score
 * Minor linting of metadata to improve score

Jonathan Gazeley's avatar
Jonathan Gazeley committed
746
747
748
749
### 0.3.6

 * Bugfixes and feature improvements in `freeradius::sql`

750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
### 0.3.5

 * Add ability to customise SQL socket lifetimes
 * Purge all non-managed clients
 * Add defined type to blank out unneeded config files without deleting them

### 0.3.4

 * Correctly pass template content to control-socket

### 0.3.3

 * The default behaviour is now to purge anything in ${confdir}/certs that is not managed by Puppet

### 0.3.2

 * Various improvements to support Debian family
 * Optional content parameters in various resources

### 0.3.1

 * Fix a bug which prevents the module from working properly on Debian/Ubuntu (thanks @diranged)

Jonathan Gazeley's avatar
Jonathan Gazeley committed
773
774
775
776
### 0.3.0

 * Add `ensure` parameter to all defined types

Jonathan Gazeley's avatar
Jonathan Gazeley committed
777
778
779
780
### 0.2.0

 * Add support for customising `sql.conf` natively by adding `freeradius::sql`

781
782
783
784
### 0.1.4

 * Fix ambiguity about net/netmask in freeradius::client

Jonathan Gazeley's avatar
Jonathan Gazeley committed
785
786
787
788
789
790
791
### 0.1.3

 * Add support for managing firewall rules automatically
 * Add support for installation certificates & keys
 * Make syslog support an optional component
 * Various bugfixes

Jonathan Gazeley's avatar
Jonathan Gazeley committed
792
793
794
795
796
797
798
### 0.1.2

 * Improved modular installs with optional components
 * Improved support for Debian
 * Clarify dependencies on other modules
 * Lots of bugfixes

Jonathan Gazeley's avatar
Jonathan Gazeley committed
799
800
801
802
803
### 0.1.0

 * Initial release with support for installing FreeRADIUS and configuring servers, modules, clients and other objects using flat files.
 * Probably works only with FreeRADIUS 2.x
 * Only tested with CentOS 6
Jonathan Gazeley's avatar
Jonathan Gazeley committed
804