    freeradius

    Table of Contents

    1. Overview
    2. Module Description - What the module does and why it is useful
    3. Usage - Configuration options and additional functionality
    4. Limitations - OS compatibility, etc.
    5. Development - Guide for contributing to the module

    Overview

    This module installs and configures a FreeRADIUS server on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind but should work on other distributions.

    This module requires Puppet 4.0.0 or greater. Puppet 3.x was discontinued at the end of 2016.

    jgazeley/freeradius | FreeRADIUS
    ------------------- | -----------
    3.x                 | 3.x
    2.x                 | 3.x
    1.x                 | 2.x and 3.x
    0.x                 | 2.x

    Module Description

    This module installs FreeRADIUS from a distro-provided package and installs a number of customised config files to enable flexibility. It then provides some helpers to allow you to easily configure virtual servers (sites), modules, clients and other config items. Most of these items accept a flat config file which you supply either as a static file or a template - similar to the source and content parameters in Puppet's file resource.

    This module is designed to make it more straightforward for RADIUS administrators to deploy RADIUS servers using Puppet. It is not a wizard and does not remove the need to understand FreeRADIUS.

    Usage

    This module provides several classes and defined types which take parameters.

    Classes

    freeradius

    The freeradius class installs the base server. In the early releases, this class does not have many parameters as most values are hard-coded. I am working on parameterising more of the global settings to increase flexibility. Patches are welcome.

    control_socket

    Use of the control_socket parameter in the freeradius class is deprecated. Use the freeradius::control_socket class instead.

    correct_escapes

    Use correct backslash escaping in unlang. Default: true

    max_requests

    The maximum number of requests which the server keeps track of. This should be 256 multiplied by the number of clients. Default: 4096

    max_servers

    Limit on the total number of servers running. Default: 4096

    mysql_support

    Install support for MySQL. Note this only installs the package. Use freeradius::sql to configure SQL support. Default: false

    perl_support

    Install support for Perl. Default: false

    preserve_mods

    Leave recommended stock modules enabled. Default: true

    utils_support

    Install FreeRADIUS utils. Default: false

    ldap_support

    Install support for LDAP. Default: false

    dhcp_support

    Install support for DHCP. Default: false

    krb5_support

    Install support for Kerberos. Default: false

    wpa_supplicant

    Install wpa_supplicant utility. Default: false

    winbind_support

    Add the radius user to the winbind privileged group. You must install winbind separately. Default: false.

    log_destination

    Configure destination of log messages. Valid values are files, syslog, stdout and stderr. Default: files.

    syslog

    Add a syslog rule (using the saz/rsyslog module). Default: false.

    log_auth

    Log authentication requests (yes/no). Default: no.

    package_ensure

    Choose whether the package is just installed and left (installed), or updated every Puppet run (latest). Default: installed

    class { 'freeradius':
      max_requests    => 4096,
      max_servers     => 4096,
      mysql_support   => true,
      perl_support    => true,
      utils_support   => true,
      wpa_supplicant  => true,
      winbind_support => true,
      syslog          => true,
      log_auth        => 'yes',
    }

    freeradius::status_server

    The freeradius::status_server class enables the status server. If this class is not included, the status server is removed.

    secret

    The shared secret for the status server. Required.

    port

    The port to listen for status requests on. Default: 18121

    listen

    The address to listen on. Defaults to listen on all addresses but you could set this to $::ipaddress or 127.0.0.1. Default: *

    # Enable status server
    class { 'freeradius::status_server':
      port   => '18120',
      secret => 't0pSecret!',
    }

    freeradius::control_socket

    The freeradius::control_socket class enables the control socket, which can be used with RADMIN. If this class is not included, the control socket is removed.

    mode

    Whether the control socket should be read-only or read-write. Choose from ro, rw. Default: ro.

    # Enable control socket
    class { 'freeradius::control_socket':
      mode => 'ro',
    }

    Resources

    freeradius::attr

    Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory. The contents of the attr_filter module are automatically updated to reference the filters.

    key

    Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name.

    prefix

    Specify the prefix for the attribute filter name before the dot, e.g. filter.post_proxy. This is usually set to filter on FR2 and attr_filter on FR3. Default: filter.

    freeradius::attr { 'eduroamlocal':
      key    => 'User-Name',
      prefix => 'attr_filter',
      source => 'puppet:///modules/site_freeradius/eduroamlocal',
    }

    freeradius::blank

    Selectively blank certain stock config files that aren't required. This is preferable to deleting them because the package manager will replace certain files next time the package is upgraded, potentially causing unexpected behaviour.

    The resource title should be the relative path from the FreeRADIUS config directory to the file(s) you want to blank. You can pass multiple files in an array.

    freeradius::blank { 'sites-enabled/default': }
    
    freeradius::blank { [
      'sites-enabled/default',
      'eap.conf',
    ]: }

    freeradius::cert

    Install certificates as provided. These are installed in the certs directory. Beware that any certificates not deployed by Puppet will be purged from this directory.

    # Install a private key from a file in a module
    freeradius::cert { 'mycert.pem':
      source => 'puppet:///modules/site_freeradius/mycert.pem',
      type   => 'key',
    }

    # Alternatively, supply the key/certificate content inline
    freeradius::cert { 'mycert.pem':
      content => '<your key/cert content here>',
      type    => 'key',
    }

    type

    Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: cert, key. Default: key.

    freeradius::client

    Define RADIUS clients as seen in clients.conf

    # Single host example
    freeradius::client { "wlan-controller01":
      ip        => '192.168.0.1',
      secret    => 'testing123',
      shortname => 'wlc01',
      nastype   => 'other',
      port      => '1645-1646',
      firewall  => true,
    }
    # Range example
    freeradius::client { "wlan-controllers":
      ip        => '192.168.0.0/24',
      secret    => 'testing123',
      shortname => 'wlc01',
      nastype   => 'other',
      port      => '1645-1646',
      firewall  => true,
    }
    # Huntgroup Example
    freeradius::client { "asa01":
      ip         => '192.168.0.1',
      secret     => 'testing123',
      huntgroups => [
        { name       => 'firewall',
          conditions => [ 'NAS-IP-Address == 192.168.0.1' ] },
      ]
    }

    ip

    The IP address of the client or range in CIDR format. For IPv6, use the ip6 parameter instead. ip and ip6 are mutually exclusive but one must be supplied. Default: undef.

    ip6

    The IPv6 address of the client or range in CIDR format. ip and ip6 are mutually exclusive but one must be supplied. Default: undef.

    shortname

    A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Defaults to resource name.

    secret

    The RADIUS shared secret used for communication between the client/NAS and the RADIUS server. Required.

    virtual_server

    The virtual server that traffic from this client should be sent to. Default: undef.

    nastype

    The nastype attribute is used to tell the checkrad.pl script which NAS-specific method it should use when checking simultaneous use. See man clients.conf for a list of all options. Default: undef.

    proto

    Transport protocol used by the client. If unspecified, defaults to "udp", which is the traditional RADIUS transport. Valid values are udp, tcp or * for both of them. Default: undef.

    require_message_authenticator

    Old-style clients do not send a Message-Authenticator in an Access-Request. RFC 5080 suggests that all clients SHOULD include it in an Access-Request. When set to yes, Access-Requests from this client that lack a Message-Authenticator are silently discarded. Valid values are yes and no. Default: no.

    login

    Login used by checkrad.pl when querying the NAS for simultaneous use. Default: undef.

    password

    Password used by checkrad.pl when querying the NAS for simultaneous use. Default: undef.

    coa_server

    A pointer to the home_server_pool OR a home_server section that contains the CoA configuration for this client. Default: undef.
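    The following is an added example, not from the module's README, that combines the client parameters described above for an IPv6 NAS: the shared secret is read from Hiera rather than written into the manifest, and Message-Authenticator is required. It assumes a Hiera key site_freeradius::wlc_secret and a virtual server named wlan, both hypothetical.

```puppet
# Added example; not part of the jgazeley/freeradius README.
# Assumes (hypothetical) a Hiera key 'site_freeradius::wlc_secret' holding
# the shared secret and a virtual server 'wlan' defined elsewhere.
$wlc_secret = lookup('site_freeradius::wlc_secret')

# IPv6 controller range: ip6 is used instead of ip (they are mutually
# exclusive). TCP transport is selected explicitly, and Access-Requests
# without a Message-Authenticator are discarded, as RFC 5080 recommends.
freeradius::client { 'wlan-controllers-v6':
  ip6                           => '2001:db8:1::/64',
  secret                        => $wlc_secret,
  shortname                     => 'wlc-v6',
  nastype                       => 'other',
  proto                         => 'tcp',
  virtual_server                => 'wlan',
  require_message_authenticator => 'yes',
}
```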

    response_window