From 343179c6bffc17e826dc2d3ca56cae7fa9be1b93 Mon Sep 17 00:00:00 2001
From: "Angel L. Mateo" <amateo@um.es>
Date: Wed, 25 Jan 2017 11:23:50 +0100
Subject: [PATCH] Add exhaustive parameter list to freeradius::client

It defines all the parameters included in the sample config.
---
 README.md                 | 28 ++++++++++++++++++++++++
 manifests/client.pp       | 46 ++++++++++++++++++++++++++++++---------
 templates/client.conf.erb | 14 +++++++++++-
 3 files changed, 77 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index b40f1cd..c949d0c 100644
--- a/README.md
+++ b/README.md
@@ -278,6 +278,34 @@ The virtual server that traffic from this client should be sent to. Default: `un
 ##### `nastype`
 The `nastype` attribute is used to tell the `checkrad.pl` script which NAS-specific method it should use when checking simultaneous use. See [`man clients.conf`](http://freeradius.org/radiusd/man/clients.conf.txt) for a list of all options. Default: `undef`.
 
+##### `proto`
+Transport protocol used by the client. If unspecified, defaults to "udp", which is the traditional RADIUS transport. Valid values are `udp`, `tcp` or `*` for both of them. Default: `undef`.
+
+##### `require_message_authenticator`
+Old-style clients do not send a Message-Authenticator in an Access-Request.  RFC 5080 suggests that all clients SHOULD include it in an Access-Request. Valid values are `yes` and `no`. Default: `no`.
+
+##### `login`
+Login used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.
+
+##### `password`
+Password used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.
+
+##### `coa_server`
+A pointer to the "home_server_pool" OR a "home_server" section that contains the CoA configuration for this client. Default: `undef`.
+
+##### `response_window`
+Response window for proxied packets. Default: `undef`.
+
+##### `max_connections`
+Limit the number of simultaneous TCP connections from a client. It is ignored for clients sending UDP traffic. Default: `undef`.
+
+##### `lifetime`
+The lifetime, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.
+
+##### `idle_timeout`
+The idle timeout, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.
+
+
 ##### `port`
 The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server. Currently the port number is only used to create firewall exceptions and you only need to specify it if you set `firewall => true`. Use port range syntax as in [`puppetlabs-firewall`](https://forge.puppetlabs.com/puppetlabs/firewall). Default: `undef`.
 
diff --git a/manifests/client.pp b/manifests/client.pp
index 68d6b9e..93924ea 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -2,22 +2,48 @@
 define freeradius::client (
   $shortname,
   $secret,
-  $ip             = undef,
-  $ip6            = undef,
-  $virtual_server = undef,
-  $nastype        = undef,
-  $redirect       = undef,
-  $port           = undef,
-  $srcip          = undef,
-  $firewall       = false,
-  $ensure         = present,
-  $attributes     = [],
+  $ip                            = undef,
+  $ip6                           = undef,
+  $proto                         = undef,
+  $require_message_authenticator = 'no',
+  $virtual_server                = undef,
+  $nastype                       = undef,
+  $login                         = undef,
+  $password                      = undef,
+  $coa_server                    = undef,
+  $response_window               = undef,
+  $max_connections               = undef,
+  $lifetime                      = undef,
+  $idle_timeout                  = undef,
+  $redirect                      = undef,
+  $port                          = undef,
+  $srcip                         = undef,
+  $firewall                      = false,
+  $ensure                        = present,
+  $attributes                    = [],
 ) {
   $fr_package  = $::freeradius::params::fr_package
   $fr_service  = $::freeradius::params::fr_service
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
+  if $proto {
+    unless $proto in ['*', 'udp', 'tcp'] {
+      fail('$proto must be one of udp, tcp or *')
+    }
+  }
+
+  unless $require_message_authenticator in ['yes', 'no'] {
+    fail('$require_message_authenticator must be one of yes or no')
+  }
+
+  if $nastype {
+    unless $nastype in ['cisco', 'computone', 'livingston', 'juniper', 'max40xx',
+    'multitech', 'netserver', 'pathras', 'patton', 'portslave', 'tc', 'usrhiper', 'other'] {
+      fail('$nastype must be one of cisco, computone, livingston, juniper, max40xx, multitech, netserver, pathras, patton, portslave, tc, usrhiper, other')
+    }
+  }
+
   file { "${fr_basepath}/clients.d/${shortname}.conf":
     ensure  => $ensure,
     mode    => '0640',
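Review bot: `$response_window`, `$max_connections`, `$lifetime` and `$idle_timeout` are passed straight through to the client block while `$proto`, `$require_message_authenticator` and `$nastype` get validated, so a non-numeric value is only caught when the daemon reloads the generated clients.conf rather than at catalog compile time. A guard in the same shape as the `$proto` check, e.g. `if $max_connections { unless $max_connections =~ /^\d+$/ { fail('$max_connections must be a positive integer') } }`, reports it early; the other three would get the same treatment, assuming these values arrive as strings like the parameters already validated here. The new `$nastype` whitelist also rejects values the define previously passed through unchecked, which existing catalogs may depend on, so it is worth confirming the list against the `clients.conf` man page the README cites. The define's body continues past the end of the hunk.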
diff --git a/templates/client.conf.erb b/templates/client.conf.erb
index d5f4104..e440171 100644
--- a/templates/client.conf.erb
+++ b/templates/client.conf.erb
@@ -1,11 +1,23 @@
 client <%= @shortname %> {
 	<% if @ip %>ipaddr = <%= @ip %><% end %>
 	<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
+  <% if @proto %>proto = <%= @proto %><% end %>
 	shortname = <%= @shortname %>
 	secret = "<%= @secret %>"
 	<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>
 	<% if @nastype %>nas_type = <%= @nastype %><% end %>
-	require_message_authenticator = no
+  require_message_authenticator = <%= @require_message_authenticator %>
+  <% if @login %>login = <%= @login %><% end %>
+  <% if @password %>password = <%= @password %><% end %>
+  <% if @coa_server %>coa_server = <%= @coa_server %><% end %>
+  <% if @response_window %>response_window = <%= @response_window %><% end %>
+  <%- if @lifetime or @idle_timeout or @max_connections -%>
+  limit {
+    <% if @max_connections %>max_connections = <%= @max_connections %><% end %>
+    <% if @lifetime %>lifetime = <%= @lifetime %><% end %>
+    <% if @idle_timeout %>idle_timeout = <%= @idle_timeout %><% end %>
+  }
+  <%- end -%>
   <%- if !@attributes.empty? -%>
     <%- if @attributes.respond_to?('join') -%>
   <%= @attributes.join("\n  ") %>
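Review bot: `password = <%= @password %>` is emitted unquoted while `secret = "<%= @secret %>"` a few lines above it is quoted, so a checkrad password containing whitespace or a `#` can be cut short or rejected when the daemon parses the generated file; `password = "<%= @password %>"` keeps the two credentials consistent (and `login` could be quoted the same way). The added lines are indented with two spaces while the surrounding context lines use a tab, so every generated `clients.d/*.conf` ends up with mixed indentation; matching the tab would keep the output uniform. The template continues past the end of the hunk.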
-- 
GitLab