Loading README.md +40 −0 Original line number Diff line number Diff line Loading @@ -277,6 +277,18 @@ freeradius::client { "wlan-controllers": } ``` ```puppet # Huntgroup Example freeradius::client { "asa01": ip => '192.168.0.1', secret => 'testing123', huntgroups => [ { name => 'firewall', conditions => [ 'NAS-IP-Address == 192.168.0.1' ] }, ] } ``` ##### `ip` The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`. Loading Loading @@ -332,6 +344,10 @@ Create a firewall exception for this virtual server. If this is set to `true`, y ##### `attributes` Array of attributes to assign to this client. Default: empty. ##### `huntgroups` Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup. #### `freeradius::config` Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d` Loading Loading @@ -440,6 +456,30 @@ fallback, such as the DEFAULT realm. For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead! #### `freeradius::huntgroup` Define a huntgroup given a name and the conditions under which a huntgroup matches a client. ```puppet freeradius::huntgroup { 'switchaccess': huntgroup => 'switchaccess', conditions => [ 'NAS-IP-Address == 192.168.0.1' ] } ##### `huntgroup` Name of the huntgroup to assign, if conditions are all met. Default to the resource title. ##### `conditons` Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'. ##### `type` ##### `home_server` #### `freeradius::instantiate` Instantiate a module that is not automatically instantiated. Loading files/huntgroups.header 0 → 100644 +46 −0 Original line number Diff line number Diff line # # huntgroups This file defines the `huntgroups' that you have. A # huntgroup is defined by specifying the IP address of # the NAS and possibly a port range. Port can be identified # as just one port, or a range (from-to), and multiple ports # or ranges of ports must be separated by a comma. For # example: 1,2,3-8 # # Matching is done while RADIUS scans the user file; if it # includes the selection criterium "Huntgroup-Name == XXX" # the huntgroup is looked up in this file to see if it # matches. There can be multiple definitions of the same # huntgroup; the first one that matches will be used. # # This file can also be used to define restricted access # to certain huntgroups. The second and following lines # define the access restrictions (based on username and # UNIX usergroup) for the huntgroup. # # # Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name # called Alphen that matches on all three terminal servers. # #alphen NAS-IP-Address == 192.0.2.5 #alphen NAS-IP-Address == 192.0.2.6 #alphen NAS-IP-Address == 192.0.2.7 # # The POP in Delft consists of only one terminal server. # #delft NAS-IP-Address == 198.51.100.5 # # Ports 0-7 on the first terminal server in Alphen are connected to # a huntgroup that is for business users only. Note that only one # of the username or groupname has to match to get access (OR/OR). # # Note that this huntgroup is a subset of the "alphen" huntgroup. # #business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7 # User-Name = rogerl, # User-Name = henks, # Group = business, # Group = staff manifests/client.pp +9 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ define freeradius::client ( $firewall = false, $ensure = present, $attributes = [], $huntgroups = undef, ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service Loading Loading @@ -76,4 +77,12 @@ define freeradius::client ( fail('Must specify $port if you specify $firewall') } } if $huntgroups { $huntgroups.each |$index, $huntgroup| { freeradius::huntgroup { "huntgroup.client.${shortname}.${index}": * => $huntgroup } } } } manifests/huntgroup.pp 0 → 100644 +22 −0 Original line number Diff line number Diff line # Install FreeRADIUS huntgroups define freeradius::huntgroup ( $ensure = present, $huntgroup = $title, $conditions = [], $order = 50, ) { $fr_basepath = $::freeradius::params::fr_basepath $fr_service = $::freeradius::params::fr_service $conditionals = join($conditions, ", ") $content = "${huntgroup}\t${conditionals}\n" concat::fragment { "huntgroup.${title}": ensure => $ensure, target => "${fr_basepath}/mods-config/preprocess/huntgroups", content => $content, order => $order, notify => Service[$fr_service], } } manifests/init.pp +14 −0 Original line number Diff line number Diff line Loading @@ -213,6 +213,20 @@ class freeradius ( order => 90, } # Install a huntgroups file concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups": owner => 'root', group => $freeradius::fr_group, mode => '0640', require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], } concat::fragment { 'huntgroups_header': target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups", source => 'puppet:///modules/freeradius/huntgroups.header', order => 10, } # Install FreeRADIUS packages package { 'freeradius': ensure => $package_ensure, Loading Loading
README.md +40 −0 Original line number Diff line number Diff line Loading @@ -277,6 +277,18 @@ freeradius::client { "wlan-controllers": } ``` ```puppet # Huntgroup Example freeradius::client { "asa01": ip => '192.168.0.1', secret => 'testing123', huntgroups => [ { name => 'firewall', conditions => [ 'NAS-IP-Address == 192.168.0.1' ] }, ] } ``` ##### `ip` The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`. Loading Loading @@ -332,6 +344,10 @@ Create a firewall exception for this virtual server. If this is set to `true`, y ##### `attributes` Array of attributes to assign to this client. Default: empty. ##### `huntgroups` Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup. #### `freeradius::config` Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d` Loading Loading @@ -440,6 +456,30 @@ fallback, such as the DEFAULT realm. For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead! #### `freeradius::huntgroup` Define a huntgroup given a name and the conditions under which a huntgroup matches a client. ```puppet freeradius::huntgroup { 'switchaccess': huntgroup => 'switchaccess', conditions => [ 'NAS-IP-Address == 192.168.0.1' ] } ##### `huntgroup` Name of the huntgroup to assign, if conditions are all met. Default to the resource title. ##### `conditons` Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'. ##### `type` ##### `home_server` #### `freeradius::instantiate` Instantiate a module that is not automatically instantiated. Loading
files/huntgroups.header 0 → 100644 +46 −0 Original line number Diff line number Diff line # # huntgroups This file defines the `huntgroups' that you have. A # huntgroup is defined by specifying the IP address of # the NAS and possibly a port range. Port can be identified # as just one port, or a range (from-to), and multiple ports # or ranges of ports must be separated by a comma. For # example: 1,2,3-8 # # Matching is done while RADIUS scans the user file; if it # includes the selection criterium "Huntgroup-Name == XXX" # the huntgroup is looked up in this file to see if it # matches. There can be multiple definitions of the same # huntgroup; the first one that matches will be used. # # This file can also be used to define restricted access # to certain huntgroups. The second and following lines # define the access restrictions (based on username and # UNIX usergroup) for the huntgroup. # # # Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name # called Alphen that matches on all three terminal servers. # #alphen NAS-IP-Address == 192.0.2.5 #alphen NAS-IP-Address == 192.0.2.6 #alphen NAS-IP-Address == 192.0.2.7 # # The POP in Delft consists of only one terminal server. # #delft NAS-IP-Address == 198.51.100.5 # # Ports 0-7 on the first terminal server in Alphen are connected to # a huntgroup that is for business users only. Note that only one # of the username or groupname has to match to get access (OR/OR). # # Note that this huntgroup is a subset of the "alphen" huntgroup. # #business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7 # User-Name = rogerl, # User-Name = henks, # Group = business, # Group = staff
manifests/client.pp +9 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ define freeradius::client ( $firewall = false, $ensure = present, $attributes = [], $huntgroups = undef, ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service Loading Loading @@ -76,4 +77,12 @@ define freeradius::client ( fail('Must specify $port if you specify $firewall') } } if $huntgroups { $huntgroups.each |$index, $huntgroup| { freeradius::huntgroup { "huntgroup.client.${shortname}.${index}": * => $huntgroup } } } }
manifests/huntgroup.pp 0 → 100644 +22 −0 Original line number Diff line number Diff line # Install FreeRADIUS huntgroups define freeradius::huntgroup ( $ensure = present, $huntgroup = $title, $conditions = [], $order = 50, ) { $fr_basepath = $::freeradius::params::fr_basepath $fr_service = $::freeradius::params::fr_service $conditionals = join($conditions, ", ") $content = "${huntgroup}\t${conditionals}\n" concat::fragment { "huntgroup.${title}": ensure => $ensure, target => "${fr_basepath}/mods-config/preprocess/huntgroups", content => $content, order => $order, notify => Service[$fr_service], } }
manifests/init.pp +14 −0 Original line number Diff line number Diff line Loading @@ -213,6 +213,20 @@ class freeradius ( order => 90, } # Install a huntgroups file concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups": owner => 'root', group => $freeradius::fr_group, mode => '0640', require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], } concat::fragment { 'huntgroups_header': target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups", source => 'puppet:///modules/freeradius/huntgroups.header', order => 10, } # Install FreeRADIUS packages package { 'freeradius': ensure => $package_ensure, Loading