Commit f7a55936 authored by Jonathan Gazeley's avatar Jonathan Gazeley

Check in copy of freeradius from svn

parent ceff7b9b
######################################################################
######################################################################
## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ##
######################################################################
######################################################################
# -*- text -*-
#
# $Id$
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
always accept {
rcode = accept
}
######################################################################
######################################################################
## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ##
######################################################################
######################################################################
# This is the stock FreeRADIUS 'detail' log. We leave it unaltered
# and instead make further instantiations that inherit from it and
# change parameters if necessary
# -*- text -*-
#
# $Id$
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/detail.log
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0640
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
suppress {
User-Password
}
}
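Review bot: The site comment at the top of this file says the further instantiations "inherit from" this stock `detail` block, but as far as I can tell FreeRADIUS module instances do not inherit settings from one another — each `detail <name> { … }` block is configured on its own, which is why the `auth_log-for-bsql` instance in the next file repeats its own `suppress` list. Suggest rewording to `# Further detail instances are declared separately in detail.log; each one carries its own detailfile/detailperm/suppress settings.` so nobody expects the `suppress { User-Password }` here to cover them. The `detailperm = 0640` and the stock suppress list for accounting data look fine as they are.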
# -*- text -*-
#
# $Id$
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log-for-bsql {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-bsql.log
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
locking = yes
# You may also strip out passwords completely
suppress {
User-Password
EAP-Message
Framed-MTU
State
Message-Authenticator
Packet-Type
Proxy-State
Tunnel-Type
Tunnel-Medium-Type
Tunnel-Private-Group-Id
}
}
detail auth_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
log_packet_header = yes
}
# This is the same as the block above, except it allows passwords
# # to be written to the log file
detail auth_log_password {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
detailperm = 0600
}
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log
detailperm = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log
detailperm = 0600
}
linelog logtofile {
filename = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}.log
auth = yes
# Default log message
format = ""
# Match packet type to blocks below
reference = "logtofile.%{%{reply:Packet-Type}:-format}"
logtofile {
Access-Accept = "%t : Login OK: [%{User-Name}] (from client %C cli %{Calling-Station-Id} port %{Packet-Dst-Port})"
Access-Reject = "%t : Login incorrect: [%{User-Name}] (from client %C cli %{Calling-Station-Id} port %{Packet-Dst-Port})"
}
}
linelog logtosyslog {
filename = syslog
syslog_facility = local5
# Default log message
format = ""
# Match packet type to blocks below
reference = "logtosyslog.%{%{reply:Packet-Type}:-format}"
logtosyslog {
Access-Accept = "%{Virtual-Server}: Login OK: [%{User-Name}] (from client %S cli %{Calling-Station-Id})"
Access-Reject = "%{Virtual-Server}: Login incorrect: [%{User-Name}] (from client %S cli %{Calling-Station-Id})"
}
}
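Review bot: The `detail auth_log_password` instance writes to the same path as `detail auth_log` (`${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log`) but without the `suppress { User-Password }` list, so if both are enabled the file that `auth_log` is meant to keep password-free will contain cleartext passwords, and two instances appending to one file without `locking = yes` can interleave records. Give it its own file, e.g. `detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail-password.log` (constructed name), or drop the instance if nothing references it. The comment above that block has a doubled comment marker (`# # to be written`). Separately, `auth_log-for-bsql` sets `locking = yes` while `auth_log` does not; if a detail reader is expected on `auth-detail.log` it needs `locking = yes` as the stock comment in the `detail` module says.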
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/*.log {
daily
rotate 7
nocreate
missingok
compress
}
/var/log/radius/checkrad.log {
weekly
rotate 1
create
missingok
compress
}
/var/log/radius/radius*.log {
weekly
rotate 26
create
missingok
compress
}
/var/log/radius/radutmp {
weekly
rotate 1
create
compress
missingok
}
/var/log/radius/radwtmp {
weekly
rotate 1
create
compress
missingok
}
/var/log/radius/sqltrace.sql {
weekly
rotate 1
create
compress
missingok
}
lastrotate
kill -HUP `cat /var/run/radiusd/radiusd.pid`
endscript
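Review bot: `lastrotate` at the end of this file is not a logrotate directive (the script hooks are `prerotate`/`postrotate`/`firstaction`/`lastaction`), and the `lastrotate … endscript` block sits outside any stanza, after the closing brace of `/var/log/radius/sqltrace.sql`, so logrotate will most likely reject the whole file rather than rotate anything. The stock FreeRADIUS file places the HUP inside the `radius*.log` stanza; move it there as `postrotate`, then the existing `kill -HUP` line, then `endscript`. If the rendering dropped lines here, the point still stands that the script block must be inside a stanza. The `create` entries for `sqltrace.sql` and `radius*.log` take the default mode and owner; since these files can hold query text and user names, consider an explicit `create 0640 radiusd radiusd` (constructed example — match the user the service actually runs as).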
# -*- text -*-
######################################################################
#
# Control socket interface.
#
# In the future, we will add username/password checking for
# connections to the control socket. We will also add
# command authorization, where the commands entered by the
# administrator are run through a virtual server before
# they are executed.
#
# For now, anyone who has permission to connect to the socket
# has nearly complete control over the server. Be warned!
#
# This functionality is NOT enabled by default.
#
# See also the "radmin" program, which is used to communicate
# with the server over the control socket.
#
# $Id$
#
######################################################################
listen {
#
# Listen on the control socket.
#
type = control
#
# Socket location.
#
# This file is created with the server's uid and gid.
# It's permissions are r/w for that user and group, and
# no permissions for "other" users. These permissions form
# minimal security, and should not be relied on.
#
socket = ${run_dir}/${name}.sock
#
# The following two parameters perform authentication and
# authorization of connections to the control socket.
#
# If not set, then ANYONE can connect to the control socket,
# and have complete control over the server. This is likely
# not what you want.
#
# One, or both, of "uid" and "gid" should be set. If set, the
# corresponding value is checked. Unauthorized users result
# in an error message in the log file, and the connection is
# closed.
#
#
# Name of user that is allowed to connect to the control socket.
#
uid = radiusd
#
# Name of group that is allowed to connect to the control socket.
#
gid = radiusd
#
# Access mode.
#
# This can be used to give *some* administrators access to
# monitor the system, but not to change it.
#
# ro = read only access (default)
# rw = read/write access.
#
mode = rw
}
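Review bot: `mode = rw` combined with `gid = radiusd` gives every process running as user or group radiusd full read/write control of the running server over `${run_dir}/${name}.sock`, which is broader than the file's own header warning suggests is wise; the comment two lines above notes the stock default is `ro`. Unless radmin is actually used to change configuration at runtime, set `mode = ro`, or at least drop `gid` so that group membership alone is not enough to connect. The header also says the socket file permissions "should not be relied on", so the uid/gid/mode triple is the only real access control here.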
######################################################################
######################################################################
## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ##
######################################################################
######################################################################
# -*- text -*-
######################################################################
#
# A virtual server to handle ONLY Status-Server packets.
#
# Server statistics can be queried with a properly formatted
# Status-Server request. See dictionary.freeradius for comments.
#
# If radiusd.conf has "status_server = yes", then any client
# will be able to send a Status-Server packet to any port
# (listen section type "auth", "acct", or "status"), and the
# server will respond.
#
# If radiusd.conf has "status_server = no", then the server will
# ignore Status-Server packets to "auth" and "acct" ports. It
# will respond only if the Status-Server packet is sent to a
# "status" port.
#
# The server statistics are available ONLY on socket of type
# "status". Qeuries for statistics sent to any other port
# are ignored.
#
# Similarly, a socket of type "status" will not process
# authentication or accounting packets. This is for security.
#
# $Id$
#
######################################################################
server status {
listen {
type = status
ipaddr = *
port = 18120
}
#
# We recommend that you list ONLY management clients here.
# i.e. NOT your NASes or Access Points, and for an ISP,
# DEFINITELY not any RADIUS servers that are proxying packets
# to you.
#
# If you do NOT list a client here, then any client that is
# globally defined (i.e. all of them) will be able to query
# these statistics.
#
# Do you really want your partners seeing the internal details
# of what your RADIUS server is doing?
#
client localhost {
ipaddr = 127.0.0.1
secret = SECRET
}
#
# Simple authorize section. The "Autz-Type Status-Server"
# section will work here, too. See "raddb/sites-available/default".
authorize {
ok
# respond to the Status-Server request.
Autz-Type Status-Server {
ok
}
}
}
# Statistics can be queried via a number of methods:
#
# All packets received/sent by the server (1 = auth, 2 = acct)
# FreeRADIUS-Statistics-Type = 3
#
# All packets proxied by the server (4 = proxy-auth, 8 = proxy-acct)
# FreeRADIUS-Statistics-Type = 12
#
# All packets sent && received:
# FreeRADIUS-Statistics-Type = 15
#
# Internal server statistics:
# FreeRADIUS-Statistics-Type = 16
#
# All packets for a particular client (globally defined)
# FreeRADIUS-Statistics-Type = 35
# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
#
# All packets for a client attached to a "listen" ip/port
# FreeRADIUS-Statistics-Type = 35
# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
# FreeRADIUS-Stats-Server-Port = 1812
#
# All packets for a "listen" IP/port
# FreeRADIUS-Statistics-Type = 67
# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
# FreeRADIUS-Stats-Server-Port = 1812
#
# All packets for a home server IP / port
# FreeRADIUS-Statistics-Type = 131
# FreeRADIUS-Stats-Server-IP-Address = 192.168.1.2
# FreeRADIUS-Stats-Server-Port = 1812
#
# You can also get exponentially weighted moving averages of
# response times (in usec) of home servers. Just set the config
# item "historic_average_window" in a home_server section.
#
# By default it is zero (don't calculate it). Useful values
# are between 100, and 10,000. The server will calculate and
# remember the moving average for this window, and for 10 times
# that window.
#
#
# Some of this could have been simplified. e.g. the proxy-auth and
# proxy-acct bits aren't completely necessary. But using them permits
# the server to be queried for ALL inbound && outbound packets at once.
# This gives a good snapshot of what the server is doing.
#
# Due to internal limitations, the statistics might not be exactly up
# to date. Do not expect all of the numbers to add up perfectly.
# The Status-Server packets are also counted in the total requests &&
# responses. The responses are counted only AFTER the response has
# been sent.
#
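Review bot: `secret = SECRET` under `client localhost` is a placeholder shared secret, and the `listen` block binds `ipaddr = *` on port 18120, so the statistics socket is reachable on every interface and guarded by a guessable secret. Since this file is Puppet-managed, supply the secret from the manifest (an ERB template fed from hiera, for example) rather than a literal, and bind `ipaddr = 127.0.0.1` unless remote monitoring hosts are expected — in which case list them as explicit clients, as the comment above `client localhost` recommends. Also `Qeuries` in the header comment is a typo for `Queries`.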
# Install FreeRADIUS config snippets
define freeradius::attr ($source) {
file { "/etc/raddb/attr.d/${name}":
mode => '0640',
owner => 'root',
group => 'radiusd',
source => $source,
require => File['/etc/raddb/attr.d'],
notify => Service['radiusd'],
}
}
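Review bot: The header comment `# Install FreeRADIUS config snippets` is the same text as on `freeradius::config`, but this define manages `/etc/raddb/attr.d/${name}`, so it should say what that directory holds, e.g. `# Install a FreeRADIUS snippet into /etc/raddb/attr.d/${name}`. The `0640 root:radiusd` file mode matches the other defines and is appropriate for config the daemon only needs to read.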
# Install FreeRADIUS clients (WISMs or testing servers)
define freeradius::client (
$ip=undef,
$ip6=undef,
$net=undef,
$shortname,
$secret,
$server=undef,
$virtual_server=undef,
$nastype=undef,
$netmask=undef,
$redirect=undef,
$port=undef,
$srcip=undef,
) {
file { "/etc/raddb/clients.d/${shortname}.conf":
mode => '0640',
owner => 'root',
group => 'radiusd',
content => template('freeradius/client.conf.erb'),
require => File['clients.d'],
notify => Service['radiusd'],
}
}
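Review bot: `$shortname` is interpolated unvalidated into the managed path `/etc/raddb/clients.d/${shortname}.conf`, so a value containing `/` or `..` would place the file outside `clients.d`; `$shortname` and `$secret` also flow into the template, where they become RADIUS config syntax. If puppetlabs-stdlib is available, add `validate_re($shortname, '^[A-Za-z0-9_.-]+$')` at the top of the define (constructed example), and set `show_diff => false` on the file resource so the shared secret does not appear in agent reports or logs when the file changes. Two style points: the required parameters `$shortname` and `$secret` are listed after optional ones, which puppet-lint flags, and `require => File['clients.d']` uses a short title while `attr.pp`/`config.pp` reference their directories by full path — pick one convention, assuming the directory resources in init.pp are titled accordingly.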
# Install FreeRADIUS config snippets
define freeradius::config ($source) {
file { "/etc/raddb/conf.d/${name}":
mode => '0640',
owner => 'root',
group => 'radiusd',
source => $source,
require => File['/etc/raddb/conf.d'],
notify => Service['radiusd'],
}
}
# == Class: freeradius
#
# Full description of class freeradius here.
#
# === Parameters
#
# Document parameters here.
#
# [*sample_parameter*]
# Explanation of what this parameter affects and what it defaults to.
# e.g. "Specify one or more upstream ntp servers as an array."
#
# === Variables
#
# Here you should define a list of variables that this module would require.
#
# [*sample_variable*]
# Explanation of how this variable affects the funtion of this class and if
# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
# External Node Classifier as a comma separated list of hostnames." (Note,
# global variables should be avoided in favor of class parameters as
# of Puppet 2.6.)
#
# === Examples
#
# class { freeradius:
# servers => [ 'pool.ntp.org', 'ntp.local.company.com' ],
# }
#
# === Authors
#
# Author Name <author@domain.com>
#
# === Copyright
#
# Copyright 2014 Your name here, unless otherwise noted.
#
# Base class to install FreeRADIUS
class freeradius {
include samba
include nagios::plugins::radius
file { 'radiusd.conf':
name => '/etc/raddb/radiusd.conf',
mode => '0640',
owner => 'root',
group => 'radiusd',
source => 'puppet:///modules/freeradius/radiusd.conf',
require => Package['freeradius'],
notify => Service['radiusd'],