From d3776d90f95ec82374e49d679803dacaa3178f44 Mon Sep 17 00:00:00 2001 From: Luca Rullo Date: Fri, 12 May 2023 22:42:30 +0000 Subject: [PATCH] Add: Freeradius && LDAP config --- Dockerfile | 26 ++ conf/ca.cnf | 62 +++ conf/eap | 979 +++++++++++++++++++++++++++++++++++++++++++++ conf/ldap | 647 ++++++++++++++++++++++++++++++ conf/server.cnf | 69 ++++ docker-compose.yml | 14 + entrypoint.sh | 6 + 7 files changed, 1803 insertions(+) create mode 100644 Dockerfile create mode 100644 conf/ca.cnf create mode 100644 conf/eap create mode 100644 conf/ldap create mode 100644 conf/server.cnf create mode 100644 docker-compose.yml create mode 100755 entrypoint.sh diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..b48bcd1 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,26 @@ +FROM debian:stable-slim as build + +RUN apt update && apt install -y wget tar + +RUN wget https://w1.fi/releases/wpa_supplicant-2.7.tar.gz && \ + tar -xzvf wpa_supplicant-2.7.tar.gz && \ + apt install -y build-essential pkg-config libnl-3-dev libssl-dev libnl-genl-3-dev + +RUN cd wpa_supplicant-2.7/wpa_supplicant && \ + cp defconfig .config && \ + echo "CONFIG_EAPOL_TEST=y" >> .config && \ + make eapol_test && \ + cp eapol_test /usr/local/bin + +FROM debian:stable-slim + +RUN apt update && apt dist-upgrade -y && \ + apt install -y freeradius freeradius-ldap freeradius-utils + +COPY --from=build /usr/local/bin/eapol_test /usr/local/bin/eapol_test + +ADD ./entrypoint.sh /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] + +CMD ["freeradius","-X"] diff --git a/conf/ca.cnf b/conf/ca.cnf new file mode 100644 index 0000000..ce31205 --- /dev/null +++ b/conf/ca.cnf @@ -0,0 +1,62 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./ +certs = $dir +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir +certificate = $dir/ca.pem +serial = $dir/serial +crl = $dir/crl.pem +private_key = $dir/ca.key +RANDFILE = $dir/.rand +name_opt = ca_default +cert_opt = ca_default +default_days = 3650 +default_crl_days = 30 +default_md = sha256 +preserve = no +policy = policy_match +crlDistributionPoints = URI:http://www.example.org/example_ca.crl + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +prompt = no +distinguished_name = certificate_authority +default_bits = 2048 +input_password = SuperSecretPassword1234 +output_password = SuperSecretPassword1234 +x509_extensions = v3_ca + +[certificate_authority] +countryName = FR +stateOrProvinceName = Radius +localityName = Somewhere +organizationName = Example Inc. +emailAddress = admin@example.org +commonName = "Example Certificate Authority" + +[v3_ca] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +crlDistributionPoints = URI:http://www.example.org/example_ca.crl + diff --git a/conf/eap b/conf/eap new file mode 100644 index 0000000..82d68d5 --- /dev/null +++ b/conf/eap @@ -0,0 +1,979 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: a89a783663588017b12bcc076362e728261ba8f2 $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = md5 + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + # + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + # + cisco_accounting_username_bug = no + + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + # + max_sessions = ${max_requests} + + + ############################################################ + # + # Supported EAP-types + # + + + # EAP-MD5 + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + + # EAP-pwd -- secure password-based authentication + # + #pwd { + # group = 19 + + # server_id = theserver@example.com + + # This has the same meaning as for TLS. + # + # fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. + # + # virtual_server = "inner-tunnel" + #} + + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + leap { + } + + + # EAP-GTC -- Generic Token Card + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. + # + # challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + + # Common TLS configuration for TLS-based EAP types + # ------------------------------------------------ + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + # + tls-config tls-common { + private_key_password = SuperSecretPassword1234 + private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below SHOULD also include all of + # the intermediate CA certificates used to sign the + # server certificate, but NOT the root CA. + # + # Including the ROOT CA certificate is not useful and + # merely inflates the exchanged data volume during + # the TLS negotiation. + # + # This file should contain the server certificate, + # followed by intermediate certificates, in order. + # i.e. If we have a server certificate signed by CA1, + # which is signed by CA2, which is signed by a root + # CA, then the "certificate_file" should contain + # server.pem, followed by CA1.pem, followed by + # CA2.pem. + # + # When using "ca_file" or "ca_dir", the + # "certificate_file" should contain only + # "server.pem". And then you may (or may not) need + # to set "auto_chain", depending on your version of + # OpenSSL. + # + # In short, SSL / TLS certificates are complex. + # There are many versions of software, each of which + # behave slightly differently. It is impossible to + # give advice which will work everywhere. Instead, + # we give general guidelines. + # + certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem + + # Trusted Root CA list + # + # This file can contain multiple CA certificates. + # ALL of the CA's in this list will be trusted to + # issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + ca_file = /etc/ssl/certs/ca-certificates.crt + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # + # auto_chain = yes + + # If OpenSSL supports TLS-PSK, then we can use a + # fixed PSK identity and (hex) password. As of + # 3.0.18, these can be used at the same time as the + # certificate configuration, but only for TLS 1.0 + # through 1.2. + # + # If PSK and certificates are configured at the same + # time for TLS 1.3, then the server will warn you, + # and will disable TLS 1.3, as it will not work. + # + # The work around is to have two modules (or for + # RadSec, two listen sections). One will have PSK + # configured, and the other will have certificates + # configured. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # Dynamic queries for the PSK. If TLS-PSK is used, + # and psk_query is set, then you MUST NOT use + # psk_identity or psk_hexphrase. + # + # Instead, use a dynamic expansion similar to the one + # below. It keys off of TLS-PSK-Identity. It should + # return a of string no more than 512 hex characters. + # That string will be converted to binary, and will + # be used as the dynamic PSK hexphrase. + # + # Note that this query is just an example. You will + # need to customize it for your installation. + # + # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" + + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = ${certdir}/dh + + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. + # + # random_file = /dev/urandom + + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + ca_path = ${cadir} + + # Accept an expired Certificate Revocation List + # + # allow_expired_crl = no + + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # This check can be done more generally by checking + # the value of the TLS-Client-Cert-Issuer attribute. + # This check can be done via any mechanism you + # choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Common-Name attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # + cipher_list = "DEFAULT" + + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Setting this to "yes" means that OpenSSL + # will choose the servers ciphers, even if they do not + # best match what the client sends. + # + # TLS negotiation is usually good, but can be imperfect. + # This setting allows administrators to "fine tune" it + # if necessary. + # + cipher_server_preference = no + + # You can selectively disable TLS versions for + # compatability with old client devices. + # + # If your system has OpenSSL 1.1.0 or greater, do NOT + # use these. Instead, set tls_min_version and + # tls_max_version. + # + # disable_tlsv1_2 = no + disable_tlsv1_1 = yes + disable_tlsv1 = yes + + # Set min / max TLS version. Mainly for Debian + # "trusty", which disables older versions of TLS, and + # requires the application to manually enable them. + # + # If you are running Debian trusty, you should set + # these options, otherwise older clients will not be + # able to connect. + # + # Allowed values are "1.0", "1.1", "1.2", and "1.3". + # + # Note that the server WILL NOT permit negotiation of + # TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT + # finished. It is therefore impossible for the server + # to negotiate EAP-TLS correctly with TLS 1.3. + # + # The values must be in quotes. + # + tls_min_version = "1.2" + tls_max_version = "1.2" + + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # See also the "store" subsection below for + # additional attributes which can be cached. + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + # You can check if a session has been resumed by + # looking for the existence of the EAP-Session-Resumed + # attribute. Note that this attribute will *only* + # exist in the "post-auth" section. + # + # CAVEATS: The cache is stored and reloaded BEFORE + # the "post-auth" section is run. This limitation + # makes caching more difficult than it should be. In + # practice, it means that the first authentication + # session must set the reply attributes before the + # post-auth section is run. + # + # When the session is resumed, the attributes are + # restored and placed into the session-state list. + # + cache { + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # As of version 3.0.14, the session cache requires the use + # of the "name" and "persist_dir" configuration items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. + # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = no + + # Lifetime of the cached entries, in hours. The sessions will be + # deleted/invalidated after this time. + # + lifetime = 24 # hours + + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + # name = "EAP module" + + # Simple directory-based storage of sessions. + # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The default directory is ${logdir}, for historical + # reasons. You should ${db_dir} instead. And check + # the value of db_dir in the main radiusd.conf file. + # It should not point to ${raddb} + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + # persist_dir = "${logdir}/tlscache" + + # + # As of 3.0.20, it is possible to partially + # control which attributes exist in the + # session cache. This subsection lists + # attributes which are taken from the reply, + # and saved to the on-disk cache. When the + # session is resumed, these attributes are + # added to the "session-state" list. The + # default configuration will then take care + # of copying them to the reply. + # + store { + Tunnel-Private-Group-Id + } + } + + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is not run. + # + # If OCSP checking is disabled, the verify section is + # run on successful certificate validation. + # + verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # + # skip_if_ocsp_ok = no + + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..ca_path} text is a reference to + # the ca_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # + # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # OCSP Configuration + # + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revocation Lists (CRLs). + # + ocsp { + # Enable it. The default is "no". + # Deleting the entire "ocsp" subsection + # also disables ocsp checking + # + enable = no + + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. + # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + + # EAP-TLS + # + # As of Version 3.0, the TLS configuration for TLS-based + # EAP types is above in the "tls-config" section. + # + tls { + # Point to the common TLS configuration + # + tls = tls-common + + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-Common-Name. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. + # + # virtual_server = check-eap-tls + } + + + # EAP-TTLS -- Tunneled TLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = md5 + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = no + + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # } + # + # This will cache attributes for the final Access-Accept. + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = no + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # + # include_length = yes + + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with EAP-TTLS, so this option is unlikely + # to be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-PEAP + # + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # https://support.microsoft.com/en-us/help/814394/ + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. + # + copy_request_to_tunnel = no + + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # } + # + # This will cache attributes for the final Access-Accept. + # + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # proxy_tunneled_request_as_eap = yes + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with PEAP, so this option is unlikely to + # be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-MSCHAPv2 + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # + # send_error = no + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. + # + # identity = "FreeRADIUS" + } + + + # EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # + #fast { + # Point to the common TLS configuration + # + # tls = tls-common + + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-FAST module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # Note - for OpenSSL 1.1.0 and above you may need + # to add ":@SECLEVEL=0" + # + # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # + # pac_lifetime = 604800 + + # Authority ID of the server + # + # If you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # + # authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # + # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # + # virtual_server = inner-tunnel + #} +} diff --git a/conf/ldap b/conf/ldap new file mode 100644 index 0000000..8eb7a08 --- /dev/null +++ b/conf/ldap @@ -0,0 +1,647 @@ +# -*- text -*- +# +# $Id: 1741d7e6ed472617f190f90a545272be980a6ff1 $ + +# +# Lightweight Directory Access Protocol (LDAP) +# +ldap { + # Note that this needs to match the name(s) in the LDAP server + # certificate, if you're using ldaps. See OpenLDAP documentation + # for the behavioral semantics of specifying more than one host. + # + # Depending on the libldap in use, server may be an LDAP URI. + # In the case of OpenLDAP this allows additional the following + # additional schemes: + # - ldaps:// (LDAP over SSL) + # - ldapi:// (LDAP over Unix socket) + # - ldapc:// (Connectionless LDAP) + server = 'localhost' +# server = 'ldap.rrdns.example.org' +# server = 'ldap.rrdns.example.org' + + # Port to connect on, defaults to 389, will be ignored for LDAP URIs. +# port = 389 + + # Administrator account for searching and possibly modifying. + # If using SASL + KRB5 these should be commented out. +# identity = 'cn=admin,dc=example,dc=org' +# password = mypass + + # Unless overridden in another section, the dn from which all + # searches will start from. + base_dn = 'dc=example,dc=org' + + # + # You can run the 'ldapsearch' command line tool using the + # parameters from this module's configuration. + # + # ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' + # + # That will give you the LDAP information for 'user'. + # + # Group membership can be queried by using the above "ldapsearch" string, + # and adding "memberof" qualifiers. For ActiveDirectory, use: + # + # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))' + # + # Where 'user' is the user as above, and 'group' is the group you are querying for. + # + + # + # SASL parameters to use for admin binds + # + # When we're prompted by the SASL library, these control + # the responses given, as well as the identity and password + # directives above. + # + # If any directive is commented out, a NULL response will be + # provided to cyrus-sasl. + # + # Unfortunately the only way to control Keberos here is through + # environmental variables, as cyrus-sasl provides no API to + # set the krb5 config directly. + # + # Full documentation for MIT krb5 can be found here: + # + # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html + # + # At a minimum you probably want to set KRB5_CLIENT_KTNAME. + # + sasl { + # SASL mechanism +# mech = 'PLAIN' + + # SASL authorisation identity to proxy. +# proxy = 'autz_id' + + # SASL realm. Used for kerberos. +# realm = 'example.org' + } + + # + # Generic valuepair attribute + # + + # If set, this will attribute will be retrieved in addition to any + # mapped attributes. + # + # Values should be in the format: + # + # + # Where: + # : Is the attribute you wish to create + # with any valid list and request qualifiers. + # : Is any assignment operator (=, :=, +=, -=). + # : Is the value to parse into the new valuepair. + # If the value is wrapped in double quotes it + # will be xlat expanded. +# valuepair_attribute = 'radiusAttribute' + + # + # Mapping of LDAP directory attributes to RADIUS dictionary attributes. + # + + # WARNING: Although this format is almost identical to the unlang + # update section format, it does *NOT* mean that you can use other + # unlang constructs in module configuration files. + # + # Configuration items are in the format: + # + # + # Where: + # : Is the destination RADIUS attribute + # with any valid list and request qualifiers. + # : Is any assignment attribute (=, :=, +=, -=). + # : Is the attribute associated with user or + # profile objects in the LDAP directory. + # If the attribute name is wrapped in double + # quotes it will be xlat expanded. + # + # Request and list qualifiers may also be placed after the 'update' + # section name to set defaults destination requests/lists + # for unqualified RADIUS attributes. + # + # Note: LDAP attribute names should be single quoted unless you want + # the name value to be derived from an xlat expansion, or an + # attribute ref. + update { + control:Password-With-Header += 'userPassword' +# control:NT-Password := 'ntPassword' +# reply:Reply-Message := 'radiusReplyMessage' +# reply:Tunnel-Type := 'radiusTunnelType' +# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' +# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' + + # Where only a list is specified as the RADIUS attribute, + # the value of the LDAP attribute is parsed as a valuepair + # in the same format as the 'valuepair_attribute' (above). + control: += 'radiusControlAttribute' + request: += 'radiusRequestAttribute' + reply: += 'radiusReplyAttribute' + } + + # Set to yes if you have eDirectory and want to use the universal + # password mechanism. +# edir = no + + # Set to yes if you want to bind as the user after retrieving the + # Cleartext-Password. This will consume the login grace, and + # verify user authorization. +# edir_autz = no + + # Note: set_auth_type was removed in v3.x.x + # + # Equivalent functionality can be achieved by adding the + # following "if" statement to the authorize {} section of + # the virtual server, after the "ldap" module. For example: + # + # ... + # ldap + # if ((ok || updated) && User-Password && !control:Auth-Type) { + # update { + # control:Auth-Type := ldap + # } + # } + # ... + # + # You will also need to uncomment the "Auth-Type LDAP" block in the + # "authenticate" section. + # + + # + # Name of the attribute that contains the user DN. + # The default name is LDAP-UserDn. + # + # If you have multiple LDAP instances, you should + # change this configuration item to: + # + # ${.:instance}-LDAP-UserDn + # + # That change allows the modules to set their own + # User DN, and to not conflict with each other. + # + user_dn = "LDAP-UserDn" + + # + # User object identification. + # + user { + # Where to start searching in the tree for users + base_dn = "${..base_dn}" + + # Filter for user objects, should be specific enough + # to identify a single user object. + # + # For Active Directory, you should use + # "samaccountname=" instead of "uid=" + # + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" + + # SASL parameters to use for user binds + # + # When we're prompted by the SASL library, these control + # the responses given. + # + # Any of the config items below may be an attribute ref + # or and expansion, so different SASL mechs, proxy IDs + # and realms may be used for different users. + sasl { + # SASL mechanism +# mech = 'PLAIN' + + # SASL authorisation identity to proxy. +# proxy = &User-Name + + # SASL realm. Used for kerberos. +# realm = 'example.org' + } + + # Search scope, may be 'base', 'one', sub' or 'children' +# scope = 'sub' + + # Server side result sorting + # + # A list of space delimited attributes to order the result + # set by, if the filter matches multiple objects. + # Only the first result in the set will be processed. + # + # If the attribute name is prefixed with a hyphen '-' the + # sorting order will be reversed for that attribute. + # + # If sort_by is set, and the server does not support sorting + # the search will fail. +# sort_by = '-uid' + + # If this is undefined, anyone is authorised. + # If it is defined, the contents of this attribute + # determine whether or not the user is authorised +# access_attribute = 'dialupAccess' + + # Control whether the presence of 'access_attribute' + # allows access, or denys access. + # + # If 'yes', and the access_attribute is present, or + # 'no' and the access_attribute is absent then access + # will be allowed. + # + # If 'yes', and the access_attribute is absent, or + # 'no' and the access_attribute is present, then + # access will not be allowed. + # + # If the value of the access_attribute is 'false', it + # will negate the result. + # + # e.g. + # access_positive = yes + # access_attribute = userAccessAllowed + # + # With an LDAP object containing: + # userAccessAllowed: false + # + # Will result in the user being locked out. +# access_positive = yes + } + + # + # User membership checking. + # + group { + # Where to start searching in the tree for groups + base_dn = "${..base_dn}" + + # Filter for group objects, should match all available + # group objects a user might be a member of. + # + # If using Active Directory you are likely to need "group" + # instead of "posixGroup". + filter = '(objectClass=posixGroup)' + + # Search scope, may be 'base', 'one', sub' or 'children' +# scope = 'sub' + + # Attribute that uniquely identifies a group. + # Is used when converting group DNs to group + # names. +# name_attribute = cn + + # Filter to find all group objects a user is a member of. + # That is, group objects with attributes that + # identify members (the inverse of membership_attribute). + # + # Note that this configuration references the "user_dn" + # configuration defined above. + # +# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" + + # The attribute, in user objects, which contain the names + # or DNs of groups a user is a member of. + # + # Unless a conversion between group name and group DN is + # needed, there's no requirement for the group objects + # referenced to actually exist. + # + # If the LDAP server does not support the "memberOf" + # attribute (or equivalent), then you will need to use the + # membership_filter option above instead. If you can't see + # the memberOf attribute then it is also possible that the + # LDAP bind user does not have the correct permissions to + # view it. + membership_attribute = 'memberOf' + + # If cacheable_name or cacheable_dn are enabled, + # all group information for the user will be + # retrieved from the directory and written to LDAP-Group + # attributes appropriate for the instance of rlm_ldap. + # + # For group comparisons these attributes will be checked + # instead of querying the LDAP directory directly. + # + # This feature is intended to be used with rlm_cache. + # + # If you wish to use this feature, you should enable + # the type that matches the format of your check items + # i.e. if your groups are specified as DNs then enable + # cacheable_dn else enable cacheable_name. +# cacheable_name = 'no' +# cacheable_dn = 'no' + + # Override the normal cache attribute (-LDAP-Group or + # LDAP-Group if using the default instance) and create a + # custom attribute. This can help if multiple module instances + # are used in fail-over. +# cache_attribute = 'LDAP-Cached-Membership' + + # If the group being checked is specified as a name, but + # the user's groups are referenced by DN, and one of those + # group DNs is invalid, the whole group check is treated as + # invalid, and a negative result will be returned. + # When set to 'yes', this option ignores invalid DN + # references. +# allow_dangling_group_ref = 'no' + } + + # + # User profiles. RADIUS profile objects contain sets of attributes + # to insert into the request. These attributes are mapped using + # the same mapping scheme applied to user objects (the update section above). + # + profile { + # Filter for RADIUS profile objects +# filter = '(objectclass=radiusprofile)' + + # The default profile. This may be a DN or an attribute + # reference. + # To get old v2.2.x style behaviour, or to use the + # &User-Profile attribute to specify the default profile, + # set this to &control:User-Profile. +# default = 'cn=radprofile,dc=example,dc=org' + + # The LDAP attribute containing profile DNs to apply + # in addition to the default profile above. These are + # retrieved from the user object, at the same time as the + # attributes from the update section, are are applied + # if authorization is successful. +# attribute = 'radiusProfileDn' + } + + # + # Bulk load clients from the directory + # + client { + # Where to start searching in the tree for clients + base_dn = "${..base_dn}" + + # + # Filter to match client objects + # + filter = '(objectClass=radiusClient)' + + # Search scope, may be 'base', 'one', 'sub' or 'children' +# scope = 'sub' + + # + # Sets default values (not obtained from LDAP) for new client entries + # + template { +# login = 'test' +# password = 'test' +# proto = tcp +# require_message_authenticator = yes + + # Uncomment to add a home_server with the same + # attributes as the client. +# coa_server { +# response_window = 2.0 +# } + } + + # + # Client attribute mappings are in the format: + # = + # + # The following attributes are required: + # * ipaddr | ipv4addr | ipv6addr - Client IP Address. + # * secret - RADIUS shared secret. + # + # All other attributes usually supported in a client + # definition are also supported here. + # + # Schemas are available in doc/schemas/ldap for openldap and eDirectory + # + attribute { + ipaddr = 'radiusClientIdentifier' + secret = 'radiusClientSecret' +# shortname = 'radiusClientShortname' +# nas_type = 'radiusClientType' +# virtual_server = 'radiusClientVirtualServer' +# require_message_authenticator = 'radiusClientRequireMa' + } + } + + # Load clients on startup +# read_clients = no + + # + # Modify user object on receiving Accounting-Request + # + + # Useful for recording things like the last time the user logged + # in, or the Acct-Session-ID for CoA/DM. + # + # LDAP modification items are in the format: + # + # + # Where: + # : The LDAP attribute to add modify or delete. + # : One of the assignment operators: + # (:=, +=, -=, ++). + # Note: '=' is *not* supported. + # : The value to add modify or delete. + # + # WARNING: If using the ':=' operator with a multi-valued LDAP + # attribute, all instances of the attribute will be removed and + # replaced with a single attribute. + accounting { + reference = "%{tolower:type.%{Acct-Status-Type}}" + + type { + start { + update { + description := "Online at %S" + } + } + + interim-update { + update { + description := "Last seen at %S" + } + } + + stop { + update { + description := "Offline at %S" + } + } + } + } + + # + # Post-Auth can modify LDAP objects too + # + post-auth { + update { + description := "Authenticated at %S" + } + } + + # + # LDAP connection-specific options. + # + # These options set timeouts, keep-alives, etc. for the connections. + # + options { + # Control under which situations aliases are followed. + # May be one of 'never', 'searching', 'finding' or 'always' + # default: libldap's default which is usually 'never'. + # + # LDAP_OPT_DEREF is set to this value. +# dereference = 'always' + + # + # The following two configuration items control whether the + # server follows references returned by LDAP directory. + # They are mostly for Active Directory compatibility. + # If you set these to 'no', then searches will likely return + # 'operations error', instead of a useful result. + # + chase_referrals = yes + rebind = yes + + # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). + # Note - uncomment when using GSS-API sasl mechanism along with TLS + # encryption against Active-Directory LDAP servers (this disables + # sealing and signing at the GSS level as required by AD). + #sasl_secprops = 'noanonymous,noplain,maxssf=0' + + # Seconds to wait for LDAP query to finish. default: 20 + res_timeout = 10 + + # Seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + srv_timelimit = 3 + + # Seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = 60 + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = 3 + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = 3 + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + ldap_debug = 0x0028 + } + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the 'tls_*' configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 636) connections +# start_tls = yes + +# ca_file = ${certdir}/cacert.pem + +# ca_path = ${certdir} +# certificate_file = /path/to/radius.crt +# private_key_file = /path/to/radius.key +# random_file = /dev/urandom + + # Certificate Verification requirements. Can be: + # 'never' (do not even bother trying) + # 'allow' (try, but don't fail if the certificate + # cannot be verified) + # 'demand' (fail if the certificate does not verify) + # 'hard' (similar to 'demand' but fails if TLS + # cannot negotiate) + # + # The default is libldap's default, which varies based + # on the contents of ldap.conf. + +# require_cert = 'demand' + } + + # As of version 3.0, the 'pool' section has replaced the + # following configuration items: + # + # ldap_connections_number + + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + pool { + # Connections to create during module instantiation. + # If the server cannot create specified number of + # connections during instantiation it will exit. + # Set to 0 to allow the server to start without the + # directory being available. + start = ${thread[pool].start_servers} + + # Minimum number of connections to keep open + min = ${thread[pool].min_spare_servers} + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like 'No connections available and at max connection limit' + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = ${thread[pool].max_servers} + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. This should be less than or equal to "max" above. + spare = ${thread[pool].max_spare_servers} + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = 0 + + # The number of seconds to wait after the server tries + # to open a connection, and fails. During this time, + # no new connections will be opened. + retry_delay = 30 + + # The lifetime (in seconds) of the connection + lifetime = 0 + + # Idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of 'idle_timeout', + # 'uses', or 'lifetime', then the total number of + # connections MAY fall below 'min'. When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the 'min' connections, + # or increase lifetime/idle_timeout. + } +} diff --git a/conf/server.cnf b/conf/server.cnf new file mode 100644 index 0000000..8245705 --- /dev/null +++ b/conf/server.cnf @@ -0,0 +1,69 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./ +certs = $dir +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir +certificate = $dir/server.pem +serial = $dir/serial +crl = $dir/crl.pem +private_key = $dir/server.key +RANDFILE = $dir/.rand +name_opt = ca_default +cert_opt = ca_default +default_days = 3650 +default_crl_days = 30 +default_md = sha256 +preserve = no +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +prompt = no +distinguished_name = server +default_bits = 2048 +input_password = SuperSecretPassword1234 +output_password = SuperSecretPassword1234 +req_extensions = v3_req + +[server] +countryName = FR +stateOrProvinceName = Radius +localityName = Somewhere +organizationName = Example Inc. +emailAddress = admin@example.org +commonName = "Example Server Certificate" + +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +# This should be a host name of the RADIUS server. +# Note that the host name is exchanged in EAP *before* +# the user machine has network access. So the host name +# here doesn't really have to match anything in DNS. +[alt_names] +DNS.1 = radius.example.com + +# NAIRealm from RFC 7585 +otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..e19944a --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,14 @@ +version: "3" +services: + radius: + image: registry.audio-lab.org/radius + build: . + volumes: + # ldap + #- ./conf/ldap:/etc/freeradius/3.0/mods-enabled/ldap:ro + # certs + - ./conf/ca.cnf:/etc/freeradius/3.0/certs/ca.cnf:ro + - ./conf/server.cnf:/etc/freeradius/3.0/certs/server.cnf:ro + ports: + - 1812:1812 + - 1813:1813 diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..9d25f33 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Regenerate Cert +cd /etc/freeradius/3.0/certs/ && make + +exec $@