[feature] Allowed deploying WPA Enterprise 2 TTLS-PAP #462

Closes #462

README.md

@@ -1255,6 +1255,36 @@ Below are listed all the variables you can customize (you may also want to take
     # FreeRADIUS listen address for the openwisp_site.
     # Defaults to "*", i.e. listen on all interfaces.
     freeradius_openwisp_site_listen_ipaddr: "10.8.0.1"
+    # A list of dict that includes organization's name, UUID, RADIUS token, and
+    # ports for authentication, accounting, and inner tunnel. This list of dict
+    # is used to generate FreeRADIUS sites that support WPA Enterprise
+    # (EAP-TTLS-PAP) authentication.
+    # Defaults to an empty list.
+    freeradius_eap_orgs:
+        # The name should not contain spaces or special characters
+      - name: openwisp
+        # UUID of the organization can be retrieved from the OpenWISP admin
+        uuid: 00000000-0000-0000-0000-000000000000
+        # Radius token of the organization can be retrieved from the OpenWISP admin
+        radius_token: secret-radius-token
+        # Port used by the authentication service for this FreeRADIUS site
+        auth_port: 1832
+        # Port used by the accounting service for this FreeRADIUS site
+        acct_port: 1833
+        # Port used by the authentication service of inner tunnel for this FreeRADIUS site
+        inner_tunnel_auth_port: 18330
+    # Sets the source path of the template that contains freeradius site configuration
+    # for WPA Enterprise (EAP-TTLS-PAP) authentication.
+    # Defaults to "templates/freeradius/eap/openwisp_site.j2" shipped in the role.
+    freeradius_eap_openwisp_site_template_src: custom_eap_openwisp_site.j2
+    # Sets the source path of the template that contains freeradius inner tunnel
+    # configuration for WPA Enterprise (EAP-TTLS-PAP) authentication.
+    # Defaults to "templates/freeradius/eap/inner_tunnel.j2" shipped in the role.
+    freeradius_eap_inner_tunnel_template_src: custom_eap_inner_tunnel.j2
+    # Sets the source path of the template that contains freeradius EAP configuration
+    # for WPA Enterprise (EAP-TTLS-PAP) authentication.
+    # Defaults to "templates/freeradius/eap/eap.j2" shipped in the role.
+    freeradius_eap_template_src: custom_eap.j2
     cron_delete_old_notifications: "'hour': 0, 'minute': 0"
     cron_deactivate_expired_users: "'hour': 0, 'minute': 5"
     cron_delete_old_radiusbatch_users: "'hour': 0, 'minute': 10"

defaults/main.yml

@@ -197,6 +197,10 @@ freeradius_rest:
 freeradius_expire_attr_after_seconds: 86400
 freeradius_safe_characters: "+@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
 freeradius_openwisp_site_listen_ipaddr: "*"
+freeradius_eap_orgs: []
+freeradius_eap_openwisp_site_template_src: freeradius/eap/openwisp_site.j2
+freeradius_eap_inner_tunnel_template_src: freeradius/eap/inner_tunnel.j2
+freeradius_eap_template_src: freeradius/eap/eap.j2
 cron_delete_old_notifications: "'hour': 0, 'minute': 0"
 cron_deactivate_expired_users: "'hour': 0, 'minute': 5"
 cron_delete_old_radiusbatch_users: "'hour': 0, 'minute': 10"

tasks/freeradius.yml

@@ -200,3 +200,14 @@
     owner: freerad
     group: freerad
   notify: Restart freeradius
+
+- debug:
+    msg: "{{ freeradius_eap_orgs }}"
+
+- name: Copy configuration for WPA Enterprise TTLS
+  include_tasks: tasks/freeradius_eap.yml
+  loop: "{{ freeradius_eap_orgs }}"
+  loop_control:
+    loop_var: org
+  when: freeradius_eap_orgs
+  tags: [freeradius_eap]

tasks/freeradius_eap.yml

@@ -0,0 +1,55 @@
+---
+
+- name: "Copy {{ org.name }} EAP openwisp_site"
+  template:
+    src: "{{ freeradius_eap_openwisp_site_template_src }}"
+    dest: "{{ freeradius_dir }}/sites-available/{{ org.name }}_eap_openwisp_site"
+    owner: freerad
+    group: freerad
+    mode: '0644'
+  notify: Restart freeradius
+  tags: [freeradius_eap]
+
+- name: "Create a symlink in sites-enabled for {{ org.name }} EAP openwisp_site"
+  ansible.builtin.file:
+    src: "{{ freeradius_dir }}/sites-available/{{ org.name }}_eap_openwisp_site"
+    dest: "{{ freeradius_dir }}/sites-enabled/{{ org.name }}_eap_openwisp_site"
+    state: link
+  notify: Restart freeradius
+  tags: [freeradius_eap]
+
+- name: "Copy {{ org.name }} eap_inner_tunnel"
+  template:
+    src: "{{ freeradius_eap_inner_tunnel_template_src }}"
+    dest: "{{ freeradius_dir }}/sites-available/{{ org.name }}_eap_inner_tunnel"
+    owner: freerad
+    group: freerad
+    mode: '0644'
+  notify: Restart freeradius
+  tags: [freeradius_eap]
+
+- name: "Create a symlink in sites-enabled for {{ org.name }} eap_inner_tunnel"
+  ansible.builtin.file:
+    src: "{{ freeradius_dir }}/sites-available/{{ org.name }}_eap_inner_tunnel"
+    dest: "{{ freeradius_dir }}/sites-enabled/{{ org.name }}_eap_inner_tunnel"
+    state: link
+  notify: Restart freeradius
+  tags: [freeradius_eap]
+
+- name: Copy {{ org.name }} custom EAP configuration in mods-available
+  template:
+    src: "{{ freeradius_eap_template_src }}"
+    dest: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
+    owner: freerad
+    group: freerad
+    mode: '0644'
+  notify: Restart freeradius
+  tags: [freeradius_eap]
+
+- name: Create a symlink in mods-enabled
+  ansible.builtin.file:
+    src: "{{ freeradius_dir }}/mods-available/eap-org_{{ org.name }}"
+    dest: "{{ freeradius_dir }}/mods-enabled/eap-org_{{ org.name }}"
+    state: link
+  notify: Restart freeradius
+  tags: [freeradius_eap]

templates/freeradius/eap/eap.j2

@@ -0,0 +1,38 @@
+eap eap-org_{{ org.name }} {
+    default_eap_type = ttls
+    timer_expire = 60
+    ignore_unknown_eap_types = no
+    cisco_accounting_username_bug = no
+    max_sessions = ${max_requests}
+
+    tls-config tls-common {
+        # make sure to have a valid SSL certificate for production usage
+        private_key_password = whatever
+        private_key_file = ${certdir}/server.pem
+        certificate_file = ${certdir}/server.pem
+        ca_file = ${cadir}/ca.pem
+        dh_file = ${certdir}/dh
+        ca_path = ${cadir}
+        cipher_list = "DEFAULT"
+        cipher_server_preference = no
+        ecdh_curve = "prime256v1"
+
+        cache {
+            enable = no
+        }
+
+        ocsp {
+            enable = no
+            override_cert_url = yes
+            url = "http://127.0.0.1/ocsp/"
+        }
+    }
+
+    ttls {
+        tls = tls-common
+        default_eap_type = pap
+        copy_request_to_tunnel = yes
+        use_tunneled_reply = yes
+        virtual_server = "inner_tunnel-org_{{ org.name }}"
+    }
+}

templates/freeradius/eap/inner_tunnel.j2

@@ -0,0 +1,84 @@
+server inner_tunnel-org_{{ org.name }} {
+    listen {
+        ipaddr = 127.0.0.1
+        port = {{ org.inner_tunnel_auth_port }}
+        type = auth
+    }
+
+    api_token_header = "Authorization: Bearer {{ org.uuid }} {{ org.radius_token }}"
+    authorize {
+        filter_username
+        update control { &REST-HTTP-Header += "${...api_token_header}" }
+        rest
+        eap-org_{{ org.name }} {
+            ok = return
+        }
+
+        chap
+        mschap
+        suffix
+
+        update control {
+            &Proxy-To-Realm := LOCAL
+        }
+
+        eap {
+            ok = return
+        }
+
+        -ldap
+
+        pap
+
+        expiration
+        logintime
+    }
+
+    authenticate {
+        Auth-Type PAP {
+            pap
+        }
+
+        Auth-Type CHAP {
+            chap
+        }
+
+        Auth-Type MS-CHAP {
+            mschap
+        }
+        eap
+    }
+
+    session {}
+
+    post-auth {
+        if (0) {
+            update reply {
+                User-Name !* ANY
+                Message-Authenticator !* ANY
+                EAP-Message !* ANY
+                Proxy-State !* ANY
+                MS-MPPE-Encryption-Types !* ANY
+                MS-MPPE-Encryption-Policy !* ANY
+                MS-MPPE-Send-Key !* ANY
+                MS-MPPE-Recv-Key !* ANY
+            }
+            update {
+                &outer.session-state: += &reply:
+            }
+        }
+
+        Post-Auth-Type REJECT {
+            attr_filter.access_reject
+            update outer.session-state {
+                &Module-Failure-Message := &request:Module-Failure-Message
+            }
+        }
+    }
+
+    pre-proxy {}
+    post-proxy {
+        eap-org_{{ org.name }}
+        eap
+    }
+}

templates/freeradius/eap/openwisp_site.j2

@@ -0,0 +1,79 @@
+server openwisp_site-org_{{ org.name }} {
+    listen {
+        type = auth
+        ipaddr = {{ org.listen_ipaddr | default(freeradius_openwisp_site_listen_ipaddr) }}
+        port = {{ org.auth_port }}
+        limit {
+            max_connections = 16
+            lifetime = 0
+            idle_timeout = 30
+        }
+    }
+
+    listen {
+        ipaddr = {{ org.listen_ipaddr | default(freeradius_openwisp_site_listen_ipaddr) }}
+        port = {{ org.acct_port }}
+        type = acct
+        limit {}
+    }
+
+    api_token_header = "Authorization: Bearer {{ org.uuid }} {{ org.radius_token }}"
+    authorize {
+        eap-org_{{ org.name }} {
+          ok = return
+        }
+        update control { &REST-HTTP-Header += "${...api_token_header}" }
+        filter_username
+        rest
+        expiration
+        logintime
+    }
+
+    authenticate {
+        Auth-Type eap-org_{{ org.name }} {
+            eap-org_{{ org.name }}
+        }
+        Auth-Type PAP {
+            pap
+        }
+
+        Auth-Type CHAP {
+            chap
+        }
+
+        Auth-Type MS-CHAP {
+            mschap
+        }
+
+        Auth-Type EAP {
+            eap
+        }
+    }
+
+    preacct {
+        preprocess
+        acct_unique
+        suffix
+        files
+    }
+
+    accounting {
+        update control { &REST-HTTP-Header += "${...api_token_header}" }
+        rest
+    }
+
+    session {}
+
+    post-auth {
+        update control { &REST-HTTP-Header += "${...api_token_header}" }
+        rest
+
+        Post-Auth-Type REJECT {
+        update control { &REST-HTTP-Header += "${....api_token_header}" }
+            rest
+        }
+    }
+
+    pre-proxy {}
+    post-proxy {}
+}