Forge Home

freeradius

manages FreeRADIUS authentication servers

11,821 downloads

85 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 8.7.0 (latest)
  • 8.6.1
  • 8.5.0
  • 8.3.0
  • 8.2.0
  • 8.1.1
  • 8.1.0
  • 8.0.1
  • 7.0.1
  • 7.0.0
  • 5.0.3
  • 5.0.2
released Sep 16th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-freeradius', '8.7.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-freeradius
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-freeradius --version 8.7.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

simp/freeradius — version 8.7.0 Sep 16th 2024

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents

Overview

This module installs freeradius. The v3 manifests can be used to configure version 3 of freeradius. If an older version of freeradius is being used, rsync can be used to copy over configuration files created outside of Puppet. Rsync can also be used to copy over version 3 files.

This module includes a radiusd site and module that can be used to configure freeradius to work with a LDAP server.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.

Module Description

This module installs and configures freeradius. Its main purpose is to integrate freeradius with an existing LDAP server. It includes manifests that creates a virtual server (site) that configures freeradius to listen on all available interfaces and authenticate via LDAP.

See REFERENCE.md for more details.

Beginning with freeradius

Before using pupmod-simp-freeradius make sure to read the freeradius documentation

Much of the freeradius documentation is in the default configuration files, some of which get overwritten by this module. It could be helpful to extract and store these files in a separate location using the command:

rpm2cpio <free radius rpm> | cpio -idmv

Setup

  • Ensure the freeradius, freeradius-ldap and freeradius-utils packages are available to your package manager.

Defaults

  • Configuration directory: /etc/raddb
  • Log Directory: /var/log/freeradius
  • Ldap Bind user: bind_dn
  • Rsync: false

Set up Radius Server to use LDAP

This basic setup will configure RADIUS to listen on all interfaces and authenticate using LDAP.

Install freeradius and the LDAP module and site configuration.

Include the following in your Puppet code:

include 'freeradius'
include 'freeradius::v3::sites::ldap'
include 'freeradius::v3::modules::ldap'

If you are using a SIMP system, you can alternatively include the classes via Hiera:

---
simp::classes:
  - 'freeradius'
  - 'freeradius::v3::sites::ldap'
  - 'freeradius::v3::modules::ldap'

The default settings for radiusd.conf can be found in

  • freeradius::v3::conf
  • freeradius::v3::conf::log
  • freeradius::v3::conf::security
  • freeradius::v3::conf::thread_pool and can be changed using Hiera. See REFERENCE.md for more details.

The listener is setup in the freeradius::v3::sites::ldap class. Review that module if there is a need to change the listener or to use a global listener instead of one linked to a site.

Add radius clients:

Client configurations will need to be created to allow clients to talk to the server. See the default client.conf file installed by freeradius for information on how to configure clients.

The freeradius::v3::client defined type lets clients be created individually. Alternatively, a complete clients.conf file can be copied in by specifying the file source in Hiera with the variable freeradius::v3::conf::clients_conf_content.

Example clients:

  freeradius::v3::client { 'localhost':
    ipaddr => '127.0.0.1',
    secret => 'testing123',
    require_message_authenticator => false,
    nas_type => 'other',
    }

  freeradius::v3::client { 'mynetwork':
    ipaddr => '10.0.71.0/24',
    secret => 'testing123'
  }

or to copy over a file with clients defined, set the hiera variable:

---
# The setting is
# freeradius::v3::conf::clients_conf_content: <exact content to add to file>
freeradius::v3::conf::clients_conf_content: >
  Your entire
  configuration
  goes here

Other configuration

The following configurations are not needed for connection to LDAP. These are a few examples of alternate application configurations.

Add sites and modules

Other sites and modules you write can be added individually using freeradius::v3::site or freeradius::v3::module. In both cases, you specify the source file to be copied. For example, to specify a custom site:

freeradius::v3::site { 'mysite':
  source => puppet::///modules/mymodule/freeradius/mysite,
  enable => true
}

Existing sites that are in the sites-available directory can be added using

freeradius::v3::site { 'inner-triggers':
  enable => true
}

This will create the link and, if manage_sites_enabled is set to true, it will not be removed.

See the sites-available and mods-available directories on your system for examples and information on how to build the content of these files.

Configure the Radius Server with Rsync

If enabled, Freeradius will use the /var/simp/environments/<os>/Global/freeradius share on the SIMP rsync server. This allows for large or complex configurations that may not be appropriate for inclusion directly into puppet File resources.

Files in this directory will be copied via rsync to /etc/raddb. Make sure all permissions are correct, including the SELinux context.

In Hiera:

freeradius::use_rsync: true

Rsync will copy over all the files and overwrite anything that already exists. It will not purge any files.

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.