Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-freeradius', '8.7.0'
Overview
This module installs freeradius. The v3 manifests configure version 3 of freeradius. If an older version of freeradius is in use, rsync can be used to copy configuration files created outside of Puppet into place; rsync can also be used to copy version 3 files.
This module includes a radiusd site and module that can be used to configure freeradius to work with a LDAP server.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
Module Description
This module installs and configures freeradius. Its main purpose is to integrate freeradius with an existing LDAP server. It includes manifests that create a virtual server (site) which configures freeradius to listen on all available interfaces and authenticate via LDAP.
See REFERENCE.md for more details.
Beginning with freeradius
Before using pupmod-simp-freeradius, make sure to read the freeradius documentation.
Much of the freeradius documentation is in the default configuration files, some of which get overwritten by this module. It can be helpful to extract and store these files in a separate location before applying the module, using the command:
rpm2cpio <free radius rpm> | cpio -idmv
Setup
- Ensure the freeradius, freeradius-ldap and freeradius-utils packages are available to your package manager.
Defaults
- Configuration directory: /etc/raddb
- Log directory: /var/log/freeradius
- LDAP bind user: the value of simp_options::ldap::bind_dn (see freeradius::v3::modules::ldap::identity)
- Rsync: false
Set up Radius Server to use LDAP
This basic setup will configure RADIUS to listen on all interfaces and authenticate using LDAP. Note that listening on all interfaces does not by itself expose the server: when freeradius::firewall is true, the firewall rules only admit the networks listed in freeradius::v3::conf::trusted_nets, which defaults to the loopback addresses, so add your NAS networks there.
Install freeradius and the LDAP module and site configuration.
Include the following in your Puppet code:
include 'freeradius'
include 'freeradius::v3::sites::ldap'
include 'freeradius::v3::modules::ldap'
If you are using a SIMP system, you can alternatively include the classes via Hiera:
---
simp::classes:
- 'freeradius'
- 'freeradius::v3::sites::ldap'
- 'freeradius::v3::modules::ldap'
The default settings for radiusd.conf can be found in freeradius::v3::conf, freeradius::v3::conf::log, freeradius::v3::conf::security and freeradius::v3::conf::thread_pool, and can be changed using Hiera. See REFERENCE.md for more details.
The listener is set up in the freeradius::v3::sites::ldap class. Review that class if there is a need to change the listener or to use a global listener (freeradius::v3::listener) instead of one linked to a site.
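The setup above as a single node manifest. This is an added example, not code from the module's README; the LDAP hostname, base DN, bind DN, client network and the Hiera key used for the bind password are placeholders to replace. It uses only the classes and parameters documented in the Reference below, and turns off two defaults a hardened deployment usually does not want (Status-Server, and logging of passwords).

```puppet
# Added example: wire freeradius to an existing LDAP server over STARTTLS.
# Hostnames, DNs, networks and the Hiera key below are placeholders.
class profile::radius_ldap {
  # Declare the base class first; the other classes default their
  # paths (confdir, logdir, PKI files) from it.
  class { 'freeradius':
    firewall             => true,  # open radius_ports only to trusted_nets
    manage_sites_enabled => true,  # purge sites-enabled entries Puppet did not create
  }

  class { 'freeradius::v3::conf':
    trusted_nets => ['10.0.71.0/24', '127.0.0.1', '::1'],  # NAS network + loopback
    radius_ports => [1812, 1813],
    protocol     => 'udp',
  }

  # Log authentication results, never the passwords themselves.
  class { 'freeradius::v3::conf::log':
    destination   => 'syslog',
    auth          => true,
    auth_badpass  => false,
    auth_goodpass => false,
  }

  # Status-Server answers unauthenticated probes; leave it off unless a
  # monitoring client needs it.
  class { 'freeradius::v3::conf::security':
    status_server => false,
    reject_delay  => 1,
  }

  class { 'freeradius::v3::modules::ldap':
    server       => ['ldap://ldap.example.com'],
    port         => 389,
    start_tls    => true,     # upgrade the plain-text port to TLS before binding
    require_cert => 'demand', # refuse the connection if the LDAP certificate fails validation
    base_dn      => 'dc=example,dc=com',
    identity     => 'cn=hostAuth,ou=Hosts,dc=example,dc=com',
    # Assumed Hiera key holding the bind password; any String-valued lookup works.
    password     => lookup('profile::radius_ldap::bind_pw', String),
    user_filter  => '(uid=%{%{Stripped-User-Name}:-%{User-Name}})',
  }

  # The LDAP virtual server with its own listen sections on all interfaces.
  class { 'freeradius::v3::sites::ldap':
    listen_ip => 'ALL',
  }
}
```

The TLS parameters are the part worth checking after the first run: with start_tls true and require_cert 'demand', radiusd will refuse to bind if the CA in freeradius::app_pki_ca_dir does not validate the LDAP server's certificate, which fails closed rather than silently sending the bind password in clear text.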
Add radius clients:
Client configurations must be created to allow clients to talk to the server. See the default clients.conf file installed by freeradius for information on how to configure clients.
The freeradius::v3::client defined type lets clients be created individually. Alternatively, a complete clients.conf file can be supplied by setting freeradius::v3::conf::clients_conf_content in Hiera to the content of the file.
Example clients:
freeradius::v3::client { 'localhost':
  ipaddr                       => '127.0.0.1',
  secret                       => 'testing123',
  require_message_authenticator => false,
  nas_type                     => 'other',
}
freeradius::v3::client { 'mynetwork':
  ipaddr => '10.0.71.0/24',
  secret => 'testing123'
}
Two caveats on the example: 'testing123' is the well-known sample secret from the stock freeradius clients.conf and should be replaced with a distinct secret per client (or omit secret and let the define generate one with simplib::passgen), and require_message_authenticator defaults to true in this define; it is only disabled here for the loopback test client. The radtest utility from the freeradius-utils package can be used to confirm that a client entry and its secret are accepted.
or to copy over a file with clients defined, set the hiera variable:
---
# The setting is
# freeradius::v3::conf::clients_conf_content: <exact content to add to file>
freeradius::v3::conf::clients_conf_content: >
Your entire
configuration
goes here
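A set of client declarations the way a production deployment would write them. This is an added example, not code from the README; the names, addresses and Hiera keys are placeholders. It shows the three behaviours of the define that the page describes but the example above does not exercise: the generated per-client secret when secret is omitted, IPv6 handling, and RADIUS over TCP.

```puppet
# Added example: hardened client entries for freeradius::v3::client.
# Names, addresses and Hiera keys are placeholders.

# Loopback client for radtest/radclient on the server itself. With secret
# omitted the define uses simplib::passgen("freeradius_${name}"), so the
# secret is generated per host rather than shared across the fleet.
freeradius::v3::client { 'localhost':
  ipaddr   => '127.0.0.1',
  nas_type => 'other',
}

# A NAS subnet. require_message_authenticator is left at its default of
# true; only set it to false for a specific legacy NAS that cannot send
# the Message-Authenticator attribute.
freeradius::v3::client { 'wifi-controllers':
  ipaddr          => '10.0.71.0/24',
  secret          => lookup('profile::radius::wifi_secret', String),  # assumed Hiera key
  nas_type        => 'other',
  max_connections => 16,
}

# An address containing ':' is written out as ipv6addr by the define.
freeradius::v3::client { 'core-switch-v6':
  ipaddr => '2001:db8:71::10',
  secret => lookup('profile::radius::switch_secret', String),  # assumed Hiera key
}

# RADIUS over TCP for a client that supports it; proto is omitted (UDP) otherwise.
freeradius::v3::client { 'vpn-gateway':
  ipaddr => '10.0.80.5',
  proto  => 'tcp',
  secret => lookup('profile::radius::vpn_secret', String),  # assumed Hiera key
}
```

A client entry only lets radiusd accept packets from that address; the same networks still have to appear in freeradius::v3::conf::trusted_nets for the firewall rules to admit them when freeradius::firewall is enabled.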
Other configuration
The following configurations are not needed for connection to LDAP. These are a few examples of alternate application configurations.
Add sites and modules
Other sites and modules you write can be added individually using freeradius::v3::site or freeradius::v3::module. In both cases, you specify either the source file to be copied or the content inline. For example, to specify a custom site:
freeradius::v3::site { 'mysite':
  source  => 'puppet:///modules/mymodule/freeradius/mysite',
  enabled => true
}
Existing sites that are in the sites-available directory can be enabled using
freeradius::v3::site { 'inner-triggers':
  enabled => true
}
This creates the link in sites-enabled. If manage_sites_enabled is set to true, sites not declared in Puppet are purged from sites-enabled, but a site declared this way is managed and will not be removed.
See the sites-available and mods-available directories on your system for examples and information on how to build the content of these files.
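The three defines together: a custom virtual server delivered as inline content, a stock module enabled by link only, and a global listener declared separately from the LDAP site. This is an added example, not code from the README; the site body, module name, address and interface are placeholders, and 'auth' is assumed to be a valid member of the Freeradius::Listen type.

```puppet
# Added example: custom site, module enable-by-link, and a global listener.
# Site body, module name, address and interface are placeholders.

# Site body written inline; content and source are mutually exclusive.
freeradius::v3::site { 'inner-tunnel-ldap':
  enabled => true,
  content => @(SITE),
    server inner-tunnel-ldap {
      authorize {
        preprocess
        ldap
      }
      authenticate {
        Auth-Type LDAP {
          ldap
        }
      }
    }
    | SITE
}

# Neither content nor source: only the mods-enabled link is created.
# Assumes a definition of this name already exists in mods-available.
freeradius::v3::module { 'cui':
  enabled => true,
}

# Keep the LDAP site but drop its own listen sections, so the listener can
# be bound to one internal address and interface instead of ALL.
class { 'freeradius::v3::sites::ldap':
  include_listener => false,
}

freeradius::v3::listener { 'auth_inside':
  listen_type => 'auth',  # assumed member of Freeradius::Listen
  ipaddr      => '10.0.71.5',
  port        => 1812,
  interface   => 'eth1',
  max_pps     => 2000,    # rate-limit inbound packets on this socket
}
```

With include_listener set to false the site carries no listen section at all, so the server accepts nothing on that site until a freeradius::v3::listener (or a listen section in another site) is declared; do not reuse an address already claimed by another listener.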
Configure the Radius Server with Rsync
If enabled, Freeradius will use the /var/simp/environments/<os>/Global/freeradius share on the SIMP rsync server. This allows for large or complex configurations that may not be appropriate for inclusion directly into puppet File resources.
Files in this directory will be copied via rsync to /etc/raddb. Make sure all permissions are correct, including the SELinux context.
In Hiera:
freeradius::use_rsync: true
Rsync will copy over all the files and overwrite anything that already exists. It will not purge any files.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
- freeradius
- freeradius::config: Manage the permissions on directories and files and then either rsync content or create content
- freeradius::config::rsync: Rsync the configuration files to $freeradius::confdir. It does not remove any other files that exist in that directory
- freeradius::install: Install the freeradius server
- freeradius::service: Configure the radiusd service
- freeradius::v3::conf: Configure the radiusd.conf file. If clients_conf_content is set, it will add that content to the clients.conf file and include it
- freeradius::v3::conf::instantiate: Creates the 'instantiate' section of radiusd.conf
- freeradius::v3::conf::log: Add a 'log' section to freeradius
- freeradius::v3::conf::security: Add a 'security' section to freeradius
- freeradius::v3::conf::thread_pool: Add a 'thread pool' section to the freeradius configuration
- freeradius::v3::conf::users: Set up the freeradius users entries
- freeradius::v3::modules::ldap: Set up the LDAP module configuration
- freeradius::v3::sites::ldap: Create a site that authenticates using LDAP and listens on the interface defined by listen_ip
Defined types
- freeradius::v3::client: Add a client to /etc/raddb/clients.d/
- freeradius::v3::conf::user: Use concat to add content to the users file that is created by the freeradius::v3::conf::users class
- freeradius::v3::listen: Add a 'listen' section to a freeradius configuration file
- freeradius::v3::listener: Create a global listener in the conf.d directory
- freeradius::v3::module: Copies a module definition file to the mods-available directory and, if enabled, links it into mods-enabled
- freeradius::v3::site: Copies a site definition file to the sites-available directory and, if enabled, links it into sites-enabled
Data types
- Freeradius::Deref: Control under which situations aliases are followed
- Freeradius::Listen: Types of packets to listen for
- Freeradius::Logdest: Destination for log messages
- Freeradius::Nas: NAS-specific method to use when checking for simultaneous use
- Freeradius::Scope: LDAP search scope
Classes
freeradius
The freeradius class.
Parameters
The following parameters are available in the freeradius
class:
firewall
freeradius_name
user
uid
group
gid
sysconfdir
confdir
logdir
testcerts
use_rsync
package_ensure
manage_sites_enabled
pki
fips
app_pki_dir
app_pki_cert
app_pki_key
app_pki_ca
app_pki_ca_dir
app_pki_external_source
firewall
Data type: Boolean
If true set rules to open ports on firewall
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})
freeradius_name
Data type: String
Name of the package
Default value: 'freeradius'
user
Data type: String
Default value: 'radiusd'
uid
Data type: Integer
Default value: 95
group
Data type: String
Default value: 'radiusd'
gid
Data type: Integer
The user and group information for the local system that is used to run freeradius.
Default value: 95
sysconfdir
Data type: Stdlib::Absolutepath
Top level configuration directory.
Default value: '/etc'
confdir
Data type: Stdlib::Absolutepath
The configuration directories where the radius files are kept.
Default value: "${sysconfdir}/raddb"
logdir
Data type: Stdlib::Absolutepath
freeradius log directory
Default value: '/var/log/freeradius'
testcerts
Data type: Boolean
Whether or not freeradius should generate test certs at installation time.
Default value: false
use_rsync
Data type: Boolean
If true rsync will be used to copy configuration files into place. The other configuration manifests only work with freeradius version 3 or later, if you are using an earlier version you will need to copy files this way. rsync will not remove any files so you can use a combination of rsync and manifests.
Default value: false
package_ensure
Data type: String
String to pass to the freeradius package ensure attribute
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
manage_sites_enabled
Data type: Boolean
If true then only sites managed by puppet will be allowed in the sites-enabled directory. Files that are rsync'd are not "managed" by puppet. Use the freeradius::v3::site define or a file resource to create sites.
Default value: false
pki
Data type: Variant[Boolean,Enum['simp']]
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
fips
Data type: Boolean
Default value: simplib::lookup('simp_options::fips', {'default_value' => false })
app_pki_dir
Data type: Stdlib::Absolutepath
Default value: '/etc/pki/simp_apps/freeradius/x509'
app_pki_cert
Data type: Stdlib::Absolutepath
Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"
app_pki_key
Data type: Stdlib::Absolutepath
Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"
app_pki_ca
Data type: Stdlib::Absolutepath
Default value: "${app_pki_dir}/cacerts/cacerts.pem"
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Default value: "${app_pki_dir}/cacerts"
app_pki_external_source
Data type: Stdlib::Absolutepath
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
freeradius::config
Manage the permissions on directories and files and then either rsync content or create content.
freeradius::config::rsync
Rsync the configuration files to $freeradius::confdir. It does not remove any other files that exist in that directory.
The defaults in this module use the freeradius share set up by the simp-simp module in the simp::server::rsync_shares manifest.
Parameters
The following parameters are available in the freeradius::config::rsync
class:
rsync_source
Data type: String
The source on the rsync server
Default value: "freeradius_${facts['environment']}_${facts['os']['name']}/"
rsync_server
Data type: Simplib::Host
If freeradius::use_rsync is true, specify the rsync server from which to pull here.
Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1'})
radius_rsync_user
Data type: String
Since radius holds sensitive information, the rsync space should be accordingly protected. This has been designed with the assumption that you will utilize the internal simplib::passgen mechanism to set the password. You can optionally specify $radius_rsync_password.
Default value: "freeradius_systems_${facts['environment']}_${facts['os']['name'].downcase}"
radius_rsync_password
Data type: String
If no password is specified, simplib::passgen will be used
Default value: simplib::passgen($radius_rsync_user)
rsync_timeout
Data type: Integer
If freeradius::use_rsync is true, specify the rsync connection timeout here.
Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2})
rsync_bwlimit
Data type: Optional[Integer]
rsync bandwidth limit
Default value: undef
freeradius::install
Install the freeradius server
freeradius::service
Configure the radiusd service
freeradius::v3::conf
Configure the radiusd.conf file.
If clients_conf_content is set, it will add that content to the clients.conf file and include it in the source. Otherwise it includes clients.d/* and clients will have to be set up using the freeradius::v3::client defined type.
If trigger_conf_content is set it will add that content to trigger.conf and include this file in radiusd.conf.
Freeradius Parameters
The following parameters are settings in the radiusd.conf file.
- See also
- radiusd.conf(5) for additional information.
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
SIMP-Related Parameters
These parameters are effective in a larger SIMP installation
Custom Content Parameters
These parameters add custom content to various parts of the configuration.
Parameters
The following parameters are available in the freeradius::v3::conf
class:
cleanup_delay
correct_escapes
default_acct_listener
hostname_lookups
localstatedir
max_request_time
max_requests
radius_ports
trusted_nets
protocol
clients_conf_content
proxy_conf_content
trigger_conf_content
users_conf_content
cleanup_delay
Data type: Integer[2,10]
Default value: 5
correct_escapes
Data type: Boolean
Default value: true
default_acct_listener
Data type: Boolean
Default value: true
hostname_lookups
Data type: Boolean
Default value: false
localstatedir
Data type: Stdlib::AbsolutePath
Default value: '/var'
max_request_time
Data type: Integer[2,120]
Default value: 30
max_requests
Data type: Integer[256]
Default value: 1024
radius_ports
Data type: Array[Simplib::Port]
The ports where freeradius will listen
Default value: [1812, 1813]
trusted_nets
Data type: Simplib::Netlist
Networks and/or hosts that are allowed to access the RADIUS server
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1']})
protocol
Data type: Enum['udp','tcp','ALL']
What protocols will be used to make sure the firewall is opened correctly
Default value: 'ALL'
clients_conf_content
Data type: Optional[String]
Content for the clients.conf
file if not creating clients individually
Default value: undef
proxy_conf_content
Data type: Optional[String]
If $proxy_request is true, use this content for the proxy.conf file
Default value: undef
trigger_conf_content
Data type: Optional[String]
The content for the trigger.conf file
Default value: undef
users_conf_content
Data type: Optional[String]
The content for the authorize
file
Default value: undef
freeradius::v3::conf::instantiate
Creates the 'instantiate' section of radiusd.conf in a file under conf.d.
This section is included by the directive $INCLUDE conf.d/ in the radiusd.conf file.
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::conf::instantiate
class:
content
Data type: Optional[String]
The literal content of the section that you would like to add. Leading and trailing spaces will be removed.
Default value: undef
freeradius::v3::conf::log
Add a 'log' section to freeradius
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::conf::log
class:
destination
log_file
syslog_facility
stripped_names
auth
auth_badpass
auth_goodpass
msg_goodpass
msg_badpass
msg_denied
destination
Data type: Freeradius::Logdest
Default value: 'syslog'
log_file
Data type: Stdlib::AbsolutePath
Default value: "${freeradius::logdir}/radius.log"
syslog_facility
Data type: Simplib::Syslog::Facility
Default value: 'local6'
stripped_names
Data type: Boolean
Default value: false
auth
Data type: Boolean
Default value: true
auth_badpass
Data type: Boolean
Default value: false
auth_goodpass
Data type: Boolean
Default value: false
msg_goodpass
Data type: Optional[String]
Default value: undef
msg_badpass
Data type: Optional[String]
Default value: undef
msg_denied
Data type: Optional[String]
Default value: undef
freeradius::v3::conf::security
Add a 'security' section to freeradius.
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::conf::security
class:
max_attributes
reject_delay
status_server
allow_core_dumps
chroot
chroot_path
chroot_user
chroot_group
max_attributes
Data type: Integer
Default value: 200
reject_delay
Data type: Integer[1,5]
Default value: 1
status_server
Data type: Boolean
Default value: true
allow_core_dumps
Data type: Boolean
Default value: false
chroot
Data type: Boolean
whether or not to run radiusd in a chroot
Default value: false
chroot_path
Data type: Optional[Stdlib::Absolutepath]
directory where the server does "chroot"
Default value: undef
chroot_user
Data type: Optional[String]
User to run the daemon as; must be defined if using a chroot
Default value: undef
chroot_group
Data type: Optional[String]
Group to run daemon as.
Default value: undef
freeradius::v3::conf::thread_pool
Add a 'thread pool' section to the freeradius configuration
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::conf::thread_pool
class:
start_servers
max_servers
min_spare_servers
max_spare_servers
max_requests_per_server
max_queue_size
auto_limit_acct
start_servers
Data type: Integer
Default value: 5
max_servers
Data type: Integer
Default value: 32
min_spare_servers
Data type: Integer
Default value: 3
max_spare_servers
Data type: Integer
Default value: 10
max_requests_per_server
Data type: Integer
Default value: 0
max_queue_size
Data type: Optional[Integer]
Default value: undef
auto_limit_acct
Data type: Boolean
Default value: false
freeradius::v3::conf::users
Set up the freeradius users entries
freeradius::v3::modules::ldap
Set up the LDAP module configuration.
Parameters
The following parameters are available in the freeradius::v3::modules::ldap
class:
base_dn
app_pki_key
app_pki_cert
app_pki_ca_dir
confdir
group
base_filter
client_scope
client_filter
client_attribute_identifier
client_attribute_secret
client_attribute_shortname
client_attribute_nas_type
client_attribute_virtual_server
client_attribute_require_message_authenticator
default_profile
group_scope
group_filter
group_name_attribute
group_membership_filter
group_membership_attribute
group_cacheable_name
group_cacheable_dn
identity
ldap_connections_number
ldap_debug
ldap_timeout
ldap_timelimit
options_chase_referrals
options_dereference
options_idle
options_interval
options_net_timeout
options_probes
options_rebind
password
pool_start
pool_min
pool_max
pool_spare
pool_uses
pool_lifetime
pool_idle_timeout
port
profile_attribute
random_file
require_cert
retry_delay
start_tls
user_filter
user_access_attribute
user_access_positive
user_scope
server
post_auth_content
accounting_content
content
base_dn
Data type: String
Default value: simplib::lookup('simp_options::ldap::base_dn')
app_pki_key
Data type: Stdlib::AbsolutePath
Path and name of the private SSL key file
Default value: $freeradius::app_pki_key
app_pki_cert
Data type: Stdlib::AbsolutePath
Path and name of the public SSL certificate
Default value: $freeradius::app_pki_cert
app_pki_ca_dir
Data type: Stdlib::AbsolutePath
Path to the CA.
Default value: $freeradius::app_pki_ca_dir
confdir
Data type: Stdlib::Absolutepath
Freeradius configuration directory
Default value: $freeradius::confdir
group
Data type: String
Group radiusd is running under.
Default value: $freeradius::group
base_filter
Data type: String
Default value: '(objectclass=radiusprofile)'
client_scope
Data type: Optional[Freeradius::Scope]
Default value: undef
client_filter
Data type: String
Default value: '(objectClass=frClient)'
client_attribute_identifier
Data type: String
Default value: 'radiusClientIdentifier'
client_attribute_secret
Data type: String
Default value: 'radiusClientSecret'
client_attribute_shortname
Data type: Optional[String]
Default value: undef
client_attribute_nas_type
Data type: Optional[String]
Default value: undef
client_attribute_virtual_server
Data type: Optional[String]
Default value: undef
client_attribute_require_message_authenticator
Data type: Optional[String]
Default value: undef
default_profile
Data type: Optional[String]
Default value: undef
group_scope
Data type: Optional[Freeradius::Scope]
Default value: undef
group_filter
Data type: String
Default value: '(objectClass=posixGroup)'
group_name_attribute
Data type: String
Default value: 'cn'
group_membership_filter
Data type: String
Default value: '(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))'
group_membership_attribute
Data type: String
If this does not contain a value then Group Membership Checking will not be enabled.
Default value: 'memberOf'
group_cacheable_name
Data type: Boolean
Default value: false
group_cacheable_dn
Data type: Boolean
Default value: false
identity
Data type: String
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => "cn=hostAuth,ou=Hosts,%{lookup('simp_options::ldap::base_dn')}", 'value_type' => String })
ldap_connections_number
Data type: Integer[1]
Default value: 5
ldap_debug
Data type: Optional[String]
Default value: undef
ldap_timeout
Data type: Integer
Default value: 4
ldap_timelimit
Data type: Integer
Default value: 3
options_chase_referrals
Data type: Boolean
Default value: false
options_dereference
Data type: Freeradius::Deref
Default value: 'never'
options_idle
Data type: Integer
Default value: 60
options_interval
Data type: Integer
Default value: 3
options_net_timeout
Data type: Integer
Default value: 1
options_probes
Data type: Integer
Default value: 3
options_rebind
Data type: Boolean
Default value: false
password
Data type: String
Default value: simplib::lookup('simp_options::ldap::bind_pw')
pool_start
Data type: Integer[1]
Default value: 5
pool_min
Data type: Integer[1]
Default value: 4
pool_max
Data type: Integer[1]
Default value: 10
pool_spare
Data type: Integer[1]
Default value: 3
pool_uses
Data type: Integer[0]
Default value: 0
pool_lifetime
Data type: Integer[0]
Default value: 0
pool_idle_timeout
Data type: Integer[1]
Default value: 60
port
Data type: Simplib::Port
Default value: 389
profile_attribute
Data type: Optional[String]
Default value: undef
random_file
Data type: Stdlib::AbsolutePath
Default value: '/dev/urandom'
require_cert
Data type: String
Default value: 'demand'
retry_delay
Data type: Integer[1]
Default value: 30
start_tls
Data type: Boolean
Default value: true
user_filter
Data type: String
Default value: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
user_access_attribute
Data type: Optional[String]
Default value: undef
user_access_positive
Data type: Boolean
Default value: true
user_scope
Data type: Optional[Freeradius::Scope]
Default value: undef
server
Data type: Array[Simplib::Uri]
Default value: simplib::lookup('simp_options::ldap::uri')
post_auth_content
Data type: Optional[String]
Override the contents of the post-auth section of the configuration
- Do NOT include the post-auth header or the beginning or end curly brace
Default value: undef
accounting_content
Data type: Optional[String]
Override the contents of the accounting section of the configuration
- Do NOT include the accounting header or the beginning or end curly brace
Default value: undef
content
Data type: Optional[String]
Specify the entire contents of the configuration file
- All other options will be ignored
Default value: undef
freeradius::v3::sites::ldap
This will create a site that will authenticate using LDAP and listen on the interface defined by listen_ip. The default is to listen on all interfaces.
- See also
- /etc/raddb/sites-available/default for more information on sites
Parameters
The following parameters are available in the freeradius::v3::sites::ldap
class:
site_name
Data type: String
The name of the site
Default value: 'default'
enable
Data type: Boolean
Whether to enable the site or not
Default value: true
confdir
Data type: Stdlib::Absolutepath
Configuration directory for freeradius
Default value: $freeradius::confdir
include_listener
Data type: Boolean
If set to true then 'listen' sections will be set up for the site. Otherwise listen_ip will be ignored and a listener must be set up separately with the freeradius::v3::listener defined type.
Default value: true
group
Data type: String
Group radiusd runs under.
Default value: $freeradius::group
listen_ip
Data type: Simplib::Host
The ip addresses to listen on. See setting ipaddr in sites-enabled/default.
Default value: 'ALL'
max_connections
Data type: Integer
Default value: 16
lifetime
Data type: Integer
Default value: 0
idle_timeout
Data type: Integer
Default value: 30
Defined types
freeradius::v3::client
Add a client to /etc/raddb/clients.d/
- See also
- clients.conf(5) for additional information.
Parameters
The following parameters are available in the freeradius::v3::client
defined type:
secret
ipaddr
client_name
coa_server
idle_timeout
lifetime
login
max_connections
nas_type
password
proto
require_message_authenticator
response_window
shortname
virtual_server
secret
Data type: String
If you do not specify a secret, then one will be created for you using $name as the id.
Default value: simplib::passgen("freeradius_${name}")
ipaddr
Data type: Variant[Simplib::IP, Simplib::IP::CIDR]
If set to something with a ':' in it, it will be treated as ipv6addr instead.
client_name
Data type: String
Default value: $name
coa_server
Data type: Optional[String]
Default value: undef
idle_timeout
Data type: Integer
Default value: 30
lifetime
Data type: Integer
Default value: 0
login
Data type: Optional[String]
Default value: undef
max_connections
Data type: Integer
Default value: 16
nas_type
Data type: Optional[Freeradius::Nas]
Default value: undef
password
Data type: Optional[String]
Default value: undef
proto
Data type: Optional[Enum['udp','tcp','*']]
Default value: undef
require_message_authenticator
Data type: Boolean
Default value: true
response_window
Data type: Optional[Float[0.0]]
Default value: undef
shortname
Data type: Optional[String]
Default value: undef
virtual_server
Data type: Optional[String]
Default value: undef
freeradius::v3::conf::user
Use concat to add content to the users file that is created by the freeradius::v3::conf::users class.
This defined type should not be used if freeradius::v3::conf::users_conf_content is set in Hiera. That setting copies (what is expected to be) a complete users file that you have defined into place.
- See also
- users(5) for additional details on user entries.
Examples
Adding the normal defaults for PPP
freeradius::v3::conf::user { 'default_ppp':
  is_default => true,
  order      => 500,
  content    => '
    Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP'
}
Adding a disabled user
freeradius::v3::conf::user { 'lameuser':
  order   => 0,
  content => '
    Auth-Type := Reject
    Reply-Message = "Your account has been disabled."'
}
Parameters
The following parameters are available in the freeradius::v3::conf::user
defined type:
name
The name of the user.
If $is_default is set to true, this will be treated as a DEFAULT user entry and the name will be used for uniqueness. It is recommended to use something like 'default_ppp', 'default_slip', etc. for these entries.
content
Data type: String
The actual content of the entry per users(5). The $name will be used as the left hand initial value unless $is_default = true. All other portions must be properly included, starting with the initial comparison or assignment.
- Leading whitespace is ignored.
is_default
Data type: Boolean
Whether or not the entry is for a DEFAULT user entry.
Default value: false
order
Data type: Integer[1]
An ordering number for including the entries in the file; lower numbers are placed earlier.
- Generally, you will want default entries at the end of the file, but this is not strictly enforced. You have been warned!
Default value: 100
confdir
Data type: Stdlib::Absolutepath
The configuration directory for radiusd.
Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )
freeradius::v3::listen
Add a 'listen' section to a freeradius configuration file.
The following parameters are all configuration parameters.
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::listen
defined type:
target
listen_type
order
idle_timeout
interface
ipaddr
lifetime
max_connections
max_pps
per_socket_clients
port
target
Data type: Stdlib::Absolutepath
The concat target to add this section to
listen_type
Data type: Freeradius::Listen
order
Data type: Integer[1]
Indicates the order for this element among the concat fragments.
Default value: 100
idle_timeout
Data type: Optional[Integer]
Default value: undef
interface
Data type: Optional[String]
Default value: undef
ipaddr
Data type: Simplib::Host
Be careful not to use the same IP address on more than one listener
Default value: 'ALL'
lifetime
Data type: Optional[Integer]
Default value: undef
max_connections
Data type: Optional[Integer]
Default value: undef
max_pps
Data type: Optional[Integer]
Default value: undef
per_socket_clients
Data type: Optional[String]
Default value: undef
port
Data type: Optional[Simplib::Port]
Default value: undef
freeradius::v3::listener
Create a global listener in the conf.d directory.
The following parameters are all configuration parameters.
- See also
- For detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius rpm using rpm2cpio <free radius rpm> | cpio -idmv
Parameters
The following parameters are available in the freeradius::v3::listener
defined type:
listen_type
order
confdir
group
idle_timeout
interface
ipaddr
lifetime
max_connections
max_pps
per_socket_clients
port
listen_type
Data type: Freeradius::Listen
order
Data type: Integer[1]
Indicates the order for this element among the concat fragments.
Default value: 100
confdir
Data type: Stdlib::Absolutepath
Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )
group
Data type: String
Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )
idle_timeout
Data type: Optional[Integer]
Default value: undef
interface
Data type: Optional[String]
Default value: undef
ipaddr
Data type: Simplib::Host
Be careful not to use the same ip address in more than one listener
Default value: 'ALL'
lifetime
Data type: Optional[Integer]
Default value: undef
max_connections
Data type: Optional[Integer]
Default value: undef
max_pps
Data type: Optional[Integer]
Default value: undef
per_socket_clients
Data type: Optional[String]
Default value: undef
port
Data type: Optional[Simplib::Port]
Default value: undef
freeradius::v3::module
and if it is enabled, links it to the mods-enabled
directory.
If neither content or source is defined and ft it enabled then it will just create a link.
- See also
- mods-available for further documentation on modules.
Parameters
The following parameters are available in the freeradius::v3::module
defined type:
enabled
Data type: Boolean
If true, a link will be created in mods-enabled to enable the module.
Default value: false
content
Data type: Optional[String]
The actual content of the module. Only one of content or source can be used.
Default value: undef
source
Data type: Optional[String]
The source file of the module definition. Only one of content or source can be used.
Default value: undef
confdir
Data type: Stdlib::Absolutepath
The configuration directory
Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )
group
Data type: String
The group radiusd will run under
Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )
freeradius::v3::site
if it is enabled, links it to the sites-enabled directory.
Note: If freeradius::manage_sites is enabled, any site not defined in puppet will be purged.
If neither content nor source is defined and it is enabled, then it will just create a link.
- See also
- site definitions in sites-available for further documentation on sites.
Parameters
The following parameters are available in the freeradius::v3::site
defined type:
enabled
Data type: Boolean
If true, a link will be created in sites-enabled to enable the site.
Default value: false
content
Data type: Optional[String]
The actual content of the site definition. Only one of content or source can be used.
Default value: undef
source
Data type: Optional[String]
The source file of the site definition. Only one of content or source can be used.
Default value: undef
confdir
Data type: Stdlib::Absolutepath
The configuration directory
Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )
group
Data type: String
The group radiusd will run under
Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )
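Declaring a module and a site with these two defined types, as an added example that is not from the module's own documentation: the module is enabled without content or source (link only), while the site supplies its own content. The site name and the site stanza are constructed for illustration.

```puppet
# Added example, not code from pupmod-simp-freeradius itself.
# Neither content nor source is given, so only the mods-enabled link is
# created and the stock mods-available/ldap file from the rpm is what gets
# enabled. Review that stock file before relying on it.
freeradius::v3::module { 'ldap':
  enabled => true,
}

# Content is given, so the file is written under sites-available and, because
# enabled is true, linked into sites-enabled. With freeradius::manage_sites
# enabled, any site not declared like this is purged. The stanza below is a
# constructed, minimal FreeRADIUS 3 virtual server that authenticates via LDAP.
freeradius::v3::site { 'ldap_auth':
  enabled => true,
  content => @(SITE),
    server ldap_auth {
      listen {
        type   = auth
        ipaddr = *
        port   = 1812
      }
      authorize {
        ldap
      }
      authenticate {
        Auth-Type LDAP {
          ldap
        }
      }
    }
    | SITE
}
```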
Data types
Freeradius::Deref
Control under which situations aliases are followed
Alias of Enum['never', 'searching', 'finding', 'always']
Freeradius::Listen
Types of packets to listen for
Alias of Enum['auth', 'acct', 'proxy', 'detail', 'status', 'coa']
Freeradius::Logdest
Destination for log messages
Alias of Enum['files', 'syslog', 'stdout', 'stderr']
Freeradius::Nas
NAS-specific method to use when checking for simultaneous use
Alias of Enum['cisco', 'computone', 'livingston', 'max40xx', 'multitech', 'netserver', 'pathras', 'patton', 'portslave', 'tc', 'usrhiper', 'other']
Freeradius::Scope
LDAP search scope
Alias of Enum['base', 'one', 'sub', 'children']
- Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 8.7.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Wed Jan 17 2024 Richard Gardner rick@sicura.us - 8.6.1
- Updated hiera.yaml facts to support puppet 8
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 8.6.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 8.5.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 8.4.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 8.3.0
- Add RockyLinux 8 support
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.2.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Dec 17 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 8.1.2
- Maintenance update for module assets
- Wed Sep 16 2020 Liz Nemsick lnemsick.simp@gmail.com - 8.1.1-0
- Advertise OEL support in the metadata.json.
- Tue Mar 31 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Fix missing group_filter option in LDAP
- Add support for overriding post-auth in LDAP
- Add support for overriding accounting in LDAP
- Add support for specifying the entire file content
- Fix OEL tests
- Add support for simplib < 5
- Mon Aug 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0
- Remove simp_options::puppet::server from the default lookup logic for freeradius::v3::modules::ldap::server. In systems that use Bolt to compile and apply manifests, that setting will not be available.
- Add types documentation
- Tue Jul 02 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.0.1-0
- Updated documentation
- Cleaned up for puppet strings
- Added REFERENCE.md
- Updated README.md
- Switched all FIPS checks to use top level inherited checks
- Add Puppet 6 support
- Tue Mar 12 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 8.0.0-0
- Refactored API
- Strong typed all variables and updated functions for puppet 5 compatibility.
- Removed support for freeradius version 2 and CentOS 6.
- Inner-tunnel site is not added by default any more.
- Added check for FIPS mode and fail if server is in FIPS mode.
- Created ldap site and module to be used to integrate freeradius with ldap server. Instructions for use are in the README.
- SQL sites are not added by default.
- Update the upper bound of stdlib to < 6.0.0
- Added acceptance and spec tests
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.1-0
- Confine puppet version in metadata.json
- Tue Jan 17 2017 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0
- Updated global catalysts
- Refactored module
- Application certs now managed in /etc/pki/simp_apps/freeradius/x509
- Thu Dec 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- Updated to use the environment-aware rsync in SIMP 6
- Wed Nov 23 2016 Jeanne Greulich jgreulich@onyxpoint.com - 6.0.0-0
- Bump major version number for SIMP 6
- Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.4-0
- Minor cleanup
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.4-0
- Updated iptables dependency version
- Tue Aug 02 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.2-0
- Update to the new naming scheme
- Sat May 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.1-0
- Update to fix the absence of the logdir variable after the v2/v3 refactor.
- Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Ensure Puppet 4 compatibility. This changes the (always incorrect, but allowed) '2' and '3' paths to 'v2' and 'v3'.
- Be sure to check and update your Hiera data!
- Fixed the case where the radius_version fact does not exist.
- Wed Dec 02 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.0-6
- Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
- Common module assets have been normalized.
- Fixed a bug with the radius_rsync_user passgen.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.0-5
- migration to simplib and simpcat (lib/ only)
- Mon Jun 29 2015 Nick Miller nick.miller@onyxpoint.com - 4.2.0-4
- Moved validation from the templates and put them in their own functions
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-3
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-2
- Changed puppet-server requirement to puppet
- Fri Dec 19 2014 Kendall Moore kmoore@keywcorp.com - 4.2.0-1
- Added default site and updated LDAP module.
- Fri Sep 19 2014 Kendall Moore kmoore@keywcorp.com - 4.2.0-0
- Added a fact 'radius_version' to fetch the installed version of freeradius from the system.
- Updated for RHEL 7/FreeRADIUS 3.X
- Moved FreeRADIUS 2.X/3.X into their own namespaces due to significant differences.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed MD5 file checksums for FIPS compliance.
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Deleted stock classes and related spec tests so they can be ported to the simp module.
- Mon Apr 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Convert the ldap module over to using the new hiera variables.
- Fri Apr 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Removed all references to $pupbuildloc since it is no longer used.
- Mon Feb 24 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Fixed bug in conf/listen logic.
- Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Fixed booleans in ERB templates
- Fri Jan 10 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Updated for puppet 3 and hiera compatibility.
- Removed all singleton defines.
- Changed all boolean strings to native booleans.
- Updated all code documentation.
- Thu Oct 03 2013 Kendall Moore kmoore@keywcorp.com - 4.0-6
- Updated all erb templates to properly scope variables.
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7
- Use 'versioncmp' for all version comparisons.
- Fri May 17 2013 Adam Yohrling adam.yohrling@onyxpoint.com 4.0-6
- Updated the LDAP configuration to support specifying the server port as well as using SSL instead of START_TLS.
- Mon Feb 25 2013 Maintenance 4.0-5
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Fri Nov 30 2012 Maintenance 4.0.0-4
- Created a Cucumber test to ensure that FreeRADIUS installs correctly when including freeradius in the puppet server manifest.
- Thu Jun 07 2012 Maintenance 4.0.0-3
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Created separate definition for adding clients.
- Removed trailing whitespace in the t_allowed_nastype enumerator.
- Updated the groupname_attribute and groupmembership_filter values and templating.
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-2
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 4.0.0-1
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Mon Nov 07 2011 Maintenance 4.0.0-0
- Updated to handle RHEL6 properly.
- Mon Oct 10 2011 Maintenance 2.0.0-2
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Modified all multi-line exec statements to act as defined on a single line to address bugs in puppet 2.7.5
- Sat Mar 19 2011 Maintenance - 2.0.0-1
- Added comments to freeradius::modules::ldap to note that users will need to manage their own service restart if they use alternate certificates.
- Ensure that the freeradius daemon restarts when cacerts is updated.
- Updated to use rsync native type
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-1
- Converting all spec files to check for directories prior to copy.
- Fri Jul 02 2010 Maintenance 1.0-0
- Initial offering, probably less than ideal.
Dependencies
- simp/iptables (>= 6.5.3 < 8.0.0)
- simp/pki (>= 6.2.0 < 7.0.0)
- simp/rsync (>= 6.1.1 < 7.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
pupmod-simp-freeradius - A Puppet Module for managing FreeRADIUS -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.