Update to 2021-12-01 19:13

roles/radius_server/templates/clients.conf.j2

@@ -0,0 +1,7 @@
+{% for client in rad_clients %}
+client {{ client.name }} {
+  ipaddr = {{ client.ip }}
+  secret = {{ client.secret }}
+  nas_type = {{ client.nas_type | default('other') }}
+}
+{% endfor %}

roles/radius_server/templates/modules/eap.conf.j2

@@ -0,0 +1,27 @@
+eap {
+  default_eap_type = tls
+  tls-config tls-common {
+{% if rad_tls_key_pass is defined %}
+    private_key_password = {{ rad_tls_key_pass }}
+{% endif %}
+    private_key_file = /etc/radius/certs/key.pem
+    certificate_file = /etc/radius/certs/cert.pem
+{% if rad_tls_ca is defined %}
+    ca_file = /etc/radius/certs/ca.pem
+{% endif %}
+    dh_file = /etc/radius/certs/dh.pem
+    ca_path = /etc/radius/certs/
+    ecdh_curve = "prime256v1"
+{% if rad_tls_issuert is defined %}
+    check_cert_issuer = "{{ rad_tls_issuer }}"
+{% endif %}
+    verify {
+      tmpdir = /run/radiusd/tls
+      client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'{% endif %}"
+    }
+  }
+
+  tls {
+    tls = tls-common
+  }
+}

roles/radius_server/templates/radiusd.conf.j2

@@ -0,0 +1,46 @@
+prefix = /usr
+localstatedir = /var/lib/radiusd
+logdir = /var/log/radius
+run_dir = /run/radiusd
+correct_escapes = true
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 16384
+hostname_lookups = no
+log {
+  destination = syslog
+  syslog_facility = daemon
+  colourise = yes
+  stripped_names = no
+  auth = yes
+  auth_badpass = no
+  auth_goodpass = no
+}
+security {
+  user = radiusd
+  group = radiusd
+  allow_core_dumps = no
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+proxy_requests  = no
+
+$INCLUDE clients.conf
+
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+  auto_limit_acct = no
+}
+modules {
+  $INCLUDE modules/eap.conf
+}
+instantiate {
+}
+policy {
+}
+$INCLUDE sites.conf

roles/radius_server/templates/radiusd.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service
+
+[Service]
+Type=simple
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -f -d /etc/radius
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=256M
+
+[Install]
+WantedBy=multi-user.target

roles/radius_server/templates/sites.conf.j2

@@ -0,0 +1,31 @@
+server site {
+  listen {
+    type = auth
+    ipaddr = *
+    port = {{ rad_auth_port }}
+    limit {
+      max_connections = 16
+      lifetime = 0
+      idle_timeout = 30
+    }
+  }
+
+  authorize {
+    eap {
+      ok = return
+    }
+  }
+
+  authenticate {
+    eap
+  }
+
+  session {
+  }
+
+  post-auth {
+    update {
+      &reply: += &session-state:
+    }
+  }
+}

roles/radius_server/templates/tmpfiles.conf

@@ -0,0 +1,2 @@
+d /run/radiusd 710 radiusd radiusd
+d /run/radiusd/tls 700 radiusd radiusd