init

.gitignore

@@ -0,0 +1,5 @@
+*.swp
+/data
+docker-compose.override.yml
+env_override*
+*.pyc

docker-compose.yml

@@ -0,0 +1,32 @@
+version: '2'
+
+services:
+  #    postgresql:
+  #        build: ./postgresql
+  #        container_name: radius-postgresql
+  #        networks:
+  #            radius.internal.docker:
+  #                aliases:
+  #                    - postgresql.radius.internal.docker
+  #        volumes:
+  #            - ./data/postgresql/data:/var/lib/postgresql/data
+  #            - ./data/postgresql/backup:/var/lib/postgresql/backup
+  #        ports:
+  #            - "127.0.0.1:34020:5432"
+  #        env_file:
+  #            - env
+
+    freeradius:
+        build: ./freeradius
+        container_name: radius-freeradius
+        networks:
+            radius.internal.docker:
+                aliases:
+                    - freeradius.radius.internal.docker
+        ports:
+            - "0.0.0.0:1812:1812/udp"
+        env_file:
+            - env
+
+networks:
+    radius.internal.docker:

env

@@ -0,0 +1,19 @@
+DHCP_TSIG_KEY_NAME=dhcpupdate
+DHCP_TSIG_KEY_ALGO=hmac-md5
+DHCP_TSIG_KEY_SECRET=Y2hhbmdlX2l0
+
+DHCP_DNS_MASTER=10.15.100.1
+DHCP_DNS_SERVER=10.15.100.1
+DHCP_TFTP_SERVER=10.15.100.1
+DHCP_ROUTERS=10.15.100.1
+
+DHCP_DOMAIN=example.com
+DHCP_SITE_DOMAIN=site.example.com
+DHCP_DYN_IPS_DOMAIN=dhcp.site.example.com
+DHCP_REV_DOMAIN=100.15.10.in-addr.arpa.
+
+DHCP_SUBNET=10.15.100.0
+DHCP_NETMASK=255.255.255.0
+DHCP_IP_FIRST=10.15.100.50
+DHCP_IP_LAST=10.15.100.250
+DHCP_BROADCAST=10.15.100.255

freeradius/Dockerfile

@@ -0,0 +1,35 @@
+FROM robinthoni/debian-multiarch:jessie
+
+MAINTAINER Robin Thoni <robin@rthoni.com>
+
+ARG CONFIG_DIR=/etc/default/config-files/
+
+RUN apt-get update && apt-get -y install\
+        freeradius &&\
+        apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN rm -rf /var/log/*
+
+COPY ./vars-vars /etc/vars-vars
+
+COPY ./vars-files /etc/vars-files
+
+COPY ./common.sh /common.sh
+
+COPY ./run.sh /run.sh
+
+#RUN echo 'bob     Cleartext-Password := "hello"' >> /etc/freeradius/users
+
+#RUN echo "client 0.0.0.0 {\nnetmask 0\nsecret testing123\n}" >> /etc/freeradius/clients.conf
+
+RUN mkdir "${CONFIG_DIR}"
+
+COPY config/users "${CONFIG_DIR}"/users
+
+COPY config/clients.conf "${CONFIG_DIR}"/clients.conf
+
+#COPY dhcpd.conf "${CONFIG_DIR}"/dhcpd.conf
+
+EXPOSE 80
+
+CMD ["/run.sh"]

freeradius/common.sh

@@ -0,0 +1,41 @@
+export CONFIG_DIR="/etc/default/config-files/"
+
+resolv_host()
+{
+  hostname="${1}"
+  ip=$(getent hosts "${hostname}" | cut -d' ' -f1)
+  echo "${ip}"
+}
+
+replace_var()
+{
+  file="${1}"
+  var="${2}"
+  sed -e "s?${var}?${!var}?g" -i "${file}"
+}
+
+replace_vars()
+{
+  file="${1}"
+  for var in $(cat /etc/vars-vars)
+  do
+    replace_var "${file}" "${var}"
+  done
+}
+
+replace_files()
+{
+  cat /etc/vars-files | while read line
+  do
+    filesrc="${CONFIG_DIR}$(echo "${line}" | awk '{print $1}')"
+    filedst=$(echo "${line}" | awk '{print $2}')
+    if [ -f "${filesrc}" ]
+    then
+      echo "Expanding file ${filesrc} to ${filedst}"
+      cp "${filesrc}" "${filedst}"
+      replace_vars "${filedst}"
+    else
+      echo "File ${filesrc} does not exist. Skipping."
+    fi
+  done
+}

freeradius/config/clients.conf

@@ -0,0 +1,241 @@
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+##  $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
+
+#######################################################################
+#
+#  Define RADIUS clients (usually a NAS, Access Point, etc.).
+
+#
+#  Defines a RADIUS client.
+#
+#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
+#  to allow testing of the server after an initial installation.  If you
+#  are not going to be permitting RADIUS queries from localhost, we suggest
+#  that you delete, or comment out, this entry.
+#
+#
+
+#
+#  Each client has a "short name" that is used to distinguish it from
+#  other clients.
+#
+#  In version 1.x, the string after the word "client" was the IP
+#  address of the client.  In 2.0, the IP address is configured via
+#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
+#  format is still accepted.
+#
+client localhost {
+  #  Allowed values are:
+  # dotted quad (1.2.3.4)
+  #       hostname    (radius.example.com)
+  ipaddr = 127.0.0.1
+
+  #  OR, you can use an IPv6 address, but not both
+  #  at the same time.
+# ipv6addr = :: # any.  ::1 == localhost
+
+  #
+  #  A note on DNS:  We STRONGLY recommend using IP addresses
+  #  rather than host names.  Using host names means that the
+  #  server will do DNS lookups when it starts, making it
+  #  dependent on DNS.  i.e. If anything goes wrong with DNS,
+  #  the server won't start!
+  #
+  #  The server also looks up the IP address from DNS once, and
+  #  only once, when it starts.  If the DNS record is later
+  #  updated, the server WILL NOT see that update.
+  #
+
+  #  One client definition can be applied to an entire network.
+  #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
+  #  "netmask = 8"
+  #
+  #  If not specified, the default netmask is 32 (i.e. /32)
+  #
+  #  We do NOT recommend using anything other than 32.  There
+  #  are usually other, better ways to achieve the same goal.
+  #  Using netmasks of other than 32 can cause security issues.
+  #
+  #  You can specify overlapping networks (127/8 and 127.0/16)
+  #  In that case, the smallest possible network will be used
+  #  as the "best match" for the client.
+  #
+  #  Clients can also be defined dynamically at run time, based
+  #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
+  #  etc.
+  #  See raddb/sites-available/dynamic-clients for details.
+  #
+
+# netmask = 32
+
+  #
+  #  The shared secret use to "encrypt" and "sign" packets between
+  #  the NAS and FreeRADIUS.  You MUST change this secret from the
+  #  default, otherwise it's not a secret any more!
+  #
+  #  The secret can be any string, up to 8k characters in length.
+  #
+  #  Control codes can be entered vi octal encoding,
+  # e.g. "\101\102" == "AB"
+  #  Quotation marks can be entered by escaping them,
+  # e.g. "foo\"bar"
+  #
+  #  A note on security:  The security of the RADIUS protocol
+  #  depends COMPLETELY on this secret!  We recommend using a
+  #  shared secret that is composed of:
+  #
+  # upper case letters
+  # lower case letters
+  # numbers
+  #
+  #  And is at LEAST 8 characters long, preferably 16 characters in
+  #  length.  The secret MUST be random, and should not be words,
+  #  phrase, or anything else that is recognizable.
+  #
+  #  The default secret below is only for testing, and should
+  #  not be used in any real environment.
+  #
+  secret    = testing123
+
+  #
+  #  Old-style clients do not send a Message-Authenticator
+  #  in an Access-Request.  RFC 5080 suggests that all clients
+  #  SHOULD include it in an Access-Request.  The configuration
+  #  item below allows the server to require it.  If a client
+  #  is required to include a Message-Authenticator and it does
+  #  not, then the packet will be silently discarded.
+  #
+  #  allowed values: yes, no
+  require_message_authenticator = no
+
+  #
+  #  The short name is used as an alias for the fully qualified
+  #  domain name, or the IP address.
+  #
+  #  It is accepted for compatibility with 1.x, but it is no
+  #  longer necessary in 2.0
+  #
+# shortname = localhost
+
+  #
+  # the following three fields are optional, but may be used by
+  # checkrad.pl for simultaneous use checks
+  #
+
+  #
+  # The nastype tells 'checkrad.pl' which NAS-specific method to
+  #  use to query the NAS for simultaneous use.
+  #
+  #  Permitted NAS types are:
+  #
+  # cisco
+  # computone
+  # livingston
+  # juniper
+  # max40xx
+  # multitech
+  # netserver
+  # pathras
+  # patton
+  # portslave
+  # tc
+  # usrhiper
+  # other   # for all other types
+
+  #
+  nastype     = other # localhost isn't usually a NAS...
+
+  #
+  #  The following two configurations are for future use.
+  #  The 'naspasswd' file is currently used to store the NAS
+  #  login name and password, which is used by checkrad.pl
+  #  when querying the NAS for simultaneous use.
+  #
+# login       = !root
+# password    = someadminpas
+
+  #
+  #  As of 2.0, clients can also be tied to a virtual server.
+  #  This is done by setting the "virtual_server" configuration
+  #  item, as in the example below.
+  #
+# virtual_server = home1
+
+  #
+  #  A pointer to the "home_server_pool" OR a "home_server"
+  #  section that contains the CoA configuration for this
+  #  client.  For an example of a coa home server or pool,
+  #  see raddb/sites-available/originate-coa
+# coa_server = coa
+}
+
+# IPv6 Client
+#client ::1 {
+# secret    = testing123
+# shortname = localhost
+#}
+#
+# All IPv6 Site-local clients
+#client fe80::/16 {
+# secret    = testing123
+# shortname = localhost
+#}
+
+#client some.host.org {
+# secret    = testing123
+# shortname = localhost
+#}
+
+#
+#  You can now specify one secret for a network of clients.
+#  When a client request comes in, the BEST match is chosen.
+#  i.e. The entry from the smallest possible network.
+#
+#client 192.168.0.0/24 {
+# secret    = testing123-1
+# shortname = private-network-1
+#}
+#
+#client 192.168.0.0/16 {
+# secret    = testing123-2
+# shortname = private-network-2
+#}
+
+
+#client 10.10.10.10 {
+# # secret and password are mapped through the "secrets" file.
+# secret      = testing123
+# shortname   = liv1
+#       # the following three fields are optional, but may be used by
+#       # checkrad.pl for simultaneous usage checks
+# nastype     = livingston
+# login       = !root
+# password    = someadminpas
+#}
+
+#######################################################################
+#
+#  Per-socket client lists.  The configuration entries are exactly
+#  the same as above, but they are nested inside of a section.
+#
+#  You can have as many per-socket client lists as you have "listen"
+#  sections, or you can re-use a list among multiple "listen" sections.
+#
+#  Un-comment this section, and edit a "listen" section to add:
+#  "clients = per_socket_clients".  That IP address/port combination
+#  will then accept ONLY the clients listed in this section.
+#
+#clients per_socket_clients {
+# client 192.168.3.4 {
+#   secret = testing123
+#        }
+#}
+
+client everyone {
+  ipaddr = 0.0.0.0
+  netmask = 0
+  secret = testing123
+}

freeradius/config/eap.conf

@@ -0,0 +1,688 @@
+# -*- text -*-
+##
+##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
+##
+##  $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
+
+#######################################################################
+#
+#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
+#  is smart enough to figure this out on its own.  The most
+#  common side effect of setting 'Auth-Type := EAP' is that the
+#  users then cannot use ANY other authentication method.
+#
+#  EAP types NOT listed here may be supported via the "eap2" module.
+#  See experimental.conf for documentation.
+#
+  eap {
+    #  Invoke the default supported EAP type when
+    #  EAP-Identity response is received.
+    #
+    #  The incoming EAP messages DO NOT specify which EAP
+    #  type they will be using, so it MUST be set here.
+    #
+    #  For now, only one default EAP type may be used at a time.
+    #
+    #  If the EAP-Type attribute is set by another module,
+    #  then that EAP type takes precedence over the
+    #  default type configured here.
+    #
+    default_eap_type = peap
+
+    #  A list is maintained to correlate EAP-Response
+    #  packets with EAP-Request packets.  After a
+    #  configurable length of time, entries in the list
+    #  expire, and are deleted.
+    #
+    timer_expire     = 60
+
+    #  There are many EAP types, but the server has support
+    #  for only a limited subset.  If the server receives
+    #  a request for an EAP type it does not support, then
+    #  it normally rejects the request.  By setting this
+    #  configuration to "yes", you can tell the server to
+    #  instead keep processing the request.  Another module
+    #  MUST then be configured to proxy the request to
+    #  another RADIUS server which supports that EAP type.
+    #
+    #  If another module is NOT configured to handle the
+    #  request, then the request will still end up being
+    #  rejected.
+    ignore_unknown_eap_types = no
+
+    # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
+    # a User-Name attribute in an Access-Accept, it copies one
+    # more byte than it should.
+    #
+    # We can work around it by configurably adding an extra
+    # zero byte.
+    cisco_accounting_username_bug = no
+
+    #
+    #  Help prevent DoS attacks by limiting the number of
+    #  sessions that the server is tracking.  For simplicity,
+    #  this is taken from the "max_requests" directive in
+    #  radiusd.conf.
+    max_sessions = ${max_requests}
+
+    # Supported EAP-types
+
+    #
+    #  We do NOT recommend using EAP-MD5 authentication
+    #  for wireless connections.  It is insecure, and does
+    #  not provide for dynamic WEP keys.
+    #
+    md5 {
+    }
+
+    # Cisco LEAP
+    #
+    #  We do not recommend using LEAP in new deployments.  See:
+    #  http://www.securiteam.com/tools/5TP012ACKE.html
+    #
+    #  Cisco LEAP uses the MS-CHAP algorithm (but not
+    #  the MS-CHAP attributes) to perform it's authentication.
+    #
+    #  As a result, LEAP *requires* access to the plain-text
+    #  User-Password, or the NT-Password attributes.
+    #  'System' authentication is impossible with LEAP.
+    #
+    leap {
+    }
+
+    #  Generic Token Card.
+    #
+    #  Currently, this is only permitted inside of EAP-TTLS,
+    #  or EAP-PEAP.  The module "challenges" the user with
+    #  text, and the response from the user is taken to be
+    #  the User-Password.
+    #
+    #  Proxying the tunneled EAP-GTC session is a bad idea,
+    #  the users password will go over the wire in plain-text,
+    #  for anyone to see.
+    #
+    gtc {
+      #  The default challenge, which many clients
+      #  ignore..
+      #challenge = "Password: "
+
+      #  The plain-text response which comes back
+      #  is put into a User-Password attribute,
+      #  and passed to another module for
+      #  authentication.  This allows the EAP-GTC
+      #  response to be checked against plain-text,
+      #  or crypt'd passwords.
+      #
+      #  If you say "Local" instead of "PAP", then
+      #  the module will look for a User-Password
+      #  configured for the request, and do the
+      #  authentication itself.
+      #
+      auth_type = PAP
+    }
+
+    ## EAP-TLS
+    #
+    #  See raddb/certs/README for additional comments
+    #  on certificates.
+    #
+    #  If OpenSSL was not found at the time the server was
+    #  built, the "tls", "ttls", and "peap" sections will
+    #  be ignored.
+    #
+    #  Otherwise, when the server first starts in debugging
+    #  mode, test certificates will be created.  See the
+    #  "make_cert_command" below for details, and the README
+    #  file in raddb/certs
+    #
+    #  These test certificates SHOULD NOT be used in a normal
+    #  deployment.  They are created only to make it easier
+    #  to install the server, and to perform some simple
+    #  tests with EAP-TLS, TTLS, or PEAP.
+    #
+    #  See also:
+    #
+    #  http://www.dslreports.com/forum/remark,9286052~mode=flat
+    #
+    #  Note that you should NOT use a globally known CA here!
+    #  e.g. using a Verisign cert as a "known CA" means that
+    #  ANYONE who has a certificate signed by them can
+    #  authenticate via EAP-TLS!  This is likely not what you want.
+    tls {
+      #
+      #  These is used to simplify later configurations.
+      #
+      certdir = ${confdir}/certs
+      cadir = ${confdir}/certs
+
+      private_key_password = whatever
+      private_key_file = ${certdir}/server.key
+
+      #  If Private key & Certificate are located in
+      #  the same file, then private_key_file &
+      #  certificate_file must contain the same file
+      #  name.
+      #
+      #  If CA_file (below) is not used, then the
+      #  certificate_file below MUST include not
+      #  only the server certificate, but ALSO all
+      #  of the CA certificates used to sign the
+      #  server certificate.
+      certificate_file = ${certdir}/server.pem
+
+      #  Trusted Root CA list
+      #
+      #  ALL of the CA's in this list will be trusted
+      #  to issue client certificates for authentication.
+      #
+      #  In general, you should use self-signed
+      #  certificates for 802.1x (EAP) authentication.
+      #  In that case, this CA file should contain
+      #  *one* CA certificate.
+      #
+      #  This parameter is used only for EAP-TLS,
+      #  when you issue client certificates.  If you do
+      #  not use client certificates, and you do not want
+      #  to permit EAP-TLS authentication, then delete
+      #  this configuration item.
+      CA_file = ${cadir}/ca.pem
+
+      #
+      #  For DH cipher suites to work, you have to
+      #  run OpenSSL to create the DH file first:
+      #
+      #   openssl dhparam -out certs/dh 1024
+      #
+      dh_file = ${certdir}/dh
+      random_file = /dev/urandom
+
+
+      #
+      #  This can never exceed the size of a RADIUS
+      #  packet (4096 bytes), and is preferably half
+      #  that, to accomodate other attributes in
+      #  RADIUS packet.  On most APs the MAX packet
+      #  length is configured between 1500 - 1600
+      #  In these cases, fragment size should be
+      #  1024 or less.
+      #
+    # fragment_size = 1024
+
+      #  include_length is a flag which is
+      #  by default set to yes If set to
+      #  yes, Total Length of the message is
+      #  included in EVERY packet we send.
+      #  If set to no, Total Length of the
+      #  message is included ONLY in the
+      #  First packet of a fragment series.
+      #
+    # include_length = yes
+
+      #  Check the Certificate Revocation List
+      #
+      #  1) Copy CA certificates and CRLs to same directory.
+      #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+      #    'c_rehash' is OpenSSL's command.
+      #  3) uncomment the line below.
+      #  5) Restart radiusd
+    # check_crl = yes
+      CA_path = ${cadir}
+
+           #
+           #  If check_cert_issuer is set, the value will
+           #  be checked against the DN of the issuer in
+           #  the client certificate.  If the values do not
+           #  match, the cerficate verification will fail,
+           #  rejecting the user.
+           #
+           #  In 2.1.10 and later, this check can be done
+           #  more generally by checking the value of the
+           #  TLS-Client-Cert-Issuer attribute.  This check
+           #  can be done via any mechanism you choose.
+           #
+    #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+           #
+           #  If check_cert_cn is set, the value will
+           #  be xlat'ed and checked against the CN
+           #  in the client certificate.  If the values
+           #  do not match, the certificate verification
+           #  will fail rejecting the user.
+           #
+           #  This check is done only if the previous
+           #  "check_cert_issuer" is not set, or if
+           #  the check succeeds.
+           #
+           #  In 2.1.10 and later, this check can be done
+           #  more generally by checking the value of the
+           #  TLS-Client-Cert-CN attribute.  This check
+           #  can be done via any mechanism you choose.
+           #
+    # check_cert_cn = %{User-Name}
+    #
+      # Set this option to specify the allowed
+      # TLS cipher suites.  The format is listed
+      # in "man 1 ciphers".
+      cipher_list = "DEFAULT"
+
+      #
+      # As part of checking a client certificate, the EAP-TLS
+      # sets some attributes such as TLS-Client-Cert-CN. This
+      # virtual server has access to these attributes, and can
+      # be used to accept or reject the request.
+      #
+    # virtual_server = check-eap-tls
+
+      # This command creates the initial "snake oil"
+      # certificates when the server is run as root,
+      # and via "radiusd -X".
+      #
+      # As of 2.1.11, it *also* checks the server
+      # certificate for validity, including expiration.
+      # This means that radiusd will refuse to start
+      # when the certificate has expired.  The alternative
+      # is to have the 802.1X clients refuse to connect
+      # when they discover the certificate has expired.
+      #
+      # Debugging client issues is hard, so it's better
+      # for the server to print out an error message,
+      # and refuse to start.
+      #
+      make_cert_command = "${certdir}/bootstrap"
+
+      #
+      #  Elliptical cryptography configuration
+      #
+      #  Only for OpenSSL >= 0.9.8.f
+      #
+      ecdh_curve = "prime256v1"
+
+      #
+      #  Session resumption / fast reauthentication
+      #  cache.
+      #
+      #  The cache contains the following information:
+      #
+      #  session Id - unique identifier, managed by SSL
+      #  User-Name  - from the Access-Accept
+      #  Stripped-User-Name - from the Access-Request
+      #  Cached-Session-Policy - from the Access-Accept
+      #
+      #  The "Cached-Session-Policy" is the name of a
+      #  policy which should be applied to the cached
+      #  session.  This policy can be used to assign
+      #  VLANs, IP addresses, etc.  It serves as a useful
+      #  way to re-apply the policy from the original
+      #  Access-Accept to the subsequent Access-Accept
+      #  for the cached session.
+      #
+      #  On session resumption, these attributes are
+      #  copied from the cache, and placed into the
+      #  reply list.
+      #
+      #  You probably also want "use_tunneled_reply = yes"
+      #  when using fast session resumption.
+      #
+      cache {
+            #
+            #  Enable it.  The default is "no".
+            #  Deleting the entire "cache" subsection
+            #  Also disables caching.
+            #
+            #  You can disallow resumption for a
+            #  particular user by adding the following
+            #  attribute to the control item list:
+            #
+            #   Allow-Session-Resumption = No
+            #
+            #  If "enable = no" below, you CANNOT
+            #  enable resumption for just one user
+            #  by setting the above attribute to "yes".
+            #
+            enable = no
+
+            #
+            #  Lifetime of the cached entries, in hours.
+            #  The sessions will be deleted after this
+            #  time.
+            #
+            lifetime = 24 # hours
+
+            #
+            #  The maximum number of entries in the
+            #  cache.  Set to "0" for "infinite".
+            #
+            #  This could be set to the number of users
+            #  who are logged in... which can be a LOT.
+            #
+            max_entries = 255
+      }
+
+      #
+      #  As of version 2.1.10, client certificates can be
+      #  validated via an external command.  This allows
+      #  dynamic CRLs or OCSP to be used.
+      #
+      #  This configuration is commented out in the
+      #  default configuration.  Uncomment it, and configure
+      #  the correct paths below to enable it.
+      #
+      verify {
+        #  A temporary directory where the client
+        #  certificates are stored.  This directory
+        #  MUST be owned by the UID of the server,
+        #  and MUST not be accessible by any other
+        #  users.  When the server starts, it will do
+        #  "chmod go-rwx" on the directory, for
+        #  security reasons.  The directory MUST
+        #  exist when the server starts.
+        #
+        #  You should also delete all of the files
+        #  in the directory when the server starts.
+    #         tmpdir = /tmp/radiusd
+
+        #  The command used to verify the client cert.
+        #  We recommend using the OpenSSL command-line
+        #  tool.
+        #
+        #  The ${..CA_path} text is a reference to
+        #  the CA_path variable defined above.
+        #
+        #  The %{TLS-Client-Cert-Filename} is the name
+        #  of the temporary file containing the cert
+        #  in PEM format.  This file is automatically
+        #  deleted by the server when the command
+        #  returns.
+    #       client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+      }
+
+      #
+      #  OCSP Configuration
+      #  Certificates can be verified against an OCSP
+      #  Responder. This makes it possible to immediately
+      #  revoke certificates without the distribution of
+      #  new Certificate Revokation Lists (CRLs).
+      #
+      ocsp {
+            #
+            #  Enable it.  The default is "no".
+            #  Deleting the entire "ocsp" subsection
+            #  Also disables ocsp checking
+            #
+            enable = no
+
+            #
+            #  The OCSP Responder URL can be automatically
+            #  extracted from the certificate in question.
+            #  To override the OCSP Responder URL set
+            #  "override_cert_url = yes". 
+            #
+            override_cert_url = yes
+
+            #
+            #  If the OCSP Responder address is not
+            #  extracted from the certificate, the
+            #  URL can be defined here.
+
+            #
+            #  Limitation: Currently the HTTP
+            #  Request is not sending the "Host: "
+            #  information to the web-server.  This
+            #  can be a problem if the OCSP
+            #  Responder is running as a vhost.
+            #
+            url = "http://127.0.0.1/ocsp/"
+
+            #
+            # If the OCSP Responder can not cope with nonce
+            # in the request, then it can be disabled here.
+            #
+            # For security reasons, disabling this option
+            # is not recommended as nonce protects against
+            # replay attacks.
+            #
+            # Note that Microsoft AD Certificate Services OCSP
+            # Responder does not enable nonce by default. It is
+            # more secure to enable nonce on the responder than
+            # to disable it in the query here.
+            # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+            #
+            # use_nonce = yes
+
+            #
+            # Number of seconds before giving up waiting
+            # for OCSP response. 0 uses system default.
+            #
+            # timeout = 0
+
+            #
+            # Normally an error in querying the OCSP
+            # responder (no response from server, server did
+            # not understand the request, etc) will result in
+            # a validation failure.
+            #
+            # To treat these errors as 'soft' failures and
+            # still accept the certificate, enable this
+            # option.
+            # 
+            # Warning: this may enable clients with revoked
+            # certificates to connect if the OCSP responder
+            # is not available. Use with caution.
+            #
+            # softfail = no
+      }
+    }
+
+    #  The TTLS module implements the EAP-TTLS protocol,
+    #  which can be described as EAP inside of Diameter,
+    #  inside of TLS, inside of EAP, inside of RADIUS...
+    #
+    #  Surprisingly, it works quite well.
+    #
+    #  The TTLS module needs the TLS module to be installed
+    #  and configured, in order to use the TLS tunnel
+    #  inside of the EAP packet.  You will still need to
+    #  configure the TLS module, even if you do not want
+    #  to deploy EAP-TLS in your network.  Users will not
+    #  be able to request EAP-TLS, as it requires them to
+    #  have a client certificate.  EAP-TTLS does not
+    #  require a client certificate.
+    #
+    #  You can make TTLS require a client cert by setting
+    #
+    # EAP-TLS-Require-Client-Cert = Yes
+    #
+    #  in the control items for a request.
+    #
+    ttls {
+      #  The tunneled EAP session needs a default
+      #  EAP type which is separate from the one for
+      #  the non-tunneled EAP module.  Inside of the
+      #  TTLS tunnel, we recommend using EAP-MD5.
+      #  If the request does not contain an EAP
+      #  conversation, then this configuration entry
+      #  is ignored.
+      default_eap_type = md5
+
+      #  The tunneled authentication request does
+      #  not usually contain useful attributes
+      #  like 'Calling-Station-Id', etc.  These
+      #  attributes are outside of the tunnel,
+      #  and normally unavailable to the tunneled
+      #  authentication request.
+      #
+      #  By setting this configuration entry to
+      #  'yes', any attribute which NOT in the
+      #  tunneled authentication request, but
+      #  which IS available outside of the tunnel,
+      #  is copied to the tunneled request.
+      #
+      # allowed values: {no, yes}
+      copy_request_to_tunnel = no
+
+      #  The reply attributes sent to the NAS are
+      #  usually based on the name of the user
+      #  'outside' of the tunnel (usually
+      #  'anonymous').  If you want to send the
+      #  reply attributes based on the user name
+      #  inside of the tunnel, then set this
+      #  configuration entry to 'yes', and the reply
+      #  to the NAS will be taken from the reply to
+      #  the tunneled request.
+      #
+      # allowed values: {no, yes}
+      use_tunneled_reply = no
+
+      #
+      #  The inner tunneled request can be sent
+      #  through a virtual server constructed
+      #  specifically for this purpose.
+      #
+      #  If this entry is commented out, the inner
+      #  tunneled request will be sent through
+      #  the virtual server that processed the
+      #  outer requests.
+      #
+      virtual_server = "inner-tunnel"
+
+      #  This has the same meaning as the
+      #  same field in the "tls" module, above.
+      #  The default value here is "yes".
+    # include_length = yes
+    }
+
+    ##################################################
+    #
+    #  !!!!! WARNINGS for Windows compatibility  !!!!!
+    #
+    ##################################################
+    #
+    #  If you see the server send an Access-Challenge,
+    #  and the client never sends another Access-Request,
+    #  then
+    #
+    #   STOP!
+    #
+    #  The server certificate has to have special OID's
+    #  in it, or else the Microsoft clients will silently
+    #  fail.  See the "scripts/xpextensions" file for
+    #  details, and the following page:
+    #
+    # http://support.microsoft.com/kb/814394/en-us
+    #
+    #  For additional Windows XP SP2 issues, see:
+    #
+    # http://support.microsoft.com/kb/885453/en-us
+    #
+    #
+    #  If is still doesn't work, and you're using Samba,
+    #  you may be encountering a Samba bug.  See:
+    #
+    # https://bugzilla.samba.org/show_bug.cgi?id=6563
+    #
+    #  Note that we do not necessarily agree with their
+    #  explanation... but the fix does appear to work.
+    #
+    ##################################################
+
+    #
+    #  The tunneled EAP session needs a default EAP type
+    #  which is separate from the one for the non-tunneled
+    #  EAP module.  Inside of the TLS/PEAP tunnel, we
+    #  recommend using EAP-MS-CHAPv2.
+    #
+    #  The PEAP module needs the TLS module to be installed
+    #  and configured, in order to use the TLS tunnel
+    #  inside of the EAP packet.  You will still need to
+    #  configure the TLS module, even if you do not want
+    #  to deploy EAP-TLS in your network.  Users will not
+    #  be able to request EAP-TLS, as it requires them to
+    #  have a client certificate.  EAP-PEAP does not
+    #  require a client certificate.
+    #
+    #
+    #  You can make PEAP require a client cert by setting
+    #
+    # EAP-TLS-Require-Client-Cert = Yes
+    #
+    #  in the control items for a request.
+    #
+    peap {
+      #  The tunneled EAP session needs a default
+      #  EAP type which is separate from the one for
+      #  the non-tunneled EAP module.  Inside of the
+      #  PEAP tunnel, we recommend using MS-CHAPv2,
+      #  as that is the default type supported by
+      #  Windows clients.
+      default_eap_type = mschapv2
+
+      #  the PEAP module also has these configuration
+      #  items, which are the same as for TTLS.
+      copy_request_to_tunnel = no
+      use_tunneled_reply = no
+
+      #  When the tunneled session is proxied, the
+      #  home server may not understand EAP-MSCHAP-V2.
+      #  Set this entry to "no" to proxy the tunneled
+      #  EAP-MSCHAP-V2 as normal MSCHAPv2.
+    # proxy_tunneled_request_as_eap = yes
+
+      #
+      #  The inner tunneled request can be sent
+      #  through a virtual server constructed
+      #  specifically for this purpose.
+      #
+      #  If this entry is commented out, the inner
+      #  tunneled request will be sent through
+      #  the virtual server that processed the
+      #  outer requests.
+      #
+      virtual_server = "inner-tunnel"
+
+      # This option enables support for MS-SoH
+      # see doc/SoH.txt for more info.
+      # It is disabled by default.
+      #
+#     soh = yes
+
+      #
+      # The SoH reply will be turned into a request which
+      # can be sent to a specific virtual server:
+      #
+#     soh_virtual_server = "soh-server"
+    }
+
+    #
+    #  This takes no configuration.
+    #
+    #  Note that it is the EAP MS-CHAPv2 sub-module, not
+    #  the main 'mschap' module.
+    #
+    #  Note also that in order for this sub-module to work,
+    #  the main 'mschap' module MUST ALSO be configured.
+    #
+    #  This module is the *Microsoft* implementation of MS-CHAPv2
+    #  in EAP.  There is another (incompatible) implementation
+    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+    #  currently support.
+    #
+    mschapv2 {
+      #  Prior to version 2.1.11, the module never
+      #  sent the MS-CHAP-Error message to the
+      #  client.  This worked, but it had issues
+      #  when the cached password was wrong.  The
+      #  server *should* send "E=691 R=0" to the
+      #  client, which tells it to prompt the user
+      #  for a new password.
+      #
+      #  The default is to behave as in 2.1.10 and
+      #  earlier, which is known to work.  If you
+      #  set "send_error = yes", then the error
+      #  message will be sent back to the client.
+      #  This *may* help some clients work better,
+      #  but *may* also cause other clients to stop
+      #  working.
+      #
+#     send_error = no
+    }
+  }

freeradius/config/users

@@ -0,0 +1,205 @@
+#
+# Please read the documentation file ../doc/processing_users_file,
+# or 'man 5 users' (after installing the server) for more information.
+#
+# This file contains authentication security and configuration
+# information for each user.  Accounting requests are NOT processed
+# through this file.  Instead, see 'acct_users', in this directory.
+#
+# The first field is the user's name and can be up to
+# 253 characters in length.  This is followed (on the same line) with
+# the list of authentication requirements for that user.  This can
+# include password, comm server name, comm server port number, protocol
+# type (perhaps set by the "hints" file), and huntgroup name (set by
+# the "huntgroups" file).
+#
+# If you are not sure why a particular reply is being sent by the
+# server, then run the server in debugging mode (radiusd -X), and
+# you will see which entries in this file are matched.
+#
+# When an authentication request is received from the comm server,
+# these values are tested. Only the first match is used unless the
+# "Fall-Through" variable is set to "Yes".
+#
+# A special user named "DEFAULT" matches on all usernames.
+# You can have several DEFAULT entries. All entries are processed
+# in the order they appear in this file. The first entry that
+# matches the login-request will stop processing unless you use
+# the Fall-Through variable.
+#
+# If you use the database support to turn this file into a .db or .dbm
+# file, the DEFAULT entries _have_ to be at the end of this file and
+# you can't have multiple entries for one username.
+#
+# Indented (with the tab character) lines following the first
+# line indicate the configuration values to be passed back to
+# the comm server to allow the initiation of a user session.
+# This can include things like the PPP configuration values
+# or the host to log the user onto.
+#
+# You can include another `users' file with `$INCLUDE users.other'
+#
+
+#
+# For a list of RADIUS attributes, and links to their definitions,
+# see:
+#
+# http://www.freeradius.org/rfc/attributes.html
+#
+
+#
+# Deny access for a specific user.  Note that this entry MUST
+# be before any other 'Auth-Type' attribute which results in the user
+# being authenticated.
+#
+# Note that there is NO 'Fall-Through' attribute, so the user will not
+# be given any additional resources.
+#
+#lameuser Auth-Type := Reject
+#   Reply-Message = "Your account has been disabled."
+
+#
+# Deny access for a group of users.
+#
+# Note that there is NO 'Fall-Through' attribute, so the user will not
+# be given any additional resources.
+#
+#DEFAULT  Group == "disabled", Auth-Type := Reject
+#   Reply-Message = "Your account has been disabled."
+#
+
+#
+# This is a complete entry for "steve". Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used, and the user will NOT
+# get any attributes in addition to the ones listed here.
+#
+#steve  Cleartext-Password := "testing"
+# Service-Type = Framed-User,
+# Framed-Protocol = PPP,
+# Framed-IP-Address = 172.16.3.33,
+# Framed-IP-Netmask = 255.255.255.0,
+# Framed-Routing = Broadcast-Listen,
+# Framed-Filter-Id = "std.ppp",
+# Framed-MTU = 1500,
+# Framed-Compression = Van-Jacobsen-TCP-IP
+
+#
+# This is an entry for a user with a space in their name.
+# Note the double quotes surrounding the name.
+#
+#"John Doe" Cleartext-Password := "hello"
+#   Reply-Message = "Hello, %{User-Name}"
+
+#
+# Dial user back and telnet to the default host for that port
+#
+#Deg  Cleartext-Password := "ge55ged"
+# Service-Type = Callback-Login-User,
+# Login-IP-Host = 0.0.0.0,
+# Callback-Number = "9,5551212",
+# Login-Service = Telnet,
+# Login-TCP-Port = Telnet
+
+#
+# Another complete entry. After the user "dialbk" has logged in, the
+# connection will be broken and the user will be dialed back after which
+# he will get a connection to the host "timeshare1".
+#
+#dialbk Cleartext-Password := "callme"
+# Service-Type = Callback-Login-User,
+# Login-IP-Host = timeshare1,
+# Login-Service = PortMaster,
+# Callback-Number = "9,1-800-555-1212"
+
+#
+# user "swilson" will only get a static IP number if he logs in with
+# a framed protocol on a terminal server in Alphen (see the huntgroups file).
+#
+# Note that by setting "Fall-Through", other attributes will be added from
+# the following DEFAULT entries
+#
+#swilson  Service-Type == Framed-User, Huntgroup-Name == "alphen"
+#   Framed-IP-Address = 192.168.1.65,
+#   Fall-Through = Yes
+
+#
+# If the user logs in as 'username.shell', then authenticate them
+# using the default method, give them shell access, and stop processing
+# the rest of the file.
+#
+#DEFAULT  Suffix == ".shell"
+#   Service-Type = Login-User,
+#   Login-Service = Telnet,
+#   Login-IP-Host = your.shell.machine
+
+
+#
+# The rest of this file contains the several DEFAULT entries.
+# DEFAULT entries match with all login names.
+# Note that DEFAULT entries can also Fall-Through (see first entry).
+# A name-value pair from a DEFAULT entry will _NEVER_ override
+# an already existing name-value pair.
+#
+
+#
+# Set up different IP address pools for the terminal servers.
+# Note that the "+" behind the IP address means that this is the "base"
+# IP address. The Port-Id (S0, S1 etc) will be added to it.
+#
+#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "alphen"
+#   Framed-IP-Address = 192.168.1.32+,
+#   Fall-Through = Yes
+
+#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "delft"
+#   Framed-IP-Address = 192.168.2.32+,
+#   Fall-Through = Yes
+
+#
+# Sample defaults for all framed connections.
+#
+#DEFAULT  Service-Type == Framed-User
+# Framed-IP-Address = 255.255.255.254,
+# Framed-MTU = 576,
+# Service-Type = Framed-User,
+# Fall-Through = Yes
+
+#
+# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
+# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
+# by the terminal server in which case there may not be a "P" suffix.
+# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
+#
+DEFAULT Framed-Protocol == PPP
+  Framed-Protocol = PPP,
+  Framed-Compression = Van-Jacobson-TCP-IP
+
+#
+# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
+#
+DEFAULT Hint == "CSLIP"
+  Framed-Protocol = SLIP,
+  Framed-Compression = Van-Jacobson-TCP-IP
+
+#
+# Default for SLIP: dynamic IP address, SLIP mode.
+#
+DEFAULT Hint == "SLIP"
+  Framed-Protocol = SLIP
+
+#
+# Last default: rlogin to our main server.
+#
+#DEFAULT
+# Service-Type = Login-User,
+# Login-Service = Rlogin,
+# Login-IP-Host = shellbox.ispdomain.com
+
+# #
+# # Last default: shell on the local terminal server.
+# #
+# DEFAULT
+#   Service-Type = Administrative-User
+
+bob Cleartext-Password := "hello"
+
+# On no match, the user is denied access.

freeradius/run.sh

@@ -0,0 +1,7 @@
+#! /usr/bin/env bash
+
+. /common.sh
+
+replace_files
+
+freeradius -X

freeradius/vars-files

@@ -0,0 +1,3 @@
+users /etc/freeradius/users
+clients.conf /etc/freeradius/clients.conf
+eap.conf /etc.freeradius/eap.conf

freeradius/vars-vars

@@ -0,0 +1,19 @@
+DHCP_TSIG_KEY_NAME
+DHCP_TSIG_KEY_ALGO
+DHCP_TSIG_KEY_SECRET
+
+DHCP_DNS_MASTER
+DHCP_DNS_SERVER
+DHCP_TFTP_SERVER
+DHCP_ROUTERS
+
+DHCP_DOMAIN
+DHCP_SITE_DOMAIN
+DHCP_DYN_IPS_DOMAIN
+DHCP_REV_DOMAIN
+
+DHCP_SUBNET
+DHCP_NETMASK
+DHCP_IP_FIRST
+DHCP_IP_LAST
+DHCP_BROADCAST

update_vars.sh

@@ -0,0 +1,7 @@
+#! /usr/bin/env sh
+
+vars=$(cat env | cut -d= -f1)
+for docker in isc-dhcp tftpd apache
+do
+  echo "${vars}" > "./${docker}/vars-vars"
+done