it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use wlan_eap_ca_crl for URL of the certificate revocation list

Browse source
This commit is contained in:
Raphael Dannecker 2025-04-01 15:31:19 +02:00
parent f6b77c64cf
commit 320ad3a51d
4 changed files with 520 additions and 508 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
doc/wlan.md
View file

@ -106,6 +106,10 @@ Every devices gets his own certificate. When creating new certificates, the old
Values: Values:
* true * true
* false <-- (default) * false <-- (default)
* **wlan_eap_ca_crl**
URL of the certificate revocation list
Type: *String*
Default: "http://radius.{{ domain }}/radius-ca.crl"
### Examples ### Examples
@ -128,6 +132,7 @@ laptop:
emailAddress: "admin@example.com" emailAddress: "admin@example.com"
CN: "Radius Certificate Authority" CN: "Radius Certificate Authority"
password: "secret4radiusCA" password: "secret4radiusCA"
wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
``` ```
## complex example with both modes ## complex example with both modes
@ -139,12 +144,15 @@ inventory.yml
all: all:
vars: vars:
wlan_ssid: "WLAName" # teacher and staff are using the same ssid wlan_ssid: "WLAName" # teacher and staff are using the same ssid
radiusca_password: "secret4radiusCA" wlan_eap_ca:
country_name: "DE" C: "DE"
state_or_province_name: "Baden-Württemberg" ST: "Baden-Wuerttemberg"
locality_name: "Stuttgart" L: "Reutlingen"
organization_name: "Baumschule" O: "Linuxschule"
admin_email: "admin@example.com" emailAddress: "admin@example.com"
CN: "Radius Certificate Authority"
password: "secret4radiusCA"
wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
infrastructure: infrastructure:
hosts: hosts:
@ -179,4 +187,4 @@ The issue of certificates can be forced.
Force issue of new certs for hosts in group laptop_teacher. Force issue of new certs for hosts in group laptop_teacher.
If there is a valid certificate, the old one will be revoked and a new certificate will be issued. If there is a valid certificate, the old one will be revoked and a new certificate will be issued.
ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true" ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true"

1003
inventory.yml
View file

File diff suppressed because it is too large Load diff

1
roles/lmn_wlan/defaults/main.yaml
View file

@ -11,4 +11,5 @@ wlan_eap_ca:
emailAddress: "admin@example.com" emailAddress: "admin@example.com"
CN: "Radius Certificate Authority" CN: "Radius Certificate Authority"
password: "OtherVerySecurePassw0rd" password: "OtherVerySecurePassw0rd"
wlan_eap_ca_crl: "http://radius.{{ domain }}/radius-ca.crl"
wlan_enable_on_boot: true wlan_enable_on_boot: true

2
roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
View file

@ -15,7 +15,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
force: true force: true
mode: "0644" mode: "0644"
url: "http://radius.steinbeis.schule/radius-ca.crl" url: "{{ wlan_eap_ca_crl }}"
dest: /tmp/radius-ca.crl dest: /tmp/radius-ca.crl
when: cert_client_active.stat.exists when: cert_client_active.stat.exists