# WLAN support

Supported modes of authenticating via WLAN:

- WPA-Personal (WPA-PSK): authentication via preshared key (`psk`)
- WPA-Enterprise (WPA-802.1x) with EAP-TLS: authentication via client certificates (`eap-tls`)

Which method is used is determined by the variable `wlan`. Choices:

- `"none"` <-- (default)
- `"psk"`
- `"eap-tls"`

## Common Configuration / Variables

- `wlan`
  Authentication mode
  Type: String
  Values:
  - `"none"` <-- (default)
  - `"psk"` <-- set to use WPA-Personal
  - `"eap-tls"` <-- set to use WPA-Enterprise with EAP-TLS
- `wlan_ssid`
  SSID of the used WLAN
  Type: String
- `wlan_enable_on_boot`
  If set to `true`, wlan will be enabled on boot
  Type: Boolean
  Default: `true`
## WPA-Personal

### Requirements

WLAN with configured WPA-Personal (WPA-PSK)

### Additional Configuration / Variables

- `wlan_password`
  Password of the WLAN. Only for `wlan: "psk"`
  Type: String

### Examples

One class of devices with wlan access

`inventory.yml`:

```yaml
laptop:
  hosts:
    10.0.13.[1-28]:
  vars:
    wlan: "psk"
    wlan_ssid: "devicesPSK"
    wlan_password: "topsecretpasswd"
```

Two device classes with different wlan access

`inventory.yml`:

```yaml
laptop_students:
  hosts:
    10.0.13.[1-28]:
  vars:
    wlan: "psk"
    wlan_ssid: "Students"
    wlan_password: "topsecretpasswd1"
laptop_teachers:
  hosts:
    10.0.23.[1-82]:
  vars:
    wlan: "psk"
    wlan_ssid: "Teachers"
    wlan_password: "topsecretpasswd2"
```
## WPA-Enterprise with EAP-TLS

Authentication is based on individual certificates, which will be automatically created on the radius server.
Every device gets its own certificate. When a new certificate is created, the old one will be revoked.

### Requirements

- You need to run a freeradius server. For installation see https://codeberg....
- The user running this playbook must have access to the radius server via ssh.

### Additional Configuration / Variables

- `wlan_eap_ca`
  CA data for certs and crl
  Type: Dictionary of Strings
  Keys:
  - `C` <-- default: "DE"
  - `ST` <-- default: "Baden-Wuerttemberg"
  - `L` <-- default: "Reutlingen"
  - `O` <-- default: "Linuxschule"
  - `emailAddress` <-- default: "admin@example.com"
  - `CN` <-- default: "Radius Certificate Authority"
  - `password` <-- default: "OtherVerySecurePassw0rd"
- `wlan_force_issue`
  Force the issue of a new certificate. Only for `wlan: "eap-tls"`
  Type: Boolean
  Values:
  - `true`
  - `false` <-- (default)
- `wlan_eap_ca_crl`
  URL of the certificate revocation list
  Type: String
  Default: `"http://radius.{{ domain }}/radius-ca.crl"`
### Examples

`inventory.yml`:

```yaml
infrastructure:
  hosts:
    radius_server:
      ansible_host: 10.0.0.15
      ansible_user: ansible
laptop:
  vars:
    wlan: "eap-tls"
    wlan_ssid: "devices8021x"
    wlan_eap_ca:
      C: "DE"
      ST: "Baden-Wuerttemberg"
      L: "Reutlingen"
      O: "Linuxschule"
      emailAddress: "admin@example.com"
      CN: "Radius Certificate Authority"
      password: "secret4radiusCA"
    wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
```

#### Complex example with both modes

We have three groups of devices (one with psk, two with eap-tls):

`inventory.yml`:

```yaml
all:
  vars:
    wlan_ssid: "WLAName" # teacher and staff are using the same ssid
    wlan_eap_ca:
      C: "DE"
      ST: "Baden-Wuerttemberg"
      L: "Reutlingen"
      O: "Linuxschule"
      emailAddress: "admin@example.com"
      CN: "Radius Certificate Authority"
      password: "secret4radiusCA"
    wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
infrastructure:
  hosts:
    radius_server:
      ansible_host: 10.0.0.15
      ansible_user: ansible
laptop_students:
  hosts:
    10.0.13.[1-28]:
  vars:
    wlan: "psk"
    wlan_ssid: "Students" # ssid "WLAName" from group "all" will be overwritten
    wlan_password: "topsecretpasswd"
laptop_teachers:
  hosts:
    10.0.23.[1-82]:
  vars:
    wlan: "eap-tls"
    wlan_enable_on_boot: false
laptop_staff:
  hosts:
    10.0.61.[1-20]:
  vars:
    wlan: "eap-tls"
```
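The variable precedence and per-mode requirements in the examples above can be checked before a playbook run. The following script is an added example and not part of the role's own code: it takes the complex inventory above, embedded as the dictionary a YAML loader would produce for it, resolves the effective WLAN variables of each group (group vars over `all` vars, documented defaults filled in) and reports the combinations the documentation rules out: an unknown `wlan` value, a `psk` group without `wlan_password`, a `wlan_password` handed to an `eap-tls` group, `wlan_eap_ca.password` left at the documented default, and `eap-tls` without a `radius_server` host. The function names, the default-password check and the "broken variant" are this example's own assumptions.

```python
"""Resolve and check the WLAN variables of an inventory for this role.

Added example, not part of the role's own code. INVENTORY is the "complex
example" inventory from the documentation, written as the dict a YAML loader
would return for it (embedded inline so the script runs offline). The checks
encode only the rules the documentation states for the variables.
"""
import copy

VALID_MODES = {"none", "psk", "eap-tls"}
# Documented default for wlan_eap_ca.password. Leaving it in place means the
# CA key is protected by a password that is printed in public documentation.
DEFAULT_CA_PASSWORD = "OtherVerySecurePassw0rd"

INVENTORY = {
    "all": {
        "vars": {
            "wlan_ssid": "WLAName",  # teacher and staff share this SSID
            "wlan_eap_ca": {
                "C": "DE",
                "ST": "Baden-Wuerttemberg",
                "L": "Reutlingen",
                "O": "Linuxschule",
                "emailAddress": "admin@example.com",
                "CN": "Radius Certificate Authority",
                "password": "secret4radiusCA",
            },
            "wlan_eap_ca_crl": "http://radius.example.com/radius-ca.crl",
        }
    },
    "infrastructure": {
        "hosts": {"radius_server": {"ansible_host": "10.0.0.15", "ansible_user": "ansible"}}
    },
    "laptop_students": {
        "hosts": {"10.0.13.[1-28]": None},
        "vars": {"wlan": "psk", "wlan_ssid": "Students", "wlan_password": "topsecretpasswd"},
    },
    "laptop_teachers": {
        "hosts": {"10.0.23.[1-82]": None},
        "vars": {"wlan": "eap-tls", "wlan_enable_on_boot": False},
    },
    "laptop_staff": {
        "hosts": {"10.0.61.[1-20]": None},
        "vars": {"wlan": "eap-tls"},
    },
}


def effective_vars(inventory, group):
    """Vars of `group` layered over the vars of `all`, plus documented defaults.

    Mirrors the precedence shown in the examples: a group's own value wins over
    the value set in `all` (e.g. wlan_ssid "Students" over "WLAName").
    """
    merged = dict(inventory.get("all", {}).get("vars", {}))
    merged.update(inventory.get(group, {}).get("vars", {}))
    merged.setdefault("wlan", "none")
    merged.setdefault("wlan_enable_on_boot", True)
    return merged


def has_host(inventory, hostname):
    """True if any group lists `hostname` under its hosts."""
    return any(hostname in (g.get("hosts") or {}) for g in inventory.values())


def check_group(inventory, group):
    """Return the list of problems for one group (an empty list means OK)."""
    v = effective_vars(inventory, group)
    mode = v["wlan"]
    if mode not in VALID_MODES:
        return [f"{group}: unknown wlan mode {mode!r}"]
    problems = []
    if mode == "none":
        return problems
    if not v.get("wlan_ssid"):
        problems.append(f"{group}: wlan_ssid is required for wlan={mode}")
    if mode == "psk" and not v.get("wlan_password"):
        problems.append(f"{group}: wlan_password is required for wlan=psk")
    if mode == "eap-tls":
        if "wlan_password" in v:
            # The PSK is unused here; distributing it to these hosts only widens its exposure.
            problems.append(f"{group}: wlan_password is only used for wlan=psk, drop it")
        if (v.get("wlan_eap_ca") or {}).get("password") == DEFAULT_CA_PASSWORD:
            problems.append(f"{group}: wlan_eap_ca.password is still the documented default")
        if not has_host(inventory, "radius_server"):
            problems.append(f"{group}: eap-tls needs a radius_server host reachable via ssh")
    return problems


def check_inventory(inventory):
    """Problems per group, for every group except the implicit `all`."""
    return {g: check_group(inventory, g) for g in inventory if g != "all"}


def broken_variant(inventory):
    """Deep copy of `inventory` with three documented rules violated (constructed
    here only to show what the checker reports)."""
    bad = copy.deepcopy(inventory)
    bad.pop("infrastructure")                             # no radius_server host
    bad["laptop_students"]["vars"].pop("wlan_password")   # psk group without a password
    bad["all"]["vars"]["wlan_eap_ca"]["password"] = DEFAULT_CA_PASSWORD
    return bad


if __name__ == "__main__":
    for label, inv in (("documented inventory", INVENTORY), ("broken variant", broken_variant(INVENTORY))):
        print(f"== {label}")
        for group, problems in check_inventory(inv).items():
            print(f"{group}: {'ok' if not problems else '; '.join(problems)}")
```

Running it prints `ok` for every group of the documented inventory and, for the broken variant, one finding for `laptop_students` and two each for `laptop_teachers` and `laptop_staff`. The script reads the inventory as a dictionary; to run it against a real `inventory.yml`, load the file with a YAML parser first and pass the result to `check_inventory`.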
#### Example: force issue of new certs

The issue of certificates can be forced.
Force issue of new certs for hosts in group `laptop_teachers`.
If there is a valid certificate, the old one will be revoked and a new certificate will be issued.

```shell
ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true"
```