Added support for 802-1X wifi-authentification and certificate-rollout on clients
This commit is contained in:
parent
97b9ba8d97
commit
f447d1dca6
3 changed files with 227 additions and 129 deletions
71
roles/lmn_wlan_8021x/tasks/main.yml
Normal file
71
roles/lmn_wlan_8021x/tasks/main.yml
Normal file
|
@ -0,0 +1,71 @@
|
|||
---
|
||||
- name: Set facts
|
||||
ansible.builtin.set_fact:
|
||||
wpa_hostname: "{{ ansible_hostname }}"
|
||||
|
||||
- name: Create private key for client certificate
|
||||
community.crypto.openssl_privatekey:
|
||||
path: /etc/ssl/private/{{ ssid }}.key
|
||||
|
||||
- name: Create CSR for client certificate
|
||||
community.crypto.openssl_csr_pipe:
|
||||
common_name: "{{ wpa_hostname }}"
|
||||
country_name: "{{ country_name }}"
|
||||
state_or_province_name: "{{ state_or_province_name }}"
|
||||
locality_name: "{{ locality_name }}"
|
||||
organization_name: "{{ organization_name }}"
|
||||
privatekey_path: /etc/ssl/private/{{ ssid }}.key
|
||||
email_address: "{{ admin_email }}"
|
||||
register: csr
|
||||
|
||||
- name: Sign CSR on Radius
|
||||
community.crypto.x509_certificate_pipe:
|
||||
csr_content: "{{ csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: /etc/freeradius/3.0/certs/ca.pem
|
||||
ownca_privatekey_path: /etc/freeradius/3.0/certs/ca.key
|
||||
ownca_privatekey_passphrase: "{{ radiusca_password }}"
|
||||
ownca_not_after: +1825d #5 Years
|
||||
delegate_to: radius
|
||||
register: certificate
|
||||
|
||||
- name: Create issued-Notice folder on radius-server
|
||||
file:
|
||||
dest: "/etc/freeradius/3.0/certs/issued"
|
||||
state: directory
|
||||
delegate_to: radius
|
||||
|
||||
- name: Write certificate to client
|
||||
copy:
|
||||
dest: /etc/ssl/certs/{{ ssid }}.crt
|
||||
content: "{{ certificate.certificate }}"
|
||||
|
||||
- name: Extrcat Serial from Certificate
|
||||
command: 'openssl x509 -noout -serial -in /etc/ssl/certs/{{ ssid }}.crt'
|
||||
register: cert_serial
|
||||
|
||||
- name: Create issued-Notice-file on radius-server
|
||||
copy:
|
||||
dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}"
|
||||
content: "{{ cert_serial.stdout }}"
|
||||
delegate_to: radius
|
||||
|
||||
- name: Delete {{ ssid }} if exists
|
||||
command: 'nmcli c delete {{ ssid }}'
|
||||
ignore_errors: true
|
||||
|
||||
- name: Create {{ ssid }} via nmcli
|
||||
command: >
|
||||
nmcli c add type wifi
|
||||
ifname {{ ansible_interfaces | select('search', 'wl.+') | first }}
|
||||
con-name "{{ ssid }}"
|
||||
connection.permissions ""
|
||||
802-11-wireless.ssid "{{ ssid }}"
|
||||
802-11-wireless-security.key-mgmt wpa-eap
|
||||
802-1x.eap tls
|
||||
802-1x.identity {{ ansible_hostname }}
|
||||
802-1x.client-cert /etc/ssl/certs/{{ ssid }}.crt
|
||||
802-1x.private-key /etc/ssl/private/{{ ssid }}.key
|
||||
802-1x.private-key-password dummy
|
||||
|
||||
|
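Review bot: The "Sign CSR on Radius" task mints a fresh 5-year client certificate on every play run, because `x509_certificate_pipe` is called without `content` and therefore never sees the certificate already sitting in `/etc/ssl/certs/{{ ssid }}.crt`; each run leaves another valid certificate for the same CN behind, and the serial written to `certs/issued/{{ ansible_hostname }}` overwrites the previous one, so earlier serials can no longer be recovered for a CRL. Slurp the existing certificate first and hand it to the module as `content` so it only re-signs when the certificate is missing, expired or no longer matches the private key. Consider also constraining the CSR to client use with `extended_key_usage: ["clientAuth"]` and `key_usage: ["digitalSignature"]`, since the issued certificate otherwise carries no EKU. The private key under `/etc/ssl/private` is stored unencrypted (hence the `dummy` password on the nmcli line) and is protected only by its file mode; confirm that `openssl_privatekey` creates it `0600` or set `mode: "0600"` explicitly.

```yaml
- name: Read existing client certificate (if any)
  ansible.builtin.slurp:
    src: /etc/ssl/certs/{{ ssid }}.crt
  register: existing_cert
  failed_when: false

- name: Sign CSR on Radius
  community.crypto.x509_certificate_pipe:
    content: "{{ (existing_cert.content | b64decode) if existing_cert.content is defined else omit }}"
    csr_content: "{{ csr.csr }}"
    # … unchanged: provider / ownca_* options, delegate_to, register …
```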