#!/bin/sh
#
# Setup freeRADIUS 3 for both EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
#
# Wolfgang Schweer <wschweer@arcor.de>
# First edited: 2020-12-25
# Last edited:  2021-01-11

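set -eu

# Paths used throughout; everything certificate-related happens inside
# $DIRNAME, the module configuration lives one level up in $RADDB.
DIRNAME="/etc/freeradius/3.0/certs"
RADDB="/etc/freeradius/3.0"
AUTHORIZE="$RADDB/mods-config/files/authorize"
KEYTAB="/etc/krb5.keytab.radius"
PRINCIPAL="radius/tjener.intern@INTERN"

# Check execute permission first: kadmin.local, usermod, chown and the
# service commands below all need root.
if [ "$(id -u)" -ne 0 ]; then
	echo "Please run $0 as root or use sudo, exiting."
	exit 0
fi

# Warn if freeRADIUS has already been configured.
if [ -f "$DIRNAME/ca.der" ]; then
	echo "-------------------------------------------------------------------------"
	echo ""
	echo "The freeRADIUS server seems to have been configured already, exiting."
	echo ""
	echo "If 100% sure freeRADIUS should be configured from scratch again, run:"
	echo ""
	echo "rm -rf /etc/freeradius"
	echo "apt purge freeradius* -yq"
	echo "apt install freeradius freeradius-krb5 -yq"
	echo "Then run this tool again."
	echo ""
	echo "-------------------------------------------------------------------------"
	exit 0
fi

# Check if required packages are installed.
if [ ! -d "$DIRNAME" ]; then
	echo "---------------------------------------------------------------------------------------"
	echo ""
	echo "Make sure the winbind, freeradius and freeradius-krb5 packages are installed, i.e. run:"
	echo "apt update && apt install winbind freeradius freeradius-krb5 -qy"
	echo ""
	echo "---------------------------------------------------------------------------------------"
	exit 0
fi

# pwgen is needed for the certificate key passphrase; fail early with a
# clear message instead of half-way through the configuration.
if ! command -v pwgen >/dev/null 2>&1; then
	echo "The pwgen command is required but not installed, exiting."
	exit 1
fi

# Only run on a main server (kdadmin.local and /etc/debian-edu/www are required).
PROFILE=""
if [ -r /etc/debian-edu/config ]; then
	. /etc/debian-edu/config
fi
case "$PROFILE" in
	*Main-Server*) ;;
	*)
		echo "It only makes sense to run $0 on a main server, exiting."
		exit 0
		;;
esac

cd "$DIRNAME"

# Kerberos principal and keytab setup.
if [ ! -f "$KEYTAB" ]; then
	kadmin.local ank -randkey "$PRINCIPAL"
	kadmin.local ktadd -k "$KEYTAB" "$PRINCIPAL"
	# The keytab holds the service key: only the freerad user may read it.
	chown freerad:freerad "$KEYTAB"
	chmod 600 "$KEYTAB"
fi

# Configure freeRADIUS EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
# Appended verbatim (quoted delimiter, no expansion); the two commented-out
# example lines contain literal tabs.
cat <<'EOF' >>"$AUTHORIZE"

#--------------------- Debian Edu specific example -------------------------
# Uncomment the next two lines to only allow LDAP group 'teachers'.
#DEFAULT	Group != "teachers", Auth-Type := Reject
#		Reply-Message = "Accessing wireless network is not allowed."
#---------------------------------------------------------------------------

# Please don't add anything below the next line!
DEFAULT Auth-Type = Kerberos
EOF

# Let the inner tunnel see the outer request and use the tunneled identity.
sed -i -e '/copy_request/ s/no/yes/' -e '/use_tunneled/ s/no/yes/' \
	"$RADDB/mods-available/eap"

# Point the krb5 module at the keytab and principal created above.
sed -i -e '/keytab/ s#${localstatedir}/lib/radiusd/keytab#/etc/krb5.keytab.radius#' \
	-e '/service/ s#name_of_principle#radius/tjener.intern#' \
	"$RADDB/mods-available/krb5"

# Enable the ntlm_auth call for MS-CHAPv2 (fix path, uncomment, allow mschapv2);
# the three expressions must stay in this order.
sed -i -e '/request-nt-key/ s#/path/to/ntlm_auth#/usr/bin/ntlm_auth#' \
	-e '/request-nt-key/ s/#/ /' \
	-e '/request-nt-key/ s#nt-key#nt-key --allow-mschapv2#' \
	"$RADDB/mods-available/mschap"

# Add the Kerberos Auth-Type section after the pam entry in both sites.
for site in default inner-tunnel; do
	sed -i '/pam/  a\
        \
        #\
        # Kerberos Authentication\
        Auth-Type Kerberos {\
                    krb5\
        }' "$RADDB/sites-available/$site"
done

# Enable Kerberos module.
if [ ! -f "$RADDB/mods-enabled/krb5" ]; then
	ln -s ../mods-available/krb5 "$RADDB/mods-enabled/krb5"
fi

# Allow the freerad user to read the Winbind reply and the certificate key file.
/sbin/usermod -a -G winbindd_priv freerad
/sbin/usermod -a -G ssl-cert freerad

service freeradius stop

# Generate freeRADIUS specific CA and server certificates and make them available.
chmod +x bootstrap
# Fully random passphrase for the generated private keys. Without -y pwgen
# emits letters and digits only, so the value is safe inside the sed
# replacements below (no '#', '&' or '\').
PASSWORD="$(pwgen -s -1 32)"

# One sed pass per file; the expressions are applied per line in this order,
# which is what the previous one-substitution-per-run version did too.
for i in *.cnf xpextensions; do
	sed -i \
		-e "s#whatever#$PASSWORD#g" \
		-e 's#FR#NO#g' \
		-e 's#Example Inc.#Debian Edu#g' \
		-e 's#admin@example.org#postmaster@postoffice.intern#g' \
		-e 's#user@example.org#user@postoffice.intern#g' \
		-e 's#example.org/example#intern/intern#g' \
		-e 's#example.com/example#intern/intern#g' \
		-e 's#Example S#Debian Edu freeRADIUS S#g' \
		-e 's#Example C#Debian Edu freeRADIUS C#g' \
		-e 's#*example.com#*intern#g' \
		-e 's#radius.example.com#freeradius.intern#g' \
		-e 's#= 60#= 3650#g' \
		-e 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' \
		"$i"
done

# Tell the eap module the key passphrase and the certificate files installed below.
sed -i \
	-e "s#whatever#$PASSWORD#g" \
	-e 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' \
	-e 's#ssl-cert-snakeoil.key#freeradius-server.key#' \
	-e 's#ca-certificates.crt#freeradius-ca.crt#' \
	"$RADDB/mods-available/eap"

./bootstrap

# NOTE(review): with the upstream certs Makefile server.pem is expected to
# contain the (passphrase-encrypted) private key as well as the certificate;
# confirm before leaving it world-readable.
chmod 644 dh server.crt server.pem ca.pem ca.der
chmod 640 server.key
cp ca.pem /etc/ssl/certs/freeradius-ca.crt
cp server.crt /etc/ssl/certs/freeradius-server.crt
cp server.key /etc/ssl/private/freeradius-server.key
# Set owner and mode explicitly rather than relying on what cp inherited.
chown root:ssl-cert /etc/ssl/private/freeradius-server.key
chmod 640 /etc/ssl/private/freeradius-server.key

if [ -d /etc/debian-edu/www/ ]; then
	cp ca.der /etc/debian-edu/www/freeradius-ca.der
	cp ca.pem /etc/debian-edu/www/freeradius-ca.pem
	cp ca.pem /etc/debian-edu/www/freeradius-ca.crt
fi

# Cleanup the certs dir.
make clean

chmod -x bootstrap

# Start the configured freeRADIUS service and give some feedback.
service freeradius start

echo "------------------------------------------------------------------------------------"
echo "The freeRADIUS server has been configured."
echo ""
echo "Both CRT and DER encoded freeRADIUS CA certificates are available for download:"
echo "https://www.intern/freeradius-ca.pem (for end user devices running Linux)."
echo "https://www.intern/freeradius-ca.crt (Linux, Android and Windows)."
echo "https://www.intern/freeradius-ca.der (macOS, iOS, iPadOS and Windows)."
echo ""
echo "For simple site-specific configuration adjustments, see"
echo "/etc/freeradius/3.0/users        [allow/deny wireless using LDAP groups]"
echo "/etc/freeradius/3.0/huntgroups   [combine access points (APs) into dedicated groups]"
echo "/etc/freeradius/3.0/clients.conf [enable/disable APs via shared secret]"
echo ""
echo "------------------------------------------------------------------------------------"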
