Tutorial BIND9

2024-07-25T14:51:02Z

Indiver:

DNS and DNSSec

2024-07-25T11:37:18Z

Indiver:

DNS Workshop

== Workshop Info ==
This is an introductory workshop for '''DNS and DNSSec'''. After the completion of the workshops, participants are expected to be able to setup Nameservers, diagnose and troubleshoot DNS issues and get an understanding of DNS Security Extensions.

* Venue: (TBD), Conference Hall
* Time: 10:00 to 17:00
* Dates:
** DNS and DNSSEc 101 - 2014-03-31
** DNS and DNSSEc Hands-On - 2014-07-29

== Workshop Contents ==
* Presentation Slides (to be added)
* Lab Contents (to be added)

=== Agenda ===
Following topics are covered in Presentations and Lab.
* DNS Refresher
** The inverted tree
** Database
** Root and Resilience
* Tools
* DNS Resolution
* Resource Records and Response
* Deploying Nameserver
* Understanding DNSSec

=== How to Access the Lab ===
The LAB consists of several VMs, each will be assigned to a group. Workshop participants are divided into multiple groups. Each group will have access to a VM to implement, test and troubleshoot.

Access to the VMs are restricted from outside the Lab. To access the VMs, please login to the Jumphost. The details for Jumphost:

* hostname: TBD
* ssh username: labuser
* ssh password: TBD

=== Virtual Machines ===
{| class="wikitable"
|+ Lab VM info
|-
! Group !! Hostname !! Username !! Password
|-
| One || lab1 || labuser || labpassword
|-
| Two || lab2 || labuser || labpassword
|-
| Three || lab3 || labuser || labpassword
|-
| Four || lab4 || labuser || labpassword
|-
| Five || lab5 || labuser || labpassword
|-
| Six || lab6 || labuser || labpassword
|}

=== Resolver setup ===
* [[Tutorial_Unbound|Setting up a resolver]]
* [[Tutorial_BIND9|Setting up an authoritative server]]

After completing the resolver lab, DO NOT FORGET to disable the services, as the next lab also installs BIND, which also listens on the same port.
<pre>
sudo systemctl stop unbound
sudo systemctl disable unbound
</pre>

[[Category:Workshops]]

Tutorial BIND9

2024-07-25T11:34:35Z

Indiver: /* TL;DR */

2019-01-01T12:44:08Z

Indiver: fixed typo

'''freeRADIUS basic configuration for eduroam'''

Make sure you have a fresh Ubuntu 18.04 server ready. Update system before starting the config process.
Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam

== Configuration ==
Add a test user to the freeradius authorize. We create bob@uni<YOURID>.edu.np user with a password "hello" for the lab test. Be sure to remove this user before moving to production.

=== Users ===
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)

## Users - user logins
#######################################################################
"bob@uni0.edu.np" Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"

Reload freeradius
# systemctl restart freeradius

Testing
# radtest bob@uni0.edu.np hello localhost 7 testing123

Try several times, with incorrect password as well. Make sure you understand each of the parameters clearly. If you get the expected results, basic setup of freeradius is complete. Now you can move on to setting up 802.1X related parts.

=== Clients (NAS) ===
File: /etc/freeradius/3.0/clients.conf

## clients.conf -- client configuration directives
#######################################################################
client localhost {
ipaddr = 127.0.0.1
secret = testing123
nas_type = other # localhost isn't usually a NAS...
}

client testing {
ipaddr = 45.64.162.158
secret = testing123
nas_type = other
}

client nepal-flr-1 {
ipaddr = 202.52.0.18
netmask = 32
secret = longSecretPasswordHere
require_message_authenticator = no
shortname = nepal-flr-1
nastype = other
virtual_server = eduroam
}

=== Sites - eduroam ===
File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration
## sites-available/eduroam -- radius configuration
#######################################################################
# The domain users will add to their username to have their credentials
# routed to your institution. You will also need to register this
# and your RADIUS server addresses with your NRO.
operator_name = "uni0.edu.np"

# The VLAN to assign eduroam visitors
eduroam_guest_vlan = "1"

# The VLAN to assign your students/staff
eduroam_local_vlan = "1"

server eduroam {
listen {
type = auth
ipaddr = *
port = 1812
}

authorize {
# Log requests before we change them
linelog_recv_request

# split_username_nai is a policy in the default distribution to
# split a username into username and domain. We reject user-name
# strings without domains, as they're not routable.
split_username_nai
if (noop || !&Stripped-User-Domain) {
reject
}

# Send the request to the NRO for your region.
# The details of the FLRs (Federation Level RADIUS servers)
# are in proxy.conf.
# You can make this condition as complex as you like, to
# include additional subdomains just concatenate the conditions
# with &&.
if (&Stripped-User-Domain != "${operator_name}") {
update {
control:Load-Balance-Key := &Calling-Station-ID
control:Proxy-To-Realm := 'eduroam_flr'

# Operator name (RFC 5580) identifies the network the
# request originated from. It's not absolutely necessary
# but it helps with debugging.
request:Operator-Name := "1${operator_name}"
}
return
}

# If the EAP module returns 'ok' or 'updated', it means it has handled
# the request and we don't need to call any other modules in this
# section.
eap {
ok = return
updated = return
}
}

pre-proxy {
attr_filter.pre-proxy
linelog_send_proxy_request
}

post-proxy {
attr_filter.post-proxy
linelog_recv_proxy_response
}

authenticate {
eap
}

post-auth {
# To implement eduroam you must:
# - Use wireless access points or a controller which supports
# dynamic VLAN assignments.
# - Have that feature enabled.
# - Have the guest_vlan/local_vlan available to the controller,
# or to all your access points.
# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if (&control:Proxy-To-Realm) {
update reply {
Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
}
}
else {
update reply {
Tunnel-Private-Group-ID := ${eduroam_local_vlan}
}
}

# We're sending a response to one of OUR network devices for one of
# OUR users so provide it with the real user-identity.
if (&session-state:Stripped-User-Name) {
update reply {
User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
}
}

linelog_send_accept

Post-Auth-Type REJECT {
attr_filter.access_reject
linelog_send_reject
}
}
}

=== Sites - eduroam-inner ===
File: sites-available/eduroam-inner
## sites-available/eduroam-inner -- radius configuration
#######################################################################
server eduroam-inner {
listen {
type = auth
ipaddr = *
port = 18120 # Used for testing only. Requests proxied internally.
}

authorize {
# The outer username is considered garabage for autz purposes, but
# the domain portion of the outer and inner identities must match.
split_username_nai
if (noop || (&Stripped-User-Domain && \
(&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
reject
}

# Make the user's real identity available to anything that needs
# it in the outer server.
update {
&outer.session-state:Stripped-User-Name := &Stripped-User-Name
}

# EAP for PEAPv0 (EAP-MSCHAPv2)
inner-eap {
ok = return
}

# THIS IS SITE SPECIFIC
#
# The files module is *ONLY* used for testing. It lets you define
# credentials in a flat file, IT WILL NOT SCALE.
#
# - If you use OpenLDAP with salted password hashes you should
# call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use OpenLDAP with cleartext passwords you should
# call the 'ldap' module here and use EAP-TTLS or PEAPv0.
# - If you use an SQL DB with salted password hashes you should call
# the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use an SQL DB with cleartext passwords you should call
# the 'sql' module here and use EAP-TTLS or PEAPv0.
# - If you use Novell you should call the 'ldap' module here and
# set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
# PEAPv0.
# - If you use Active Directory, you don't need anything here (remove
# the call to files) but you'll need to follow this
# [guide](freeradius-active-directory-integration-howto) and use
# EAP-TTLS-PAP or PEAPv0.
# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
#
# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
# supplicant is configured. PEAPv0 has a slight edge in that you need to
# crack MSCHAPv2 to get the user's password (but this is not hard).
files

pap
mschap
}

authenticate {
inner-eap
mschap
pap

# Comment pap above and uncomment the stanza below if you're using
# Active Directory; this will allow it to work with EAP-TTLS/PAP.
#Auth-Type pap {
# ntlm_auth
#}
}
}

=== Proxy ===
File: /etc/freeradius/3.0/proxy.conf
## proxy.conf
#######################################################################
## proxy.conf
#######################################################################
proxy server {
default_fallback = no
}

home_server npflr1 {
type = auth+acct
ipaddr = 202.52.0.18
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}

home_server npflr2 {
type = auth+acct
ipaddr = 202.52.0.4
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}

home_server_pool EDUROAM {
type = fail-over
home_server = npflr1
home_server = npflr2
}

realm NULL {
nostrip
}

realm "~^uni0\.edu\.np" {
nostrip
}

realm "~.+$" {
auth_pool = EDUROAM
nostrip
}

=== mods - eap ===
File: /etc/freeradius/3.0/mods-available/eap.conf
## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap {
# The initial EAP type requested. Change this to peap if you're
# using peap, or tls if you're using EAP-TLS.
default_eap_type = ttls

# The maximum time an EAP-Session can continue for
timer_expire = 60

# The maximum number of ongoing EAP sessions
max_sessions = ${max_requests}

tls-config tls-common {
# The public certificate that your server will present
certificate_file = ${certdir}/server.pem

# The private key for the public certificate
private_key_file = ${certdir}/server.key

# The password to decrypt 'private_key_file'
private_key_password = whatever

# The certificate of the authority that issued 'certificate_file'
ca_file = ${cadir}/ca.pem

# If your AP drops packets towards the client, try reducing this.
fragment_size = 1024

# When issuing client certificates embed the OCSP URL in the
# certificate if you want to be able to revoke them later.
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
}
}

tls {
tls = tls-common
}

ttls {
tls = tls-common
default_eap_type = mschapv2
virtual_server = "eduroam-inner"
}

peap {
tls = tls-common
default_eap_type = mschapv2
virtual_server = "eduroam-inner"
}
}

=== Inner EAP ===
File: /etc/freeradius/3.0/mods-available/inner-eap.conf
## mods-available/inner-eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap inner-eap {
default_eap_type = mschapv2
timer_expire = 60
max_sessions = ${max_requests}

mschapv2 {
send_error = yes
}
}

=== Logging ===
File: /etc/freeradius/3.0/mods-available/linelog
## mods-available/linelog
#######################################################################
linelog linelog_recv_request {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Recv-Request, %{pairs:request:}"
}

linelog linelog_send_accept {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Accept, %{pairs:request:}"
}

linelog linelog_send_reject {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Reject, %{pairs:request:}"
}

linelog linelog_send_proxy_request {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
}

linelog linelog_recv_proxy_response {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Recv-Proxy-Response, %{pairs:proxy-reply:}"
}

=== Enable Configs ===
Then enable configurations as necessary. Remove unnecessary configs.

cd /etc/freeradius/3.0/mods-enabled/
ln -s ../mods-available/inner-eap .
ln -s ../mods-available/linelog .

cd /etc/freeradius/3.0/sites-enabled/
ln -s ../sites-available/eduroam
ln -s ../sites-available/eduroam-inner
rm default
rm inner

At each step, understand what you are doing and why. Please consult with the trainer if in doubt.

== Complete ==
You should now have a working config. Perform Test as per [[Eduroam_Basics#Testing_tools]]