Difference between revisions of "Eduroam Configuration"

Line 1: Line 1:
'''Basic Setup for eduroam'''
+
'''freeRADIUS basic configuration for eduroam'''
  
== Setup ==
+
Make sure you have a fresh Ubuntu 18.04 server ready. Update system before starting the config process.
* Install Ubuntu 18.04 server
+
  Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam
** Update Ubuntu
 
** Install FreeRADIUS
 
** Basic Configuration
 
** Testing
 
* Configure Wifi
 
** Configure Certificates for WPA2 Enterprise
 
** Configure WiFi - uni1, uni2, uni3, uni4
 (For lab use only)
 SSIDs should be lowercase "eduroam" for the production deployment
 
* Check IDP (Local university login)
 
* Configure Peering
 
** Check peering
 
  
=== freeRadius 3.0 ===
+
== Configuration ==
Install freeRadius
+
Add a test user to the freeradius authorize. We create bob@uni<YOURID>.edu.np user with a password "hello" for the lab test. Be sure to remove this user before moving to production.
  $ sudo apt install freeradius
 
  
Add a user to the freeradius authorize
+
=== Users ===
 
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
 
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
  
Line 25: Line 14:
 
   "bob@uni0.edu.np" Cleartext-Password := "hello"
 
   "bob@uni0.edu.np" Cleartext-Password := "hello"
 
         Reply-Message := "Hello, %{User-Name}"
 
         Reply-Message := "Hello, %{User-Name}"
 
  
 
Reload freeradius
 
Reload freeradius
 
 
   # systemctl restart freeradius
 
   # systemctl restart freeradius
 
  
 
Testing
 
Testing
 +
  # radtest bob@uni0.edu.np hello localhost 7 testing123
  
  # radtest bob@uni0.edu.np hello localhost 20 testing123
+
Try several times, with incorrect password as well. Make sure you understand each of the parameters clearly.
  
 +
=== Clients (NAS) ===
 +
File: /etc/freeradius/3.0/clients.conf
  
File: clients.conf
 
 
   ## clients.conf -- client configuration directives
 
   ## clients.conf -- client configuration directives
 
   #######################################################################
 
   #######################################################################
Line 62: Line 50:
 
   }
 
   }
 
    
 
    
File: sites-available/eduroam -- radius configuration
+
File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration
 
   ## sites-available/eduroam -- radius configuration
 
   ## sites-available/eduroam -- radius configuration
 
   #######################################################################
 
   #######################################################################
 +
  The domain users will add to their username to have their credentials
 +
  # routed to your institution.  You will also need to register this
 +
  # and your RADIUS server addresses with your NRO.
 +
  operator_name = "uni0.edu.np"
 +
 
 +
  # The VLAN to assign eduroam visitors
 +
  eduroam_guest_vlan = "1"
 +
 
 +
  # The VLAN to assign your students/staff
 +
  eduroam_local_vlan = "1"
 +
 
 
   server eduroam {
 
   server eduroam {
 
   listen {
 
   listen {
   type = "auth"
+
   type = auth
 
   ipaddr = *
 
   ipaddr = *
   port = 0
+
   port = 1812
  }
 
  listen {
 
  type = "acct"
 
  ipaddr = *
 
  port = 0
 
 
   }
 
   }
 +
 
 
   authorize {
 
   authorize {
   # only use filter_username from version > 3.0.7 on
+
   # Log requests before we change them
   filter_username
+
  linelog_recv_request
   if ("%{client:shortname}" != "nepal-flr-1") {
+
 
   update request {
+
  # split_username_nai is a policy in the default distribution to
   Operator-Name := "1nren.net.np"
+
  # split a username into username and domain. We reject user-name
   # the literal number "1" above is an important prefix! Do not change it!
+
  # strings without domains, as they're not routable.
 +
   split_username_nai
 +
   if (noop || !&Stripped-User-Domain) {
 +
  reject
 +
  }
 +
 
 +
  # Send the request to the NRO for your region.
 +
  # The details of the FLRs (Federation Level RADIUS servers)
 +
  # are in proxy.conf.
 +
  # You can make this condition as complex as you like, to
 +
  # include additional subdomains just concatenate the conditions
 +
  # with &&.
 +
  if (&Stripped-User-Domain != "${operator_name}") {
 +
   update {
 +
   control:Load-Balance-Key := &Calling-Station-ID
 +
  control:Proxy-To-Realm := 'eduroam_flr'
 +
 
 +
  # Operator name (RFC 5580) identifies the network the
 +
  # request originated from. It's not absolutely necessary
 +
  # but it helps with debugging.
 +
   request:Operator-Name := "1${operator_name}"
 
   }
 
   }
 +
  return
 +
  }
 +
 
 +
  # If the EAP module returns 'ok' or 'updated', it means it has handled
 +
  # the request and we don't need to call any other modules in this
 +
  # section.
 +
  eap {
 +
  ok = return
 +
  updated = return
 
   }
 
   }
   # if you want detailed logging
+
  }
   auth_log
+
 
   suffix
+
  pre-proxy {
   mschap
+
   attr_filter.pre-proxy
 +
   linelog_send_proxy_request
 +
  }
 +
 
 +
  post-proxy {
 +
   attr_filter.post-proxy
 +
   linelog_recv_proxy_response
 +
  }
 +
 
 +
  authenticate {
 
   eap
 
   eap
  files
 
  #sql
 
  pap
 
 
   }
 
   }
   authenticate {
+
 
   Auth-Type PAP {
+
   post-auth {
   pap
+
   # To implement eduroam you must:
 +
  # - Use wireless access points or a controller which supports
 +
                  #  dynamic VLAN assignments.
 +
  # - Have that feature enabled.
 +
  # - Have the guest_vlan/local_vlan available to the controller,
 +
                  #  or to all your access points.
 +
  # eduroam user traffic *MUST* be segregated, this is *NOT* optional.
 +
  update reply {
 +
  Tunnel-Type := VLAN
 +
  Tunnel-Medium-Type := IEEE-802
 +
  }
 +
  if (&control:Proxy-To-Realm) {
 +
  update reply {
 +
  Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
 +
   }
 
   }
 
   }
   Auth-Type CHAP {
+
   else {
   chap
+
  update reply {
 +
  Tunnel-Private-Group-ID := ${eduroam_local_vlan}
 +
   }
 
   }
 
   }
   Auth-Type MS-CHAP {
+
 
   mschap
+
  # We're sending a response to one of OUR network devices for one of
 +
  # OUR users so provide it with the real user-identity.
 +
   if (&session-state:Stripped-User-Name) {
 +
   update reply {
 +
  User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
 +
  }
 
   }
 
   }
  digest
+
 
  eap
+
   linelog_send_accept
  }
+
 
  preacct {
 
  suffix
 
  }
 
  accounting {
 
  detail
 
   #sql
 
  }
 
  post-auth {
 
  reply_log
 
 
   Post-Auth-Type REJECT {
 
   Post-Auth-Type REJECT {
   reply_log
+
   attr_filter.access_reject
 +
  linelog_send_reject
 
   }
 
   }
  }
 
  pre-proxy {
 
  pre_proxy_log
 
  if("%{Packet-Type}" != "Accounting-Request") {
 
  attr_filter.pre-proxy
 
  }
 
  }
 
  post-proxy {
 
  post_proxy_log
 
  attr_filter.post-proxy
 
 
   }
 
   }
 
   }
 
   }
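Review bot: On the new side of the sites-available/eduroam hunk, the line `The domain users will add to their username to have their credentials` (first line after the `###` banner, the other two lines of the same comment still carry `#`) has lost its leading `#`, so it is a bare statement at the top of the file rather than a comment; restore it as `# The domain users will add to their username to have their credentials`. The new authorize section sets `control:Proxy-To-Realm := 'eduroam_flr'`, and no realm of that name is defined anywhere in this hunk, so the comment above it should say that proxy.conf must define `realm eduroam_flr` (or a regex realm that happens to match it) for proxying to work. The post-auth branch `if (&session-state:Stripped-User-Name)` can only run if the inner-tunnel server writes that attribute into outer.session-state, which nothing in this hunk does. Old and new lines in this wiki diff are not consistently marked, so these remarks are based on the lines carrying a `+` marker.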

Revision as of 18:11, 1 January 2019

freeRADIUS basic configuration for eduroam

Make sure you have a fresh Ubuntu 18.04 server ready, and update the system before starting the configuration.

 Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam

Configuration

Add a test user to the FreeRADIUS <code>authorize</code> file (read by the <code>files</code> module). For the lab we create the user bob@uni&lt;YOURID&gt;.edu.np with the password "hello". Be sure to remove this user before moving to production.

Users

File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)

 ## Users - user logins
 #######################################################################
 # Lab-only test account.  It is matched by the "files" module and
 # authenticates with the cleartext password stored here; remove it before
 # the server handles real eduroam traffic.  The indented second line holds
 # the entry's reply items.
 "bob@uni0.edu.np"	Cleartext-Password := "hello"
       Reply-Message := "Hello, %{User-Name}"

Reload freeradius

 # NOTE: a restart discards in-memory state (e.g. EAP conversations in
 # progress).  To check the configuration for syntax errors without
 # restarting, run "freeradius -XC" first.
 # systemctl restart freeradius

Testing

 # NOTE: arguments are <user> <password> <server> <NAS-Port number> <shared secret>.
 # "testing123" must match the secret of "client localhost" in clients.conf;
 # the NAS-Port number (7) is arbitrary for this test.
 # radtest bob@uni0.edu.np hello localhost 7 testing123

Try several times, with an incorrect password as well, and check that the server answers Access-Accept for the correct password and Access-Reject otherwise. Make sure you understand each of the parameters: user, password, server, NAS-Port number and shared secret (the secret must match the one in the <code>client localhost</code> entry of clients.conf).

Clients (NAS)

File: /etc/freeradius/3.0/clients.conf

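 ## clients.conf -- client configuration directives
 #######################################################################
 # Every RADIUS peer that may send requests to this server needs an entry
 # here; requests from addresses not listed are logged as unknown clients
 # and not answered.
 
 # Loopback client used only by the radtest command in the Testing section.
 client localhost {
 	ipaddr = 127.0.0.1
 	secret = testing123
 	nas_type = other	# localhost isn't usually a NAS...
 }
 
 # Lab test client on a public address.  "testing123" is a well-known
 # default shared secret: replace it, and remove this client altogether,
 # before the server handles real eduroam traffic.
 client testing {
 	ipaddr = 45.64.162.158
 	secret = testing123
 	nas_type = other
 }
 
 # The federation-level RADIUS server (FLR) that forwards requests for
 # visiting users of this institution roaming at other sites.  The secret
 # is issued by the NRO; it is normally the same value as home_server
 # npflr1 in proxy.conf and must be replaced with a long random string.
 # NOTE(review): proxy.conf also lists a second FLR (202.52.0.4); if it
 # forwards requests to this server it needs its own client entry here.
 client nepal-flr-1 {
 	ipaddr 		= 202.52.0.18
 	netmask		= 32
 	secret		= longSecretPasswordHere
 	# eduroam requests are all EAP and must carry Message-Authenticator
 	# (RFC 3579), so requiring it costs nothing and lets the server reject
 	# forged or tampered Access-Requests that merely spoof the FLR's source
 	# address.
 	require_message_authenticator	= yes
 	shortname	= nepal-flr-1
 	nas_type		= other
 	virtual_server	= eduroam
 }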
 

File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration

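 ## sites-available/eduroam -- radius configuration
 #######################################################################
 # The domain users will add to their username to have their credentials
 # routed to your institution.  You will also need to register this
 # and your RADIUS server addresses with your NRO.
 operator_name = "uni0.edu.np"
 
 # The VLAN to assign eduroam visitors
 eduroam_guest_vlan = "1"
 
 # The VLAN to assign your students/staff
 # NOTE(review): both VLAN variables are "1" in this lab listing, which puts
 # visitors and local users on the same network.  The segregation demanded
 # in post-auth below only exists once these are two different VLAN IDs.
 eduroam_local_vlan = "1"
 
 # Virtual server handling eduroam Access-Requests from the FLR (selected
 # by virtual_server in clients.conf) and from the institution's own NASes.
 server eduroam {
 	# Authentication listener on all interfaces.  No "acct" listener is
 	# defined here, so accounting (if any) is handled by another virtual
 	# server.  Restrict reachability of UDP/1812 to the FLR and NAS
 	# addresses with a host firewall; clients.conf decides who is
 	# answered, but unknown sources still reach the socket.
 	listen {
 		type = auth
 		ipaddr = *
 		port = 1812
 	}
 
 	authorize {
 		# Log requests before we change them
 		linelog_recv_request
 
 		# split_username_nai is a policy in the default distribution to 
 		# split a username into username and domain.  We reject user-name 
 		# strings without domains, as they're not routable.
 		# "noop" is the policy's return code when there was nothing to split.
 		split_username_nai
 		if (noop || !&Stripped-User-Domain) {
 			reject
 		}
 
 		# Send the request to the NRO for your region.
 		# The details of the FLRs (Federation Level RADIUS servers)
 		# are in proxy.conf.
 		# You can make this condition as complex as you like, to 
 		# include additional subdomains just concatenate the conditions
 		# with &&.
 		# NOTE(review): as written this is an exact, case-sensitive string
 		# compare; a user typing Bob@UNI0.edu.np would be sent to the FLR
 		# instead of being authenticated locally.
 		if (&Stripped-User-Domain != "${operator_name}") {
 			update {
 				# Proxy-To-Realm must name a realm defined in proxy.conf.
 				# Load-Balance-Key only matters for load-balance pools;
 				# the EDUROAM pool in proxy.conf is fail-over, so it is
 				# unused there.
 				control:Load-Balance-Key := &Calling-Station-ID
 				control:Proxy-To-Realm := 'eduroam_flr'
 				
 				# Operator name (RFC 5580) identifies the network the 
 				# request originated from. It's not absolutely necessary
 				# but it helps with debugging.
 				# The leading "1" is the RFC 5580 namespace identifier
 				# for a REALM value; do not remove it.
 				request:Operator-Name := "1${operator_name}"
 			}
 			return
 		}
 
 		# If the EAP module returns 'ok' or 'updated', it means it has handled
 		# the request and we don't need to call any other modules in this
 		# section.
 		eap {
 			ok = return
 			updated = return
 		}
 	}
 
 	# Requests on their way to the FLR: the outgoing attributes are
 	# filtered against the attr_filter pre-proxy list, then logged.
 	pre-proxy {
 		attr_filter.pre-proxy
 		linelog_send_proxy_request
 	}
 
 	# Replies coming back from the FLR are filtered the same way before
 	# they are merged into our reply to the NAS.
 	post-proxy {
 		attr_filter.post-proxy
 		linelog_recv_proxy_response
 	}
 
 	# Only EAP is accepted on the outer request; local users are
 	# authenticated inside the TLS tunnel by eduroam-inner-tunnel
 	# (see eap.conf).
 	authenticate {
 		eap
 	}
 
 	post-auth {
 		# To implement eduroam you must:
 		# - Use wireless access points or a controller which supports 
                 #   dynamic VLAN assignments.
 		# - Have that feature enabled.
 		# - Have the guest_vlan/local_vlan available to the controller,
                 #   or to all your access points.
 		# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
 		update reply {
 			Tunnel-Type := VLAN
 			Tunnel-Medium-Type := IEEE-802
 		}
 		# Proxy-To-Realm was set in authorize only for visitors, so this
 		# distinguishes proxied (guest) from locally authenticated users.
 		if (&control:Proxy-To-Realm) {
 			update reply {
 				Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
 			}
 		}
 		else {
 			update reply {
 				Tunnel-Private-Group-ID := ${eduroam_local_vlan}
 			}
 		}
 
 		# We're sending a response to one of OUR network devices for one of 
 		# OUR users so provide it with the real user-identity.
 		# NOTE(review): nothing in this file or in eduroam-inner-tunnel
 		# writes session-state:Stripped-User-Name, so as listed this branch
 		# never runs; the inner-tunnel server would have to export it via
 		# outer.session-state.
 		if (&session-state:Stripped-User-Name) {
 			update reply {
 				User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
 			}
 		}
 
 		linelog_send_accept
 
 		# Rejects are stripped down to the attributes allowed by the
 		# attr_filter access_reject list before they are logged and sent.
 		Post-Auth-Type REJECT {
 			attr_filter.access_reject
 			linelog_send_reject
 		}
 	}
 }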
 

File: sites-available/eduroam-inner-tunnel

 ## sites-available/eduroam-inner-tunnel -- radius configuration
 #######################################################################
 # Inner (tunnelled) virtual server selected by the ttls/peap sections of
 # eap.conf.  It sees the decrypted inner request -- the real user identity
 # and the MS-CHAPv2 exchange -- for this institution's own users.
 server eduroam-inner-tunnel {
 	authorize {
 		# Writes the inner request to the auth detail log.  These logs
 		# contain the real (non-anonymous) identities; restrict access to them.
 		auth_log
 		# EAP inside the tunnel (EAP-MSCHAPv2 for PEAP).
 		eap
 		# Sets Auth-Type MS-CHAP when MS-CHAP attributes are present
 		# (TTLS with mschapv2 as configured in eap.conf).
 		mschap
 		#sql
 		# Looks the inner User-Name up in the users file, which supplies the
 		# Cleartext-Password that the mschap module verifies the response
 		# against.
 		# NOTE(review): nothing here rejects an inner identity belonging to
 		# another domain, and nothing copies Stripped-User-Name into
 		# outer.session-state, which the outer server's post-auth expects.
 		files
 	}
 	authenticate {
 		eap
 		mschap
 		Auth-Type MS-CHAP {
 			mschap
 		}
 	}
 	post-auth {
 		# Logs the inner reply; with use_tunneled_reply = yes in eap.conf
 		# these attributes are copied into the outer reply.
 		reply_log
 	}
 }
 

File: proxy.conf

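 ## proxy.conf 
 #######################################################################
 proxy server {
         default_fallback        = no
 }
  
 # Federation-level RADIUS servers (FLRs) run by the NRO.  The secrets are
 # placeholders: replace them with the values issued by the NRO and keep
 # them out of wiki pages and version control.
 home_server npflr1 {
         type                    = auth+acct
         ipaddr                  = 202.52.0.18
         port                    = 1812
         secret                  = longSecretPasswordHere
         status_check            = status-server
 }
  
 home_server npflr2 {
         type                    = auth+acct
         ipaddr                  = 202.52.0.4
         port                    = 1812
         secret                  = longSecretPasswordHere
         status_check            = status-server
 }
  
 # Servers are tried in order; npflr2 is used only while npflr1 is
 # considered dead by the status-server checks.
 home_server_pool EDUROAM {
         type                    = fail-over
         home_server             = npflr1
         home_server             = npflr2
 }
  
 # Realm referenced by "control:Proxy-To-Realm := 'eduroam_flr'" in
 # sites-available/eduroam.  Without this explicit definition the name is
 # only resolved through the catch-all regex realm "~.+$" below, if at all.
 realm eduroam_flr {
         pool                    = EDUROAM
         nostrip
 }
  
 # The realms below are only consulted by the suffix/realm modules, which
 # the eduroam virtual server does not call (it uses split_username_nai);
 # presumably they remain for the default virtual server.
 realm NULL {
         nostrip
 }
 
 # NOTE(review): without a leading "~" this is a literal realm name, not a
 # regular expression, so it never matches "uni0.edu.np".  In any virtual
 # server that runs the suffix module, local users would then fall through
 # to the "~.+$" realm and be proxied to the FLR.  Use
 # realm uni0.edu.np { nostrip } (or a "~"-prefixed regex) if that is the
 # intent.
 realm "^uni0\.edu\.np" {
 	nostrip
 }
 
 realm "~.+$" {
         pool                    = EDUROAM
         nostrip
 }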
 

File: mods-available/eap.conf

 ##  mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 #######################################################################
 
 eap {
 	# EAP type offered first to a supplicant that does not ask for one.
 	default_eap_type = peap
 	timer_expire     = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
 	max_sessions = ${max_requests}
 
 	# In this layout the "tls" subsection enables EAP-TLS itself and holds
 	# the TLS settings that the ttls/peap sections below appear to reuse
 	# (they do not reference a named tls-config).
 	tls {
 		certdir = ${confdir}/certs
 		cadir = ${confdir}/certs
 		# Only used if the private key is encrypted; the Ubuntu snakeoil
 		# key normally is not, so this value is ignored.
 		private_key_password = whatever
 		# Placeholder self-signed certificate from the ssl-cert package.
 		# Replace it with a certificate from a CA you control or a public
 		# CA, and configure supplicants to validate it: server-certificate
 		# validation is what stops a rogue AP from harvesting credentials.
 		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 		# NOTE(review): this is the system-wide bundle of public CAs.  For
 		# EAP-TLS it is the set of CAs whose client certificates are
 		# accepted, so any certificate chaining to a public CA could be
 		# used to authenticate -- point this at your own CA (or disable
 		# EAP-TLS) before production.
 		ca_file = /etc/ssl/certs/ca-certificates.crt
 		dh_file = ${certdir}/dh
 		random_file = /dev/urandom
 		fragment_size = 1024
 		include_length = yes
 		# Client-certificate revocation is not checked.
 		check_crl = no
 		# OpenSSL's default cipher set; consider a stricter list.
 		cipher_list = "DEFAULT"
 	}
 
 	# TTLS: outer request attributes are copied into the inner request and
 	# inner reply attributes back into the outer reply; the inner request
 	# is processed by the eduroam-inner-tunnel virtual server.
 	ttls {
 		default_eap_type = mschapv2
 		copy_request_to_tunnel = yes
 		use_tunneled_reply = yes
 		virtual_server = "eduroam-inner-tunnel"
 	}
 
 	# PEAP: same tunnel handling as TTLS, with EAP-MSCHAPv2 inside.
 	peap {
 		default_eap_type = mschapv2
 		copy_request_to_tunnel = yes
 		use_tunneled_reply = yes
 		virtual_server = "eduroam-inner-tunnel"
 	}
 
 	# Inner EAP-MSCHAPv2 method used by PEAP; defaults suffice.
 	mschapv2 {
 	}
 }