Difference between revisions of "Eduroam Configuration"
From NREN
| Line 33: | Line 33: | ||
nas_type = other # localhost isn't usually a NAS... | nas_type = other # localhost isn't usually a NAS... | ||
} | } | ||
| − | + | ||
| − | + | client testing { | |
| − | + | ipaddr = 45.64.162.158 | |
| − | + | secret = testing123 | |
| − | + | nas_type = other | |
| − | + | } | |
| − | + | ||
| − | + | client nepal-flr-1 { | |
| − | + | ipaddr = 202.52.0.18 | |
| − | + | netmask = 32 | |
| − | + | secret = longSecretPasswordHere | |
| − | + | require_message_authenticator = no | |
| − | + | shortname = nepal-flr-1 | |
| − | + | nastype = other | |
| − | + | virtual_server = eduroam | |
| − | + | } | |
=== Sites - eduroam === | === Sites - eduroam === | ||
Revision as of 12:29, 1 January 2019
freeRADIUS basic configuration for eduroam
Make sure you have a fresh Ubuntu 18.04 server ready. Update system before starting the config process.
Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam
Configuration
Add a test user to the freeradius authorize. We create bob@uni<YOURID>.edu.np user with a password "hello" for the lab test. Be sure to remove this user before moving to production.
Users
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
## Users - user logins
#######################################################################
"bob@uni0.edu.np" Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
Reload freeradius
# systemctl restart freeradius
Testing
# radtest bob@uni0.edu.np hello localhost 7 testing123
Try several times, with incorrect password as well. Make sure you understand each of the parameters clearly. If you get the expected results, basic setup of freeradius is complete. Now you can move on to setting up 802.1X related parts.
Clients (NAS)
File: /etc/freeradius/3.0/clients.conf
## clients.conf -- client configuration directives
#######################################################################
client localhost {
ipaddr = 127.0.0.1
secret = testing123
nas_type = other # localhost isn't usually a NAS...
}
client testing {
ipaddr = 45.64.162.158
secret = testing123
nas_type = other
}
client nepal-flr-1 {
ipaddr = 202.52.0.18
netmask = 32
secret = longSecretPasswordHere
require_message_authenticator = no
shortname = nepal-flr-1
nastype = other
virtual_server = eduroam
}
Sites - eduroam
File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration
## sites-available/eduroam -- radius configuration
#######################################################################
The domain users will add to their username to have their credentials
# routed to your institution. You will also need to register this
# and your RADIUS server addresses with your NRO.
operator_name = "uni0.edu.np"
# The VLAN to assign eduroam visitors
eduroam_guest_vlan = "1"
# The VLAN to assign your students/staff
eduroam_local_vlan = "1"
server eduroam {
listen {
type = auth
ipaddr = *
port = 1812
}
authorize {
# Log requests before we change them
linelog_recv_request
# split_username_nai is a policy in the default distribution to
# split a username into username and domain. We reject user-name
# strings without domains, as they're not routable.
split_username_nai
if (noop || !&Stripped-User-Domain) {
reject
}
# Send the request to the NRO for your region.
# The details of the FLRs (Federation Level RADIUS servers)
# are in proxy.conf.
# You can make this condition as complex as you like, to
# include additional subdomains just concatenate the conditions
# with &&.
if (&Stripped-User-Domain != "${operator_name}") {
update {
control:Load-Balance-Key := &Calling-Station-ID
control:Proxy-To-Realm := 'eduroam_flr'
# Operator name (RFC 5580) identifies the network the
# request originated from. It's not absolutely necessary
# but it helps with debugging.
request:Operator-Name := "1${operator_name}"
}
return
}
# If the EAP module returns 'ok' or 'updated', it means it has handled
# the request and we don't need to call any other modules in this
# section.
eap {
ok = return
updated = return
}
}
pre-proxy {
attr_filter.pre-proxy
linelog_send_proxy_request
}
post-proxy {
attr_filter.post-proxy
linelog_recv_proxy_response
}
authenticate {
eap
}
post-auth {
# To implement eduroam you must:
# - Use wireless access points or a controller which supports
# dynamic VLAN assignments.
# - Have that feature enabled.
# - Have the guest_vlan/local_vlan available to the controller,
# or to all your access points.
# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if (&control:Proxy-To-Realm) {
update reply {
Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
}
}
else {
update reply {
Tunnel-Private-Group-ID := ${eduroam_local_vlan}
}
}
# We're sending a response to one of OUR network devices for one of
# OUR users so provide it with the real user-identity.
if (&session-state:Stripped-User-Name) {
update reply {
User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
}
}
linelog_send_accept
Post-Auth-Type REJECT {
attr_filter.access_reject
linelog_send_reject
}
}
}
Sites - eduroam-inner
File: sites-available/eduroam-inner
## sites-available/eduroam-inner -- radius configuration
#######################################################################
server eduroam-inner-tunnel {
authorize {
auth_log
eap
mschap
#sql
files
}
authenticate {
eap
mschap
Auth-Type MS-CHAP {
mschap
}
}
post-auth {
reply_log
}
}
File: proxy.conf
## proxy.conf
#######################################################################
proxy server {
default_fallback = no
}
home_server npflr1 {
type = auth+acct
ipaddr = 202.52.0.18
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server npflr2 {
type = auth+acct
ipaddr = 202.52.0.4
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server_pool EDUROAM {
type = fail-over
home_server = npflr1
home_server = npflr2
}
realm NULL {
nostrip
}
realm "^uni0\.edu\.np" {
nostrip
}
realm "~.+$" {
pool = EDUROAM
nostrip
}
File: mods-available/eap.conf
## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
mschapv2 {
}
}
