Eduroam Configuration

Revision as of 11:59, 31 December 2018 by Indiver (talk | contribs)

Basic Setup for eduroam

Lab Plan

  • Basic Ubuntu 18.04 is installed
    • Install FreeRADIUS
    • Basic Configuration
    • Testing
  • Configure Wifi
    • Configure Certificates for WPA2 Enterprise
    • Configure WiFi - uni1, uni2, uni3, uni4
 (uni1–uni4 are for lab use only.)
 For the production deployment the SSID should be the lowercase string "eduroam".
  • Check IDP (Local university login)
  • Configure Peering
    • Check peering

FreeRADIUS 3.0

Add a test user to the FreeRADIUS authorize file: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)

 ## Users - user logins
 #######################################################################
 # Lab test account. NOTE(review): the password is stored in the clear
 # because the inner-tunnel methods in eap.conf are mschapv2, which the
 # server can only verify from the plaintext (or NT-hash) password. A
 # throwaway test credential is fine here; the institutional user store
 # replaces this entry in production.
 "bob@uni0.edu.np"	Cleartext-Password := "hello"
       Reply-Message := "Hello, %{User-Name}"


Restart FreeRADIUS

 # systemctl restart freeradius


Testing

 # radtest bob@uni0.edu.np hello localhost 20 testing123


File: clients.conf

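 ## clients.conf -- client configuration directives
 #######################################################################
 # Each client block is a RADIUS peer allowed to talk to this server. A
 # peer is identified by source address and authenticated only by the
 # shared secret, so every secret must be long, random and unique to that
 # peer. "testing123" is the stock FreeRADIUS example secret and is only
 # acceptable for the loopback client. The lab access points (uni1-uni4
 # in the plan) also need client blocks before they can send requests.
 client localhost {
 	ipaddr = 127.0.0.1
 	secret = testing123
 	nas_type = other	# localhost isn't usually a NAS...
 }
 
 # Lab test client on a public address. Replace the secret before this
 # server is reachable beyond the lab: with the example secret, anything
 # that can present this source address can authenticate as the client.
 client testing {
 	ipaddr = 45.64.162.158
 	secret = testing123
 	nas_type = other
 }
 
 # The national federation-level RADIUS (FLR) peer. Its requests are
 # handed to the "eduroam" virtual server (sites-available/eduroam).
 client nepal-flr-1 {
 	# Single host; the /32 prefix replaces the older separate
 	# netmask directive.
 	ipaddr 		= 202.52.0.18/32
 	secret		= longSecretPasswordHere
 	# NOTE(review): with "no", Access-Requests from this peer are accepted
 	# without a Message-Authenticator, so integrity rests on the shared
 	# secret alone. EAP packets must carry the attribute anyway (RFC 3579),
 	# so change this to "yes" once it is confirmed the FLR always sends it.
 	require_message_authenticator	= no
 	shortname	= nepal-flr-1
 	# "nas_type" is the spelling used by the other client blocks above;
 	# the FreeRADIUS 2 spelling "nastype" is expected to be rejected as
 	# deprecated when 3.0 loads this file.
 	nas_type		= other
 	virtual_server	= eduroam
 }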
 

File: sites-available/eduroam -- radius configuration

 ## sites-available/eduroam -- radius configuration
 #######################################################################
 # Virtual server for eduroam traffic: EAP from local and visiting users,
 # plus proxying of non-local realms to the national FLR (see proxy.conf).
 server eduroam {
 	# port = 0 selects the default RADIUS ports (1812 auth, 1813 acct)
 	# on every local address. NOTE(review): the stock "default" site
 	# binds the same ports; if it is still enabled the server is likely
 	# to refuse to start with two listeners on one socket, so disable it
 	# or pin ipaddr here.
 	listen {
 		type = "auth"
 		ipaddr = *
 		port = 0
 	}
 	listen {
 		type = "acct"
 		ipaddr = *
 		port = 0
 	}
 	authorize {
 		# only use filter_username from version > 3.0.7 on
 		filter_username
 		# Tag requests that did not arrive from the FLR (local users,
 		# including those about to be proxied out) with the institution's
 		# Operator-Name. The shortname must match the client block name
 		# in clients.conf.
 		if ("%{client:shortname}" != "nepal-flr-1") {
 			update request {
 				Operator-Name := "1nren.net.np"
 				# the literal number "1" above is an important prefix! Do not change it!
 			}
 		}
 		# if you want detailed logging
 		auth_log
 		# suffix splits user@realm; the realm lookup in proxy.conf then
 		# decides whether the request is handled here or proxied.
 		suffix
 		mschap
 		eap
 		# NOTE(review): files + pap in the OUTER server authenticate a
 		# plain PAP request for a local user with no TLS tunnel around it.
 		# That is what the radtest check on this page exercises; for
 		# production, restrict the outer server to eap so passwords only
 		# travel inside PEAP/TTLS.
 		files
 		#sql
 		pap
 	}
 	authenticate {
 		Auth-Type PAP {
 			pap
 		}
 		# chap is not listed in authorize, so this section is presumably
 		# never selected.
 		Auth-Type CHAP {
 			chap
 		}
 		Auth-Type MS-CHAP {
 			mschap
 		}
 		digest
 		eap 
 	}
 	preacct {
 		suffix
 	}
 	accounting {
 		detail
 		#sql
 	}
 	post-auth {
 		reply_log
 		Post-Auth-Type REJECT {
 			reply_log
 		}
 	}
 	pre-proxy {
 		pre_proxy_log
 		# Filter attributes out of Access-Requests before they leave for
 		# the FLR; accounting packets are forwarded unfiltered.
 		if("%{Packet-Type}" != "Accounting-Request") {
 			attr_filter.pre-proxy
 		}
 	}
 	post-proxy {
 		post_proxy_log
 		# Filter what the home server sent back before it reaches the NAS.
 		attr_filter.post-proxy
 	}
 }
 

File: sites-available/eduroam-inner-tunnel

 ## sites-available/eduroam-inner-tunnel -- radius configuration
 #######################################################################
 # Inner server for the PEAP/TTLS tunnel (named as virtual_server in
 # eap.conf). It has no listen section, so it is reached only through
 # the EAP module for requests already inside a TLS tunnel; this is
 # where local credentials are actually checked.
 server eduroam-inner-tunnel {
 	authorize {
 		auth_log
 		eap
 		mschap
 		#sql
 		# local accounts from the users file; sql/ldap replaces this in production
 		files
 	}
 	authenticate {
 		eap
 		# NOTE(review): a bare "mschap" here appears redundant: the mschap
 		# module selects Auth-Type MS-CHAP, so the explicit section below
 		# is the one that runs.
 		mschap
 		Auth-Type MS-CHAP {
 			mschap
 		}
 	}
 	post-auth {
 		reply_log
 	}
 }
 

File: proxy.conf

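 ## proxy.conf 
 #######################################################################
 proxy server {
         # Do not fall back to local handling when every home server in
         # a pool is marked dead.
         default_fallback        = no
 }
  
 # The two national FLR servers. They share the pool below; status-server
 # probes decide which one is alive. Each "secret" must be the value agreed
 # with the FLR operator (placeholder shown).
 home_server npflr1 {
         type                    = auth+acct
         ipaddr                  = 202.52.0.18
         port                    = 1812
         secret                  = longSecretPasswordHere
         status_check            = status-server
 }
  
 home_server npflr2 {
         type                    = auth+acct
         ipaddr                  = 202.52.0.4
         port                    = 1812
         secret                  = longSecretPasswordHere
         status_check            = status-server
 }
  
 home_server_pool EDUROAM {
         type                    = fail-over
         home_server             = npflr1
         home_server             = npflr2
 }
  
 # Usernames without an "@realm" part are handled locally.
 realm NULL {
         nostrip
 }
 
 # The institution's own realm: handled locally, with User-Name left intact
 # so it matches the full "user@uni0.edu.np" entries in the users file.
 # A realm name is matched literally unless it starts with "~" (compare the
 # catch-all below). The earlier form "^uni0\.edu\.np" had no "~", so it
 # was compared as a literal string, never matched, and local users fell
 # through to the catch-all and were proxied to the FLR.
 realm uni0.edu.np {
         nostrip
 }
 
 # Catch-all: every other realm is forwarded to the FLR pool. Exact-name
 # realms should be looked up before regex realms, so the local realm
 # above takes precedence.
 realm "~.+$" {
         pool                    = EDUROAM
         nostrip
 }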
 

File: mods-available/eap.conf

 ##  mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 #######################################################################
 
 eap {
 	default_eap_type = peap
 	timer_expire     = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
 	max_sessions = ${max_requests}
 
 	# TLS settings used by PEAP and TTLS. The server certificate is the
 	# only thing a supplicant can use to tell this IdP from a rogue access
 	# point broadcasting the same SSID, so it is the security-critical
 	# part of this file.
 	tls {
 		certdir = ${confdir}/certs
 		cadir = ${confdir}/certs
 		# Only consulted if the private key file is encrypted.
 		private_key_password = whatever
 		# NOTE(review): ssl-cert-snakeoil is the self-signed placeholder
 		# typically generated at OS install. Supplicants cannot validate it
 		# against any trusted CA, so users would have to accept it blindly.
 		# Before production, replace key and certificate with ones issued
 		# by the CA the supplicant profiles (e.g. eduroam CAT) are pinned to.
 		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 		# NOTE(review): this is the whole system CA bundle. Point it only
 		# at the CA that issued the server certificate; as written, a
 		# certificate from any public CA would verify if client certificates
 		# (EAP-TLS) were ever enabled.
 		ca_file = /etc/ssl/certs/ca-certificates.crt
 		dh_file = ${certdir}/dh
 		random_file = /dev/urandom
 		fragment_size = 1024
 		include_length = yes
 		# No revocation checking; only relevant once client certificates are used.
 		check_crl = no
 		# Relies on the OpenSSL default cipher set. No minimum TLS version
 		# is set here (tls_min_version in 3.0.x), so the OpenSSL build
 		# decides which protocol versions are offered.
 		cipher_list = "DEFAULT"
 	}
 
 	# Both tunnel methods carry MS-CHAPv2 inside and hand the inner request
 	# to the eduroam-inner-tunnel virtual server; the inner reply is copied
 	# back to the outer reply.
 	ttls {
 		default_eap_type = mschapv2
 		copy_request_to_tunnel = yes
 		use_tunneled_reply = yes
 		virtual_server = "eduroam-inner-tunnel"
 	}
 
 	peap {
 		default_eap_type = mschapv2
 		copy_request_to_tunnel = yes
 		use_tunneled_reply = yes
 		virtual_server = "eduroam-inner-tunnel"
 	}
 
 	mschapv2 {
 	}
 }