Eduroam Configuration
Basic FreeRADIUS configuration for eduroam
Make sure you have a fresh Ubuntu 18.04 server ready. Update the system before starting the configuration process.
Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam
Configuration
Add a test user to the FreeRADIUS authorize file. We create the user bob@uni<YOURID>.edu.np with the password "hello" for the lab test. Be sure to remove this user before moving to production.
Users
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
## Users - user logins
#######################################################################
#
# Lab-only test account (the guide says to remove it before production).
# The inner tunnel authenticates with MS-CHAPv2, which needs either a
# Cleartext-Password or an NT-Password check item to compute the
# challenge response; that is why the password is stored in clear here.
#
# Layout matters in this file: the first line holds the check items,
# and reply items such as Reply-Message must start on a following,
# indented line.  If Reply-Message is placed on the first line it is
# treated as a check item and the entry never matches.
"bob@uni0.edu.np"	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
Restart freeradius
# systemctl restart freeradius
Testing
# radtest bob@uni0.edu.np hello localhost 7 testing123
Try several times, with an incorrect password as well. Make sure you understand each of the parameters clearly.
Clients (NAS)
File: /etc/freeradius/3.0/clients.conf
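## clients.conf -- client configuration directives
#######################################################################

# Local test client, used by the radtest check in this guide.
# testing123 is the stock FreeRADIUS lab secret; it is tolerable only
# because this client is bound to the loopback address.
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
	nas_type = other	# localhost isn't usually a NAS...
}

# External test client.  It reuses the lab secret testing123 on a
# non-loopback address; give it its own secret before production, or
# remove it together with the bob@ test user.
client testing {
	ipaddr = 45.64.162.158
	secret = testing123
	nas_type = other
}

# The Federation Level RADIUS server (FLR) that forwards requests for
# our own users when they roam at other sites.  Those requests carry
# EAP-Message and are therefore required (RFC 3579) to include a
# Message-Authenticator.  Requiring it here means a request whose HMAC
# does not verify is dropped instead of being accepted on the strength
# of the shared secret alone, so the setting costs nothing for an EAP
# proxy and closes off forged or tampered Access-Requests.
client nepal-flr-1 {
	ipaddr = 202.52.0.18
	netmask = 32
	secret = longSecretPasswordHere	# placeholder: use the secret agreed with the NRO
	require_message_authenticator = yes
	shortname = nepal-flr-1
	nas_type = other	# spelled nas_type, as in the other clients above
	virtual_server = eduroam
}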
File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration
## sites-available/eduroam -- radius configuration
#######################################################################

# The domain users will add to their username to have their credentials
# routed to your institution.  You will also need to register this
# and your RADIUS server addresses with your NRO.
operator_name = "uni0.edu.np"

# The VLAN to assign eduroam visitors
eduroam_guest_vlan = "1"

# The VLAN to assign your students/staff
# NOTE(review): guest and local VLAN are both "1" here, so visitors and
# local users are placed on the same network.  That contradicts the
# segregation requirement stated in post-auth below; use two distinct
# VLAN IDs before this goes into production.
eduroam_local_vlan = "1"

server eduroam {
	listen {
		type = auth
		ipaddr = *	# every interface; on a multi-homed host consider binding only the address registered with the NRO
		port = 1812
	}

	authorize {
		# Log requests before we change them
		linelog_recv_request

		# split_username_nai is a policy in the default distribution to
		# split a username into username and domain.  We reject user-name
		# strings without domains, as they're not routable.
		split_username_nai
		if (noop || !&Stripped-User-Domain) {
			reject
		}

		# Send the request to the NRO for your region.
		# The details of the FLRs (Federation Level RADIUS servers)
		# are in proxy.conf.
		# You can make this condition as complex as you like, to
		# include additional subdomains just concatenate the conditions
		# with &&.
		if (&Stripped-User-Domain != "${operator_name}") {
			update {
				control:Load-Balance-Key := &Calling-Station-ID
				# NOTE(review): proxy.conf in this guide defines no realm
				# named eduroam_flr; presumably the name only reaches the
				# EDUROAM pool because it matches the catch-all realm
				# "~.+$".  Confirm with "radiusd -X", or define the realm
				# explicitly so proxying does not depend on the fallback.
				control:Proxy-To-Realm := 'eduroam_flr'
				# Operator name (RFC 5580) identifies the network the
				# request originated from.  It's not absolutely necessary
				# but it helps with debugging.
				request:Operator-Name := "1${operator_name}"
			}
			return
		}

		# If the EAP module returns 'ok' or 'updated', it means it has handled
		# the request and we don't need to call any other modules in this
		# section.
		eap {
			ok = return
			updated = return
		}
	}

	pre-proxy {
		attr_filter.pre-proxy
		linelog_send_proxy_request
	}

	post-proxy {
		attr_filter.post-proxy
		linelog_recv_proxy_response
	}

	authenticate {
		eap
	}

	post-auth {
		# To implement eduroam you must:
		# - Use wireless access points or a controller which supports
		#   dynamic VLAN assignments.
		# - Have that feature enabled.
		# - Have the guest_vlan/local_vlan available to the controller,
		#   or to all your access points.
		# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
		}

		# Proxy-To-Realm is only set (in authorize above) for users whose
		# domain is not ours, so its presence identifies a visitor.
		if (&control:Proxy-To-Realm) {
			update reply {
				Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
			}
		}
		else {
			update reply {
				Tunnel-Private-Group-ID := ${eduroam_local_vlan}
			}
		}

		# We're sending a response to one of OUR network devices for one of
		# OUR users so provide it with the real user-identity.
		if (&session-state:Stripped-User-Name) {
			update reply {
				User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
			}
		}

		linelog_send_accept

		Post-Auth-Type REJECT {
			attr_filter.access_reject
			linelog_send_reject
		}
	}
}
File: sites-available/eduroam-inner-tunnel
## sites-available/eduroam-inner-tunnel -- radius configuration
#######################################################################
#
# Virtual server that handles the decrypted inner exchange of the PEAP
# and TTLS tunnels configured in mods-available/eap.conf.  Only local
# users reach it: the outer "eduroam" server proxies visitors before it
# ever calls eap.
server eduroam-inner-tunnel {
	authorize {
		# auth_log writes each inner request to a detail file.  That
		# request carries the user's real identity and the MS-CHAP
		# challenge/response material, so keep the file's permissions
		# tight, or drop this line outside the lab.
		auth_log
		eap
		mschap
		#sql
		# "files" must be on its own line.  If it trails the "#sql"
		# comment it is commented out too, and the users file (the bob@
		# test account) is never consulted.
		files
	}

	authenticate {
		eap
		mschap
		Auth-Type MS-CHAP {
			mschap
		}
	}

	post-auth {
		# reply_log writes the reply attributes to a detail file.  The
		# MS-CHAPv2 reply can include MS-MPPE key material, so treat that
		# log as sensitive, or disable it in production.
		reply_log
	}
}
File: proxy.conf
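## proxy.conf
#######################################################################

proxy server {
	default_fallback = no
}

# The two Federation Level RADIUS servers (FLRs) for the region.  Both
# use the same secret placeholder here; replace it with the secret
# agreed with the NRO (clients.conf uses the same value for nepal-flr-1).
# status_check = status-server lets the pool detect a dead FLR and fail
# over instead of waiting for each request to time out.
home_server npflr1 {
	type = auth+acct
	ipaddr = 202.52.0.18
	port = 1812
	secret = longSecretPasswordHere
	status_check = status-server
}

home_server npflr2 {
	type = auth+acct
	ipaddr = 202.52.0.4
	port = 1812
	secret = longSecretPasswordHere
	status_check = status-server
}

home_server_pool EDUROAM {
	type = fail-over
	home_server = npflr1
	home_server = npflr2
}

# Requests without a realm are handled locally.
realm NULL {
	nostrip
}

# Our own domain is handled locally (no pool).  A realm name is only
# treated as a regular expression when it starts with "~" (compare the
# catch-all below); without it, "^uni0\.edu\.np" was a literal realm
# name that no real domain could ever match.  The trailing "$" stops
# longer names that merely begin with our domain from matching.
realm "~^uni0\.edu\.np$" {
	nostrip
}

# Everything else goes to the FLR pool.  The
# control:Proxy-To-Realm := 'eduroam_flr' set in sites-available/eduroam
# is expected to resolve through this catch-all as well -- confirm in
# "radiusd -X" output.
realm "~.+$" {
	pool = EDUROAM
	nostrip
}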
File: mods-available/eap.conf
## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		# NOTE(review): the snakeoil key referenced below is not
		# encrypted, so this password is not used; it is left over from
		# the stock file and can go once a real key is installed.
		private_key_password = whatever

		# Lab-only: ssl-cert-snakeoil is the self-signed certificate
		# Ubuntu generates at install time.  Supplicants cannot validate
		# it against a known CA, which trains users to accept whatever
		# server certificate they are shown -- the main credential-theft
		# risk in eduroam.  Before production, install a certificate from
		# a CA that the supplicant configuration (e.g. an eduroam CAT
		# profile) is set to verify, and keep the private key readable
		# only by the user the daemon runs as.
		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

		# CA set used to verify client certificates.  Only PEAP and TTLS
		# are enabled below, which do not require one by default; if
		# EAP-TLS is added later, point this at your own CA rather than
		# the whole system bundle.
		ca_file = /etc/ssl/certs/ca-certificates.crt
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes
		check_crl = no
		cipher_list = "DEFAULT"
	}

	# Both tunnelled methods run the inner exchange in the
	# eduroam-inner-tunnel virtual server with MS-CHAPv2 as the inner
	# method; use_tunneled_reply copies the inner reply (including the
	# VLAN attributes) to the outer Access-Accept.
	ttls {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "eduroam-inner-tunnel"
	}

	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "eduroam-inner-tunnel"
	}

	mschapv2 {
	}
}