Eduroam Configuration
From NREN
freeRADIUS basic configuration for eduroam
Make sure you have a fresh Ubuntu 18.04 server ready. Update system before starting the config process.
Note: This configuration guide is based upon https://wiki.freeradius.org/guide/eduroam
Configuration
Add a test user to the freeradius authorize. We create bob@uni<YOURID>.edu.np user with a password "hello" for the lab test. Be sure to remove this user before moving to production.
Users
File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
## Users - user logins
#######################################################################
"bob@uni0.edu.np" Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
Reload freeradius
# systemctl restart freeradius
Testing
# radtest bob@uni0.edu.np hello localhost 7 testing123
Try several times, with incorrect password as well. Make sure you understand each of the parameters clearly. If you get the expected results, basic setup of freeradius is complete. Now you can move on to setting up 802.1X related parts.
Clients (NAS)
File: /etc/freeradius/3.0/clients.conf
## clients.conf -- client configuration directives
#######################################################################
client localhost {
ipaddr = 127.0.0.1
secret = testing123
nas_type = other # localhost isn't usually a NAS...
}
client testing {
ipaddr = 192.168.10.101
secret = testing123
nas_type = other
}
client nepal-flr-1 {
ipaddr = 192.168.20.101
netmask = 32
secret = longSecretPasswordHere
require_message_authenticator = no
shortname = nepal-flr-1
nastype = other
virtual_server = eduroam
}
Sites - eduroam
File: /etc/freeradius/3.0/sites-available/eduroam -- radius configuration
## sites-available/eduroam -- radius configuration
#######################################################################
# The domain users will add to their username to have their credentials
# routed to your institution. You will also need to register this
# and your RADIUS server addresses with your NRO.
operator_name = "uni0.edu.np"
# The VLAN to assign eduroam visitors
eduroam_guest_vlan = "1"
# The VLAN to assign your students/staff
eduroam_local_vlan = "1"
server eduroam {
listen {
type = auth
ipaddr = *
port = 1812
}
authorize {
# Log requests before we change them
linelog_recv_request
# split_username_nai is a policy in the default distribution to
# split a username into username and domain. We reject user-name
# strings without domains, as they're not routable.
split_username_nai
if (noop || !&Stripped-User-Domain) {
reject
}
# Send the request to the NRO for your region.
# The details of the FLRs (Federation Level RADIUS servers)
# are in proxy.conf.
# You can make this condition as complex as you like, to
# include additional subdomains just concatenate the conditions
# with &&.
if (&Stripped-User-Domain != "${operator_name}") {
update {
control:Load-Balance-Key := &Calling-Station-ID
control:Proxy-To-Realm := 'eduroam_flr'
# Operator name (RFC 5580) identifies the network the
# request originated from. It's not absolutely necessary
# but it helps with debugging.
request:Operator-Name := "1${operator_name}"
}
return
}
# If the EAP module returns 'ok' or 'updated', it means it has handled
# the request and we don't need to call any other modules in this
# section.
eap {
ok = return
updated = return
}
}
pre-proxy {
attr_filter.pre-proxy
linelog_send_proxy_request
}
post-proxy {
attr_filter.post-proxy
linelog_recv_proxy_response
}
authenticate {
eap
}
post-auth {
# To implement eduroam you must:
# - Use wireless access points or a controller which supports
# dynamic VLAN assignments.
# - Have that feature enabled.
# - Have the guest_vlan/local_vlan available to the controller,
# or to all your access points.
# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if (&control:Proxy-To-Realm) {
update reply {
Tunnel-Private-Group-ID := ${eduroam_guest_vlan}
}
}
else {
update reply {
Tunnel-Private-Group-ID := ${eduroam_local_vlan}
}
}
# We're sending a response to one of OUR network devices for one of
# OUR users so provide it with the real user-identity.
if (&session-state:Stripped-User-Name) {
update reply {
User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
}
}
linelog_send_accept
Post-Auth-Type REJECT {
attr_filter.access_reject
linelog_send_reject
}
}
}
Sites - eduroam-inner
File: sites-available/eduroam-inner
## sites-available/eduroam-inner -- radius configuration
#######################################################################
server eduroam-inner {
listen {
type = auth
ipaddr = *
port = 18120 # Used for testing only. Requests proxied internally.
}
authorize {
# The outer username is considered garabage for autz purposes, but
# the domain portion of the outer and inner identities must match.
split_username_nai
if (noop || (&Stripped-User-Domain && \
(&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
reject
}
# Make the user's real identity available to anything that needs
# it in the outer server.
update {
&outer.session-state:Stripped-User-Name := &Stripped-User-Name
}
# EAP for PEAPv0 (EAP-MSCHAPv2)
inner-eap {
ok = return
}
# THIS IS SITE SPECIFIC
#
# The files module is *ONLY* used for testing. It lets you define
# credentials in a flat file, IT WILL NOT SCALE.
#
# - If you use OpenLDAP with salted password hashes you should
# call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use OpenLDAP with cleartext passwords you should
# call the 'ldap' module here and use EAP-TTLS or PEAPv0.
# - If you use an SQL DB with salted password hashes you should call
# the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use an SQL DB with cleartext passwords you should call
# the 'sql' module here and use EAP-TTLS or PEAPv0.
# - If you use Novell you should call the 'ldap' module here and
# set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
# PEAPv0.
# - If you use Active Directory, you don't need anything here (remove
# the call to files) but you'll need to follow this
# [guide](freeradius-active-directory-integration-howto) and use
# EAP-TTLS-PAP or PEAPv0.
# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
#
# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
# supplicant is configured. PEAPv0 has a slight edge in that you need to
# crack MSCHAPv2 to get the user's password (but this is not hard).
files
pap
mschap
}
authenticate {
inner-eap
mschap
pap
# Comment pap above and uncomment the stanza below if you're using
# Active Directory; this will allow it to work with EAP-TTLS/PAP.
#Auth-Type pap {
# ntlm_auth
#}
}
}
Proxy
File: /etc/freeradius/3.0/proxy.conf
## proxy.conf
#######################################################################
## proxy.conf
#######################################################################
proxy server {
default_fallback = no
}
home_server npflr1 {
type = auth+acct
ipaddr = 192.168.30.12
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server npflr2 {
type = auth+acct
ipaddr = 192.168.30.15
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server_pool EDUROAM {
type = fail-over
home_server = npflr1
home_server = npflr2
}
realm NULL {
nostrip
}
realm "~^uni0\.edu\.np" {
nostrip
}
realm "~.+$" {
auth_pool = EDUROAM
nostrip
}
mods - eap
File: /etc/freeradius/3.0/mods-available/eap.conf
## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap {
# The initial EAP type requested. Change this to peap if you're
# using peap, or tls if you're using EAP-TLS.
default_eap_type = ttls
# The maximum time an EAP-Session can continue for
timer_expire = 60
# The maximum number of ongoing EAP sessions
max_sessions = ${max_requests}
tls-config tls-common {
# The public certificate that your server will present
certificate_file = ${certdir}/server.pem
# The private key for the public certificate
private_key_file = ${certdir}/server.key
# The password to decrypt 'private_key_file'
private_key_password = whatever
# The certificate of the authority that issued 'certificate_file'
ca_file = ${cadir}/ca.pem
# If your AP drops packets towards the client, try reducing this.
fragment_size = 1024
# When issuing client certificates embed the OCSP URL in the
# certificate if you want to be able to revoke them later.
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = mschapv2
virtual_server = "eduroam-inner"
}
peap {
tls = tls-common
default_eap_type = mschapv2
virtual_server = "eduroam-inner"
}
}
You will need to setup the certificates or copy the snakeoil-certs to the proper path.
Inner EAP
File: /etc/freeradius/3.0/mods-available/inner-eap.conf
## mods-available/inner-eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap inner-eap {
default_eap_type = mschapv2
timer_expire = 60
max_sessions = ${max_requests}
mschapv2 {
send_error = yes
}
}
Logging
File: /etc/freeradius/3.0/mods-available/linelog
## mods-available/linelog
#######################################################################
linelog linelog_recv_request {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Recv-Request, %{pairs:request:}"
}
linelog linelog_send_accept {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Accept, %{pairs:request:}"
}
linelog linelog_send_reject {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Reject, %{pairs:request:}"
}
linelog linelog_send_proxy_request {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
}
linelog linelog_recv_proxy_response {
filename = ${logdir}/linelog
syslog_facility = local0
syslog_severity = debug
format = "action = Recv-Proxy-Response, %{pairs:proxy-reply:}"
}
Enable Configs
Then enable configurations as necessary. Remove unnecessary configs.
cd /etc/freeradius/3.0/mods-enabled/ ln -s ../mods-available/inner-eap . ln -s ../mods-available/linelog . cd /etc/freeradius/3.0/sites-enabled/ ln -s ../sites-available/eduroam ln -s ../sites-available/eduroam-inner rm default rm inner
At each step, understand what you are doing and why. Please consult with the trainer if in doubt.
Complete
You should now have a working config.
Tests
Perform Test following the guide Eduroam_Basics#Testing_tools
