Child pages
  • freeradius3-flr
Skip to end of metadata
Go to start of metadata

FreeRADIUS 3 - RADSEC

This section describes how to set up FreeRADIUS to handle RADSEC as a federation-level RADIUS and RADIUS/TLS server. It can then completely replace other RADSEC proxy products on the federation level (i.e. if you already have FreeRADIUS you can simply activate this virtual server and you'll be able to handle RADSEC - RADIUS/TLS over TCP).

More precisely, it will enable a server to:

  • Accept requests from connected service providers via RADIUS/TLS over TCP.
  • Forward requests to connected identity providers via RADIUS/TLS over TCP.
  • Forward requests from international visitors to the European eduroam confederation root servers via RADIUS/TLS over TCP.
  • Accept requests from the root servers via RADIUS/TLS over TCP for the own federation's users when they are roaming in another federation.

Version information

The prerequisites for this deployment are:

  • FreeRADIUS version 3.0.0 or higher
  • A server certificate and a private key for that certificate to establish the RadSec connection which designates the server as an IdP+SP.

Sample config file

All of the RADSEC configuration for FreeRADIUS 3.x can be in a single virtual server file. A detailed explanation of this configuration file is not yet provided. However, the comments included in the file should make its action almost self- explanatory. This means you can start and experiment with it right after installation.

Installation

Simply copy and paste this code into a new virtual server e.g. eduroam-radsec and place into your $RADDB/sites-enabled directory

listen {
	ipaddr = *
	port = 2083
	type = auth

	# For now, only TCP transport is allowed.
	proto = tcp

	clients = radsec

	#  This is *exactly* the same configuration as used by the EAP-TLS
	#  module.  It's OK for testing, but for production use it's a good
	#  idea to use different server certificates for EAP and for RADIUS
	#  transport.
	tls {
		#  These are used to simplify later configurations.
		certdir = ${confdir}/radsec
		cadir = ${confdir}/radsec

		private_key_password = whatever
		private_key_file = ${certdir}/server.realm.tld-key.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If CA_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = ${certdir}/server.realm.tld-eduPKI.pem

		#  Trusted Root CA list
		#
		#  ALL of the CA's in this list will be trusted
		#  to issue client certificates for authentication.
		#
		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.
		#
		#  This parameter is used only for EAP-TLS,
		#  when you issue client certificates.  If you do
		#  not use client certificates, and you do not want
		#  to permit EAP-TLS authentication, then delete
		#  this configuration item.
		CA_file = ${cadir}/eduPKI-CA.crt

		#
		#  For DH cipher suites to work, you have to
		#  run OpenSSL to create the DH file first:
		#
		#  	openssl dhparam -out certs/dh 1024
		#
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random

		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accomodate other attributes in
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600
		#  In these cases, fragment size should be
		#  1024 or less.
		#
		fragment_size = 1024

		#  include_length is a flag which is
		#  by default set to yes If set to
		#  yes, Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, Total Length of the
		#  message is included ONLY in the
		#  First packet of a fragment series.
		#
		include_length = yes

		#  Check the Certificate Revocation List
		#
		#  1) Copy CA certificates and CRLs to same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#    'c_rehash' is OpenSSL's command.
		#  3) uncomment the line below.
		#  5) Restart radiusd
	        #	check_crl = yes
	        #	CA_path = ${cadir}

	       #
	       #  If check_cert_issuer is set, the value will
	       #  be checked against the DN of the issuer in
	       #  the client certificate.  If the values do not
	       #  match, the cerficate verification will fail,
	       #  rejecting the user.
	       #
	       #  In 2.1.10 and later, this check can be done
	       #  more generally by checking the value of the
	       #  TLS-Client-Cert-Issuer attribute.  This check
	       #  can be done via any mechanism you choose.
	       #
               # this doesnt work yet
	       # check_cert_issuer = "/DC=org/DC=edupki/CN=eduPKI"

	       #
	       #  If check_cert_cn is set, the value will
	       #  be xlat'ed and checked against the CN
	       #  in the client certificate.  If the values
	       #  do not match, the certificate verification
	       #  will fail rejecting the user.
	       #
	       #  This check is done only if the previous
	       #  "check_cert_issuer" is not set, or if
	       #  the check succeeds.
	       #
	       #  In 2.1.10 and later, this check can be done
	       #  more generally by checking the value of the
	       #  TLS-Client-Cert-CN attribute.  This check
	       #  can be done via any mechanism you choose.
	       #
	       #	check_cert_cn = %{User-Name}
	       #
               # Set this option to specify the allowed
		# TLS cipher suites.  The format is listed
		# in "man 1 ciphers".
		cipher_list = "DEFAULT"

		#

		#  This configuration entry should be deleted
		#  once the server is running in a normal
		#  configuration.  It is here ONLY to make
		#  initial deployments easier.
		#
		#
		#  This is enabled in eap.conf, so we don't need it here.
		#
#		make_cert_command = "${certdir}/bootstrap"

		#
		#  Session resumption / fast reauthentication
		#  cache.
		#
		#  The cache contains the following information:
		#
		#  session Id - unique identifier, managed by SSL
		#  User-Name  - from the Access-Accept
		#  Stripped-User-Name - from the Access-Request
		#  Cached-Session-Policy - from the Access-Accept
		#
		#  The "Cached-Session-Policy" is the name of a
		#  policy which should be applied to the cached
		#  session.  This policy can be used to assign
		#  VLANs, IP addresses, etc.  It serves as a useful
		#  way to re-apply the policy from the original
		#  Access-Accept to the subsequent Access-Accept
		#  for the cached session.
		#
		#  On session resumption, these attributes are
		#  copied from the cache, and placed into the
		#  reply list.
		#
		#  You probably also want "use_tunneled_reply = yes"
		#  when using fast session resumption.
		#
		cache {
		      #
		      #  Enable it.  The default is "no".
		      #  Deleting the entire "cache" subsection
		      #  Also disables caching.
		      #
		      #  You can disallow resumption for a
		      #  particular user by adding the following
		      #  attribute to the control item list:
		      #
		      #		Allow-Session-Resumption = No
		      #
		      #  If "enable = no" below, you CANNOT
		      #  enable resumption for just one user
		      #  by setting the above attribute to "yes".
		      #
		      enable = yes

		      #
		      #  Lifetime of the cached entries, in hours.
		      #  The sessions will be deleted after this
		      #  time.
		      #
		      lifetime = 24 # hours

		      #
		      #  The maximum number of entries in the
		      #  cache.  Set to "0" for "infinite".
		      #
		      #  This could be set to the number of users
		      #  who are logged in... which can be a LOT.
		      #
		      max_entries = 255
		}

		#
		#  Require a client certificate.
		#
		require_client_cert = yes

		#
		#  As of version 2.1.10, client certificates can be
		#  validated via an external command.  This allows
		#  dynamic CRLs or OCSP to be used.
		#
		#  This configuration is commented out in the
		#  default configuration.  Uncomment it, and configure
		#  the correct paths below to enable it.
		#
		verify {
			#  A temporary directory where the client
			#  certificates are stored.  This directory
			#  MUST be owned by the UID of the server,
			#  and MUST not be accessible by any other
			#  users.  When the server starts, it will do
			#  "chmod go-rwx" on the directory, for
			#  security reasons.  The directory MUST
			#  exist when the server starts.
			#
			#  You should also delete all of the files
			#  in the directory when the server starts.
	     		tmpdir = /etc/raddb/temporary

			#  The command used to verify the client cert.
			#  We recommend using the OpenSSL command-line
			#  tool.
			#
			#  The ${..CA_path} text is a reference to
			#  the CA_path variable defined above.
			#
			#  The %{TLS-Client-Cert-Filename} is the name
			#  of the temporary file containing the cert
			#  in PEM format.  This file is automatically
			#  deleted by the server when the command
			#  returns.

			# this doesnt work yet either
	    		#client = "/usr/bin/openssl verify -CAfile /etc/raddb/radsec/eduPKI-CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}"
		}
	}
}

# IPv6 listener - config comments cleared for brevity

listen {
	ipv6addr = ::
	port = 2083
	type = auth
	proto = tcp
	clients = radsec

	tls {
		certdir = ${confdir}/radsec
		cadir = ${confdir}/radsec
		private_key_password = whatever
		private_key_file = ${certdir}/server.realm.tld-key.pem
		certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
		CA_file = ${cadir}/eduPKI-CA.crt
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 1024
		include_length = yes
                # this doesnt work yet
                # check_cert_issuer = "/DC=org/DC=edupki/CN=eduPKI"

		cipher_list = "DEFAULT"
		cache {
		      enable = yes
		      max_entries = 255
		}
		require_client_cert = yes
		verify {
			tmpdir = /etc/raddb/temporary
			# doesnt work yet
			#client = "/usr/bin/openssl verify -CAfile /etc/raddb/radsec/eduPKI-CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}"
		}
	}
}

clients radsec {
	client 127.0.0.1 {
		ipaddr = 127.0.0.1
		proto = tcp
		secret = testing123
	}
	client etlr1.eduroam.org {
		ipaddr = 192.87.106.34
		proto = tcp
		secret = radsec
	}
        client etlr2.eduroam.org {
		ipaddr = 130.225.242.109
		proto = tcp
		secret = radsec
# IPv6 for ETRL too - unfamiliar with details, so commented out
#	client etlr1-v6.eduroam.org {
#		ipv6addr = ?????????????????????????????
#		proto = tcp
#		secret = radsec
#	}
#       client etlr2-v6.eduroam.org {
#               ipv6addr = ?????????????????????????????
#               proto = tcp
#               secret = radsec
#       }

}


# local test listener for debug (present by default)
listen {
       ipaddr = 127.0.0.1
       port = 4000
       type = auth
}

home_server etlr1 {
	ipaddr etlr1.eduroam.org
	port = 2083
	type = auth
	secret = radsec
	proto = tcp
	status_check = status-server

	tls {
		#
		#  These are used to simplify later configurations.
		#
		certdir = ${confdir}/radsec
		cadir = ${confdir}/radsec

		private_key_password = whatever
		private_key_file = ${certdir}/server.realm.tld-key.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If CA_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = ${certdir}/server.realm.tld-eduPKI.pem

		#  Trusted Root CA list
		#
		#  ALL of the CA's in this list will be trusted
		#  to issue client certificates for authentication.
		#
		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.
		#
		#  This parameter is used only for EAP-TLS,
		#  when you issue client certificates.  If you do
		#  not use client certificates, and you do not want
		#  to permit EAP-TLS authentication, then delete
		#  this configuration item.
		CA_file = ${cadir}/eduPKI-CA.crt

		#
		#  For DH cipher suites to work, you have to
		#  run OpenSSL to create the DH file first:
		#
		#  	openssl dhparam -out certs/dh 1024
		#
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random

		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accomodate other attributes in
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600
		#  In these cases, fragment size should be
		#  1024 or less.
		#
		fragment_size = 1024

		#  include_length is a flag which is
		#  by default set to yes If set to
		#  yes, Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, Total Length of the
		#  message is included ONLY in the
		#  First packet of a fragment series.
		#
		include_length = yes

		#  Check the Certificate Revocation List
		#
		#  1) Copy CA certificates and CRLs to same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#    'c_rehash' is OpenSSL's command.
		#  3) uncomment the line below.
		#  5) Restart radiusd
	#	check_crl = yes
#		CA_path = ${cadir}

	       #
	       #  If check_cert_issuer is set, the value will
	       #  be checked against the DN of the issuer in
	       #  the client certificate.  If the values do not
	       #  match, the cerficate verification will fail,
	       #  rejecting the user.
	       #
	       #  In 2.1.10 and later, this check can be done
	       #  more generally by checking the value of the
	       #  TLS-Client-Cert-Issuer attribute.  This check
	       #  can be done via any mechanism you choose.
	       #
	#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

	       #
	       #  If check_cert_cn is set, the value will
	       #  be xlat'ed and checked against the CN
	       #  in the client certificate.  If the values
	       #  do not match, the certificate verification
	       #  will fail rejecting the user.
	       #
	       #  This check is done only if the previous
	       #  "check_cert_issuer" is not set, or if
	       #  the check succeeds.
	       #
	       #  In 2.1.10 and later, this check can be done
	       #  more generally by checking the value of the
	       #  TLS-Client-Cert-CN attribute.  This check
	       #  can be done via any mechanism you choose.
	       #
	#	check_cert_cn = %{User-Name}
	#
		# Set this option to specify the allowed
		# TLS cipher suites.  The format is listed
		# in "man 1 ciphers".
		cipher_list = "DEFAULT"
	}

}

#second home server config cleared to the values required for brevity

home_server etlr2 {
        ipaddr etlr2.eduroam.org
        port = 2083
        type = auth
        secret = radsec
        proto = tcp
        status_check = status-server

        tls {
                certdir = ${confdir}/radsec
                cadir = ${confdir}/radsec
                private_key_password = whatever
                private_key_file = ${certdir}/server.realm.tld-key.pem
                certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
                CA_file = ${cadir}/eduPKI-CA.crt
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
        }

}


home_server_pool ETLR {
		 type = load-balance
		 home_server = etlr1
		 home_server = etlr2
}

realm eduroam {
      auth_pool = ETLR
}


Caveats

Currently (10th June 2011) there are some bugs with handling unreachable remote proxies which causes the daemon to die. A few of these have already been dealt with via bug reports but some still lurk. Also, the certificate checking/verification code does not currently work - we hope to be able to verify the certificate issuer and OID as we do with RADIATOR and RadSecProxy. Note that this software only does RADSEC/TLS with TCP - DTLS over UDP is not yet an option. Clients are 'radsec' only and the standard naslist or naslist imported from SQL won't operate with radsec.

  • No labels

1 Comment

  1. fragment_size = 1024

    for radsec connections, this should be set to the default tls fragment size, which is 16384.
    Otherwise the connection will break if any radius packet longer than 1024 is forwarded over this radsec connection.