FreeRADIUS is a very versatile and freely available RADIUS server under the GPL license. Setting up FreeRADIUS as an SP is a rather straightforward task, since it merely needs to forward requests from NASes to other RADIUS servers. In particular, it does not need to authenticate users. The following configuration enables your FreeRADIUS server to be an eduroam SP. At the same time, it is the baseline from which to establish an eduroam IdP configuration, if that is envisaged for a later stage.

Version information
This documentation is current as of FreeRADIUS 2.1.10. Even though 2.1.11 has been released, we recommend sticking with 2.1.10, because 2.1.11 is known to have several service-affecting bugs.
Installation
FreeRADIUS is written in C and can be compiled with the usual UNIX compilation sequence. After unpacking the source into a directory of your choice, do

{code}
./configure --prefix=<your preferred install dir> --sysconfdir=<your preferred configuration base dir>
make
make install
{code}
In the examples below, we assume the installation is done with --prefix=/usr/local/freeradius/ and that the configuration base dir is --sysconfdir=/etc, so the configuration files live in /etc/raddb.

Sample config directory
Base configuration / logging / F-Ticks
The main configuration file is /etc/raddb/radiusd.conf; it does not require many changes from the shipped default. The following lines are important for eduroam operation: a server status probing mechanism called Status-Server is enabled in the security section, and proxying of requests is switched on. Make sure the config file contains the following security stanza and proxy_requests setting:

{code}
security {
    max_attributes = 200
    reject_delay = 0
    status_server = yes
}
proxy_requests = yes
{code}
FreeRADIUS is capable of both IPv4 and IPv6. The following four sections enable both authentication and accounting processing with IPv4 and IPv6 (you can leave out the IPv6 part if your server shouldn't do IPv6):

{code}
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = auth
    ipv6addr = ::
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
listen {
    type = acct
    ipv6addr = ::
    port = 1813
}
{code}
The logic in the server is defined by activating certain modules in a certain order. These modules are separately defined and configured in the /etc/raddb/modules/ subdirectory. The order of activation of these modules is defined in so-called virtual servers, which are defined in the /etc/raddb/sites-enabled/ directory. For our eduroam SP purposes, we only need one virtual server "eduroam". It needs to contain as a minimum:

{code}
server eduroam {
    authorize {
        auth_log
        suffix
    }
    authenticate {
    }
    preacct {
        suffix
    }
    accounting {
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
    pre-proxy {
        pre_proxy_log
        if (Packet-Type != Accounting-Request) {
            attr_filter.pre-proxy
        }
    }
    post-proxy {
        post_proxy_log
        attr_filter.post-proxy
    }
}
{code}
The multitude of sections in the above configuration is often confusing to newcomers. For a request that is proxied, the order of execution is:

{noformat}
authorize → pre-proxy
{noformat}

The authenticate section is not run for a request that is to be proxied (the decision is taken at the end of authorize, once suffix has set the realm), which is why it can stay empty on an SP. Then the packet is proxied to an upstream server. When the reply comes back, execution continues:

{noformat}
post-proxy → post-auth
{noformat}
Every stanza contains names of modules to be executed. Let's revisit them one after another:
- auth_log: logs the incoming packet to the file system. This is needed to fulfill the eduroam SP logging requirements.
- suffix: inspects the packet to look for an eduroam-style realm (separated by the @ sign)
- pre_proxy_log: logs the packet to the file system again. Attributes that were added during the inspection process before are then visible to the administrator - great for debugging
- attr_filter.pre-proxy: strips unwanted attributes off the request before sending it upstream
- post_proxy_log: logs the reply packet to the file system, as received from upstream
- attr_filter.post-proxy: strips unwanted attributes off the reply, prior to sending it back to the Access Points (VLAN attributes in particular! A reply from a remote IdP must not be able to place a visitor into one of your own VLANs)
- reply_log: logs the reply packet after attribute filtering to the file system
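What attr_filter.post-proxy does to an upstream reply, as an added example that is not code from this page or from FreeRADIUS: a simplified Python reimplementation of the attrs-file rule syntax used by rlm_attr_filter, covering only the `=* ANY` (any value) and `== value` (exact value) operators. Attributes with no matching rule are dropped, which is exactly what keeps a remote IdP's Tunnel-* (VLAN) attributes away from your access points. The allow-list and the sample reply are constructed; the real list is the file named in the module definition under /etc/raddb/modules/.

```python
"""Allow-list filtering of an upstream reply, in the spirit of attr_filter.post-proxy.

Added example, not FreeRADIUS code. Only the `=* ANY` and `== value`
operators of the attrs-file syntax are implemented; anything without a
rule is dropped. ALLOW_LIST and UPSTREAM_REPLY are constructed for the demo.
"""

# Constructed allow-list in attrs-file syntax. Note that no Tunnel-* rule exists.
ALLOW_LIST = """
DEFAULT
    Service-Type == Framed-User,
    Session-Timeout =* ANY,
    Reply-Message =* ANY,
    EAP-Message =* ANY,
    Message-Authenticator =* ANY,
    MS-MPPE-Recv-Key =* ANY,
    MS-MPPE-Send-Key =* ANY,
    User-Name =* ANY
"""


def parse_rules(text):
    """Return {attribute: [("any", None) or ("eq", value), ...]}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()   # drop comments, trailing comma
        if not line or line == "DEFAULT":
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"cannot parse rule: {raw!r}")
        attr, op, value = parts
        if op == "=*":
            rules.setdefault(attr, []).append(("any", None))
        elif op == "==":
            rules.setdefault(attr, []).append(("eq", value))
        else:
            raise ValueError(f"operator {op!r} not supported in this example: {raw!r}")
    return rules


def filter_reply(reply_attrs, rules):
    """Split (attribute, value) pairs into those a rule permits and those dropped.

    An attribute is kept if any rule for it is `=* ANY` or an `==` rule whose
    value matches; attributes without a rule are always dropped."""
    kept, dropped = [], []
    for attr, value in reply_attrs:
        allowed = any(kind == "any" or value == want for kind, want in rules.get(attr, ()))
        (kept if allowed else dropped).append((attr, value))
    return kept, dropped


# Constructed Access-Accept from a remote IdP that (by mistake or malice)
# tries to place the visitor into one of the SP's internal VLANs.
UPSTREAM_REPLY = [
    ("User-Name", "visitor@education.lu"),
    ("EAP-Message", "0x03040004"),
    ("Message-Authenticator", "0x00"),
    ("MS-MPPE-Recv-Key", "0x9f3c"),
    ("MS-MPPE-Send-Key", "0x51a7"),
    ("Session-Timeout", "3600"),
    ("Service-Type", "Administrative-User"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "staff-management"),
]

if __name__ == "__main__":
    kept, dropped = filter_reply(UPSTREAM_REPLY, parse_rules(ALLOW_LIST))
    print("forwarded to the AP:", kept)
    print("stripped:", dropped)
```

Run against the constructed reply, the EAP-Message and MS-MPPE keys the access point needs pass through, while all three Tunnel-* attributes and the non-matching Service-Type are stripped. The same mechanism with a different rules file is what attr_filter.pre-proxy applies to requests before they leave your site.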
The paths where the logs are written to, and the files with the list of permitted attributes for filtering, are defined in the corresponding module definitions in /etc/raddb/modules/<name-of-module>.

Since the eduroam SP with this configuration will statically forward over RADIUS to its upstream federation-level server, activation of F-Ticks reporting is not strictly necessary. It is thus described only in the "Goodies" section below.

Client definition
FreeRADIUS defines the connected RADIUS clients in the file /etc/raddb/clients.conf. This file needs to hold all your connected Access Points and/or wired eduroam-enabled switches. You set a shared secret for each client and define these in the config file as follows:

{code}
client antarctica-access-point-1 {
    ipaddr = 172.25.1.55
    netmask = 32
    secret = yoursecret12345
    shortname = southpole-11g
    virtual_server = eduroam
}
{code}

The secrets shown are placeholders. RADIUS's integrity protection (the MD5-based Request/Response Authenticators and the Message-Authenticator) is only as strong as this secret, so use a long random value and a different one for every client.
There are more (optional) settings for clients; please consult the comments in clients.conf for more detail. One option, the "virtual_server" one, enables your RADIUS server to serve more purposes than only eduroam: you can define several other virtual servers for other RADIUS purposes, and link clients to these. That is beyond the scope of this documentation, though.

If you want to connect your clients over IPv6, the syntax is only slightly different:

{code}
client antarctica-access-point-2 {
    ipv6addr = 2001:db8:1:789::56
    netmask = 128
    secret = yoursecretABCDE
    shortname = southpole-11n
    virtual_server = eduroam
}
{code}

Request forwarding
FreeRADIUS contains a wealth of options to define how requests are forwarded. These options are defined in the file /etc/raddb/proxy.conf.
For a single eduroam SP, these may seem overkill, but the required definitions for that purpose are rather static. Assuming you have two upstream servers to forward requests to, the following configuration will set these up - you only need to change the IP addresses and shared secrets in the home_server stanzas.
{code}
proxy server {
    default_fallback = yes
}

home_server antarctica-flr-1 {
    type = auth+acct
    ipaddr = 172.20.1.2
    port = 1812
    secret = secretstuff
    status_check = status-server
}

home_server antarctica-flr-2 {
    type = auth+acct
    ipaddr = 172.25.9.3
    port = 1812
    secret = secretstuff
    status_check = status-server
}

home_server_pool EDUROAM {
    type = fail-over
    home_server = antarctica-flr-1
    home_server = antarctica-flr-2
}

realm DEFAULT {
    pool = EDUROAM
    nostrip
}
{code}
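The probe behind status_check = status-server in the home_server stanzas above, and behind status_server = yes in the security section, as an added example that is not code from this page or from the FreeRADIUS project: it builds a code-12 Status-Server request, which must carry a Message-Authenticator (RFC 5997), and verifies the Access-Accept a live server returns by recomputing the Response Authenticator and Message-Authenticator under the shared secret. The secret, NAS-Identifier and addresses are constructed; the build_reply() server side exists so the exchange can be exercised offline.

```python
"""Status-Server probe: build the request, verify the reply.

Added example, not from the eduroam page or from FreeRADIUS. The shared
secret, NAS-Identifier and host/port used here are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _iter_attrs(attrs):
    """Yield (type, offset, value); raise ValueError on malformed lengths."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        yield attr_type, pos, attrs[pos + 2:pos + length]
        pos += length


def message_authenticator_ok(secret, packet, authenticator):
    """RFC 3579 check: HMAC-MD5(secret) over the packet with the attribute value
    zeroed and `authenticator` in the authenticator field (the packet's own one
    for a request, the Request Authenticator for a reply). None if absent."""
    attrs = packet[20:]
    for attr_type, off, value in _iter_attrs(attrs):
        if attr_type != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        zeroed = packet[:4] + authenticator + attrs[:off + 2] + bytes(16) + attrs[off + 18:]
        mac = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(mac, value)
    return None


def build_status_server(secret, ident, request_auth=None, nas_id=b"eduroam-sp-probe"):
    """Client side: return (packet, request_authenticator) for one probe."""
    if request_auth is None:
        request_auth = os.urandom(16)          # fresh random authenticator per probe
    attrs = _attr(NAS_IDENTIFIER, nas_id) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # computed over the zeroed placeholder
    return packet[:-16] + mac, request_auth


def build_reply(secret, request_auth, code, ident, attrs=b""):
    """Server side: reply with Message-Authenticator, then Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    attrs = attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(secret, request_auth, ident, reply):
    """True only for a well-formed Access-Accept that matches our request id
    and authenticates under the shared secret; anything else is 'server down'."""
    if len(reply) < 20:
        return False
    code, r_ident, length = struct.unpack("!BBH", reply[:4])
    if r_ident != ident or length != len(reply):
        return False
    attrs = reply[20:]
    try:
        list(_iter_attrs(attrs))
    except ValueError:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False
    if message_authenticator_ok(secret, reply, request_auth) is False:
        return False
    return code == ACCESS_ACCEPT


def probe(host, port, secret, timeout=3.0):
    """Send one probe over UDP/IPv4 and report whether the home server answered validly."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_status_server(secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(secret, request_auth, ident, data)


if __name__ == "__main__":
    print(probe("172.20.1.2", 1812, b"secretstuff"))   # constructed address/secret
```

A probe answered with a valid Access-Accept is what FreeRADIUS treats as "home server alive"; a timeout, a wrong secret or a tampered packet all count as down, which is why a mistyped secret in a home_server stanza shows up as the server being marked dead rather than as an authentication error.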
Goodies
Running FreeRADIUS as non-root user
The RADIUS protocol runs on ports >1023, which means it can be started entirely in unprivileged mode on UNIX-like systems. You can easily achieve that by
- creating a user "radiusd" and group "radiusd"
- giving all configuration files in /etc/raddb ownership of user radiusd and group radiusd (the directories the logging modules write to, logdir and radacctdir in radiusd.conf, need to be writable by that user as well)
- changing these two parameters in /etc/raddb/radiusd.conf:

{code}
user = radiusd
group = radiusd
{code}
F-Ticks
F-Ticks uses syslog to deliver user login statistics. You can enable syslog logging for login events by defining a linelog module. In the /etc/raddb/modules/ subdirectory, create a new file "f_ticks":

{code}
linelog f_ticks {
    filename = syslog
    format = ""
    reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
    f_ticks {
        Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=LU#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=OK#"
        Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=LU#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
    }
}
{code}
Note that you have to adapt VISCOUNTRY to the country you are in, and VISINST to an identifier for your hotspot! You need to enable this new module in the post-auth section of your virtual server eduroam:

{code}
post-auth {
    reply_log
    f_ticks
    Post-Auth-Type REJECT {
        reply_log
        f_ticks
    }
}
{code}
This way, appropriate log lines will be logged into your local syslog instance. If you want to forward your ticks to the statistics system, please get in touch with your NRO to learn the syslog destination, and configure your syslog daemon to forward the log line correspondingly.

Please note that the file proxy.conf may need your attention: FreeRADIUS' handling of the "DEFAULT" realm changed slightly between 2.1.9 and 2.1.10: previously, it would fill %{Realm} with the actual realm (e.g. "education.lu"), but after the change, it uses the literal "DEFAULT". It is not helpful to generate ticks with REALM=DEFAULT. If you were using DEFAULT before, and now notice that ticks are sent incorrectly, the mitigation is to use a regular expression instead of DEFAULT, because for realm statements with regular expressions, the most recent versions still substitute the actual realm. You would need to delete the DEFAULT realm and replace it with the following regular expression realm statement *at the end of your proxy.conf* (realms are tried in file order, so a catch-all must come last), keeping the same pool and nostrip settings as the DEFAULT realm it replaces:

{code}
realm /.*/ {
    ...
}
{code}
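The two F-TICKS format strings and the REALM=DEFAULT symptom above, as an added example that is not code from this page or from FreeRADIUS: make_tick() mirrors in Python what the linelog module emits (one line per Access-Accept or Access-Reject, nothing for other reply types), and validate_tick()/audit() check lines the way a receiving side would, flagging a tick whose realm is empty or the literal DEFAULT, an unreplaced VISINST placeholder, or a malformed country code. The country code, institution id and the syslog excerpt are constructed.

```python
"""F-TICKS/eduroam/1.0 lines: generate them as the linelog module does, and validate them.

Added example, not from the eduroam page or from FreeRADIUS. VISCOUNTRY,
VISINST and SAMPLE_SYSLOG are constructed placeholders.
"""
import re

VISCOUNTRY = "LU"       # assumption: your country code
VISINST = "YOUR-ID"     # assumption: placeholder, to be replaced by your hotspot id
RESULT_FOR = {"Access-Accept": "OK", "Access-Reject": "FAIL"}
REQUIRED = ("REALM", "VISCOUNTRY", "VISINST", "CSI", "RESULT")


def make_tick(reply_type, request, viscountry=VISCOUNTRY, visinst=VISINST):
    """Return the tick for a reply, or None when linelog would log nothing
    (its `format = ""` fallback for any other reply type)."""
    result = RESULT_FOR.get(reply_type)
    if result is None:
        return None
    realm = request.get("Realm", "")                 # %{Realm}: empty if suffix found none
    csi = request.get("Calling-Station-Id", "")      # %{Calling-Station-Id}
    return (f"F-TICKS/eduroam/1.0#REALM={realm}#VISCOUNTRY={viscountry}"
            f"#VISINST={visinst}#CSI={csi}#RESULT={result}#")


_TICK_RE = re.compile(r"^F-TICKS/eduroam/1\.0#(?P<body>(?:[A-Z]+=[^#]*#)+)$")


def parse_tick(line):
    """Split one tick into a dict; ValueError if the framing is wrong."""
    m = _TICK_RE.match(line.strip())
    if not m:
        raise ValueError("not an F-TICKS/eduroam/1.0 line")
    fields = {}
    for kv in m.group("body").rstrip("#").split("#"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def validate_tick(line):
    """Return the list of problems with a tick (empty when it is usable)."""
    try:
        f = parse_tick(line)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {k}" for k in REQUIRED if k not in f]
    if f.get("REALM", "") in ("", "DEFAULT"):
        problems.append("REALM is empty or the literal DEFAULT; use a /.*/ realm in proxy.conf")
    if "VISCOUNTRY" in f and not re.fullmatch(r"[A-Z]{2}", f["VISCOUNTRY"]):
        problems.append("VISCOUNTRY is not a two-letter country code")
    if f.get("VISINST", "") in ("", "YOUR-ID"):
        problems.append("VISINST placeholder not replaced")
    if "RESULT" in f and f["RESULT"] not in ("OK", "FAIL"):
        problems.append("RESULT must be OK or FAIL")
    return problems


def audit(syslog_lines):
    """Check every tick found in syslog output; returns {tick: problems}."""
    report = {}
    for line in syslog_lines:
        idx = line.find("F-TICKS/")
        if idx < 0:
            continue                       # not a tick line
        tick = line[idx:].strip()
        report[tick] = validate_tick(tick)
    return report


# Constructed syslog excerpt: one good tick, one produced with a DEFAULT realm.
SAMPLE_SYSLOG = [
    "Mar  3 10:21:07 sp radiusd[1234]: F-TICKS/eduroam/1.0#REALM=education.lu"
    "#VISCOUNTRY=LU#VISINST=LU-HOTSPOT#CSI=00-11-22-33-44-55#RESULT=OK#",
    "Mar  3 10:21:09 sp radiusd[1234]: F-TICKS/eduroam/1.0#REALM=DEFAULT"
    "#VISCOUNTRY=LU#VISINST=LU-HOTSPOT#CSI=66-77-88-99-AA-BB#RESULT=FAIL#",
    "Mar  3 10:21:10 sp radiusd[1234]: Login OK: [visitor@education.lu] (from client southpole-11g)",
]

if __name__ == "__main__":
    for tick, problems in audit(SAMPLE_SYSLOG).items():
        print(tick, "->", problems or "ok")
```

Running audit() over a day of your syslog output before forwarding ticks to the NRO tells you whether the realm substitution in proxy.conf is doing what the statistics system expects; a flood of REALM=DEFAULT entries is the signature of the 2.1.10 change described above.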