radsecproxy
This section describes how to set up radsecproxy to act as a federation-level RADIUS+RadSec server. It can then completely replace other RADIUS server products on the federation level.
More precisely, it will enable a server to:
- Accept requests from connected service providers via RADIUS and RadSec.
- Forward requests to connected identity providers via RADIUS and RadSec.
- Forward requests from international visitors to the European eduroam confederation root servers via RadSec.
- Accept requests from the root servers via RadSec for the own federation's users when they are roaming in another federation.
...
...
Version information
The prerequisites for this deployment are:
- radsecproxy version 1.4.2
...
- or
...
- higher
...
- A
...
- server
...
- certificate
...
- and
...
- a
...
- private
...
- key
...
- for
...
- that
...
- certificate
...
- to
...
- establish
...
- the
...
- RadSec
...
- connection
...
- which
...
- designates
...
- the
...
- server
...
- as
...
- an
...
- IdP+SP.
...
Installation
On UNIX-like systems, the installation is very simple:
- Download the code from http://software.uninett.no/radsecproxy/
...
- .
...
- Unpack
...
- the
...
- code.
...
- Navigate
...
- into
...
- the
...
- unpacked
...
- directory
...
- (the
...
- base
...
- directory)
...
- and
...
- type:
...
-
make
The code is ISO C and should compile cleanly. It usually does not require a ./configure.
4. After compiling, the executable
| Code Block |
|---|
radsecproxy
|
is in the base directory. Either run this executable here or copy it to a convenient location (e.g. /usr/local/bin)
...
and
...
run
...
it
...
there.
...
Execution
...
does
...
not
...
require
...
root
...
rights.
...
5.
...
Copy
...
the
...
template
...
configuration
...
file
...
below
...
into
| Code Block |
|---|
{code} /etc/radsecproxy.conf {code} 6. Create the directory _/ |
6. Create the directory /etc/radsecproxy.d/certs/ca/
...
.
...
The
...
template
...
configuration
...
file
...
requires
...
this
...
directory
...
to
...
contain
...
the
...
accredited
...
CA
...
root
...
certificates
...
and
...
the
...
corresponding
...
Certificate
...
Revocation
...
Lists
...
(CRLs)
...
in
...
their
...
OpenSSL
...
hash
...
form.
...
See
...
the
...
section
...
xyz
...
for
...
information
...
about
...
the
...
CA
...
download.
7. Fill the lines marked with _STUFF_ with the required information as explained below.
8. Start radsecproxy and enjoy (for first-time use, starting it with the --f option is recommended, it will start radsecproxy in the foreground and show some verbose startup messages).
Sample config file
Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows. However, the comments included in the file should make its action almost self- explanatory. This means you can start and experiment with it right after installation.
Base configuration / logging / F-Ticks
This walk-through goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.
| Code Block |
|---|
|http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip]. A detailed explanation of this configuration file follows. However, the comments included in the file should make its action almost self\- explanatory. This means you can start and experiment with it right after installation. h3. Base configuration / logging / F-Ticks This walk-through goes through the template radsecproxy.conf line by line and explains the meaning of each stanza. {code} ListenUDP *:1812 ListenTCP *:2083 {code} |
radsecproxy
...
will
...
receive
...
requests
...
from
...
all
...
connected
...
Service
...
Providers
...
via
...
both
...
RADIUS
...
and
...
RadSec.
...
Therefore
...
it
...
has
...
to
...
listen
...
on
...
the
...
appropriate
...
ports
...
on
...
its
...
network
...
interfaces
...
(the
...
*
...
meaning:
...
all
...
interfaces).
...
If
...
you
...
want
...
radsecproxy
...
to
...
listen
...
only
...
on
...
specific
...
interfaces,
...
enter
...
the
...
interface
...
names
...
here.
...
Beware:
...
in
...
this
...
case
...
you
...
may
...
also
...
have
...
to
...
set
...
the
...
more
...
exotic
...
options
...
SourceUDP
...
and/or
...
SourceTCP
...
(see
...
the
...
man
...
page
...
of
...
radsecproxy
...
for
...
details).
| Code Block |
|---|
{code} LogLevel 3 LogDestination x-syslog:///LOG_LOCAL0 {code} A logging |
A logging level of 3 is the default and recommended log level. Radsecproxy will then log successful and failed authentications on one line each. The log destination is the local syslog destination.
| Code Block |
|---|
level of 3 is the default and recommended log level. Radsecproxy will then log successful and failed authentications on one line each. The log destination is the local syslog destination. {code} LoopPrevention On {code} |
This
...
enables
...
a
...
semi-automatic
...
prevention
...
of
...
routing
...
loops
...
for
...
RADIUS
...
connections.
...
If
...
you
...
define
...
a
...
client
...
and
...
server
...
block
...
(see
...
below)
...
and
...
give
...
them
...
the
...
same
...
descriptive
...
name,
...
the
...
proxy
...
will
...
prevent
...
proxying
...
from
...
the
...
client
...
to
...
that
...
same
...
server.
| Code Block |
|---|
} tls defaultClient { CACertificatePath /etc/radsecproxy/certs/ca/ CertificateFile /etc/radsecproxy/certs/CERT_PEM__ CertificateKeyFile /etc/radsecproxy/certs/CERT_KEY__ CertificateKeyPassword __CERT_PASS__ policyOID .1.3.6.1.4.1.25178.3.1.1 # CRLCheck On } { |
| Code Block |
|---|
} {code} tls defaultServer { CACertificatePath /etc/radsecproxy/certs/ca/ CertificateFile /etc/radsecproxy/certs/CERT_PEM__ CertificateKeyFile /etc/radsecproxy/certs/CERT_KEY__ CertificateKeyPassword __CERT_PASS__ policyOID .1.3.6.1.4.1.25178.3.1.2 # CRLCheck On } {code} |
This
...
section
...
defines
...
which
...
TLS
...
certificates
...
should
...
be
...
used
...
by
...
default.
...
This
...
installation
...
of
...
radsecproxy
...
always
...
uses
...
the
...
same
...
certificates,
...
so
...
this
...
is
...
the
...
only
...
TLS
...
section.
...
CACertificatePath
...
contains
...
the
...
eduroam-accredited
...
CA
...
certificates
...
with
...
filenames
...
in
...
the
...
OpenSSL
...
hash
...
form.
...
The
...
parameters
...
below
...
need
...
to
...
be
...
adapted
...
to
...
point
...
to
...
your
...
server
...
certificate
...
in
...
PEM
...
format,
...
the
...
private
...
key
...
for
...
this
...
certificate
...
and
...
the
...
password
...
for
...
this
...
private
...
key
...
if
...
needed,
...
respectively.
...
If
...
no
...
password
...
is
...
needed
...
for
...
the
...
private
...
key,
...
you
...
can
...
comment
...
this
...
line
...
(precede
...
it
...
with
...
a
...
#
...
sign).
...
The
...
option
...
CRLCheck
...
validates
...
certificates
...
against
...
the
...
Certificate
...
Revocation
...
List
...
(CRL)
...
of
...
the
...
CAs.
...
It
...
requires
...
a
...
valid
...
CRL
...
in
...
place,
...
or
...
else
...
the
...
certificate
...
validation
...
will
...
fail.
...
Therefore,
...
it
...
is
...
important
...
to
...
regularly
...
update
...
the
...
CRLs
...
by
...
re-downloading
...
them
...
as
...
described
...
above.
...
Right
...
now,
...
checking
...
CRLs
...
is
...
discouraged
...
due
...
to
...
a
...
pending
...
bug
...
in
...
OpenSSL
...
regarding
...
CRL
...
reloading.
| Code Block |
|---|
} rewrite defaultClient { removeAttribute 64 removeAttribute 65 removeAttribute 81 } {code} |
This
...
section
...
deletes
...
attributes
...
from
...
RADIUS
...
requests
...
that
...
convey
...
VLAN
...
assignment
...
information.
...
If
...
VLAN
...
information
...
is
...
sent
...
inadvertently,
...
it
...
can
...
cause
...
a
...
degraded
...
or
...
non-existent
...
service
...
for
...
the
...
end
...
user
...
because
...
he
...
might
...
be
...
put
...
into
...
the
...
wrong
...
VLAN.
...
Connected
...
service
...
providers
...
should
...
filter
...
this
...
attribute
...
on
...
their
...
own.
...
Connected
...
Identity
...
Providers
...
should
...
not
...
send
...
this
...
attribute
...
at
...
all.
...
Checking
...
for
...
the
...
existence
...
of
...
these
...
attributes
...
on
...
the
...
federation
...
server
...
is
...
just
...
an
...
optional
...
additional
...
safety
...
layer.
...
If
...
you
...
do
...
have
...
a
...
roaming
...
use
...
for
...
cross-institution
...
VLAN
...
assignment,
...
you
...
may
...
want
...
to
...
delete
...
this
...
stanza.
...
Client
...
definition
| Code Block |
|---|
} client 127.0.0.1 { type udp secret testing123 } client ::1 { type udp secret testing123 } {code} |
There
...
is
...
no
...
other
...
RADIUS
...
server
...
running
...
on
...
localhost,
...
which
...
makes
...
these
...
client
...
definitions
...
almost
...
superfluous.
...
They
...
may
...
be
...
of
...
some
...
use
...
however
...
to
...
initiate
...
debugging
...
requests
...
and
...
tests
...
from
...
the
...
server
...
itself,
...
so
...
it
...
is
...
considered
...
good
...
practice
...
to
...
list
...
localhost
...
as
...
a
...
client.
...
If
...
your
...
system
...
is
...
not
...
IPv6-enabled,
...
simply
...
delete
...
the
...
second
...
stanza.
| Code Block |
|---|
{code} client __SP_IP_ADDR__ { type udp secret __SP_SECRET__ } {code} |
Stanzas
...
like
...
this
...
one
...
are
...
used
...
for
...
each
...
connected
...
service
...
provider
...
that
...
is
...
connected
...
via
...
RADIUS.
...
You
...
need
...
to
...
know
...
the
...
IP
...
address
...
of
...
every
...
SP's
...
RADIUS
...
server
...
and
...
negotiate
...
a
...
shared
...
secret
...
with
...
the
...
SP.
| Code Block |
|---|
} client incoming { host * type TLS secret radsec } {code} |
All
...
incoming
...
RadSec
...
connections
...
can
...
be
...
handled
...
with
...
this
...
stanza.
...
It
...
does
...
not
...
need
...
to
...
be
...
modified.
...
In
...
particular,
...
the
...
string
...
"radsec"
...
for
...
secret
...
is
...
fixed
...
by
...
the
...
RADIUS/TLS
...
protocol
...
and
...
is
...
required
...
to
...
remain
...
unchanged.
...
It
...
also
...
has
...
no
...
effect;
...
RADIUS/TLS
...
depends
...
on
...
TLS
...
security
...
rather
...
than
...
the
...
shared
...
RADIUS
...
secret.
...
The
...
eduroam
...
trust
...
model
...
requires
...
that
...
a
...
SP
...
that
...
tries
...
to
...
connect
...
has:
...
- A
...
- X.509
...
- certificate
...
- from
...
- an
...
- eduroam-accredited
...
- CA
...
- which
...
- carries
...
- a
...
- Policy
...
- OID
...
- as
...
- configured
...
- above
...
- to
...
- prove
...
- authorisation
...
- as
...
- a
...
- eduroam
...
- Service
...
- Provider
...
Please
...
note
...
that
...
the
...
client
...
and
...
server
...
stanza
...
for
...
the
...
GEANT
...
Monitoring
...
(SA3-T2
...
activity)
...
have
...
the
...
same
...
host
...
address,
...
but
...
different
...
stanza
...
names.
...
This
...
is
...
important:
...
it
...
disables
...
the
...
LoopDetection
...
for
...
this
...
host,
...
and
...
the
...
SA3
...
monitoring
...
deliberate
...
uses
...
loops
...
to
...
do
...
its
...
tests.
...
The
...
following
...
stanza
...
is
...
the
...
eduroam
...
Service
...
Activity's
...
monitoring
...
client.
...
Negotiate
...
the
...
IP
...
address
...
and
...
shared
...
secret
...
for
...
European
...
monitoring
...
with
...
the
...
operators
...
in
...
SA3-T2
...
(eduroam
...
Operational
...
Team)
...
and
...
enter
...
it
...
here.
| Code Block |
|---|
} client SA3-monitoring-incoming { host x.y.z.a type UDP secret __MONITORING_SECRET__ } {code} h3. Request forwarding To deliver requests to your connected IdPs, their servers need to be configured. This stanza is for IdP servers using RADIUS. {code} |
Request forwarding
To deliver requests to your connected IdPs, their servers need to be configured. This stanza is for IdP servers using RADIUS.
| Code Block |
|---|
server __DESCRIPTIVE_NAME_ {
host __IP_ADDR__
type UDP
secret __SERVER_SECRET__
}
{code}
This is the equivalent stanza for IdP servers using |
This is the equivalent stanza for IdP servers using RADIUS/TLS.
| Code Block |
|---|
} server __RADSEC_PEER_DNS_NAME_ { type TLS secret radsec statusserver on } {code} |
The
...
two
...
following
...
stanzas
...
define
...
the
...
uplink
...
to
...
the
...
European
...
eduroam
...
Confederation
...
root
...
servers.
...
This
...
entry
...
can
...
be
...
kept
...
as
...
it
...
stands
...
and
...
doesn't
...
need
...
any
...
further
...
configuration.
| Code Block |
|---|
} server etlr1.eduroam.org { type TLS secret radsec statusserver on } server etlr2.eduroam.org { type TLS secret radsec statusserver on } {code} |
European
...
monitoring
...
works
...
both
...
ways.
...
The
...
client
...
entry
...
near
...
the
...
beginning
...
of
...
the
...
configuration
...
file
...
was
...
needed
...
for
...
incoming
...
requests
...
from
...
the
...
monitoring
...
servers.
...
The
...
entry
...
below
...
specifies
...
the
...
outgoing
...
connections
...
to
...
the
...
monitoring
...
server.
...
Outgoing
...
connections
...
are
...
currently
...
monitored
...
with
...
RADIUS
...
only.
...
Use
...
the
...
negotiated
...
IP
...
address
...
and
...
shared
...
secret
...
with
...
SA3-T2
...
Monitoring
...
in
...
the
...
following
...
stanza:
| Code Block |
|---|
\\ {code} server SA3-monitoring-outgoing { host a.b.c.d type UDP secret __MONITORING_SECRET__ } {code} Finally, the IdP realms need to be defined. This is done in the remainder of the configuration file: _ |
After defining the server configurations, we need to define which RADIUS realms are going to be forwarded to which server(s). This is done in the remainder of the configuration file.
First, there are (very few) known-bad realms which are not forwarded at all. They should ideally never reach the FLR server, and be caught by the SP local RADIUS server, but as an extra safety measure they are filtered (i.e. immediately rejected) here:
| Code Block |
|---|
realm /myabc\.com$ {_ _ replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant\! Rejected by <TLD>."_ _}_ \_realm /^\[radsecproxy-flr^@\]*$ { accountingresponse on } realm /^$/ { replymessage "Misconfigured client: empty realm! Rejected by <TLD>."__}_ There are some known client-side misconfigurations. If they were not already caught by the SP local RADIUS server, it does not make sense for the proxy to send these requests up to the eduroam infrastructure. These requests are immediately rejected. *Note:* if you need to blacklist an existing realm for some reason, you can follow the myabc.com example, copying and replacing it with the realm to be blacklisted. _realm /_{_}IDP_REALM{_}_$ {_ _ server \__FROM_SERVER_STANZAS_ABOVE_\_\_ _ server \__BACKUP_NAME_\_\_ _}_ Requests that are coming in from upstream and are supposed to be handled by an identity provider are listed in stanzas like this. __IDP_REALM__ contains the realm of the connected IdP. Create one such stanza for each IdP realm. If an IdP has multiple servers for a failover configuration, you can list all servers in a row, as in the example above. _realm /eduroam\._{_}YOUR_TLD__ {\__ server SA5-monitoring-outgoing{_}_ server TODO:SRCE RadSec server{_}_}_ The configuration stanza above is for outgoing SA5 monitoring connections. You can select your preference for RADIUS or RadSec for the outgoing connections by changing the order of the server stanzas. _realm /\._{_}YOUR_TLD{_}_$ {_ _ replymessage "Misconfigured supplicant or downstream server: uses known\- bad realm in <TLD> federation\!"_ _}_ All the valid realms were listed earlier in the configuration file, and this server is authoritative for the own TLD. If a supplicant or downstream servers sends a realm with the own TLD, but also with a realm name that is not registered, this request is unauthorised and bound to fail. It will be rejected immediately to prevent routing loops. _realm \* {_ _ server etlr1.eduroam.org_ _ server etlr2.eduroam.org_ _}_ Finally, all realms that do not belong to the own federation are forwarded to the European eduroam Confederation root servers.accountingresponse on } |
Note: if you need to blacklist an existing realm for some reason, you can follow the myabc.com example, copying and replacing it with the realm to be blacklisted.
Requests for proper realms that are coming in from upstream and are supposed to be handled by an identity provider are listed in stanzas like the below. _IDP_REALM_ contains the realm of the connected IdP. Create one such stanza for each IdP realm. If an IdP has multiple servers for a failover configuration, you can list all servers in a row, as in the example below.
| Code Block |
|---|
realm /IDP_REALM$ {
server __FROM_SERVER_STANZAS_ABOVE__
server __BACKUP_NAME__
}
|
The configuration stanza below is for outgoing European monitoring connections.
| Code Block |
|---|
realm /eduroam\.YOUR_TLD {
server SA3-monitoring-outgoing
}
|
All the valid realms were listed earlier in the configuration file, and this server is authoritative for the own TLD. If a supplicant or downstream servers sends a realm with the own TLD, but also with a realm name that is not registered, this request is unauthorised and bound to fail. It will be rejected immediately to prevent routing loops.
| Code Block |
|---|
realm /\.YOUR_TLD$ {
replymessage "Misconfigured supplicant or downstream server: uses known-bad realm in <TLD> federation!"
}
|
Finally, all realms that do not belong to the own federation are forwarded to the European eduroam Confederation root servers.
| Code Block |
|---|
realm * {
server etlr1.eduroam.org
server etlr2.eduroam.org
}
|