...

Next, you need to create a CAT profile for your users. Once that is done, you should be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter an OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.

As a final remark, you can make the web server enforce HSTS with


Code Block
a2enmod headers
systemctl restart apache2


Then please add to letswifi-portal.conf

Code Block
Header always set Strict-Transport-Security "max-age=15768000"

and do another web server restart.

Connecting to a RADIUS server

In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to know the CA of your Let's WiFi portal. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with

...

Code Block
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_file = ${certdir}/radius.geteduroam.TLD.key
                certificate_file = ${certdir}/radius.geteduroam.TLD.crt
                ca_file = ${cadir}/geteduroam-ca.pem
                auto_chain = no
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                #check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                tls_min_version = "1.2"
                tls_max_version = "1.3"
                fragment_size = 1450
                ecdh_curve = "prime256v1"

                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
                }

                verify {
                }

                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }

        tls {
                tls = tls-common
                virtual_server = check-eap-tls
        }

        ttls {
                tls = tls-common
                virtual_server = "inner-tunnel"
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

In this configuration the certificate_file contains the whole chain. The sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to

...

Code Block
server check-eap-tls {
  authorize {
    #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
    if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
      if (&Realm == "%{1}") {
        update config {
          Auth-Type = Accept
        }
      }
      else {
        update config {
          Auth-Type = Reject
        }
      }
    }
  }
}

in order to accept anonymous outer IDs, if needed. The policy binds the realm found in the client certificate's CN (the part after the @) to the realm of the outer identity: the two must match for the request to be accepted, so a certificate issued for one realm cannot be presented under an anonymous outer identity belonging to another.
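The decision logic of the check-eap-tls virtual server above, modelled in Python as an added example (this is not code from the Let's WiFi or FreeRADIUS projects). It assumes, as the FreeRADIUS realm module does for the outer identity, that the outer realm is the part of the outer User-Name after the last @; the function names and the sample requests are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Same pattern as the unlang policy: /\@(.*)$/ captures everything after the
# first "@" in the client certificate's Common Name.
CN_REALM_RE = re.compile(r"@(.*)$")


def realm_from_cn(client_cert_cn: str) -> Optional[str]:
    """Return the realm embedded in the certificate CN, or None if there is none."""
    match = CN_REALM_RE.search(client_cert_cn)
    return match.group(1) if match else None


def outer_realm_from_user_name(outer_user_name: str) -> Optional[str]:
    """Realm of the (possibly anonymous) outer identity, as the realm module derives it
    from the outer User-Name (assumption of this model: text after the last '@')."""
    if "@" not in outer_user_name:
        return None
    return outer_user_name.rsplit("@", 1)[1]


def check_eap_tls(client_cert_cn: str, outer_realm: Optional[str]) -> Optional[str]:
    """Mirror the check-eap-tls authorize section.

    Returns "Accept" when the certificate realm equals the outer realm,
    "Reject" when it differs, and None when the CN carries no realm at all:
    in that case the policy sets no Auth-Type, and FreeRADIUS rejects a
    request for which no module sets one.
    """
    cert_realm = realm_from_cn(client_cert_cn)
    if cert_realm is None:
        return None
    # The unlang comparison &Realm == "%{1}" is modelled as an exact string match.
    return "Accept" if cert_realm == outer_realm else "Reject"


def evaluate(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Run the policy over (outer User-Name, client cert CN) pairs."""
    results = []
    for outer_user_name, client_cert_cn in requests:
        decision = check_eap_tls(client_cert_cn, outer_realm_from_user_name(outer_user_name))
        results.append((outer_user_name, client_cert_cn, decision))
    return results


# Constructed sample requests: an honest anonymous outer ID with a matching cert,
# a certificate from a different realm presented under the same outer ID, and a
# certificate whose CN carries no realm.
SAMPLE_REQUESTS = [
    ("anonymous@example.org", "alice@example.org"),
    ("anonymous@example.org", "bob@other.example"),
    ("anonymous@example.org", "device-without-realm"),
]

if __name__ == "__main__":
    for outer, cn, decision in evaluate(SAMPLE_REQUESTS):
        print(f"outer={outer!r} cn={cn!r} -> Auth-Type {decision}")
```

The third sample is the case to watch when troubleshooting: a certificate whose CN has no @ never reaches either update block, so the log shows a rejection for a missing Auth-Type rather than an explicit Reject from this policy.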

In the Let's WiFi portal, please import the CA that was used to get the RADIUS server certificate with

Code Block
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php

You can view the result with sqlite> select * from ca;

You also need to update the realm trust with


Code Block
/var/lib/letswifi/database# sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';

You can view the result with sqlite> select * from realm_trust;

Also check the server name and change it if needed:

Code Block
sqlite> SELECT * FROM realm_server_name;
YOUR-REALM|radius.YOUR-REALM
sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';