Comment: AQ is a real place that might (eventually) get eduroam. XZ is reserved for user assignment in ISO 3166-1 alpha-2.

...

The prerequisites for this deployment are:

  • radsecproxy version 1.4.2 6 or higher
  • A server certificate and a private key for that certificate to establish the RadSec RADIUS/TLS connection which designates the server as an IdP+SP.

...

Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows. However, the comments included in the file should make its action almost self-explanatory. This means you can start and experiment with it right after installation.

Base configuration / logging / F-Ticks

This walk-through goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.

...

Code Block
client __SP_IP_ADDR__ {
        type     udp
        secret   __SP_SECRET__
        FTicksVISCOUNTRY XZ      # will generate F-Ticks for a non-existent visited country
}

Stanzas like this one are used for each service provider that is connected via RADIUS. You need to know the IP address of every SP's RADIUS server and negotiate a shared secret with the SP.

Please note that the client and server stanzas for the GEANT Monitoring (SA3-T2 activity) have the same host address but different stanza names. This is important: it disables the LoopDetection for this host, and the SA3 monitoring deliberately uses loops to do its tests. The following stanza is the eduroam Service Activity's monitoring client. Negotiate the IP address and shared secret for European monitoring with the operators in SA3-T2 (eduroam Operational Team) and enter them here.

Code Block
client SA3-monitoring-incoming {
        host            x.y.z.a
        type            UDP
        secret          __MONITORING_SECRET__
}


Code Block
client incoming {
        host            0.0.0.0/0
        host            [::]/0
        type            TLS
        tls             defaultClient
        secret          radsec
}


All incoming RadSec connections can be handled with this stanza. After all specific clients in the configuration, you can use the above stanza as a "catch-all" for incoming RADIUS/TLS connections. It does not need to be modified (if you do not support IPv6, you can delete the second "host" line). In particular, the string "radsec" for secret is fixed by the RADIUS/TLS protocol and must remain unchanged. It also has no security effect: RADIUS/TLS relies on TLS for its security rather than on the shared RADIUS secret.

...

  • A X.509 certificate from an eduroam-accredited CA
  • which carries a Policy OID as configured above to prove authorisation as an eduroam Service Provider


...

These checks were defined via "tls defaultClient", above.

Request forwarding

To deliver requests to your connected IdPs, their servers need to be configured. This stanza is for IdP servers using RADIUS.

...

Code Block
realm /myabc\.com$/ {
        replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by <TLD>."
        accountingresponse on
}

realm /@.*3gppnetwork\.org$/ {
        replymessage "Misconfigured client: Unsupported 3G EAP-SIM client!"
        accountingresponse on
}

realm /^$/ {
        replymessage "Misconfigured client: empty realm! Rejected by <TLD>."
        accountingresponse on
}

...

Code Block
realm /IDP_REALM$/ {
              server         __FROM_SERVER_STANZAS_ABOVE__
              server         __BACKUP_NAME__
}

...

Code Block
realm /eduroam\.YOUR_TLD/ {
              server         SA3-monitoring-outgoing
}

...

Code Block
realm /\.YOUR_TLD$/ {
              replymessage "Misconfigured supplicant or downstream server: uses known-bad realm in <TLD> federation!"
}

Finally, all realms that do not belong to your own federation are forwarded to the European eduroam Confederation root servers. However, this is limited to 'sane' realms: the User-Name must contain an '@' followed by a realm whose TLD is at least 2 characters long. Anything else is dropped.

Code Block
realm /@.+\..{2,}$/ {
        server           etlr1.eduroam.org
        server           etlr2.eduroam.org
}

realm * {
        replymessage "Misconfigured client: username does not contain a valid realm!"
}
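The realm stanzas above only work as intended because of their order: radsecproxy tries them in configuration order and the first regex that matches the whole User-Name wins. The following is an added example, not code from the cookbook or from radsecproxy itself, that models that first-match selection over the visible template order so you can check which branch a given User-Name ends up in before you deploy the file. It assumes that radsecproxy compiles realm regexes case-insensitively, and it uses the placeholders "idp.example-tld" for IDP_REALM and "example-tld" for YOUR_TLD; the sample User-Names are constructed.

```python
import re

# Added example (not from the cookbook or radsecproxy): a model of radsecproxy's
# realm selection. Stanzas are tried in configuration order and the first regex
# matching the User-Name attribute wins; the regexes are assumed to be compiled
# case-insensitively (REG_ICASE). Placeholders are assumptions: "idp.example-tld"
# stands in for IDP_REALM and "example-tld" for YOUR_TLD.
REALM_TABLE = [
    (r"myabc\.com$",           "reject: default realm of Intel PRO/Wireless supplicant"),
    (r"@.*3gppnetwork\.org$",  "reject: unsupported 3G EAP-SIM client"),
    (r"^$",                    "reject: empty realm"),
    (r"idp\.example-tld$",     "forward: __FROM_SERVER_STANZAS_ABOVE__ / __BACKUP_NAME__"),
    (r"eduroam\.example-tld",  "forward: SA3-monitoring-outgoing"),
    (r"\.example-tld$",        "reject: known-bad realm in federation"),
    (r"@.+\..{2,}$",           "forward: etlr1.eduroam.org / etlr2.eduroam.org"),
    (r".*",                    "reject: username does not contain a valid realm"),  # realm *
]

COMPILED = [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in REALM_TABLE]


def route(user_name: str) -> tuple:
    """Return (pattern, action) of the first realm stanza whose regex matches the User-Name."""
    for regex, action in COMPILED:
        if regex.search(user_name):
            return regex.pattern, action
    raise AssertionError("unreachable: the catch-all realm matches every User-Name")


def is_sane_realm(user_name: str) -> bool:
    """The cookbook's 'sane realm' test: user@host with a TLD of at least 2 characters."""
    return re.search(r"@.+\..{2,}$", user_name) is not None


# Constructed sample User-Names, one per branch of the template.
SAMPLES = [
    "alice@idp.example-tld",                      # own IdP
    "bob@myabc.com",                              # Intel supplicant default realm
    "",                                           # empty User-Name
    "carol",                                      # no realm at all
    "dave@wlan.mnc001.mcc234.3gppnetwork.org",    # 3G EAP-SIM client
    "erin@bogus.example-tld",                     # unknown realm under the federation TLD
    "frank@uni.example.org",                      # foreign realm, goes to the ETLRs
    "grace@localhost",                            # no dot in the realm: not sane
    "heidi@x.y",                                  # one-character TLD: not sane
    "mallory@notidp.example-tld",                 # shows the effect of an unanchored IdP regex
]

if __name__ == "__main__":
    for name in SAMPLES:
        pattern, action = route(name)
        print(f"{name!r:45} -> {action}  (matched /{pattern}/)")
```

Two things the run makes visible: moving the `/\.YOUR_TLD$/` known-bad stanza above the `/eduroam\.YOUR_TLD/` monitoring stanza would silently swallow the monitoring realm, and because the template's IdP pattern `/IDP_REALM$/` is anchored only at the end, a User-Name such as `mallory@notidp.example-tld` is routed to the IdP as well; anchoring the pattern with a leading `@` confines it to the intended realm.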

Goodies

This section contains some optional configuration parameters that are useful in many deployments.

...