...

You should see JSON output starting with {"href":"./","http://letswifi.app/api#2": if the web server is running correctly internally. You should also be able to reach your server with a browser. Next, check the SP metadata at https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, obtain and install a server certificate for your web server. The web server configuration file is named letswifi-portal.conf.

...

In config.php you may need to change 'baseurlpath' from 'simplesaml/' to 'simplesamlphp/'. In /usr/share/letswifi-portal/etc/letswifi.conf.php the 'autoloadInclude' needs to be changed to point to the SimpleSAMLphp version you installed. Also comment out the 'idpList' value if present; it is not needed with federation metadata. Then restart the web server.

Next, connect your SimpleSAMLphp to your federation. More extensive guidelines can be found here and here. If you need certificates for SAML signing and encryption, you can generate a self-signed key pair (3072-bit RSA, valid for ten years) with the command below; afterwards make the private key readable only by the web server user:

Code Block
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-geteduroam.crt -keyout saml-geteduroam.key

In /etc/simplesamlphp/authsources.php, under 'default-sp', insert the following so that outgoing redirect-binding messages are signed and signatures on incoming ones are validated:

Code Block
'certificate' => '/PATH/TO/saml-geteduroam.crt',
'privatekey' => '/PATH/TO/saml-geteduroam.key',
'redirect.sign' => true,
'redirect.validate' => true,

You should now see the certificate in https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. If needed, enable automatic metadata refresh; extensive guidelines can be found here. In the 'module.enable' section of /SIMPLESAMLPHP/config/config.php you need

Code Block
'module.enable' => [
    'cron' => true,
    'metarefresh' => true,
    'core' => true,
    'saml' => true
],

instead of 'exampleauth' (the example authentication source is meant for testing and should not be enabled on a production SP).

Copy the necessary configuration templates (paths relative to the SimpleSAMLphp installation directory) with

Code Block
cp modules/cron/config-templates/*.php /etc/simplesamlphp/
cp modules/metarefresh/config-templates/*.php /etc/simplesamlphp/

From modules/metarefresh/bin in the SimpleSAMLphp installation you can test fetching and parsing your federation metadata with

Code Block
./metarefresh.php -s https://PATH/TO/your-metadata.xml

Go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron. Set the 'key' in module_cron.php and the 'auth.adminpassword' in config.php; use a long random value for the cron key, since it is the only thing protecting the cron endpoint, and a strong admin password (SimpleSAMLphp can store it hashed; bin/pwgen.php generates the hash). In config.php the 'technicalcontact_email' also needs to be updated. Next, make sure that www-data has write access to the metadata folder. You can trigger the update over HTTP or from the CLI; for HTTP you need something like this in /etc/cron.d/ (note that the key is part of the URL and will therefore show up in the web server access log):

Code Block
# daily at 00:20 as www-data; YOUR-KEY must match the 'key' set in module_cron.php
20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1

Next, you need to create a CAT profile for your users. With this done, you should be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter an OpenSSL-PHP mismatch, in which case the PKCS#12 is encoded with an algorithm the client cannot import and the profile installation fails. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. For a functioning .eap-config file, openssl pkcs12 -info reports the PKCS7 Encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048 (the OpenSSL 1.1 default, with the key bag as pbeWithSHA1And3-KeyTripleDES-CBC); OpenSSL 3 defaults to PBES2 with AES-256-CBC and PBKDF2, which some supplicants cannot import.
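To see which encryption scheme a generated PKCS#12 actually carries, the following added example (not code from the Let's WiFi portal or geteduroam) walks the DER of a .p12 with a small standard-library parser and reports each PBE AlgorithmIdentifier together with its iteration count. The two sample inputs embedded in it are constructed AlgorithmIdentifiers, one legacy and one PBES2; to check a real profile, base64-decode the PKCS#12 from the .eap-config and pass its bytes to find_pbe_algorithms(), then compare with what openssl pkcs12 -info -noout -in file.p12 prints.

```python
"""Report which password-based-encryption (PBE) schemes a PKCS#12 blob uses.

Added example (standard library only), not code from the Let's WiFi portal or
geteduroam. It walks the DER structure and lists every AlgorithmIdentifier whose
OID is a PKCS#12 (RFC 7292) or PKCS#5 PBES2 (RFC 8018) scheme, with its iteration
count. The samples at the bottom are constructed AlgorithmIdentifiers, not real
.eap-config data; feed the bytes of a real .p12 to find_pbe_algorithms() instead.
"""

# OIDs named as `openssl pkcs12 -info` prints them.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",  # OpenSSL 1.1 key bag
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",        # OpenSSL 1.1 cert bag
    "1.2.840.113549.1.5.13": "PBES2",                               # OpenSSL 3 default
}
LEGACY = {"pbeWithSHA1And3-KeyTripleDES-CBC", "pbeWithSHA1And40BitRC2-CBC"}


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                         # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, pos, pos + length
        pos += length


def _looks_like_der(buf, start, end):
    """Heuristic: an OCTET STRING whose content is exactly one SEQUENCE holds nested DER.

    PKCS#12 wraps AuthenticatedSafe and the key bags in OCTET STRINGs, so the walker
    has to look inside them to reach the AlgorithmIdentifiers.
    """
    if end - start < 2 or buf[start] != 0x30:
        return False
    try:
        return [c[2] for c in _children(buf, start, end)] == [end]
    except IndexError:
        return False


def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def find_pbe_algorithms(der):
    """Return [(name, iterations)] for every PBE AlgorithmIdentifier found in der."""
    found = []

    def first_integer(start, end):
        # PBES2 keeps the count inside PBKDF2-params, so descend into nested SEQUENCEs.
        for tag, vs, ve in _children(der, start, end):
            if tag == 0x02:
                return int.from_bytes(der[vs:ve], "big")
            if tag & 0x20:
                inner = first_integer(vs, ve)
                if inner is not None:
                    return inner
        return None

    def walk(start, end):
        elems = list(_children(der, start, end))
        for i, (tag, vs, ve) in enumerate(elems):
            if tag == 0x06 and _decode_oid(der[vs:ve]) in PBE_OIDS:
                params = elems[i + 1] if i + 1 < len(elems) and elems[i + 1][0] & 0x20 else None
                iters = first_integer(params[1], params[2]) if params else None
                found.append((PBE_OIDS[_decode_oid(der[vs:ve])], iters))
            elif tag & 0x20 or (tag == 0x04 and _looks_like_der(der, vs, ve)):
                walk(vs, ve)                        # constructed or nested DER: recurse

    walk(0, len(der))
    return found


def uses_legacy_pbe(der):
    """True when every PBE scheme in der is one of the OpenSSL 1.1 defaults."""
    names = [name for name, _ in find_pbe_algorithms(der)]
    return bool(names) and all(name in LEGACY for name in names)


# ---- constructed samples, built with a minimal DER encoder (short-form lengths only) ----
def _tlv(tag, content):
    assert len(content) < 0x80, "samples are small; long-form lengths not needed here"
    return bytes([tag, len(content)]) + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


_SALT = _tlv(0x04, bytes(range(8)))                  # constructed salt, not from a real file
_ITER = _tlv(0x02, (2048).to_bytes(2, "big"))
# pbeWithSHA1And40BitRC2-CBC with PKCS12-PBEParams {salt, iterations}
LEGACY_SAMPLE = _tlv(0x30, _oid("1.2.840.113549.1.12.1.6") + _tlv(0x30, _SALT + _ITER))
# PBES2 {PBKDF2 {salt, iterations, hmacWithSHA256}, aes256-CBC {iv}}
PBES2_SAMPLE = _tlv(0x30, _oid("1.2.840.113549.1.5.13") + _tlv(0x30,
    _tlv(0x30, _oid("1.2.840.113549.1.5.12") + _tlv(0x30, _SALT + _ITER
         + _tlv(0x30, _oid("1.2.840.113549.2.9") + _tlv(0x05, b""))))
    + _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + _tlv(0x04, bytes(16)))))
```

If uses_legacy_pbe() returns False for a profile that fails to install, the portal produced a PBES2/AES-256-CBC container; that is the OpenSSL-PHP mismatch described above, not a problem with the certificate itself.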

As a final remark, you can make the web server enforce HSTS with

Code Block
a2enmod headers
systemctl restart apache2

Then please add to letswifi-portal.conf

Code Block
Header always set Strict-Transport-Security "max-age=15768000"

and do another web server restart. The max-age of 15768000 seconds is six months; set the header only in the HTTPS virtual host and only once a valid certificate is in place, because browsers will refuse plain-HTTP access to the host for that period.

Connecting to a RADIUS server

In order to connect the portal to a RADIUS server for user authentication and authorization, the RADIUS server needs to trust the CA of your Let's WiFi portal, which issues the client certificates. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to export the CA from /var/lib/letswifi/database with

Code Block
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem

In the eap module configuration (mods-available/eap) you define this certificate as the ca_file, and you also need something like the following:

Code Block
eap {
        default_eap_type = tls

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_file = ${certdir}/radius.geteduroam.TLD.key
                # server certificate followed by its chain, hence auto_chain = no
                certificate_file = ${certdir}/radius.geteduroam.TLD.crt
                # the portal CA exported from letswifi.sqlite above
                ca_file = ${cadir}/geteduroam-ca.pem
                auto_chain = no
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                #check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"

                cipher_server_preference = no

                tls_min_version = "1.2"
                tls_max_version = "1.3"

                fragment_size = 1450

                ecdh_curve = "prime256v1"

                cache {
                        enable = no

                        store {
                                Tunnel-Private-Group-Id
                        }
                }

                verify {
                }

                # revocation is not checked here; see the remark on CRLs and OCSP at the end
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }


        tls {
                tls = tls-common
                # client certificates are checked in the check-eap-tls virtual server below
                virtual_server = check-eap-tls
        }

        ttls {
                tls = tls-common
                virtual_server = "inner-tunnel"
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

In this configuration the certificate_file contains the whole chain, which is why auto_chain is set to no. The virtual server sites-enabled/check-eap-tls (a symlink to sites-available/check-eap-tls) should look similar to

Code Block
server check-eap-tls {

  authorize {

    #  capture the realm part of the client certificate's CN (everything after the first '@')
    #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
    if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
      #  it must equal the Realm the realm module derived from the outer identity
      if (&Realm == "%{1}") {
        update config {
          Auth-Type = Accept
        }
      }
      else {
        update config {
          Auth-Type = Reject
        }
      }
    }
  }
}

in order to accept anonymous outer identities (for example anonymous@YOUR-REALM), if needed: the outer identity is accepted only when its realm matches the realm in the client certificate's CN, so a user cannot present a certificate from one realm under another realm's outer identity. A CN without an '@' sets no Auth-Type at all, so make sure the fall-through behaviour of the virtual server is what you want.
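The decision this virtual server makes, modelled in Python as an added example (it is not FreeRADIUS code and not part of the geteduroam guide). The certificate CNs and outer identities are constructed, and splitting the outer identity at the last '@' is an assumption about how the realm module is configured (format = suffix, delimiter '@'); the regular expression on the CN is the one from the unlang above.

```python
"""Model of the check-eap-tls 'authorize' section shown above.

Added example, not FreeRADIUS code and not part of the geteduroam guide. It
reproduces the decision the unlang makes from two inputs: the client certificate's
CN (TLS-Client-Cert-Common-Name) and the Realm attribute the realm module derived
from the outer identity. All identities below are constructed.
"""
import re

# Same regular expression as the unlang: capture everything after the FIRST '@' in the CN.
CN_REALM = re.compile(r"@(.*)$")


def realm_from_outer_identity(user_name):
    """Approximation of the 'suffix' realm module: text after the last '@', else None.

    Assumption: the realm module runs with format = suffix and delimiter '@', and the
    realm is known to FreeRADIUS (DEFAULT or an explicit entry); otherwise the Realm
    attribute is never set and the unlang comparison fails.
    """
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1]


def check_eap_tls(cert_cn, realm):
    """Return the Auth-Type the unlang would set: 'Accept', 'Reject', or None.

    None means the CN contains no '@', so neither branch runs and no Auth-Type is
    set; what happens then depends on the rest of the virtual server, not on this check.
    """
    m = CN_REALM.search(cert_cn)
    if not m:
        return None
    if realm is not None and realm == m.group(1):
        return "Accept"
    return "Reject"


def evaluate(cert_cn, outer_identity):
    """Full path: outer identity -> Realm attribute -> decision."""
    return check_eap_tls(cert_cn, realm_from_outer_identity(outer_identity))


# Constructed cases: (certificate CN, outer identity)
CASES = [
    ("alice@example.edu", "anonymous@example.edu"),            # realms agree -> Accept
    ("alice@example.edu", "anonymous@other.edu"),              # outer realm differs -> Reject
    ("alice@example.edu", "anonymous"),                        # no realm in outer id -> Reject
    ("alice@sub@example.edu", "anonymous@example.edu"),        # first '@' wins in the CN -> Reject
    ("server-cert-without-realm", "anonymous@example.edu"),    # no '@' in CN -> None
]


def run_cases():
    return [evaluate(cn, outer) for cn, outer in CASES]


if __name__ == "__main__":
    for (cn, outer), decision in zip(CASES, run_cases()):
        print(f"CN={cn!r:30} outer={outer!r:26} -> {decision}")
```

The fourth case is worth keeping in mind when choosing the CN format for issued certificates: because the regular expression anchors on the first '@', a CN containing two of them never matches the realm.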

In the Let's WiFi portal, import the CA that issued the RADIUS server certificate (the CA the supplicants will be told to trust) with

Code Block
cd /usr/share/letswifi-portal
cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php

You can view the result with sqlite> select * from ca;

You also need to update the realm trust so that trusted_ca_sub is the subject of that CA exactly as stored in the ca table (copy it from the output of select sub from ca; rather than retyping it, since any difference in spacing or attribute order breaks the match):

Code Block
cd /var/lib/letswifi/database
sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN=CommonNameOrHostname' where realm='YOUR-REALM';

You can view the result with sqlite> select * from realm_trust;

Also check the server name, which the supplicant will verify against the RADIUS server certificate, and change it if needed:

Code Block
sqlite> SELECT * FROM realm_server_name;

YOUR-REALM|radius.YOUR-REALM

sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';

In the table realm_signer you can set how many days the client certificates should be valid. Certificate revocation must be enforced by the RADIUS server, so either blocklist the common names there, or publish a CRL, or set up an OCSP responder (the ocsp section in the eap configuration above is disabled).
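An added check for the two sqlite steps above (not part of the Let's WiFi portal; the schema is a constructed subset using only the column names that appear in the queries on this page, and the DNs and certificate text are constructed). It lists realm_trust rows whose trusted_ca_sub matches no row in ca, and sets the value by copying the subject out of ca instead of retyping it.

```python
"""Verify that realm_trust points at a CA the portal actually has.

Added example, not part of the Let's WiFi portal. The schema is a constructed
subset (column names taken from the queries on this page: ca.sub, ca.pub,
realm_trust.realm, realm_trust.trusted_ca_sub); the real letswifi.sqlite has more
tables and columns. DNs and certificate text are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE ca (sub TEXT PRIMARY KEY, pub TEXT NOT NULL);
CREATE TABLE realm_trust (realm TEXT NOT NULL, trusted_ca_sub TEXT NOT NULL);
"""

# Subject as bin/import-ca.php would store it (constructed).
RADIUS_CA_SUB = "C=NL, O=Example University, CN=Example University RADIUS CA"
# The same subject typed by hand with a stray space after CN= (constructed mistake).
TYPED_SUB = "C=NL, O=Example University, CN= Example University RADIUS CA"


def open_sample_db():
    """In-memory stand-in for /var/lib/letswifi/database/letswifi.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO ca VALUES (?, ?)",
                 (RADIUS_CA_SUB, "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"))
    conn.execute("INSERT INTO realm_trust VALUES (?, ?)", ("example.edu", TYPED_SUB))
    conn.commit()
    return conn


def dangling_trust(conn):
    """Return (realm, trusted_ca_sub) rows whose subject matches no row in ca.

    A stray space or a different attribute order in a hand-typed DN is enough to
    break the join; the portal would then reference a CA it does not hold.
    """
    return conn.execute(
        "SELECT rt.realm, rt.trusted_ca_sub FROM realm_trust rt "
        "LEFT JOIN ca ON ca.sub = rt.trusted_ca_sub WHERE ca.sub IS NULL"
    ).fetchall()


def set_realm_trust(conn, realm, cn_fragment):
    """Point realm at the single CA whose subject contains cn_fragment, copying the DN from ca."""
    rows = conn.execute("SELECT sub FROM ca WHERE sub LIKE ?", (f"%{cn_fragment}%",)).fetchall()
    if len(rows) != 1:
        raise ValueError(f"expected exactly one CA matching {cn_fragment!r}, found {len(rows)}")
    conn.execute("UPDATE realm_trust SET trusted_ca_sub = ? WHERE realm = ?", (rows[0][0], realm))
    conn.commit()
    return rows[0][0]


def trusted_ca_for(conn, realm):
    """Current trusted_ca_sub for realm, or None if the realm has no row."""
    row = conn.execute("SELECT trusted_ca_sub FROM realm_trust WHERE realm = ?", (realm,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_sample_db()
    print("dangling before:", dangling_trust(db))
    print("set to:", set_realm_trust(db, "example.edu", "RADIUS CA"))
    print("dangling after:", dangling_trust(db))
```

The same join can be run directly in the sqlite3 shell against the real database; an empty result from the dangling check is what you want before handing out profiles.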