Please go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron. Set the key in module_cron.php and the 'auth.adminpassword' in config.php. In the same file, the 'technicalcontact_email' needs to be updated. Next, make sure that www-data has access to the metadata folder. You can update the metadata over HTTP or from the CLI; for HTTP you need something like this in /etc/cron.d/

Code Block
20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1

Next, you need to create a CAT profile for your users. Once this is done, you should be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter an OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.
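When a profile fails to install, the encryption used inside the PKCS12 can be inspected without OpenSSL. The following Python is an added example, not part of the portal or of this page: it reads the base64 <ClientCertificate> element of an .eap-config (element name assumed from the CAT eap-config format) and reports each PBE algorithm and iteration count, the values `openssl pkcs12 -info` prints on its "PKCS7 Encrypted data" and "Shrouded Keybag" lines. The sample PKCS12 and profile skeleton are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

PBE_OIDS = {  # DER-encoded OIDs seen as AlgorithmIdentifier of PKCS12 encrypted content
    bytes.fromhex("060a2a864886f70d010c0106"): "pbeWithSHA1And40BitRC2-CBC",  # OpenSSL 1.x default
    bytes.fromhex("060a2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC",
    bytes.fromhex("06092a864886f70d01050d"): "PBES2",  # OpenSSL 3 default (PBKDF2 + AES)
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _first_integer(buf):
    """First INTEGER in buf (depth-first): the iteration count for both PKCS12 PBE and PBES2 params."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        if tag == 0x02:
            return int.from_bytes(value, "big")
        if tag & 0x20 and (found := _first_integer(value)) is not None:  # constructed: descend
            return found
    return None

def pbe_algorithms(der):
    """(algorithm, iterations) for every PBE AlgorithmIdentifier in a PKCS12 blob, in file order."""
    hits = sorted((i, name) for oid, name in PBE_OIDS.items()
                  for i in range(len(der)) if der.startswith(oid, i))
    out = []
    for idx, name in hits:
        _, _, after_oid = _tlv(der, idx)  # skip the OID; its parameters follow it
        _, params, _ = _tlv(der, after_oid)
        out.append((name, _first_integer(params)))
    return out

def client_certificate_pkcs12(eap_config_xml):
    """Decode the base64 PKCS12 carried in the profile's <ClientCertificate> element."""
    cert = next(ET.fromstring(eap_config_xml).iter("ClientCertificate"), None)
    return base64.b64decode("".join(cert.text.split())) if cert is not None else None

# Constructed stand-in for a PKCS12: only the two AlgorithmIdentifiers an OpenSSL 1.x file carries,
# each SEQUENCE { OID, SEQUENCE { OCTET STRING salt (8 zero bytes), INTEGER 2048 } }
SAMPLE_P12 = bytes.fromhex("303c" "301c060a2a864886f70d010c0106300e0408000000000000000002020800"
                           "301c060a2a864886f70d010c0103300e0408000000000000000002020800")
SAMPLE_EAP_CONFIG = (  # constructed skeleton of the relevant part of an .eap-config profile
    '<EAPIdentityProviderList><ClientSideCredential><ClientCertificate format="PKCS12" encoding="base64">'
    + base64.b64encode(SAMPLE_P12).decode() + '</ClientCertificate></ClientSideCredential></EAPIdentityProviderList>')
```

Run `pbe_algorithms(client_certificate_pkcs12(open("profile.eap-config").read()))` on a generated profile; anything other than pbeWithSHA1And40BitRC2-CBC with 2048 iterations on the first entry points at the OpenSSL-PHP mismatch described above.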

As a final remark, you can make the web server enforce HSTS with

Code Block
a2enmod headers
systemctl restart apache2

Then add the following to letswifi-portal.conf

Code Block
Header always set Strict-Transport-Security "max-age=15768000"

and do another web server restart.

Connecting to a RADIUS server

In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to know the CA of your Let's WiFi portal. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with

Code Block
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem

In the eap file, define this certificate as the ca_file; you also need something like the following

Code Block
eap {
        default_eap_type = tls

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_file = ${certdir}/radius.geteduroam.TLD.key
                certificate_file = ${certdir}/radius.geteduroam.TLD.crt
                ca_file = ${cadir}/geteduroam-ca.pem
                auto_chain = no
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                #check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"

                cipher_server_preference = no

                tls_min_version = "1.2"
                tls_max_version = "1.3"

                fragment_size = 1450

                ecdh_curve = "prime256v1"

                cache {
                        enable = no

                        store {
                                Tunnel-Private-Group-Id
                        }
                }

                verify {
                }

                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }


        tls {
                tls = tls-common
                virtual_server = check-eap-tls
        }

        ttls {
                tls = tls-common
                virtual_server = "inner-tunnel"
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

In this configuration the certificate_file contains the whole chain. The sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to

Code Block
server check-eap-tls {

  authorize {

    #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
    if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
      if (&Realm == "%{1}") {
        update config {
          Auth-Type = Accept
        }
      }
      else {
        update config {
          Auth-Type = Reject
        }
      }
    }
  }
}

in order to accept anonymous outer IDs, if needed.

In the Let's WiFi portal, please import the CA that was used to get the RADIUS server certificate with

Code Block
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php

You can view the result with sqlite> select * from ca;

You also need to update the realm trust with

Code Block
/var/lib/letswifi/database# sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';

You can view the result with sqlite> select * from realm_trust;

Also check the server name and change it if needed

Code Block
sqlite> SELECT * FROM realm_server_name;

YOUR-REALM|radius.YOUR-REALM

sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';

In the table realm_signer, you can set how many days the certificate should be valid. Certificate revocation must be enforced by the RADIUS server, so either blocklist the common names, create a CRL file, or set up an OCSP responder.