It is thus also safe to use version 1.36 (and commenting out the configuration lines regarding TLS_PolicyOID). You should upgrade to 1.37 as soon as it is publicly released and re-enable the parameter in the configuration.
Sample config file
This is the complete sample config. The contents are explained below.
Base configuration / logging / F-Ticks
Here, you need to adapt LogHost to the eduroam F-Ticks logging server (whose address you'll receive from eduroam operations), and the attribute marked with read. Its contents will become clearer later in the configuration file. Note: on some versions of Sys::Syslog and Radiator, you may need to reply replace "udp" with "inet".
If you monitor your national infrastructure, you will probably have automatic authentications happening which are triggered by your monitoring. F-Ticks can automatically separate these from real-world traffic and keep it out of the statistics. For that to work, you will have to use a value for Calling-Station-ID in your monitoring requests which begins with 22-44-66.
Finally, to enable RADIUS/TLS clients to communicate with your server, you need an additional section for RADIUS/TLS like the following. Replace your server's IP address(es) and paths to the certificate files as necessary - please refer to the "Certificates" section for details on how to obtain and manage RADIUS/TLS certificates.
Replace your paths to the certificate files as necessary - please refer to the "Certificates" section for details on how to obtain and manage RADIUS/TLS certificates.
- FreeRADIUS version 3.0.0 or higher
- A server certificate and a private key for that certificate to establish the RadSec connection which designates the server as an IdP+SP.
Sample config file
All of the RADSEC configuration for FreeRADIUS 3.x can be in a single virtual server file. A detailed explanation of this configuration file is not yet provided. However, the comments included in the file should make its action almost self- explanatory. This means you can start and experiment with it right after installation.
Currently (10th June 2011) there are some bugs with handling unreachable remote proxies which causes the daemon to die. A few of these have already been dealt with via bug reports but some still lurk. Also, the certificate checking/verification code does not currently work - we hope to be able to verify the certificate issuer and OID as we do with RADIATOR and RadSecProxy. Note that this software only does RADSEC/TLS with TCP - DTLS over UDP is not yet an option. Clients are 'radsec' only and the standard naslist or naslist imported from SQL won't operate with radsec.
To set up a federation-level RADIUS proxy server for VitalAAA you must change the following configuration files:
You must also download the following files from http://www.eduroam.org/downloads/docs/eduroam-cookbookscripts.zip:
Radius-Acct-Address = "*:1813" Radius-Auth-Address = "*:1812" Database-Address = "0" Radius-CharSet = UTF8 Delimiter-Precedence = "@" Suffix-Delimiters = "@"
radius Auth 1 prepare setWorkingVars radius acct 4 aaa dropRadiusAcct
Add the lines with the eduroam proxy server and the local RADIUS servers to the clients file:
220.127.116.11 <eduroam_secret> 18.104.22.168 <eduroam_secret> <192.168.1.10> <local_server_secret> <192.168.1.20> <local_server_secret>
Gauging your federation's performance
When you set up a federation-level RADIUS server, the OT will start monitoring your server availability and will send out email alerts in case of failure. This is done by the OT sending authentication requests for the special realm @eduroam.<TLD> from their monitoring server to your server, and your server is expected to mirror these back to the OT monitoring infrastructure. The technical set-up of this is described in the corresponding HOWTOs configuration guidelines for federation-level RADIUS servers.
On that web page, you can find historical evolution of roaming service usage in federations, as well as an overview which realms were most active, and from which countries visitors come from. In the future, detailed views per SP and per IdP can be made available if your federation opts to send the data in the extended detail level. Please contact your federation operator to find out which level of statistics your federation provides.