Setting up FreeRADIUS

This section describes how to set up FreeRADIUS for an IdP. It assumes that you have already executed the configuration steps for the ... We will expand that configuration to turn FreeRADIUS into a simple IdP.

N.B.: even if you are going to have an IdP-only installation, the eduroam SP configuration for FreeRADIUS is still the exact same. You just don't define any own Access Point clients in clients.conf.

Adding IdP support in FreeRADIUS needs several steps to be executed:

- a TLS server certificate needs to be created for EAP methods to work
- the desired EAP types need to be configured
- the virtual server eduroam needs to be instructed to do tunneled EAP authentication
- a user database needs to be linked to the FreeRADIUS instance to authenticate the users
- a realm needs to be marked as to-be-authenticated-locally in the configuration
- the server needs to be prepared to process incoming requests *from* the upstream FLR server

These steps are explained in detail below. For the user database, this example will use a "flat file" with usernames and passwords. The Goodies section contains examples for MySQL and other types of backend databases.
...
TLS server certificate

While it is possible to buy and install a commercial TLS certificate, this is neither necessary (the trust settings of web-browser stores don't apply for EAP, so there are no "recognised" CAs) nor prudent (a commercial CA issues many certificates, and incautious users might be tempted to accept other certificates from that same CA).

We suggest creating your own certificate. FreeRADIUS makes this very easy by providing an automatic script for that purpose. Execute the

```
/etc/raddb/certs/bootstrap
```

script. It will generate certificates which are suited for EAP authentication, and name them so that the server can find them immediately without further configuration. Later, for the supplicant configuration, you will need to include the generated CA certificate into your supplicant configurations.
...
EAP type configuration

The file /etc/raddb/eap.conf defines how EAP authentication is to be executed. The shipped configuration file is not adequate for eduroam use; it enables EAP-MD5 and LEAP, for example, which are not suitable as eduroam EAP types. Use the following content for eap.conf instead. It enables PEAP and TTLS:

```
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    mschapv2 {
    }
}
```
A common question regarding this definition is: "why is TLS also configured? I don't want it, can I disable it?" The answer is: the TTLS and PEAP sections depend on the tls stanza for the definition of which server certificates to use. You cannot delete the stanza, but that doesn't mean you can't effectively disable TLS: the tls stanza contains the CA_file parameter. Only clients with a TLS client certificate from this CA will be accepted. We have just created a brand-new CA with the "bootstrap" script. Simply don't issue or distribute any client certificates from this CA; then nobody will be able to log in with EAP-TLS.

Another question is regarding the mschapv2 section. For all practical purposes, the easy answer is that it is a piece of magic and needs to be there for PEAP to work. If you are curious regarding the gory details, please let us know.

Note that one parameter for both the ttls and peap stanza is "virtual_server = eduroam-inner-tunnel". This means that the inner EAP authentication will be carried out in this other virtual server, which we will define later.
...
Virtual server eduroam: enable EAP

Compared to the eduroam SP config, you simply need to additionally mention the "eap" module in both the authorize and authenticate stanza. It will then look like the following:

```
authorize {
    auth_log
    suffix
    eap
}
authenticate {
    eap
}
```
Virtual server eduroam-inner-tunnel

When the eap module has started with an authentication, it will first establish a TLS tunnel; this is done by enabling the module in the previous "eduroam" virtual server. After the TLS tunnel is established, the content (i.e. the tunneled authentication) is processed separately in this new virtual server. Create the file in /etc/raddb/sites-enabled/eduroam-inner-tunnel and give it the following content:

```
server eduroam-inner-tunnel {
    authorize {
        auth_log
        eap
        files
        mschap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
}
```
Let's revisit the modules which this virtual server executes one after another:

- auth_log: logs the incoming packet to the file system. This is needed to fulfill the eduroam SP logging requirements. Note that this log *may* contain the user's cleartext password if TTLS-PAP is used. You can log the packet with the User-Password attribute omitted if you prefer; see the "Goodies" section for more details.
- eap: if the EAP authentication contains another EAP instance inside, the module will decode it. This is the case for PEAP.
- files: this module tries to find out the authoritative password for the user by looking up the username in the file.
- mschap: this module is in effect only if PEAP-MSCHAPv2 or TTLS-MSCHAPv2 is used. It will mark the packet as to be authenticated with MS-CHAP algorithms later.
- pap: this module is in effect only if TTLS-PAP is used. It will mark the packet as to be authenticated with PAP algorithms later.
- reply_log: logs the reply packet to the file system.
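Because auth_log in the inner tunnel writes the decrypted inner request, a TTLS-PAP login leaves the cleartext User-Password on disk. The following Python function is an added example, not the page's or FreeRADIUS's own code: it rewrites detail-file entries so that User-Password (and CHAP-Password) lines are replaced by a marker and reports how many lines it redacted. The detail entries are constructed sample data in the detail-file layout (timestamp line, tab-indented attributes, blank line between packets); the function and constant names are the example's own.

```python
"""Strip User-Password from FreeRADIUS detail-file entries.

Added example (not part of the original page or of FreeRADIUS itself).
The sample below is constructed: two inner-tunnel requests, one carrying a
PAP password and one carrying an MS-CHAPv2 response.
"""

# Constructed sample in detail-file layout.
SAMPLE_DETAIL = (
    "Tue Jan 15 10:02:11 2013\n"
    "\tUser-Name = \"icecold@group1.aq\"\n"
    "\tUser-Password = \"snowwhite\"\n"
    "\tFreeRADIUS-Proxied-To = 127.0.0.1\n"
    "\n"
    "Tue Jan 15 10:02:14 2013\n"
    "\tUser-Name = \"otheruser@group1.aq\"\n"
    "\tMS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10\n"
    "\tMS-CHAP2-Response = 0x00000102030405060708090a0b0c0d0e0f10\n"
    "\n"
)

# Attributes whose value is (or directly reveals) the user's cleartext secret.
SENSITIVE = ('User-Password', 'CHAP-Password')


def redact_detail(text, sensitive=SENSITIVE):
    """Return (redacted_text, number_of_redacted_lines).

    Only indented attribute lines are touched; timestamp lines and the blank
    separators between packets pass through unchanged, so the file keeps the
    structure other tooling expects.
    """
    out, hits = [], 0
    for line in text.split('\n'):
        stripped = line.lstrip('\t ')
        attr = stripped.split('=', 1)[0].strip() if '=' in stripped else ''
        if line[:1] in ('\t', ' ') and attr in sensitive:
            out.append(f"\t{attr} = \"<redacted>\"")
            hits += 1
        else:
            out.append(line)
    return '\n'.join(out), hits


def entries(text):
    """Split a detail file into its per-packet blocks (for inspection)."""
    return [b for b in text.split('\n\n') if b.strip()]


if __name__ == '__main__':
    redacted, count = redact_detail(SAMPLE_DETAIL)
    print(f"redacted {count} line(s) in {len(entries(redacted))} packet(s)")
    print(redacted)
```

Run it over a copy of the auth_log detail file rather than in place, and keep the original file's permissions tight until the sanitised copy has been verified.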
...
User database: flat file

By default, the "files" module will use information in the file

```
/etc/raddb/users
```

for authenticating users. This file has a straightforward format:

```
icecold@group1.aq     Cleartext-Password := "snowwhite"
otheruser@group1.aq   Cleartext-Password := "swordfish"
```
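The flat-file format above is simple enough to parse directly. The following Python script is an added example, not code from the page or from FreeRADIUS: it reads entries in the `users` format, returns the Cleartext-Password the `files` module would treat as authoritative for a User-Name, and performs the comparison the `pap` module makes for TTLS-PAP. The sample file content is constructed for the example, and the helper names are its own.

```python
"""Parser and credential check for the FreeRADIUS 'users' flat file.

Added example (not part of the original eduroam page or of FreeRADIUS).
Entries have the form

    icecold@group1.aq  Cleartext-Password := "snowwhite"

optionally followed by indented reply-item lines.  Comments start with '#'
(a '#' inside a quoted password is not handled by this simplified parser).
"""
import hmac
import re

# Constructed sample, same layout as the page's /etc/raddb/users excerpt.
SAMPLE_USERS_FILE = '''
# comments and blank lines are ignored by the files module
icecold@group1.aq   Cleartext-Password := "snowwhite"
otheruser@group1.aq Cleartext-Password := "swordfish"
        Reply-Message = "Hello, %{User-Name}"
'''

# One entry: <User-Name><whitespace><check items>.  Continuation (reply item)
# lines begin with whitespace and are skipped here.
_ENTRY_RE = re.compile(r'^(?P<name>\S+)\s+(?P<checks>.+)$')
_CHECK_RE = re.compile(r'(?P<attr>[\w-]+)\s*(?P<op>:=|==|=)\s*"(?P<value>[^"]*)"')


def parse_users_file(text):
    """Return {user_name: {attribute: value}} for the check items of each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line or line[0].isspace():
            continue  # blank, comment-only, or reply-item continuation line
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        checks = {c.group('attr'): c.group('value')
                  for c in _CHECK_RE.finditer(m.group('checks'))}
        # The first matching entry wins unless Fall-Through is set, so keep
        # only the first definition of a User-Name.
        entries.setdefault(m.group('name'), checks)
    return entries


def authoritative_password(entries, user_name):
    """Cleartext-Password the files module would supply, or None if unknown."""
    return entries.get(user_name, {}).get('Cleartext-Password')


def check_pap_password(entries, user_name, offered):
    """What the pap module decides for TTLS-PAP: True only on an exact match."""
    expected = authoritative_password(entries, user_name)
    if expected is None:
        return False
    # Constant-time comparison so a wrong guess cannot be distinguished by timing.
    return hmac.compare_digest(expected.encode(), offered.encode())


if __name__ == '__main__':
    db = parse_users_file(SAMPLE_USERS_FILE)
    print(check_pap_password(db, 'icecold@group1.aq', 'snowwhite'))   # True
    print(check_pap_password(db, 'icecold@group1.aq', 'Snowwhite'))   # False
```

Note that the lookup key is the full User-Name including the realm, which is exactly why the `nostrip` setting in the realm definition below matters for this backend.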
...
Local authentication for your realm

In the SP configuration, all requests were unconditionally forwarded to upstream. We will need to revisit the file "proxy.conf" and mark one realm to NOT proxy. In this example, we will use "@group1.aq" as the local authentication realm. Simply add the following stanza immediately preceding the "DEFAULT" realm:

```
realm group1.aq {
    nostrip
}
```

Since the stanza doesn't contain a server pool to proxy to, this realm won't be proxied and will instead be authenticated locally.

This stanza works only for users who correctly use the full username format "user123@group1.aq" for their eduroam login. If the IdP and SP are colocated, it is possible to *locally* also accept users who erroneously omitted their realm (just "user123"). This requires further configuration, but it is strongly discouraged, because it will give such users a "halfway-working" experience: they will be able to use eduroam when on their own IdP's campus, because no routing information needs to be evaluated, but their account will fail at all other locations. Therefore, this guide does not include instructions for that kind of setup.
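To make the realm handling concrete, here is an added Python model (not from the page or from FreeRADIUS) of the decision the realm module reaches for a User-Name under the two stanzas discussed: the local `group1.aq` realm with `nostrip`, and a DEFAULT realm that proxies upstream. It goes slightly beyond the text in that it also covers the proxied case and matches realm names case-insensitively, as FreeRADIUS does. The pool name `eduroam_flr`, the function names, and the treatment of realm-less logins as unauthenticable without further configuration are assumptions of the example, in line with the recommendation above.

```python
"""Model of the routing decision the proxy.conf realm definitions produce.

Added example, not the page's or FreeRADIUS's own code.  The realm table
mirrors the page's configuration: 'group1.aq' has no pool (so it is handled
locally) and keeps the full User-Name because of nostrip; DEFAULT proxies to
an upstream pool whose name, 'eduroam_flr', is assumed here.
"""

REALMS = {
    'group1.aq': {'pool': None, 'nostrip': True},
    'DEFAULT':   {'pool': 'eduroam_flr', 'nostrip': False},
}


def route_request(user_name, realms=REALMS):
    """Decide what happens to an Access-Request carrying this User-Name.

    Returns a dict with
      action              'local', 'proxy' or 'reject'
      proxy_to_realm      pool to forward to (proxy only)
      stripped_user_name  the name the inner tunnel / remote side works with
    """
    if '@' not in user_name:
        # Realm-less login: the page deliberately provides no local handling
        # for it, so without further configuration it cannot be authenticated.
        return {'action': 'reject', 'reason': 'no realm in User-Name'}
    user, realm = user_name.rsplit('@', 1)
    # Realm names are matched case-insensitively; fall back to DEFAULT.
    entry = realms.get(realm.lower()) or realms.get('DEFAULT')
    if entry is None:
        return {'action': 'reject', 'reason': 'no realm matched and no DEFAULT'}
    # With nostrip the full User-Name reaches the files lookup unchanged,
    # which is what the flat-file entries above are keyed on.
    seen_as = user_name if entry['nostrip'] else user
    if entry['pool'] is None:
        return {'action': 'local', 'stripped_user_name': seen_as}
    return {'action': 'proxy', 'proxy_to_realm': entry['pool'],
            'stripped_user_name': seen_as}


if __name__ == '__main__':
    for name in ('user123@group1.aq', 'visitor@somewhere.example', 'user123'):
        print(name, '->', route_request(name))
```

The reject branch for a bare "user123" is the behaviour the text recommends keeping: a user who omits the realm fails at home as well as abroad, instead of getting the half-working experience described above.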
...
Processing incoming requests

As an eduroam IdP, your users can go to other eduroam hotspots around the globe. They will still be authenticated at your server. In these roaming cases, your upstream FLR servers will send Access-Requests to your server. Surprisingly, it is very simple to configure that: these upstream servers are simply clients, just like an Access Point. So, simply add client stanzas for your FLR servers into clients.conf:

```
client antarctica-flr-1 {
    ipaddr = 172.20.1.2
    netmask = 32
    secret = secretstuff
    require_message_authenticator = no
    shortname = antarctica-flr-1
    nastype = other
    virtual_server = eduroam
}
```

That's it! Now your server is prepared for eduroam IdP operation! You can add users to your "database" by amending the "users" file; if you do, you will unfortunately have to restart FreeRADIUS so that it picks up the change.
...
Goodies

Omitting User-Password in inner authentication logs

Adding VLAN assignment attributes

Using MySQL as user database backend
- Optionally: forcing outer identity to anonymous@domain.tld.
- A loopback client is useful for running testing scripts and even mandatory for tunnelled authentication methods like TTLS and PEAP, so we make sure it is set correctly. The localhost's secret does not need to be shared with anyone; it is just there pro forma and can even be left at the default "testing123". An example can be downloaded from http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip
- As of version 2, FreeRADIUS is capable of both IPv4 and IPv6. The following four sections enable both authentication and accounting processing with IPv4 and IPv6:

```
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = auth
    ipv6addr = ::
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
listen {
    type = acct
    ipv6addr = ::
    port = 1813
}
```

- The following lines are important for eduroam operation: the aforementioned possibility to use Status-Server requests is enabled in the security section, and all the defined client definitions, proxy server definitions and the virtual servers are read in. The small subset of modules used in the virtual server eduroam are also defined here:

```
security {
    max_attributes = 200
    reject_delay = 0
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
$INCLUDE sites-enabled/
```

- The remaining parts in the virtual server, like

```
if (...) {
    update request {
    }
}
```

are not separate modules but a configuration language. Details about usage of this configuration language are available on its man page ("man unlang").
More information

Eduroam-in-a-box web configuration tool: http://eduroam.sourceforge.net