...

Base configuration / logging / F-Ticks

The main configuration file is /etc/raddb/radiusd.conf (Debian-derived packages use /etc/freeradius/ instead of /etc/raddb/ throughout); it needs few changes from the shipped default, because the server's logic is not written into that file but expressed by activating certain modules in a certain order. The modules are defined and configured separately in the /etc/raddb/modules/ subdirectory (/etc/raddb/mods-enabled/ on FreeRADIUS 3). The order in which the modules run is laid down in so-called virtual servers, which live in the /etc/raddb/sites-enabled/ directory. For eduroam SP purposes only one virtual server, "eduroam", is needed. As a minimum it has to contain:

Code Block

 server eduroam {

        authorize {
                auth_log
                suffix
        }

        authenticate {
        }

        preacct {
                suffix
        }

        accounting {
        }

        post-auth {
                reply_log
                Post-Auth-Type REJECT {
                        reply_log
                }
        }

        pre-proxy {
                pre_proxy_log
                if (Packet-Type != Accounting-Request) {
                        attr_filter.pre-proxy
                }
        }

        post-proxy {
                post_proxy_log
                attr_filter.post-proxy
        }
}

The number of sections in the configuration above is often confusing to newcomers. The order of execution when proxying a request is:

No Format

authorize → authenticate → pre-proxy

Then, the packet is proxied to an upstream server. When the reply comes back, the execution continues:

No Format

post-proxy → post-auth

Every section lists the modules to be executed, in order; running the server in debug mode (radiusd -X) prints each section as it is entered, which is the quickest way to watch this order for a real request. Revisiting the modules one after another:

  • auth_log: logs the incoming request packet to the file system. This is needed to fulfil the eduroam SP logging requirements.
  • suffix: inspects the User-Name for an eduroam-style realm (the part after the @ sign); the realm decides whether, and where, the request is proxied
  • pre_proxy_log: logs the request to the file system again, just before it is proxied. Attributes added during the earlier inspection are now visible to the administrator, which is great for debugging
  • attr_filter.pre-proxy: strips unwanted attributes from the request before it is sent upstream
  • post_proxy_log: logs the reply packet to the file system, exactly as received from upstream
  • attr_filter.post-proxy: strips unwanted attributes from the reply before it is sent back to the Access Points. VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) in particular: a remote IdP must not be able to decide which of your VLANs its user lands in!
  • reply_log: logs the reply packet to the file system, after attribute filtering

The paths where the logs are written to, and the files holding the lists of permitted attributes for filtering, are defined in the corresponding module definitions in /etc/raddb/modules/<name-of-module> (/etc/raddb/mods-enabled/<name-of-module> on FreeRADIUS 3).
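To make the pipeline concrete, here is an added walk-through in Python (an illustration written for this page, not FreeRADIUS code and not part of the original text). It pushes a constructed Access-Request and the IdP's constructed Access-Accept through the same stages the virtual server above runs: the suffix module is modelled as a split at the last '@', the two attr_filter calls as permit-lists, and the *_log modules as an in-memory log. The permit-lists, the attribute values, the realm idp.example.org and the Operator-Name are assumptions made for the example; the real lists are whatever your attr_filter files say.

```python
"""Walk a constructed Access-Request and its Access-Accept through the stages
of the 'eduroam' virtual server above. Added illustration, not FreeRADIUS
code: the suffix module is modelled as 'split at the last @' and the two
attr_filter calls as permit-lists; the lists and packets are constructed."""
from dataclasses import dataclass, field

# Illustrative permit-list for attr_filter.pre-proxy: what the SP forwards
# to the federation. Anything not listed is dropped before proxying.
PRE_PROXY_PERMIT = {
    "User-Name", "EAP-Message", "Message-Authenticator", "State", "Proxy-State",
    "NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier", "NAS-Port-Type",
    "Calling-Station-Id", "Called-Station-Id", "Operator-Name",
    "Chargeable-User-Identity", "Service-Type", "Framed-MTU", "Acct-Session-Id",
}
# Illustrative permit-list for attr_filter.post-proxy: what the SP hands back
# to its own access points. Tunnel-* (VLAN assignment) is deliberately absent:
# a foreign IdP must not get to choose which SP VLAN its user lands in.
POST_PROXY_PERMIT = {
    "User-Name", "EAP-Message", "Message-Authenticator", "State", "Proxy-State",
    "Class", "Session-Timeout", "Chargeable-User-Identity", "Reply-Message",
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key",
    "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types",
}


@dataclass
class Packet:
    code: str                                   # "Access-Request", "Access-Accept", ...
    attrs: dict = field(default_factory=dict)   # attribute name -> value
    log: list = field(default_factory=list)     # what the *_log modules would write


def suffix(packet):
    """Realm module, format=suffix, delimiter '@': the realm is whatever follows
    the LAST '@'; None when there is no usable realm. User-Name is left
    untouched, which is what 'nostrip' in realm DEFAULT asks for."""
    name = packet.attrs.get("User-Name", "")
    if "@" not in name:
        return None
    return name.rsplit("@", 1)[1] or None       # 'user@' carries no realm


def attr_filter(packet, permit):
    """Drop every attribute not on the permit-list; return the names dropped."""
    dropped = sorted(a for a in packet.attrs if a not in permit)
    for a in dropped:
        del packet.attrs[a]
    return dropped


def run_outbound(packet):
    """authorize -> authenticate -> pre-proxy, in the order configured above."""
    packet.log.append(("auth_log", dict(packet.attrs)))
    realm = suffix(packet)
    if realm is None:
        # Nothing to proxy, and an eduroam SP has no local users to authenticate.
        return {"action": "reject", "reason": "no realm in User-Name"}
    packet.log.append(("pre_proxy_log", dict(packet.attrs)))
    dropped = []
    if packet.code != "Accounting-Request":     # the 'if' around attr_filter.pre-proxy
        dropped = attr_filter(packet, PRE_PROXY_PERMIT)
    return {"action": "proxy", "pool": "EDUROAM", "realm": realm, "dropped": dropped}


def run_inbound(reply):
    """post-proxy -> post-auth on the reply that came back from the home server."""
    reply.log.append(("post_proxy_log", dict(reply.attrs)))
    dropped = attr_filter(reply, POST_PROXY_PERMIT)
    reply.log.append(("reply_log", dict(reply.attrs)))
    return dropped


def demo():
    """Constructed visitor login: the request carries an SP-internal attribute
    and the IdP's reply tries to assign a VLAN. Returns (outbound decision,
    attributes stripped from the reply, the filtered reply)."""
    request = Packet("Access-Request", {
        "User-Name": "visitor@idp.example.org",
        "EAP-Message": b"\x02\x01\x00\x1c\x01visitor@idp.example.org",
        "Message-Authenticator": b"\x00" * 16,
        "Calling-Station-Id": "02-00-00-00-00-01",
        "Called-Station-Id": "02-00-00-00-00-FF:eduroam",
        "Operator-Name": "1sp.example.net",
        "Filter-Id": "staff-policy",            # SP-internal; must not leave the site
    })
    outbound = run_outbound(request)
    reply = Packet("Access-Accept", {
        "EAP-Message": b"\x03\x08\x00\x04",
        "Message-Authenticator": b"\x00" * 16,
        "MS-MPPE-Recv-Key": b"\x00" * 32,
        "MS-MPPE-Send-Key": b"\x00" * 32,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": "10",        # the IdP has no business choosing this
        "Framed-IP-Address": "10.0.0.5",
    })
    return outbound, run_inbound(reply), reply
```

Two things to take from it: the pre-proxy filter keeps the SP's own policy attributes from leaking to a foreign server, and the post-proxy filter is a permit-list, so an IdP cannot smuggle in VLAN or IP assignment by using an attribute nobody thought to block. The MS-MPPE keys must survive the post-proxy filter, otherwise WPA2 key derivation on the AP fails and every visitor login ends in a timeout after a successful EAP exchange.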

Client definition

FreeRADIUS defines the connected RADIUS clients in the file /etc/raddb/clients.conf. This file needs to list all your Access Points and/or wired eduroam-enabled switches. Each client gets its own shared secret (long and random; one secret shared by all APs means a single compromised AP can impersonate every other one), defined in the config file as follows:

...

Code Block
proxy server {
        default_fallback        = yes
}

home_server antarctica-flr-1 {
        type                    = auth+acct
        ipaddr                  = 172.20.1.2
        port                    = 1812
        secret                  = secretstuff
        status_check            = status-server
}

home_server antarctica-flr-2 {
        type                    = auth+acct
        ipaddr                  = 172.25.9.3   # IPv4 address, so ipaddr (ipv6addr takes an IPv6 address)
        port                    = 1812
        secret                  = secretstuff
        status_check            = status-server
}

home_server_pool EDUROAM {
        type                    = fail-over
        home_server             = antarctica-flr-1
        home_server             = antarctica-flr-2
}

realm DEFAULT {
        pool                    = EDUROAM
        nostrip
}
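The status_check = status-server line is what decides whether a home server in the fail-over pool is usable at all. The following added Python example (written for this page; not FreeRADIUS code and not part of the original) reproduces that exchange in memory with both sides present: the proxy builds a Status-Server packet carrying the mandatory Message-Authenticator, the home server accepts it only if the HMAC verifies under its copy of the secret, and the proxy counts the Access-Accept as a sign of life only if the Response Authenticator verifies. The secret 'secretstuff' is taken from the configuration above; the identifier 7 and the in-memory round trip (no network I/O) are assumptions of the example.

```python
"""What 'status_check = status-server' does on the wire: the proxy sends a
Status-Server (code 12) carrying a Message-Authenticator, and only an
authenticated reply counts as the home server being alive. Added example,
not FreeRADIUS code; packet layout follows RFC 2865/2869/5997."""
import hashlib
import hmac
import os
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2
MESSAGE_AUTHENTICATOR = 80          # attribute type; the attribute is always 18 bytes
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator


def build_status_server(secret, identifier, authenticator=None):
    """Proxy side. Status-Server must carry a Message-Authenticator (RFC 5997):
    HMAC-MD5 over the whole packet with the attribute value zeroed, keyed with
    the shared secret. The Request Authenticator is 16 random bytes."""
    auth = os.urandom(16) if authenticator is None else authenticator
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = HEADER.pack(STATUS_SERVER, identifier, HEADER.size + len(attrs), auth) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:HEADER.size + 2] + mac


def verify_message_authenticator(secret, pkt):
    """Walk the attribute list, find Message-Authenticator, recompute the HMAC."""
    if len(pkt) < HEADER.size:
        return False
    length = HEADER.unpack_from(pkt)[2]
    if length > len(pkt):
        return False
    off = HEADER.size
    while off + 2 <= length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            return False                        # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += alen
    return False                                # no Message-Authenticator at all


def handle_status_server(secret, pkt):
    """Home server side. Anything that does not authenticate is silently
    dropped, which is exactly what a mismatched shared secret looks like.
    A valid probe gets an Access-Accept whose Response Authenticator is
    MD5(code + id + length + RequestAuth + attributes + secret)."""
    if len(pkt) < HEADER.size:
        return None
    code, ident, length, req_auth = HEADER.unpack_from(pkt)
    if code != STATUS_SERVER or length != len(pkt):
        return None
    if not verify_message_authenticator(secret, pkt):
        return None
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER.size)
    return head + hashlib.md5(head + req_auth + secret).digest()


def reply_is_valid(secret, request, reply):
    """Proxy side. A reply proves liveness only if it answers our identifier
    and its Response Authenticator checks out under our secret."""
    if reply is None or len(reply) < HEADER.size:
        return False
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(reply):
        return False
    req_auth = request[4:20]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def probe(proxy_secret, home_secret, identifier=7):
    """One round trip, in memory. True means the home server would be marked
    alive; False looks the same whether it is down or the secrets differ."""
    request = build_status_server(proxy_secret, identifier)
    reply = handle_status_server(home_secret, request)
    return reply_is_valid(proxy_secret, request, reply)
```

The failure mode worth remembering: to the proxy, a wrong shared secret and a dead server are indistinguishable (no valid reply), so a freshly added home_server that stays marked dead in the radiusd -X output is worth probing with radclient (packet type status, using the same secret) before blaming the network. With type = fail-over, every request then goes to antarctica-flr-2 for as long as antarctica-flr-1 fails its status checks.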

...