This section describes how to set up FreeRADIUS to handle RADSEC as a federation-level RADIUS and RADIUS/TLS server. It can then completely replace other RADSEC proxy products on the federation level (i.e. if you already have FreeRADIUS you can simply activate this virtual server and you'll be able to handle RADSEC - RADIUS/TLS over TCP).
More precisely, it will enable a server to:
The prerequisites for this deployment are:
All of the RADSEC configuration for FreeRADIUS 3.x can be in a single virtual server file. A detailed explanation of this configuration file is not yet provided. However, the comments included in the file should make its action almost self- explanatory. This means you can start and experiment with it right after installation.
Simply copy and paste this code into a new virtual server e.g. eduroam-radsec and place into your $RADDB/sites-enabled directory
listen {
ipaddr = *
port = 2083
type = auth
# For now, only TCP transport is allowed.
proto = tcp
clients = radsec
# This is *exactly* the same configuration as used by the EAP-TLS
# module. It's OK for testing, but for production use it's a good
# idea to use different server certificates for EAP and for RADIUS
# transport.
tls {
# These are used to simplify later configurations.
certdir = ${confdir}/radsec
cadir = ${confdir}/radsec
private_key_password = whatever
private_key_file = ${certdir}/server.realm.tld-key.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/eduPKI-CA.crt
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Issuer attribute. This check
# can be done via any mechanism you choose.
#
# this doesnt work yet
# check_cert_issuer = "/DC=org/DC=edupki/CN=eduPKI"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
#
#
# This is enabled in eap.conf, so we don't need it here.
#
# make_cert_command = "${certdir}/bootstrap"
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# Also disables caching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = yes
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 255
}
#
# Require a client certificate.
#
require_client_cert = yes
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
verify {
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
tmpdir = /etc/raddb/temporary
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..CA_path} text is a reference to
# the CA_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# this doesnt work yet either
#client = "/usr/bin/openssl verify -CAfile /etc/raddb/radsec/eduPKI-CA.crt -purpose crlsign %{TLS-Client-Cert-Filename}"
}
}
}
# IPv6 listener - config comments cleared for brevity
listen {
ipv6addr = ::
port = 2083
type = auth
proto = tcp
clients = radsec
tls {
certdir = ${confdir}/radsec
cadir = ${confdir}/radsec
private_key_password = whatever
private_key_file = ${certdir}/server.realm.tld-key.pem
certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
CA_file = ${cadir}/eduPKI-CA.crt
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
# this doesnt work yet
# check_cert_issuer = "/DC=org/DC=edupki/CN=eduPKI"
cipher_list = "DEFAULT"
cache {
enable = yes
max_entries = 255
}
require_client_cert = yes
verify {
tmpdir = /etc/raddb/temporary
# doesnt work yet
#client = "/usr/bin/openssl verify -CAfile /etc/raddb/radsec/eduPKI-CA.crt -purpose crlsign %{TLS-Client-Cert-Filename}"
}
}
}
clients radsec {
client 127.0.0.1 {
ipaddr = 127.0.0.1
proto = tcp
secret = testing123
}
client etlr1.eduroam.org {
ipaddr = 192.87.106.34
proto = tcp
secret = radsec
}
client etlr2.eduroam.org {
ipaddr = 130.225.242.109
proto = tcp
secret = radsec
# IPv6 for ETRL too - unfamiliar with details, so commented out
# client etlr1-v6.eduroam.org {
# ipv6addr = ?????????????????????????????
# proto = tcp
# secret = radsec
# }
# client etlr2-v6.eduroam.org {
# ipv6addr = ?????????????????????????????
# proto = tcp
# secret = radsec
# }
}
# local test listener for debug (present by default)
listen {
ipaddr = 127.0.0.1
port = 4000
type = auth
}
home_server etlr1 {
ipaddr etlr1.eduroam.org
port = 2083
type = auth
secret = radsec
proto = tcp
status_check = status-server
tls {
#
# These are used to simplify later configurations.
#
certdir = ${confdir}/radsec
cadir = ${confdir}/radsec
private_key_password = whatever
private_key_file = ${certdir}/server.realm.tld-key.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/eduPKI-CA.crt
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Issuer attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
}
}
#second home server config cleared to the values required for brevity
home_server etlr2 {
ipaddr etlr2.eduroam.org
port = 2083
type = auth
secret = radsec
proto = tcp
status_check = status-server
tls {
certdir = ${confdir}/radsec
cadir = ${confdir}/radsec
private_key_password = whatever
private_key_file = ${certdir}/server.realm.tld-key.pem
certificate_file = ${certdir}/server.realm.tld-eduPKI.pem
CA_file = ${cadir}/eduPKI-CA.crt
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
cipher_list = "DEFAULT"
}
}
home_server_pool ETLR {
type = load-balance
home_server = etlr1
home_server = etlr2
}
realm eduroam {
auth_pool = ETLR
}
|
Currently (10th June 2011) there are some bugs with handling unreachable remote proxies which causes the daemon to die. A few of these have already been dealt with via bug reports but some still lurk. Also, the certificate checking/verification code does not currently work - we hope to be able to verify the certificate issuer and OID as we do with RADIATOR and RadSecProxy. Note that this software only does RADSEC/TLS with TCP - DTLS over UDP is not yet an option. Clients are 'radsec' only and the standard naslist or naslist imported from SQL won't operate with radsec.