This section describes a trimmed-down installation of radsecproxy which enables it to augment any RADIUS server with RADIUS/TLS transport, in order to enhance security. More precisely, with this setup radsecproxy will:
The prerequisites for this deployment are:
Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows, but if you are unwilling to read it all, the comments should make the configuration file almost self-explanatory and you can start and experiment with it right after the initial installation, which is explained below.
This section goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.
ListenUDP localhost:11812 ListenTCP *:2083 |
Since there is a RADIUS server on the same host that occupies UDP/1812, radscproxy has to listen on a nonstandard port. It only needs to listen on the loopback device since it will only communicate with the RADIUS server on the same machine. The choice of 11812 is arbitrary and can be adapted if that port is in use. Since radsecproxy will also accept requests from an upstream RadSec-enabled server, it listens on the default TCP port for RadSec (2083) for requests from outside (the * meaning: all interfaces). If you want radsecproxy to listen only on specific interfaces, enter the interface names here. Beware: in this case you may also have to set the more exotic option SourceTCP (see the man page of radsecproxy for details).
To accept requests from the RADIUS server on localhost, this server needs to be listed as a client. That server may either use IPv4 or IPv6 for its communication, so both variants are defined. If your system is not IPv6-enabled, simply delete the stanza about client ::1. The _LOCAL_SECRET_ must match the secret which you configured in your RADIUS server for the server catering the DEFAULT realm.
client localhost {
host 127.0.0.1
type udp
secret __LOCAL_SECRET__
}
client ::1 {
type udp
secret __LOCAL_SECRET__
}
|
To accept requests from the upstream RADIUS/TLS-enabled server, this other server needs to be listed. Replace _RADSEC_PEER_ with the hostname of your upstream server. The traditional RADIUS shared secret has no meaning in RADIUS/TLS, and must instead be statically set to "radsec" throughout eduroam. This has no security implications.
client _RADSEC_PEER_ {
type TLS
secret radsec
}
|
To deliver requests to the local RADIUS server, this server needs to be configured. See above for the
parameter _LOCAL_SECRET_.
server localhost {
type UDP
port 1812
secret __LOCAL_SECRET__
}
|
This server needs to be configured to deliver requests to the upstream RadSec-enabled server. See above for
the configuration item _RADSEC_PEER_.
server _RADSEC_PEER_ {
type TLS
secret radsec
statusserver on
}
|
There are some known client-side misconfigurations. If they were not already caught by the local RADIUS
server, it does not make sense for the proxy to send these requests up to the eduroam infrastructure. These
requests are immediately rejected.
Note: if you need to blacklist an existing realm for some reason, you can follow the myabc.com example,
copying and replacing it with the realm to be blacklisted.
realm /myabc\.com$ {
replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant!"
}
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
|
Requests that are coming in from upstream and are supposed to be handled by the own RADIUS server are
listed in _OWN_REALM_. Create multiples of these stanzas if your local server serves more than one realm.
realm /_OWN_REALM_$ {
server localhost
}
|
The configuration stanza above will terminate all requests that end in _OWN_REALM_ but which were not caught by previous realm definitions, which prevents a possible loop. This is achieved by having the client name = localhost and the server name = localhost, and LoopPrevention enabled, which checks for this condition.
Finally, all other realms which are not to be authenticated locally are sent to the upstream RADIUS/TLS peer:
realm * {
server __RADSEC_PEER__
}
|