Setup freeradius

From SpaceFED
Jump to navigation Jump to search

Apply for a realm

You can apply for a realm by contacting us. You will need to prove that you are in the board of your local hackerspace, so we'll only reply to realm-admin@yourrealm.tld. Also send the public IPv4 address of your home server to us, we'll make sure your realm gets added to Spacenet and generate a secret for communication between the radius servers. We will also give you an account on the test realm to test authentications. Make sure that you remain reachable on this address when the realm is live, as root servers and delegations may need updating from time to time.


If you wish to apply for a top level delegation for your country, you must make sure that you sign up at least 5 hackerspaces in your country and estabilish a website where your local hackerspaces can apply for realms in your delegated space.

Install Debian on a (virtual) machine

The specifics fall outside the scope of this document. If you need help with this, contact us about using a hosted SSO package, as the rest of this howto assumes this as a basic skill.

Setting up FreeRADIUS

The basics

FreeRADIUS basically works as authentication server and authentication proxy. On top of RADIUS several EAP protocols are implemented which should be used. To be able to support Windows clients natively it is benificial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible, just specify it in the tls block in eap.conf.


It is always important to verify the certificate on the clients to prevent a man in the middle attack!

The conffiles

Overview

You need the following configuration files.

  • eap.conf
  • sites-enabled/default
  • sites-enabled/inner-tunnel
  • proxy.conf
  • clients.conf
  • modules/ldap

We also recommend setting up an OpenLDAP server, as you're going to need this for SAML and likely Kerberos later as well. These configuration files are for an OpenLDAP server, if you expressly do not want to do this, replace 'ldap' with 'files' in the configuration files.

eap.conf

This file configures the local EAP types and certificates.

# -*- text -*-
eap {
        default_eap_type = ttls
        timer_expire     = 60    
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096

        tls {   
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs

                private_key_password = 
                private_key_file = ${certdir}/server.key
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                CA_path = ${cadir}
        }       
        ttls {  
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }       
        peap {  
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

sites-enabled/default

This file configures the initial unencrypted RADIUS session. It is important to reject requests without a realm, otherwise the user could run into trouble at another realm.

# -*- text -*-
authorize {
        preprocess

        suffix
        if (Realm == NULL) {
                update reply {
                      Reply-Message := "Please specify a realm to authenticate with."
                }
                reject
        }

        eap
}

authenticate {
        eap
}


preacct {
        preprocess
        acct_unique
        suffix

}

accounting {
        detail
        radutmp
        exec
        attr_filter.accounting_response
}


session {
        radutmp
}
post-proxy {
	if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
		# Overwrite the VLAN tag and filter untrusted attributes
		# "!* ANY" to remove the tag or ":=" to overwrite
		update proxy-reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "xx"
			Session-Timeout !* ANY
			Aruba-User-Role !* ANY
			Aruba-User-VLAN !* ANY
		}

		# Add the realm if upstream does not provide it
		# Also provides security if upstream fakes a realm
		if ("%{request:User-Name}" =~ /@(.+)$/) {
			if ("%{proxy-reply:User-Name}" != "" && "%{proxy-reply:User-Name}" !~ /@%{1}$/) {
				update proxy-reply {
					User-Name := "%{proxy-reply:User-Name}@%{1}"
				}
			}
		}
	}
	eap
}

sites-enabled/inner-tunnel

# -*- text -*-
server inner-tunnel {
        listen {
               ipaddr = 127.0.0.1
               port = 18120
               type = auth
        }
        authorize {
                suffix
                if (Realm != "your-realm.tld") {
                        reject
                }
		pap
		mschap
                eap 
                ldap
 
                expiration
                logintime

        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
		ldap
        }
        session {
                radutmp
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }

		# Only leak our real usernames and VLAN tags to your own access points
		if (NAS-IP-Address == "xxx.xxx.xxx.xxx") {
			
			# Make sure we always include '@your-realm.tld' in the reply
			if ("%{request:User-Name}" !~ /@your-realm.tld$/) {
				update reply {
					User-Name := "%{request:User-Name}@your-realm.tld"
				}
			}
			else {
				update reply {
					User-Name := "%{request:User-Name}"
				}
			}
		}
		else {
			update reply {
				User-Name := "anonymous@your-realm.tld"
			}
		}
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
} 

proxy.conf

# -*- text -*-

proxy server {
        default_fallback = no

}

home_server nlnode1.spacefed.net {
        type = auth+acct
        ipaddr = 194.171.96.99
        port = 1812
        secret = YOUR_SUPPLIED_SECRET
        require_message_authenticator = yes
        response_window = 5
        zombie_period = 60
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
}

home_server_pool root_pool {
        type = client-balance

        # The members of the root delegation pool
        home_server = nlnode1.spacefed.net
        # home_server = ...


}

# Your realm should be local
realm your-realm.tld {
}

# These realms should always be handled locally
realm LOCAL {
}
realm NULL {
}

realm DEFAULT {
        nostrip
        auth_pool       = root_pool
}

clients.conf

This file configures all inbound connections, including those to the root nodes.

# -*- text -*-
client localhost {
        ipaddr = 127.0.0.1
        secret          = CHOOSE_YOUR_OWN
        require_message_authenticator = no
        nastype     = other
}
client 194.171.96.99 {
        secret          = YOUR_SUPPLIED_SECRET
        shortname       = nlnode1
}
client 1.2.3.4 {
        secret          = CHOOSE_YOUR_OWN
        shortname       = my_access_point
}

modules/ldap

This file contains the LDAP connection and filter information. You should add TLS information if your server does not run on localhost.

# -*- text -*-
ldap {
        server = "127.0.0.1"
        identity = "cn=user_with_read_access,dc=your-realm,dc=tld"
        password = YOUR_SECRET
        basedn = "dc=your-realm,dc=tld"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 5 
        timeout = 4 
        timelimit = 3 
        net_timeout = 1 
        tls {
                start_tls = no
                # cacertfile = /path/to/cacert.pem
                # cacertdir  = /path/to/ca/dir/
                # certfile   = /path/to/radius.crt
                # keyfile    = /path/to/radius.key
                # randfile   = /dev/urandom
        }   
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

Server certificate

For the server certificate you can use a SSL certificate. The certificate should not be a wildcard certificate, but a domain or subdomain certificate (for example: CN = radius.bitlair.nl).

It is preferable that you use a certificate that is signed by a well-known Certificate Authority, this will make the client configuration a bit more easy.

You can use a free certificate from StartCom, but you will need to append the "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem) to your server.pem file otherwise the clients won't be able to verify the certificate properly.

Opening up the radius to the internet

Make sure you open up UDP and TCP ports 1812 and 1813 to the internet. This should be opened to every client configured in the clients.conf.

Testing authentications

It is convenient to use the eapol_test utility to test authentications against the local radius server using the key configured for localhost in clients.conf.

You can use it like:
./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN


The auth.conf should contain something like:

network={
	ssid="spacenet"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="username@your-realm.tld"
        anonymous_identity="anonymous@your-realm.tld"
        password="MY_SUPER_SECRET_PASSWORD"
        phase2="auth=EAP-MSCHAPv2"
}

Configure your access points

Set up your access points to use WPA2 enterprise and point it to the IP of the radius server.

Also checkout Accesspoint config general.

Instruct your users

Instruct your users how to set up WPA2 enterprise, it is not hard, but there are a few rules:

  • Always configure an anonymous identity as anonymous@your-realm.tld, this prevents others from seeing the real username and thus tracking.
  • Always install the server certificate as CA on the clients or specify your server name and the CA that signed the certificate.

Also see