https://spacefed.net/api.php?action=feedcontributions&feedformat=atom&user=XoprSpaceFED - User contributions [en]2026-04-10T15:20:17ZUser contributionsMediaWiki 1.37.1https://spacefed.net/index.php?title=Who/Spacenet/Spaces&diff=102Who/Spacenet/Spaces2024-03-09T07:40:06Z<p>Xopr: Updated status, URIs and typos</p>
<hr />
<div>{| class="wikitable"<br />
| align="center" style="background:#f0f0f0;"|'''Space name'''<br />
| align="center" style="background:#f0f0f0;"|'''Space type'''<br />
| align="center" style="background:#f0f0f0;"|'''Location'''<br />
| align="center" style="background:#f0f0f0;"|'''Using spacenet for'''<br />
| align="center" style="background:#f0f0f0;"|'''Equipment'''<br />
| align="center" style="background:#f0f0f0;"|'''Website'''<br />
|-<br />
| ACKspace||Hackerspace||NL, Heerlen||802.1X: WiFi||OpenWrt||[https://ackspace.nl ackspace.nl]<br />
|-<br />
| AwesomeSpace||Hackerspace||NL, Utrecht||802.1X: WiFi||6x Aruba Instant||[https://awesomespace.nl awesomespace.nl]<br />
|-<br />
| bhack||Hackerspace||NL, Zwolle||802.1X: WiFi|| ???||[https://www.meetup.com/Bhack-Hackerspace-Zwolle/?_cookie-check=JUezEnmHfIasuFy7 bhack]<br />
|-<br />
| Bitlair||Hackerspace||NL, Amersfoort||802.1X: WiFi||5x Aruba Instant||[https://bitlair.nl bitlair.nl]<br />
|-<br />
| Das Labor||Hackerspace||DE, Bochum||802.1X: WiFi||1x Ubiquiti Unifi AP AC||[https://das-labor.org das-labor.org]<br />
|-<br />
| Edinburgh Hacklab||Hackerspace||UK, Edinburgh||802.1X: WiFi||Ubiquiti UniFi||[https://edinburghhacklab.com edinburghhacklab.com]<br />
|-<br />
| Frack||Hackerspace||NL, Leeuwarden||802.1X: WiFi||2x Aruba Instant||[https://frack.nl frack.nl]<br />
|-<br />
| Hack42||Hackerspace||NL, Arnhem||802.1X: WiFi|| ???||[https://hack42.nl hack42.nl]<br />
|-<br />
| Hackalot||Hackerspace||NL, Eindhoven||802.1X: WiFi||Aruba||[https://hackalot.nl hackalot.nl]<br />
|-<br />
| IN-Berlin||Hackerspace and non-commercial ISP||DE, Berlin||802.1X: WiFi||OpenWRT||[https://in-berlin.de in-berlin.de]<br />
|-<br />
| LHC||Hackerspace||BR, Campinas||802.1X: WiFi||OpenWRT||[https://lhc.net.br lhc.net.br]<br />
|-<br />
| London Hackspace||Hackerspace||UK, London||802.1X: Wifi||Cisco 3502's (stand alone)||[https://london.hackspace.org.uk london.hackspace.org.uk]<br />
|-<br />
| Mononoke||Roaming Hackerspace||NL, Random locations||802.1X: WiFi||MikroTik, Apple||mononoke.nl (down)<br />
|-<br />
| Nifhack||Hackerspace||NL, Ground Zero||802.1X: WiFi||Aruba 3400 with AP-105s||[http://www.nifhack.nl/ nifhack.nl]<br />
|-<br />
| NottingHack||Hackerspace||UK, Nottingham||802.1X: Wifi|| ??||[https://nottinghack.org.uk nottinghack.org.uk]<br />
|-<br />
| NURDspace||Hackerspace||NL, Wageningen||802.1X: WiFi||OpenWRT||[https://nurdspace.nl/Main_Page NURDspace]<br />
|-<br />
| Pixelbar||hackerspace||NL, Rotterdam||802.1X: WiFi||Temporary no connectivity because of fire||[https://www.pixelbar.nl/ pixelbar]<br />
|-<br />
| Randomdata||Hackspace||NL, Utrecht||802.1X: WiFi||Aruba Instant 105||[https://randomdata.nl Randomdata.nl]<br />
|-<br />
| RevSpace||Hackerspace||NL, Den Haag||802.1X: WiFi||4x Aruba Instant||[https://revspace.nl Revspace.nl]<br />
|-<br />
| Sk1llz||Hackerspace||NL, Almere||802.1X: WiFi||DD-WRT||sk1llz.nl (down)<br />
|-<br />
| Sublab||Hackerspace||DE, Leipzig||802.1X: WiFi||ARtem / Colubris||[https://sublab.org/ sublab] (2017: end of life)<br />
|-<br />
| Syn2Cat||Hackerspace||LU, Luxembourg||802.1X: WiFi|| ??||[https://blog.syn2cat.lu/ blog.syn2cat.lu]<br />
|-<br />
| TechInc||Hackerspace||NL, Amsterdam||802.1X WiFi||Cisco WLC||[https://techinc.nl techinc.nl]<br />
|-<br />
| TkkrLab||Hackerspace||NL, Enschede||802.1X: WiFi||DD-WRT||[https://tkkrlab.nl tkkrlab.nl]<br />
|-<br />
| Unallocated Space||Hackerspace||US, Severn||802.1X: WiFi|| ??||[https://unallocatedspace.org/ unallocatedspace.org]<br />
|-<br />
| <br />
|}<br />
[[Category:Who/Spacenet]]</div>Xoprhttps://spacefed.net/index.php?title=SpaceFED:Terms_of_Service&diff=78SpaceFED:Terms of Service2023-09-30T12:04:39Z<p>Xopr: Bill & Ted ToS</p>
<hr />
<div>Be excellent to each other!<br />
No spam.</div>Xoprhttps://spacefed.net/index.php?title=Category:Lost&diff=77Category:Lost2023-09-30T07:20:54Z<p>Xopr: Created lost category</p>
<hr />
<div>Pages in this category were lost due to a spam attack on a previous installation, and archive.org has not indexed these pages.<br />
<br />
If you happen to have a hold of a missing page (and have the space time), feel free to add them again.</div>Xoprhttps://spacefed.net/index.php?title=Who/Spacenet/Countrynodes&diff=76Who/Spacenet/Countrynodes2023-09-30T07:19:21Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
<br />
[[Category:Who/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Who/Spacenet/Communities&diff=75Who/Spacenet/Communities2023-09-30T07:19:19Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
<br />
[[Category:Who/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Setup_Network_Policy_Server&diff=74Howto/Spacenet/Setup Network Policy Server2023-09-30T07:19:18Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Setup_Country_node&diff=73Howto/Spacenet/Setup Country node2023-09-30T07:19:18Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Ruckus_example&diff=72Howto/Spacenet/Ruckus example2023-09-30T07:19:17Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/OpenWRT_example&diff=71Howto/Spacenet/OpenWRT example2023-09-30T07:19:17Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/MikroTik_RouterOS_example&diff=70Howto/Spacenet/MikroTik RouterOS example2023-09-30T07:19:16Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Meru_example&diff=69Howto/Spacenet/Meru example2023-09-30T07:19:16Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Meraki_example&diff=68Howto/Spacenet/Meraki example2023-09-30T07:19:15Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Juniper_Trapeze_example&diff=67Howto/Spacenet/Juniper Trapeze example2023-09-30T07:19:14Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/HP_example&diff=66Howto/Spacenet/HP example2023-09-30T07:19:14Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/HP_WESM_example&diff=65Howto/Spacenet/HP WESM example2023-09-30T07:19:13Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/DD-WRT_example&diff=64Howto/Spacenet/DD-WRT example2023-09-30T07:19:13Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Client_iOS&diff=63Howto/Spacenet/Client iOS2023-09-30T07:19:12Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Client_Windows_7&diff=62Howto/Spacenet/Client Windows 72023-09-30T07:19:11Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Client_Linux&diff=61Howto/Spacenet/Client Linux2023-09-30T07:19:11Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Cisco_example&diff=60Howto/Spacenet/Cisco example2023-09-30T07:19:10Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Aruba_example&diff=59Howto/Spacenet/Aruba example2023-09-30T07:19:09Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Aruba_Instant_example&diff=58Howto/Spacenet/Aruba Instant example2023-09-30T07:19:08Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Aerohive_example&diff=57Howto/Spacenet/Aerohive example2023-09-30T07:16:11Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Accesspoint_config_general&diff=56Howto/Spacenet/Accesspoint config general2023-09-30T07:15:57Z<p>Xopr: Added "Lost" category</p>
<hr />
<div><<the contents of this page is lost>><br />
[[Category:Howto/Spacenet]][[Category:Lost]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Setup_freeradius&diff=55Howto/Spacenet/Setup freeradius2023-09-30T07:07:52Z<p>Xopr: created redirect (the old contents of this page were lost)</p>
<hr />
<div>#REDIRECT [[Setup_freeradius]]</div>Xoprhttps://spacefed.net/index.php?title=Howto/Spacenet/Setup_LDAP&diff=54Howto/Spacenet/Setup LDAP2023-09-30T06:59:17Z<p>Xopr: Recreated from https://wilco.baanhofman.nl/setup-ldap.html</p>
<hr />
<div><br />
<h2>Before we begin...</h2><br />
Before I start handing out configuration files.. I just remembered we're all hackerspaces here and we are in this thing to learn. You have arrived here because you have been offered the shortcut and chose to do it right. Well, you're going to hate me for this, but I am going to explain LDAP first.<br />
<br />
One thing about LDAP you should know is that it is really really simple and easy to understand, but all the used terms are unknown and therefore it can be quite overwhelming. So let's start with clearing that up.<br />
<br />
<h2>Basics</h2><br />
LDAP is just an indexed directory tree. Everything in it is an object. Every object has attributes. To keep the directory clean and not have happen what happens to the windows registry, not every attribute can go on every object. Attributes are assigned to object classes and you just add objectclasses to every object to define which attributes you wish to use.<br />
<br />
That's the easy part. This is what has been haunting you. Every object can be addressed by it's path in the directory, this path is unique. But of course, we do not call this the path, but we call this the <b>Distinguished Name</b> or <b>DN</b>. If you are asked to specify a DN, what they're really saying is "What object would you like to use".<br />
<br />
When setting up a connection you need to authenticate, this is done in the 'bind' stage of the connection. You can bind anonymously (not recommended for user databases) or as a user/security object in the database.<br />
<br />
The directory can be queried using searches, for this you specify where you want to look, this is called the <b>Base DN</b>. It basically means you'll be searching there, one level below, or the entire subtree, depending on the scope you specify. You can also specify a search filter, with a search filter you specify which attribute values you wish to see. Default search is 'objectclass=*', but you can do fancier filters like "(&(objectclass=posixAccount)(uid=wilco))".<br />
<br />
<h3>Terms</h3><br />
* DN/Distinguished Name: The path in the directory<br />
* DC/Domain Component: Domain Component, only really used in the root DN, every part between dots in your REALM name gets one (if you have one dot, that means two dc's)<br />
* Root DN: The root of your directory, usually this will be dc=YOUR,dc=REALM,dc=TLD<br />
* Binding: Binding means authenticating<br />
* Bind DN: The DN of the user object you wish to authenticate as. When starting you'll likely want to use cn=admin,dc=YOUR,dc=REALM,dc=TLD.<br />
* Bind password: Just the userPassword attribute you set for the object specified at Bind DN<br />
* Base DN: The path to the root of the subtree you wish to search<br />
* Search filter: A filter to look for objects in the directory.<br />
* Schema: The schema defines attributes and objectclasses and also the mappings between them.<br />
* CN/Common Name: Most common attribute in the directory, used for naming your objects<br />
<br />
<h2>Setting up a directory</h2><br />
You'll want a directory that can run your radius server for spacenet, but why not go the extra step. You're setting up a user directory, why not also support a samba file server, an SSH shell server and your wiki.. or like at revspace add attributes for your door contact ID-buttons.. all on the same user directory. To do this, you'll need to extend your schema. We'll get to that. Now first install slapd on a debian, you now know what you can fill in. Bear in mind that sometimes debian will not ask all the questions you need, try "DEBIAN_PRIORITY=low apt-get install slapd ldap-utils". Please dpkg-reconfigure --priority=low your slapd if you have made a previous attempt. Also, you'll want to install the ldap-utils package so you can test your directory.<br />
<br />
<h3>Step 1: Verify your directory</h3><br />
After install, you'll have a very basic directory containing two objects.<br />
<pre><br />
prompt:~# ldapsearch -x -b dc=spacefed,dc=net<br />
<br />
# spacefed.net<br />
dn: dc=spacefed,dc=net<br />
objectClass: top<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: SpaceFED<br />
dc: spacefed<br />
<br />
# admin, spacefed.net<br />
dn: cn=admin,dc=spacefed,dc=net<br />
objectClass: simpleSecurityObject<br />
objectClass: organizationalRole<br />
cn: admin<br />
description: LDAP administrator<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 3<br />
# numEntries: 2<br />
</pre><br />
As you'll see, one is the root DN, the second is the security object with which we can bind to the database. <br />
<br />
<h3>Step 2: Extend your schema </h3><br />
You can already use your directory, but not yet for freeradius, for this, we need an extra schema, the samba schema. It is common practise to use schema's from other people if the data is the same, so you can share data between your applications. You only create new objectclasses for attributes that you cannot already sanely store in the database. But debian does not supply the samba schema by default (only the old schema which we shall not use in samba-doc).<br />
<br />
Add the following to tmpsamba.ldif, then type <b>ldapadd -Y EXTERNAL -H ldapi:// < tmpsamba.ldif</b><br />
<pre><br />
dn: cn=samba,cn=schema,cn=config<br />
objectclass: olcSchemaConfig<br />
cn: samba<br />
olcattributetypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC <br />
'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6<br />
.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )<br />
olcattributetypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC '<br />
Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.<br />
1.26{16} SINGLE-VALUE )<br />
olcattributetypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC <br />
'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.<br />
1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DES<br />
C 'Timestamp of when the user is allowed to update the password' EQUALITY i<br />
ntegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DE<br />
SC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTA<br />
X 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC '<br />
Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.<br />
121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC <br />
'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.11<br />
5.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC<br />
'Timestamp of when the user will be logged off automatically' EQUALITY int<br />
egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'<br />
DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1<br />
.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'<br />
DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX <br />
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC<br />
'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.<br />
1.26{42} SINGLE-VALUE )<br />
olcattributetypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC <br />
'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTA<br />
X 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )<br />
olcattributetypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DES<br />
C 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.<br />
121.1.15{255} SINGLE-VALUE )<br />
olcattributetypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DES<br />
C 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.1<br />
15.121.1.15{255} SINGLE-VALUE )<br />
olcattributetypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations<br />
' DESC 'List of user workstations the user is allowed to logon to' EQUALITY<br />
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )<br />
olcattributetypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC '<br />
Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.1<br />
15.121.1.15{128} )<br />
olcattributetypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC<br />
'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYN<br />
TAX 1.3.6.1.4.1.1466.115.121.1.15{128} )<br />
olcattributetypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC<br />
'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.<br />
6.1.4.1.1466.115.121.1.15{1050} )<br />
olcattributetypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'<br />
DESC 'Concatenated MD5 hashes of the salted NT passwords used on this acco<br />
unt' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )<br />
olcattributetypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Secur<br />
ity ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNT<br />
AX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )<br />
olcattributetypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'<br />
DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.<br />
1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )<br />
olcattributetypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'S<br />
ecurity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12<br />
1.1.26{64} )<br />
olcattributetypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC <br />
'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 <br />
SINGLE-VALUE )<br />
olcattributetypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DES<br />
C 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.<br />
4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DE<br />
SC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.<br />
1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'N<br />
ext NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4<br />
.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBa<br />
se' DESC 'Base at which the samba RID generation algorithm should operate' <br />
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC <br />
'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 <br />
SINGLE-VALUE )<br />
olcattributetypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC<br />
'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY<br />
NTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )<br />
olcattributetypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC<br />
'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1<br />
.7 SINGLE-VALUE )<br />
olcattributetypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' D<br />
ESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1<br />
21.1.27 SINGLE-VALUE )<br />
olcattributetypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DE<br />
SC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115<br />
.121.1.26 SINGLE-VALUE )<br />
olcattributetypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption<br />
' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1<br />
466.115.121.1.15 )<br />
olcattributetypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC<br />
'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466<br />
.115.121.1.26 )<br />
olcattributetypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DE<br />
SC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.<br />
6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength<br />
' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY in<br />
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' D<br />
ESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'<br />
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC <br />
'Maximum password age, in seconds (default: -1 => never expire passwords)' <br />
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC <br />
'Minimum password age, in seconds (default: 0 => allow immediate password c<br />
hange)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V<br />
ALUE )<br />
olcattributetypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'<br />
DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY i<br />
ntegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservati<br />
onWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY<br />
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold<br />
' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALIT<br />
Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DES<br />
C 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUA<br />
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwd<br />
Change' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY <br />
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<br />
olcattributetypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPasswor<br />
d' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY <br />
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )<br />
olcattributetypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTex<br />
tPassword' DESC 'Previous clear text password (used for trusted domain pass<br />
words)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )<br />
olcobjectclasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'S<br />
amba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MA<br />
Y ( cn $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTi<br />
me $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustC<br />
hange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sam<br />
baLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sa<br />
mbaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCo<br />
unt $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )<br />
olcobjectclasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC <br />
'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ samba<br />
GroupType ) MAY ( displayName $ description $ sambaSIDList ) )<br />
olcobjectclasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DES<br />
C 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaN<br />
TPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )<br />
olcobjectclasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassw<br />
ord' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDo<br />
mainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaP<br />
reviousClearTextPassword )<br />
olcobjectclasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba<br />
Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID )<br />
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithm<br />
icRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd <br />
$ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObse<br />
rvationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachi<br />
nePwdChange ) )<br />
olcobjectclasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'P<br />
ool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gid<br />
Number ) )<br />
olcobjectclasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'M<br />
apping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber<br />
$ gidNumber ) )<br />
olcobjectclasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Str<br />
uctural Class for a SID' SUP top STRUCTURAL MUST sambaSID )<br />
olcobjectclasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samb<br />
a Configuration Section' SUP top AUXILIARY MAY description )<br />
olcobjectclasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba<br />
Share Section' SUP top STRUCTURAL MUST sambaShareName MAY description )<br />
olcobjectclasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DES<br />
C 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY <br />
( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringLis<br />
toption $ description ) )<br />
</pre><br />
<br />
<h3>Step 3: Secure your directory</h3><br />
Make sure that you secure your directory, here's a nice checklist for you :)<br />
<br />
<h4>Run on port 636, allow only LDAPS</h4><br />
Make sure the /etc/default/slapd file has the following SLAPD_SERVICES defined;<br />
<pre>SLAPD_SERVICES="ldapi:/// ldap://localhost:389/ ldaps:///"</pre><br />
In order to enable LDAPS and restrict plaintext LDAP to localhost.<br />
<br />
<h4>Install a certificate</h4><br />
Save below to file, adjust the paths and run ldapmodify -Y EXTERNAL -H ldapi:// < file.ldif<br />
<pre><br />
dn: cn=config<br />
add: olcTLSCACertificateFile<br />
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem<br />
-<br />
add: olcTLSCertificateKeyFile<br />
olcTLSCertificateKeyFile: /etc/ssl/private/server-key.pem<br />
-<br />
add: olcTLSCertificateFile<br />
olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem<br />
</pre><br />
<br />
<h5>Letsencrypt</h5><br />
For Letsencrypt certificates please remember to change the filerights accordingly in order to be able to read the certificates. This can be done with the command:<br />
<pre><br />
useradd letsencrypt<br />
chown openldap:letsencrypt /etc/letsencrypt/ -R<br />
usermod -a -G letsencrypt openldap<br />
</pre><br />
Furthermore we need to insert the certificates into the configuration. This can be done with the following ldif file:<br />
<br />
<pre><br />
dn: cn=config<br />
add: olcTLSCACertificateFile<br />
olcTLSCACertificateFile: /etc/letsencrypt/live/$servername$/fullchain.pem<br />
-<br />
add: olcTLSCertificateKeyFile<br />
olcTLSCertificateKeyFile: /etc/letsencrypt/live/$servername$/privkey.pem<br />
-<br />
add: olcTLSCertificateFile<br />
olcTLSCertificateFile: /etc/letsencrypt/live/$servername$/cert.pem<br />
</pre><br />
<br />
Please also remember to restart Openldap on certificate renew to start using the renewed certificates.<br />
<br />
<br />
<h4>Disallow LDAP v2</h4><br />
This was a dpkg configure question. You should have said no to the question "Allow v2 binds". Anyway, how to fix will be provided here. <b>FIXME</b><br />
<br />
<h4>Disable anonymous binds</h4><br />
Add the following attributes to your configuration object (ldapmodify -Y EXTERNAL -H ldapi:// < file.ldif):<br />
<pre><br />
dn: cn=config<br />
changetype: modify<br />
add: olcDisallows<br />
olcDisallows: bind_anon<br />
<br />
dn: olcDatabase={-1}frontend,cn=config<br />
changetype: modify<br />
add: olcRequires<br />
olcRequires: authc<br />
</pre><br />
<br />
<h4>Protect the sambaNTPassword attribute from being read</h4><br />
Add the following ACL attribute to your database (ldapmodify -Y EXTERNAL -H ldapi:// < file.ldif):<br />
<pre><br />
dn: olcDatabase={1}hdb,cn=config<br />
changetype: modify<br />
add: olcAccess<br />
olcAccess: {1}to attrs=sambaNTPassword<br />
by dn="cn=admin,dc=YOUR,dc=REALM,dc=TLD" write<br />
by dn="cn=read,dc=YOUR,dc=REALM,dc=TLD" read<br />
by self write<br />
by * none<br />
</pre><br />
<br />
<h3>Step 4: Add a samba domain Unix ID pool</h3><br />
You need a Unix ID pool from which to allocate uidNumbers and gidNumbers... and for the samba users you need a samba SID pool to allocate SIDs.<br />
Add the following 2 objects to your realm (adjust first, use ldapadd -x -D cn=admin,dc=YOUR,dc=REALM,dc=TLD -W < file.ldif)<br />
<pre><br />
dn: sambaDomainName=YOURORGANISATION,dc=YOUR,dc=REALM,dc=TLD<br />
sambaDomainName: YOURORGANISATION<br />
sambaSID: S-1-5-21-2919752157-891696647-4172528126 (please change a few numbers in the last 3 groups)<br />
sambaAlgorithmicRidBase: 1000<br />
objectClass: sambaDomain<br />
sambaMinPwdAge: 0<br />
sambaMinPwdLength: 5<br />
sambaLogonToChgPwd: 0<br />
sambaForceLogoff: -1<br />
sambaRefuseMachinePwdChange: 0<br />
sambaLockoutThreshold: 0<br />
sambaMaxPwdAge: -1<br />
sambaNextRid: 20100<br />
sambaPwdHistoryLength: 0<br />
<br />
dn: cn=NextFreeUnixId,dc=YOUR,dc=REALM,dc=TLD<br />
objectClass: inetOrgPerson<br />
objectClass: sambaUnixIdPool<br />
cn: NextFreeUnixId<br />
sn: NextFreeUnixId<br />
gidNumber: 10000<br />
uidNumber: 10000<br />
</pre><br />
<br />
<h3>Step 5: Install phpldapadmin and start filling it up</h3><br />
This one is optional, but it is a graphical representation, so it may help you understand what you are doing. Just install phpldapadmin, point it to the directory and you're done (this can be done in "/etc/phpldapadmin/config.php"). Make sure that you create "Samba accounts" and do not *EVER* use the sambaLMPassword (I removed it from the schema above to prevent this). <br />
<br />
phpldapadmin version 1.2.2.4 has a bug with making a "Samba: Group Mapping", this is needed for making "Samba accounts". If you install version 1.2.0.5 you won't have that problem. (The 1.2.0.5 version can be found in the "debian squeeze repository")<br />
<br />
You might also want to check out JXplorer and Luma is also looking very promising. You may also want to manage your users using smbldap-tools, so you can add users with smbldap-useradd, etc. <b>FIXME: Add links</b><br />
<br />
<h3>Step 6: Make sure it makes sense</h3><br />
You can create (objectclass=)OrganizationalUnits objects, under which you can create your users. I suggest your create a unit for your users (OU=Users) and a unit for your groups (OU=Groups).<br />
<br />
<h3>Step 7: Create a group</h3><br />
<b>FIXME</b>.. but you can do this in phpldapadmin already<br />
<br />
<h3>Step 8: Create your users</h3><br />
A user will kind of look like this, use SSHA hashes:<br />
<pre><br />
dn: uid=wilco,ou=People,dc=YOUR,dc=REALM,dc=TLD<br />
uid: wilco<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: inetOrgPerson<br />
objectClass: posixAccount<br />
objectClass: shadowAccount<br />
objectClass: sambaSamAccount<br />
uidNumber: 12581<br />
gidNumber: 10407<br />
sambaSID: S-1-5-21-2969752157-892696647-4271518216-101187<br />
cn: Wilco Baan Hofman<br />
displayName: Wilco Baan Hofman<br />
gecos: Wilco Baan Hofman,,,<br />
givenName: Wilco<br />
sn: Baan Hofman<br />
mail: wilco@your.realm.tld<br />
description: Some random guy<br />
loginShell: /bin/bash<br />
homeDirectory: /home/wilco<br />
sambaPwdLastSet: 1262705210<br />
sambaNTPassword: NTHASHHERE<br />
userPassword: {SSHA}HashOfThePasswordHere<br />
sambaPrimaryGroupSID: S-1-5-21-2969752157-892696647-4271518216-513<br />
sambaAcctFlags: [U ]<br />
</pre><br />
<br />
<h2>Finally: Connect everything to your directory</h2><br />
You can now connect Freeradius to your LDAP directory. But you can now also connect NSS and PAM to add SSH accounts or mail accounts, etc. And you can now also connect your wiki, a samba file server and whatever else you can think of. Just point it to the directory, supply bind DN, bind password and base DN and it will likely just work. Be sure to check out the AllowGroup directive for your SSH server.<br />
<br />
<br />
<br />
[[Category:Howto/Spacenet]]</div>Xoprhttps://spacefed.net/index.php?title=Setup_freeradius&diff=53Setup freeradius2023-09-30T06:57:28Z<p>Xopr: added reference links</p>
<hr />
<div><br />
<h2>Apply for a realm</h2><br />
You can apply for a realm by [[Contact|contacting]] us. You will need to prove that you are in the board of your local hackerspace, so we'll only reply to realm-admin@yourrealm.tld.<br />
Also send the public IPv4 address of your home server to us, we'll make sure your realm gets added to Spacenet and generate a secret for communication between the radius servers. We will also give you an account on the test realm to test authentications. <strong>Make sure that you remain reachable on this address when the realm is live, as root servers and delegations may need updating from time to time.</strong><br />
<br />
<br />
<br />
If you wish to apply for a top level delegation for your country, you must make sure that you sign up at least 5 hackerspaces in your country and estabilish a website where your local hackerspaces can apply for realms in your delegated space.<br />
<br />
<h2>Install Debian on a (virtual) machine</h2><br />
The specifics fall outside the scope of this document. If you need help with this, contact us about using a hosted SSO package, as the rest of this howto assumes this as a basic skill.<br />
<h2>Setting up FreeRADIUS</h2><br />
<h3>The basics</h3><br />
FreeRADIUS basically works as authentication server and authentication proxy. On top of RADIUS several EAP protocols are implemented which should be used. To be able to support Windows clients natively it is benificial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible, just specify it in the tls block in eap.conf.<br />
<br />
<br />
<strong>It is always important to verify the certificate on the clients to prevent a man in the middle attack!</strong><br />
<h3>The conffiles</h3><br />
<h4>Overview</h4><br />
You need the following configuration files.<br />
<ul><br />
<li>eap.conf<br />
<li>sites-enabled/default<br />
<li>sites-enabled/inner-tunnel<br />
<li>proxy.conf<br />
<li>clients.conf<br />
<li>modules/ldap<br />
</ul><br />
We also recommend setting up an OpenLDAP server, as you're going to need this for SAML and likely Kerberos later as well. These configuration files are for an OpenLDAP server, if you expressly do not want to do this, replace 'ldap' with 'files' in the configuration files.<br />
<br />
<h4>eap.conf</h4><br />
This file configures the <strong>local</strong> EAP types and certificates.<br />
<pre><br />
# -*- text -*-<br />
eap {<br />
default_eap_type = ttls<br />
timer_expire = 60 <br />
ignore_unknown_eap_types = no<br />
cisco_accounting_username_bug = no<br />
max_sessions = 4096<br />
<br />
tls { <br />
certdir = ${confdir}/certs<br />
cadir = ${confdir}/certs<br />
<br />
private_key_password = <br />
private_key_file = ${certdir}/server.key<br />
certificate_file = ${certdir}/server.pem<br />
CA_file = ${cadir}/ca.pem<br />
dh_file = ${certdir}/dh<br />
random_file = /dev/urandom<br />
CA_path = ${cadir}<br />
} <br />
ttls { <br />
default_eap_type = mschapv2<br />
copy_request_to_tunnel = no<br />
use_tunneled_reply = no<br />
virtual_server = "inner-tunnel"<br />
} <br />
peap { <br />
default_eap_type = mschapv2<br />
copy_request_to_tunnel = no<br />
use_tunneled_reply = no<br />
virtual_server = "inner-tunnel"<br />
}<br />
mschapv2 {<br />
}<br />
}<br />
</pre><br />
<h4>sites-enabled/default</h4><br />
This file configures the initial unencrypted RADIUS session. It is important to reject requests without a realm, otherwise the user could run into trouble at another realm.<br />
<pre><br />
# -*- text -*-<br />
authorize {<br />
preprocess<br />
<br />
suffix<br />
if (Realm == NULL) {<br />
update reply {<br />
Reply-Message := "Please specify a realm to authenticate with."<br />
}<br />
reject<br />
}<br />
<br />
eap<br />
}<br />
<br />
authenticate {<br />
eap<br />
}<br />
<br />
<br />
preacct {<br />
preprocess<br />
acct_unique<br />
suffix<br />
<br />
}<br />
<br />
accounting {<br />
detail<br />
radutmp<br />
exec<br />
attr_filter.accounting_response<br />
}<br />
<br />
<br />
session {<br />
radutmp<br />
}<br />
post-proxy {<br />
if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {<br />
# Overwrite the VLAN tag and filter untrusted attributes<br />
# "!* ANY" to remove the tag or ":=" to overwrite<br />
update proxy-reply {<br />
Tunnel-Type := VLAN<br />
Tunnel-Medium-Type := IEEE-802<br />
Tunnel-Private-Group-Id := "xx"<br />
Session-Timeout !* ANY<br />
Aruba-User-Role !* ANY<br />
Aruba-User-VLAN !* ANY<br />
}<br />
<br />
# Add the realm if upstream does not provide it<br />
# Also provides security if upstream fakes a realm<br />
if ("%{request:User-Name}" =~ /@(.+)$/) {<br />
if ("%{proxy-reply:User-Name}" != "" && "%{proxy-reply:User-Name}" !~ /@%{1}$/) {<br />
update proxy-reply {<br />
User-Name := "%{proxy-reply:User-Name}@%{1}"<br />
}<br />
}<br />
}<br />
}<br />
eap<br />
}<br />
</pre><br />
<br />
<h4>sites-enabled/inner-tunnel</h4><br />
<pre><br />
# -*- text -*-<br />
server inner-tunnel {<br />
listen {<br />
ipaddr = 127.0.0.1<br />
port = 18120<br />
type = auth<br />
}<br />
authorize {<br />
suffix<br />
if (Realm != "your-realm.tld") {<br />
reject<br />
}<br />
pap<br />
mschap<br />
eap <br />
ldap<br />
<br />
expiration<br />
logintime<br />
<br />
}<br />
authenticate {<br />
Auth-Type PAP {<br />
pap<br />
}<br />
Auth-Type MS-CHAP {<br />
mschap<br />
}<br />
eap<br />
ldap<br />
}<br />
session {<br />
radutmp<br />
}<br />
<br />
post-auth {<br />
Post-Auth-Type REJECT {<br />
attr_filter.access_reject<br />
}<br />
<br />
# Only leak our real usernames and VLAN tags to your own access points<br />
if (NAS-IP-Address == "xxx.xxx.xxx.xxx") {<br />
<br />
# Make sure we always include '@your-realm.tld' in the reply<br />
if ("%{request:User-Name}" !~ /@your-realm.tld$/) {<br />
update reply {<br />
User-Name := "%{request:User-Name}@your-realm.tld"<br />
}<br />
}<br />
else {<br />
update reply {<br />
User-Name := "%{request:User-Name}"<br />
}<br />
}<br />
}<br />
else {<br />
update reply {<br />
User-Name := "anonymous@your-realm.tld"<br />
}<br />
}<br />
}<br />
pre-proxy {<br />
}<br />
post-proxy {<br />
eap<br />
}<br />
} <br />
</pre><br />
<h4>proxy.conf</h4><br />
<pre><br />
# -*- text -*-<br />
<br />
proxy server {<br />
default_fallback = no<br />
<br />
}<br />
<br />
home_server nlnode1.spacefed.net {<br />
type = auth+acct<br />
ipaddr = 194.171.96.99<br />
port = 1812<br />
secret = YOUR_SUPPLIED_SECRET<br />
require_message_authenticator = yes<br />
response_window = 5<br />
zombie_period = 60<br />
revive_interval = 120<br />
status_check = status-server<br />
check_interval = 30<br />
num_answers_to_alive = 3<br />
coa {<br />
# Initial retransmit interval: 1..5<br />
irt = 2<br />
<br />
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)<br />
mrt = 16<br />
<br />
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)<br />
mrc = 5<br />
<br />
# Maximum Retransmit Duration: 5..60<br />
mrd = 30<br />
}<br />
}<br />
<br />
home_server_pool root_pool {<br />
type = client-balance<br />
<br />
# The members of the root delegation pool<br />
home_server = nlnode1.spacefed.net<br />
# home_server = ...<br />
<br />
<br />
}<br />
<br />
# Your realm should be local<br />
realm your-realm.tld {<br />
}<br />
<br />
# These realms should always be handled locally<br />
realm LOCAL {<br />
}<br />
realm NULL {<br />
}<br />
<br />
realm DEFAULT {<br />
nostrip<br />
auth_pool = root_pool<br />
}<br />
</pre><br />
<br />
<h4>clients.conf</h4><br />
This file configures all inbound connections, including those to the root nodes.<br />
<pre><br />
# -*- text -*-<br />
client localhost {<br />
ipaddr = 127.0.0.1<br />
secret = CHOOSE_YOUR_OWN<br />
require_message_authenticator = no<br />
nastype = other<br />
}<br />
client 194.171.96.99 {<br />
secret = YOUR_SUPPLIED_SECRET<br />
shortname = nlnode1<br />
}<br />
client 1.2.3.4 {<br />
secret = CHOOSE_YOUR_OWN<br />
shortname = my_access_point<br />
}<br />
</pre><br />
<h4>modules/ldap</h4><br />
This file contains the LDAP connection and filter information. You should add TLS information if your server does not run on localhost.<br />
<pre><br />
# -*- text -*-<br />
ldap {<br />
server = "127.0.0.1"<br />
identity = "cn=user_with_read_access,dc=your-realm,dc=tld"<br />
password = YOUR_SECRET<br />
basedn = "dc=your-realm,dc=tld"<br />
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br />
#base_filter = "(objectclass=radiusprofile)"<br />
ldap_connections_number = 5 <br />
timeout = 4 <br />
timelimit = 3 <br />
net_timeout = 1 <br />
tls {<br />
start_tls = no<br />
# cacertfile = /path/to/cacert.pem<br />
# cacertdir = /path/to/ca/dir/<br />
# certfile = /path/to/radius.crt<br />
# keyfile = /path/to/radius.key<br />
# randfile = /dev/urandom<br />
} <br />
dictionary_mapping = ${confdir}/ldap.attrmap<br />
edir_account_policy_check = no<br />
}<br />
</pre><br />
<h2>Server certificate</h2><br />
For the server certificate you can use a SSL certificate. The certificate should not be a wildcard certificate, but a domain or subdomain certificate (for example: CN = radius.bitlair.nl).<br />
<br />
It is preferable that you use a certificate that is signed by a well-known Certificate Authority, this will make the client configuration a bit more easy.<br />
<br />
You can use a free certificate from StartCom, but you will need to append the "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem) to your server.pem file otherwise the clients won't be able to verify the certificate properly.<br />
<br />
<h2>Opening up the radius to the internet</h2><br />
Make sure you open up UDP and TCP ports 1812 and 1813 to the internet. This should be opened to every client configured in the clients.conf.<br />
<h2>Testing authentications</h2><br />
It is convenient to use the eapol_test utility to test authentications against the local radius server using the key configured for localhost in clients.conf.<br />
<br />
You can use it like:<br><br />
<code>./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN</code><br />
<br />
<br />
The auth.conf should contain something like:<br />
<pre><br />
network={<br />
ssid="spacenet"<br />
key_mgmt=WPA-EAP<br />
eap=PEAP<br />
identity="username@your-realm.tld"<br />
anonymous_identity="anonymous@your-realm.tld"<br />
password="MY_SUPER_SECRET_PASSWORD"<br />
phase2="auth=EAP-MSCHAPv2"<br />
}<br />
</pre><br />
<br />
<h2>Configure your access points</h2><br />
Set up your access points to use WPA2 enterprise and point it to the IP of the radius server.<br />
<br />
Also checkout [[Howto/Spacenet/Accesspoint config general|Accesspoint config general]].<br />
<br />
<h2>Instruct your users</h2><br />
Instruct your users how to set up WPA2 enterprise, it is not hard, but there are a few rules:<br />
<ul><br />
<li>Always configure an anonymous identity as anonymous@your-realm.tld, this prevents others from seeing the real username and thus tracking.<br />
<li>Always install the server certificate as CA on the clients or specify your server name and the CA that signed the certificate.<br />
</ul><br />
<br />
[[Category:Howto/Spacenet]]<br />
<br />
== Also see ==<br />
* https://wilco.baanhofman.nl/setup-freeradius2.x.html<br />
* https://moeilijklastig.nl/spacefed.htm</div>Xoprhttps://spacefed.net/index.php?title=Setup_freeradius&diff=52Setup freeradius2023-09-30T06:55:17Z<p>Xopr: Recreated from https://wilco.baanhofman.nl/setup-freeradius2.x.html</p>
<hr />
<div><br />
<h2>Apply for a realm</h2><br />
You can apply for a realm by [[Contact|contacting]] us. You will need to prove that you are in the board of your local hackerspace, so we'll only reply to realm-admin@yourrealm.tld.<br />
Also send the public IPv4 address of your home server to us, we'll make sure your realm gets added to Spacenet and generate a secret for communication between the radius servers. We will also give you an account on the test realm to test authentications. <strong>Make sure that you remain reachable on this address when the realm is live, as root servers and delegations may need updating from time to time.</strong><br />
<br />
<br />
<br />
If you wish to apply for a top level delegation for your country, you must make sure that you sign up at least 5 hackerspaces in your country and estabilish a website where your local hackerspaces can apply for realms in your delegated space.<br />
<br />
<h2>Install Debian on a (virtual) machine</h2><br />
The specifics fall outside the scope of this document. If you need help with this, contact us about using a hosted SSO package, as the rest of this howto assumes this as a basic skill.<br />
<h2>Setting up FreeRADIUS</h2><br />
<h3>The basics</h3><br />
FreeRADIUS basically works as authentication server and authentication proxy. On top of RADIUS several EAP protocols are implemented which should be used. To be able to support Windows clients natively it is benificial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible, just specify it in the tls block in eap.conf.<br />
<br />
<br />
<strong>It is always important to verify the certificate on the clients to prevent a man in the middle attack!</strong><br />
<h3>The conffiles</h3><br />
<h4>Overview</h4><br />
You need the following configuration files.<br />
<ul><br />
<li>eap.conf<br />
<li>sites-enabled/default<br />
<li>sites-enabled/inner-tunnel<br />
<li>proxy.conf<br />
<li>clients.conf<br />
<li>modules/ldap<br />
</ul><br />
We also recommend setting up an OpenLDAP server, as you're going to need this for SAML and likely Kerberos later as well. These configuration files are for an OpenLDAP server, if you expressly do not want to do this, replace 'ldap' with 'files' in the configuration files.<br />
<br />
<h4>eap.conf</h4><br />
This file configures the <strong>local</strong> EAP types and certificates.<br />
<pre><br />
# -*- text -*-<br />
eap {<br />
default_eap_type = ttls<br />
timer_expire = 60 <br />
ignore_unknown_eap_types = no<br />
cisco_accounting_username_bug = no<br />
max_sessions = 4096<br />
<br />
tls { <br />
certdir = ${confdir}/certs<br />
cadir = ${confdir}/certs<br />
<br />
private_key_password = <br />
private_key_file = ${certdir}/server.key<br />
certificate_file = ${certdir}/server.pem<br />
CA_file = ${cadir}/ca.pem<br />
dh_file = ${certdir}/dh<br />
random_file = /dev/urandom<br />
CA_path = ${cadir}<br />
} <br />
ttls { <br />
default_eap_type = mschapv2<br />
copy_request_to_tunnel = no<br />
use_tunneled_reply = no<br />
virtual_server = "inner-tunnel"<br />
} <br />
peap { <br />
default_eap_type = mschapv2<br />
copy_request_to_tunnel = no<br />
use_tunneled_reply = no<br />
virtual_server = "inner-tunnel"<br />
}<br />
mschapv2 {<br />
}<br />
}<br />
</pre><br />
<h4>sites-enabled/default</h4><br />
This file configures the initial unencrypted RADIUS session. It is important to reject requests without a realm, otherwise the user could run into trouble at another realm.<br />
<pre><br />
# -*- text -*-<br />
authorize {<br />
preprocess<br />
<br />
suffix<br />
if (Realm == NULL) {<br />
update reply {<br />
Reply-Message := "Please specify a realm to authenticate with."<br />
}<br />
reject<br />
}<br />
<br />
eap<br />
}<br />
<br />
authenticate {<br />
eap<br />
}<br />
<br />
<br />
preacct {<br />
preprocess<br />
acct_unique<br />
suffix<br />
<br />
}<br />
<br />
accounting {<br />
detail<br />
radutmp<br />
exec<br />
attr_filter.accounting_response<br />
}<br />
<br />
<br />
session {<br />
radutmp<br />
}<br />
post-proxy {<br />
if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {<br />
# Overwrite the VLAN tag and filter untrusted attributes<br />
# "!* ANY" to remove the tag or ":=" to overwrite<br />
update proxy-reply {<br />
Tunnel-Type := VLAN<br />
Tunnel-Medium-Type := IEEE-802<br />
Tunnel-Private-Group-Id := "xx"<br />
Session-Timeout !* ANY<br />
Aruba-User-Role !* ANY<br />
Aruba-User-VLAN !* ANY<br />
}<br />
<br />
# Add the realm if upstream does not provide it<br />
# Also provides security if upstream fakes a realm<br />
if ("%{request:User-Name}" =~ /@(.+)$/) {<br />
if ("%{proxy-reply:User-Name}" != "" && "%{proxy-reply:User-Name}" !~ /@%{1}$/) {<br />
update proxy-reply {<br />
User-Name := "%{proxy-reply:User-Name}@%{1}"<br />
}<br />
}<br />
}<br />
}<br />
eap<br />
}<br />
</pre><br />
<br />
<h4>sites-enabled/inner-tunnel</h4><br />
<pre><br />
# -*- text -*-<br />
server inner-tunnel {<br />
listen {<br />
ipaddr = 127.0.0.1<br />
port = 18120<br />
type = auth<br />
}<br />
authorize {<br />
suffix<br />
if (Realm != "your-realm.tld") {<br />
reject<br />
}<br />
pap<br />
mschap<br />
eap <br />
ldap<br />
<br />
expiration<br />
logintime<br />
<br />
}<br />
authenticate {<br />
Auth-Type PAP {<br />
pap<br />
}<br />
Auth-Type MS-CHAP {<br />
mschap<br />
}<br />
eap<br />
ldap<br />
}<br />
session {<br />
radutmp<br />
}<br />
<br />
post-auth {<br />
Post-Auth-Type REJECT {<br />
attr_filter.access_reject<br />
}<br />
<br />
# Only leak our real usernames and VLAN tags to your own access points<br />
if (NAS-IP-Address == "xxx.xxx.xxx.xxx") {<br />
<br />
# Make sure we always include '@your-realm.tld' in the reply<br />
if ("%{request:User-Name}" !~ /@your-realm.tld$/) {<br />
update reply {<br />
User-Name := "%{request:User-Name}@your-realm.tld"<br />
}<br />
}<br />
else {<br />
update reply {<br />
User-Name := "%{request:User-Name}"<br />
}<br />
}<br />
}<br />
else {<br />
update reply {<br />
User-Name := "anonymous@your-realm.tld"<br />
}<br />
}<br />
}<br />
pre-proxy {<br />
}<br />
post-proxy {<br />
eap<br />
}<br />
} <br />
</pre><br />
<h4>proxy.conf</h4><br />
<pre><br />
# -*- text -*-<br />
<br />
proxy server {<br />
default_fallback = no<br />
<br />
}<br />
<br />
home_server nlnode1.spacefed.net {<br />
type = auth+acct<br />
ipaddr = 194.171.96.99<br />
port = 1812<br />
secret = YOUR_SUPPLIED_SECRET<br />
require_message_authenticator = yes<br />
response_window = 5<br />
zombie_period = 60<br />
revive_interval = 120<br />
status_check = status-server<br />
check_interval = 30<br />
num_answers_to_alive = 3<br />
coa {<br />
# Initial retransmit interval: 1..5<br />
irt = 2<br />
<br />
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)<br />
mrt = 16<br />
<br />
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)<br />
mrc = 5<br />
<br />
# Maximum Retransmit Duration: 5..60<br />
mrd = 30<br />
}<br />
}<br />
<br />
home_server_pool root_pool {<br />
type = client-balance<br />
<br />
# The members of the root delegation pool<br />
home_server = nlnode1.spacefed.net<br />
# home_server = ...<br />
<br />
<br />
}<br />
<br />
# Your realm should be local<br />
realm your-realm.tld {<br />
}<br />
<br />
# These realms should always be handled locally<br />
realm LOCAL {<br />
}<br />
realm NULL {<br />
}<br />
<br />
realm DEFAULT {<br />
nostrip<br />
auth_pool = root_pool<br />
}<br />
</pre><br />
<br />
<h4>clients.conf</h4><br />
This file configures all inbound connections, including those to the root nodes.<br />
<pre><br />
# -*- text -*-<br />
client localhost {<br />
ipaddr = 127.0.0.1<br />
secret = CHOOSE_YOUR_OWN<br />
require_message_authenticator = no<br />
nastype = other<br />
}<br />
client 194.171.96.99 {<br />
secret = YOUR_SUPPLIED_SECRET<br />
shortname = nlnode1<br />
}<br />
client 1.2.3.4 {<br />
secret = CHOOSE_YOUR_OWN<br />
shortname = my_access_point<br />
}<br />
</pre><br />
<h4>modules/ldap</h4><br />
This file contains the LDAP connection and filter information. You should add TLS information if your server does not run on localhost.<br />
<pre><br />
# -*- text -*-<br />
ldap {<br />
server = "127.0.0.1"<br />
identity = "cn=user_with_read_access,dc=your-realm,dc=tld"<br />
password = YOUR_SECRET<br />
basedn = "dc=your-realm,dc=tld"<br />
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br />
#base_filter = "(objectclass=radiusprofile)"<br />
ldap_connections_number = 5 <br />
timeout = 4 <br />
timelimit = 3 <br />
net_timeout = 1 <br />
tls {<br />
start_tls = no<br />
# cacertfile = /path/to/cacert.pem<br />
# cacertdir = /path/to/ca/dir/<br />
# certfile = /path/to/radius.crt<br />
# keyfile = /path/to/radius.key<br />
# randfile = /dev/urandom<br />
} <br />
dictionary_mapping = ${confdir}/ldap.attrmap<br />
edir_account_policy_check = no<br />
}<br />
</pre><br />
<h2>Server certificate</h2><br />
For the server certificate you can use a SSL certificate. The certificate should not be a wildcard certificate, but a domain or subdomain certificate (for example: CN = radius.bitlair.nl).<br />
<br />
It is preferable that you use a certificate that is signed by a well-known Certificate Authority, this will make the client configuration a bit more easy.<br />
<br />
You can use a free certificate from StartCom, but you will need to append the "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem) to your server.pem file otherwise the clients won't be able to verify the certificate properly.<br />
<br />
<h2>Opening up the radius to the internet</h2><br />
Make sure you open up UDP and TCP ports 1812 and 1813 to the internet. This should be opened to every client configured in the clients.conf.<br />
<h2>Testing authentications</h2><br />
It is convenient to use the eapol_test utility to test authentications against the local radius server using the key configured for localhost in clients.conf.<br />
<br />
You can use it like:<br><br />
<code>./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN</code><br />
<br />
<br />
The auth.conf should contain something like:<br />
<pre><br />
network={<br />
ssid="spacenet"<br />
key_mgmt=WPA-EAP<br />
eap=PEAP<br />
identity="username@your-realm.tld"<br />
anonymous_identity="anonymous@your-realm.tld"<br />
password="MY_SUPER_SECRET_PASSWORD"<br />
phase2="auth=EAP-MSCHAPv2"<br />
}<br />
</pre><br />
<br />
<h2>Configure your access points</h2><br />
Set up your access points to use WPA2 enterprise and point it to the IP of the radius server.<br />
<br />
Also checkout [[Howto/Spacenet/Accesspoint config general|Accesspoint config general]].<br />
<br />
<h2>Instruct your users</h2><br />
Instruct your users how to set up WPA2 enterprise, it is not hard, but there are a few rules:<br />
<ul><br />
<li>Always configure an anonymous identity as anonymous@your-realm.tld, this prevents others from seeing the real username and thus tracking.<br />
<li>Always install the server certificate as CA on the clients or specify your server name and the CA that signed the certificate.<br />
</ul><br />
<br />
[[Category:Howto/Spacenet]]</div>Xopr