Setup freeradius
Apply for a realm
You can apply for a realm by contacting us. You will need to prove that you are in the board of your local hackerspace, so we'll only reply to realm-admin@yourrealm.tld. Also send the public IPv4 address of your home server to us, we'll make sure your realm gets added to Spacenet and generate a secret for communication between the radius servers. We will also give you an account on the test realm to test authentications. Make sure that you remain reachable on this address when the realm is live, as root servers and delegations may need updating from time to time.
If you wish to apply for a top level delegation for your country, you must make sure that you sign up at least 5 hackerspaces in your country and estabilish a website where your local hackerspaces can apply for realms in your delegated space.
Install Debian on a (virtual) machine
The specifics fall outside the scope of this document. If you need help with this, contact us about using a hosted SSO package, as the rest of this howto assumes this as a basic skill.
Setting up FreeRADIUS
The basics
FreeRADIUS basically works as authentication server and authentication proxy. On top of RADIUS several EAP protocols are implemented which should be used. To be able to support Windows clients natively it is benificial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible, just specify it in the tls block in eap.conf.
It is always important to verify the certificate on the clients to prevent a man in the middle attack!
The conffiles
Overview
You need the following configuration files.
- eap.conf
- sites-enabled/default
- sites-enabled/inner-tunnel
- proxy.conf
- clients.conf
- modules/ldap
We also recommend setting up an OpenLDAP server, as you're going to need this for SAML and likely Kerberos later as well. These configuration files are for an OpenLDAP server, if you expressly do not want to do this, replace 'ldap' with 'files' in the configuration files.
eap.conf
This file configures the local EAP types and certificates.
# -*- text -*-
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password =
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
CA_path = ${cadir}
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
sites-enabled/default
This file configures the initial unencrypted RADIUS session. It is important to reject requests without a realm, otherwise the user could run into trouble at another realm.
# -*- text -*-
authorize {
preprocess
suffix
if (Realm == NULL) {
update reply {
Reply-Message := "Please specify a realm to authenticate with."
}
reject
}
eap
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-proxy {
if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
# Overwrite the VLAN tag and filter untrusted attributes
# "!* ANY" to remove the tag or ":=" to overwrite
update proxy-reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := "xx"
Session-Timeout !* ANY
Aruba-User-Role !* ANY
Aruba-User-VLAN !* ANY
}
# Add the realm if upstream does not provide it
# Also provides security if upstream fakes a realm
if ("%{request:User-Name}" =~ /@(.+)$/) {
if ("%{proxy-reply:User-Name}" != "" && "%{proxy-reply:User-Name}" !~ /@%{1}$/) {
update proxy-reply {
User-Name := "%{proxy-reply:User-Name}@%{1}"
}
}
}
}
eap
}
sites-enabled/inner-tunnel
# -*- text -*-
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
suffix
if (Realm != "your-realm.tld") {
reject
}
pap
mschap
eap
ldap
expiration
logintime
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
eap
ldap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
# Only leak our real usernames and VLAN tags to your own access points
if (NAS-IP-Address == "xxx.xxx.xxx.xxx") {
# Make sure we always include '@your-realm.tld' in the reply
if ("%{request:User-Name}" !~ /@your-realm.tld$/) {
update reply {
User-Name := "%{request:User-Name}@your-realm.tld"
}
}
else {
update reply {
User-Name := "%{request:User-Name}"
}
}
}
else {
update reply {
User-Name := "anonymous@your-realm.tld"
}
}
}
pre-proxy {
}
post-proxy {
eap
}
}
proxy.conf
# -*- text -*-
proxy server {
default_fallback = no
}
home_server nlnode1.spacefed.net {
type = auth+acct
ipaddr = 194.171.96.99
port = 1812
secret = YOUR_SUPPLIED_SECRET
require_message_authenticator = yes
response_window = 5
zombie_period = 60
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
coa {
# Initial retransmit interval: 1..5
irt = 2
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
mrt = 16
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
mrc = 5
# Maximum Retransmit Duration: 5..60
mrd = 30
}
}
home_server_pool root_pool {
type = client-balance
# The members of the root delegation pool
home_server = nlnode1.spacefed.net
# home_server = ...
}
# Your realm should be local
realm your-realm.tld {
}
# These realms should always be handled locally
realm LOCAL {
}
realm NULL {
}
realm DEFAULT {
nostrip
auth_pool = root_pool
}
clients.conf
This file configures all inbound connections, including those to the root nodes.
# -*- text -*-
client localhost {
ipaddr = 127.0.0.1
secret = CHOOSE_YOUR_OWN
require_message_authenticator = no
nastype = other
}
client 194.171.96.99 {
secret = YOUR_SUPPLIED_SECRET
shortname = nlnode1
}
client 1.2.3.4 {
secret = CHOOSE_YOUR_OWN
shortname = my_access_point
}
modules/ldap
This file contains the LDAP connection and filter information. You should add TLS information if your server does not run on localhost.
# -*- text -*-
ldap {
server = "127.0.0.1"
identity = "cn=user_with_read_access,dc=your-realm,dc=tld"
password = YOUR_SECRET
basedn = "dc=your-realm,dc=tld"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /dev/urandom
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
Server certificate
For the server certificate you can use a SSL certificate. The certificate should not be a wildcard certificate, but a domain or subdomain certificate (for example: CN = radius.bitlair.nl).
It is preferable that you use a certificate that is signed by a well-known Certificate Authority, this will make the client configuration a bit more easy.
You can use a free certificate from StartCom, but you will need to append the "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem) to your server.pem file otherwise the clients won't be able to verify the certificate properly.
Opening up the radius to the internet
Make sure you open up UDP and TCP ports 1812 and 1813 to the internet. This should be opened to every client configured in the clients.conf.
Testing authentications
It is convenient to use the eapol_test utility to test authentications against the local radius server using the key configured for localhost in clients.conf.
You can use it like:
./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN
The auth.conf should contain something like:
network={
ssid="spacenet"
key_mgmt=WPA-EAP
eap=PEAP
identity="username@your-realm.tld"
anonymous_identity="anonymous@your-realm.tld"
password="MY_SUPER_SECRET_PASSWORD"
phase2="auth=EAP-MSCHAPv2"
}
Configure your access points
Set up your access points to use WPA2 enterprise and point it to the IP of the radius server.
Also checkout Accesspoint config general.
Instruct your users
Instruct your users how to set up WPA2 enterprise, it is not hard, but there are a few rules:
- Always configure an anonymous identity as anonymous@your-realm.tld, this prevents others from seeing the real username and thus tracking.
- Always install the server certificate as CA on the clients or specify your server name and the CA that signed the certificate.