<h2>Apply for a realm</h2>

You can apply for a realm by [[Contact|contacting]] us. You will need to prove that you are on the board of your local hackerspace, so we'll only reply to realm-admin@yourrealm.tld.

Also send us the public IPv4 address of your home server; we'll make sure your realm gets added to Spacenet and generate a secret for communication between the RADIUS servers. We will also give you an account on the test realm to test authentications. <strong>Make sure that you remain reachable at this address when the realm is live, as root servers and delegations may need updating from time to time.</strong>

If you wish to apply for a top-level delegation for your country, you must sign up at least 5 hackerspaces in your country and establish a website where your local hackerspaces can apply for realms in your delegated space.

<h2>Install Debian on a (virtual) machine</h2>

The specifics fall outside the scope of this document. If you need help with this, contact us about using a hosted SSO package, as the rest of this howto assumes it as a basic skill.

<h2>Setting up FreeRADIUS</h2>

<h3>The basics</h3>

FreeRADIUS basically works as an authentication server and authentication proxy. On top of RADIUS several EAP methods are implemented, and these should be used. To support Windows clients natively it is beneficial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible; just specify it in the tls block in eap.conf.

<strong>It is always important to verify the certificate on the clients to prevent a man-in-the-middle attack!</strong>

<h3>The conffiles</h3>

<h4>Overview</h4>

You need the following configuration files.

<ul>
<li>eap.conf</li>
<li>sites-enabled/default</li>
<li>sites-enabled/inner-tunnel</li>
<li>proxy.conf</li>
<li>clients.conf</li>
<li>modules/ldap</li>
</ul>

We also recommend setting up an OpenLDAP server, as you're going to need this for SAML and likely Kerberos later as well. These configuration files are written for an OpenLDAP server; if you expressly do not want to do this, replace 'ldap' with 'files' in the configuration files.

<h4>eap.conf</h4>

This file configures the <strong>local</strong> EAP types and certificates.

<pre>
# -*- text -*-
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096

    # Server certificate and CA used for the outer TLS tunnel (TTLS/PEAP)
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        private_key_password =
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        CA_path = ${cadir}
    }
    # The inner authentication is handed to the "inner-tunnel" virtual server
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
</pre>

<h4>sites-enabled/default</h4>

This file configures the initial, unencrypted (outer) RADIUS session. It is important to reject requests without a realm; otherwise such a request would be forwarded on and the user could run into trouble at another realm.

<pre>
# -*- text -*-
authorize {
    preprocess

    # Split user@realm into Stripped-User-Name and Realm
    suffix
    # Never forward a realm-less request
    if (Realm == NULL) {
        update reply {
            Reply-Message := "Please specify a realm to authenticate with."
        }
        reject
    }

    eap
}

authenticate {
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    detail
    radutmp
    exec
    attr_filter.accounting_response
}

session {
    radutmp
}

post-proxy {
    if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
        # Overwrite the VLAN tag and filter untrusted attributes
        # "!* ANY" to remove the tag or ":=" to overwrite
        update proxy-reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "xx"
            Session-Timeout !* ANY
            Aruba-User-Role !* ANY
            Aruba-User-VLAN !* ANY
        }

        # Add the realm if upstream does not provide it
        # Also provides security if upstream fakes a realm
        if ("%{request:User-Name}" =~ /@(.+)$/) {
            if ("%{proxy-reply:User-Name}" != "" && "%{proxy-reply:User-Name}" !~ /@%{1}$/) {
                update proxy-reply {
                    User-Name := "%{proxy-reply:User-Name}@%{1}"
                }
            }
        }
    }
    eap
}
</pre>

<h4>sites-enabled/inner-tunnel</h4>

This virtual server handles the inner (tunneled) authentication for EAP-TTLS and PEAP, as referenced from eap.conf.

<pre>
# -*- text -*-
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        suffix
        # Only users of our own realm may authenticate through this server
        if (Realm != "your-realm.tld") {
            reject
        }
        pap
        mschap
        eap
        ldap

        expiration
        logintime
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
        ldap
    }
    session {
        radutmp
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }

        # Only leak our real usernames and VLAN tags to your own access points
        if (NAS-IP-Address == "xxx.xxx.xxx.xxx") {
            # Make sure we always include '@your-realm.tld' in the reply
            if ("%{request:User-Name}" !~ /@your-realm.tld$/) {
                update reply {
                    User-Name := "%{request:User-Name}@your-realm.tld"
                }
            }
            else {
                update reply {
                    User-Name := "%{request:User-Name}"
                }
            }
        }
        else {
            update reply {
                User-Name := "anonymous@your-realm.tld"
            }
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
</pre>
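The User-Name decisions made by the unlang in sites-enabled/default (reject realm-less requests, re-append the realm to a proxied Access-Accept) and in sites-enabled/inner-tunnel (hand the real identity only to your own access points) are easy to get subtly wrong. The following is an added example, not part of this howto or of FreeRADIUS: it re-implements those decisions in plain Python so the edge cases can be exercised offline. LOCAL_REALM, OWN_NAS and every sample identity are constructed placeholders that mirror the ones used in the configuration above.

```python
"""Model of the User-Name handling in sites-enabled/default and
sites-enabled/inner-tunnel (added example, not the howto's own code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "your-realm.tld"      # placeholder, as in the howto
OWN_NAS = "xxx.xxx.xxx.xxx"         # placeholder for our own access point
ANONYMOUS = "anonymous@" + LOCAL_REALM
NO_REALM_MESSAGE = "Please specify a realm to authenticate with."


@dataclass
class Decision:
    action: str                            # "reject", "local" or "proxy"
    reply_user_name: Optional[str] = None  # User-Name the NAS will receive
    reply_message: Optional[str] = None


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """What the 'suffix' module does: split user@realm on the last '@'.
    Returns (Stripped-User-Name, Realm); Realm is None for the NULL realm."""
    if "@" not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit("@", 1)
    return stripped, realm or None


def outer_authorize(user_name: str) -> Decision:
    """sites-enabled/default, authorize: reject realm-less requests, keep our
    own realm local, send everything else to realm DEFAULT (the root pool)."""
    _, realm = split_realm(user_name)
    if realm is None:
        return Decision("reject", reply_message=NO_REALM_MESSAGE)
    if realm == LOCAL_REALM:
        return Decision("local")
    return Decision("proxy")


def inner_post_auth(inner_user_name: str, nas_ip: str) -> str:
    """sites-enabled/inner-tunnel, post-auth: the real identity (always with
    @LOCAL_REALM) goes only to our own NAS; every other NAS gets the anonymous
    identity, so foreign access points cannot track our users."""
    if nas_ip != OWN_NAS:
        return ANONYMOUS
    if not inner_user_name.endswith("@" + LOCAL_REALM):
        return inner_user_name + "@" + LOCAL_REALM
    return inner_user_name


def post_proxy_user_name(request_user_name: str, proxy_reply_user_name: str) -> str:
    """sites-enabled/default, post-proxy: the User-Name in a proxied
    Access-Accept must end in the realm the request was sent for; the realm is
    appended when upstream omitted it or returned some other realm.
    (re.escape makes the dots literal; the unlang regex leaves them unescaped.)"""
    m = re.search(r"@(.+)$", request_user_name)
    if m is None or proxy_reply_user_name == "":
        return proxy_reply_user_name
    realm = m.group(1)
    if re.search("@" + re.escape(realm) + "$", proxy_reply_user_name) is None:
        return proxy_reply_user_name + "@" + realm
    return proxy_reply_user_name


def reply_user_name(outer_user_name: str, inner_user_name: str, nas_ip: str,
                    upstream_reply_user_name: str = "") -> Decision:
    """Drive one authentication through the whole model."""
    decision = outer_authorize(outer_user_name)
    if decision.action == "reject":
        return decision
    if decision.action == "local":
        # inner-tunnel authorize: only our own realm may authenticate here
        _, inner_realm = split_realm(inner_user_name)
        if inner_realm != LOCAL_REALM:
            return Decision("reject")
        return Decision("local", reply_user_name=inner_post_auth(inner_user_name, nas_ip))
    return Decision("proxy", reply_user_name=post_proxy_user_name(
        outer_user_name, upstream_reply_user_name))


if __name__ == "__main__":
    for case in [("alice", "alice", OWN_NAS),
                 ("anonymous@your-realm.tld", "alice@your-realm.tld", OWN_NAS),
                 ("anonymous@your-realm.tld", "alice@your-realm.tld", "10.0.0.5"),
                 ("bob@other.tld", "bob@other.tld", OWN_NAS, "bob")]:
        print(case, "->", reply_user_name(*case))
```

Note how an upstream reply of "bob@evil.tld" for a request to other.tld becomes "bob@evil.tld@other.tld": the realm you proxied to is always the last one in the name, which is the property the comment "also provides security if upstream fakes a realm" refers to.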

<h4>proxy.conf</h4>

This file defines the root node(s) that foreign realms are proxied to and declares your own realm as local.

<pre>
# -*- text -*-

proxy server {
    default_fallback = no
}

home_server nlnode1.spacefed.net {
    type = auth+acct
    ipaddr = 194.171.96.99
    port = 1812
    secret = YOUR_SUPPLIED_SECRET
    require_message_authenticator = yes
    response_window = 5
    zombie_period = 60
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    coa {
        # Initial retransmit interval: 1..5
        irt = 2

        # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
        mrt = 16

        # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
        mrc = 5

        # Maximum Retransmit Duration: 5..60
        mrd = 30
    }
}

home_server_pool root_pool {
    type = client-balance

    # The members of the root delegation pool
    home_server = nlnode1.spacefed.net
    # home_server = ...
}

# Your realm should be local
realm your-realm.tld {
}

# These realms should always be handled locally
realm LOCAL {
}
realm NULL {
}

# Everything else goes to the root delegation pool
realm DEFAULT {
    nostrip
    auth_pool = root_pool
}
</pre>

<h4>clients.conf</h4>

This file configures all inbound connections, including those from the root nodes.

<pre>
# -*- text -*-
client localhost {
    ipaddr = 127.0.0.1
    secret = CHOOSE_YOUR_OWN
    require_message_authenticator = no
    nastype = other
}
# The root node that proxies foreign users to us
client 194.171.96.99 {
    secret = YOUR_SUPPLIED_SECRET
    shortname = nlnode1
}
# One block per access point
client 1.2.3.4 {
    secret = CHOOSE_YOUR_OWN
    shortname = my_access_point
}
</pre>

<h4>modules/ldap</h4>

This file contains the LDAP connection and filter information. You should add TLS information if your LDAP server does not run on localhost.

<pre>
# -*- text -*-
ldap {
    server = "127.0.0.1"
    identity = "cn=user_with_read_access,dc=your-realm,dc=tld"
    password = YOUR_SECRET
    basedn = "dc=your-realm,dc=tld"
    # Look the user up by the realm-stripped name, falling back to the full User-Name
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    #base_filter = "(objectclass=radiusprofile)"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
        # cacertfile = /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile = /path/to/radius.crt
        # keyfile = /path/to/radius.key
        # randfile = /dev/urandom
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}
</pre>

<h2>Server certificate</h2>

For the server certificate you can use an SSL certificate. The certificate should not be a wildcard certificate, but a domain or subdomain certificate (for example: CN = radius.bitlair.nl).

It is preferable to use a certificate signed by a well-known Certificate Authority; this makes the client configuration a bit easier.

You can use a free certificate from StartCom, but you will need to append the "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem) to your server.pem file, otherwise the clients won't be able to verify the certificate properly.

<h2>Opening up the radius to the internet</h2>

Make sure you open up UDP and TCP ports 1812 and 1813 to the internet. These should be opened for every client configured in clients.conf.

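The shared secret is the only thing that authenticates a RADIUS peer, so before opening ports 1812 and 1813 it is worth checking that no client still carries a placeholder secret and that the firewall only admits the peers listed in clients.conf. The following is an added example, not part of this howto or of FreeRADIUS: a minimal parser for the `client NAME { key = value }` blocks shown above that flags weak secrets and emits one firewall rule per client. The nftables rule syntax is an assumption about the host firewall; the sample clients.conf, the placeholder names and the 16-character minimum are constructed for the example.

```python
"""Derive the RADIUS firewall allow-list from clients.conf
(added example, not the howto's own code)."""
import re
from typing import Dict, List

# Constructed sample, mirroring the howto's clients.conf
SAMPLE_CLIENTS_CONF = """
# -*- text -*-
client localhost {
    ipaddr = 127.0.0.1
    secret = CHOOSE_YOUR_OWN
    require_message_authenticator = no
    nastype = other
}
client 194.171.96.99 {
    secret = YOUR_SUPPLIED_SECRET
    shortname = nlnode1
}
client 1.2.3.4 {
    secret = s3cret
    shortname = my_access_point
}
"""

# Secrets that are obviously still the howto's placeholders or a stock default
PLACEHOLDER_SECRETS = {"CHOOSE_YOUR_OWN", "YOUR_SUPPLIED_SECRET", "testing123"}
MIN_SECRET_LEN = 16                 # policy choice for this example
RADIUS_PORTS = (1812, 1813)         # auth and accounting, both opened in the howto

_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", re.M)


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Return {client_name: {key: value}} for every client block.
    '#' comments are stripped first. ipaddr defaults to the block name,
    which is how FreeRADIUS reads `client 1.2.3.4 { ... }`."""
    text = re.sub(r"#.*", "", text)
    clients: Dict[str, Dict[str, str]] = {}
    for name, body in _BLOCK.findall(text):
        settings = {key: value.strip('"') for key, value in _KV.findall(body)}
        settings.setdefault("ipaddr", name)
        clients[name] = settings
    return clients


def weak_secrets(clients: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of clients whose shared secret is a placeholder, missing or short."""
    return [name for name, settings in clients.items()
            if settings.get("secret", "") in PLACEHOLDER_SECRETS
            or len(settings.get("secret", "")) < MIN_SECRET_LEN]


def firewall_rules(clients: Dict[str, Dict[str, str]]) -> List[str]:
    """nftables 'add rule' lines (assumed syntax) accepting RADIUS only from
    the configured clients. Loopback peers need no inbound rule."""
    ports = ", ".join(str(port) for port in RADIUS_PORTS)
    rules = []
    for settings in clients.values():
        ip = settings["ipaddr"]
        if ip.startswith("127."):
            continue
        for proto in ("udp", "tcp"):
            rules.append(f"add rule inet filter input ip saddr {ip} "
                         f"{proto} dport {{ {ports} }} accept")
    return rules


if __name__ == "__main__":
    parsed = parse_clients(SAMPLE_CLIENTS_CONF)
    for name in weak_secrets(parsed):
        print(f"WARNING: client {name} has a placeholder or short secret")
    print("\n".join(firewall_rules(parsed)))
```

Run it against your real clients.conf instead of the embedded sample; an empty result from weak_secrets and a rule per non-loopback client is what you want to see before the server goes live.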
<h2>Testing authentications</h2>

It is convenient to use the eapol_test utility to test authentications against the local RADIUS server, using the secret configured for localhost in clients.conf.

You can use it like:<br>
<code>./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN</code>

The auth.conf should contain something like:

<pre>
network={
    ssid="spacenet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username@your-realm.tld"
    anonymous_identity="anonymous@your-realm.tld"
    password="MY_SUPER_SECRET_PASSWORD"
    phase2="auth=EAP-MSCHAPv2"
}
</pre>

<h2>Configure your access points</h2>

Set up your access points to use WPA2 Enterprise and point them to the IP of the RADIUS server.

Also check out [[Howto/Spacenet/Accesspoint config general|Accesspoint config general]].

<h2>Instruct your users</h2>

Instruct your users how to set up WPA2 Enterprise. It is not hard, but there are a few rules:

<ul>
<li>Always configure the anonymous identity as anonymous@your-realm.tld; this prevents others from seeing the real username and thus tracking the user.</li>
<li>Always install the server certificate as CA on the clients, or specify your server name and the CA that signed the certificate.</li>
</ul>
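The two rules above can be checked mechanically on a wpa_supplicant network block like the auth.conf used for eapol_test. The following is an added example, not from this howto or from wpa_supplicant: it parses such a block and reports whether the anonymous identity is anonymous@&lt;realm&gt; for the same realm as the real identity, and whether the server certificate is verified. For the certificate rule it looks for ca_cert and domain_suffix_match, both real wpa_supplicant options; since the file cannot tell whether ca_cert points to a public CA or to the pinned server certificate itself, a missing domain_suffix_match is reported as its own finding. The two sample blocks, the realm and the file paths are constructed.

```python
"""Check a wpa_supplicant network block against the Spacenet user rules
(added example, not the howto's own code)."""
import re
from typing import Dict, List

# Constructed sample: the block from the howto, which verifies no certificate
HOWTO_BLOCK = """
network={
    ssid="spacenet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username@your-realm.tld"
    anonymous_identity="anonymous@your-realm.tld"
    password="MY_SUPER_SECRET_PASSWORD"
    phase2="auth=EAP-MSCHAPv2"
}
"""

# Constructed sample: the same block with the certificate rule satisfied
HARDENED_BLOCK = """
network={
    ssid="spacenet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username@your-realm.tld"
    anonymous_identity="anonymous@your-realm.tld"
    password="MY_SUPER_SECRET_PASSWORD"
    phase2="auth=EAP-MSCHAPv2"
    ca_cert="/etc/ssl/certs/spacenet-ca.pem"
    domain_suffix_match="radius.your-realm.tld"
}
"""

# key=value or key="value", one per line
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)


def parse_network_block(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the first network={...} block."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no network={...} block found")
    return dict(_KV.findall(m.group(1)))


def check_identities(cfg: Dict[str, str]) -> List[str]:
    """Rule 1: anonymous_identity must be anonymous@<realm of identity>, so
    the outer (cleartext) identity never reveals the real username."""
    identity = cfg.get("identity", "")
    if "@" not in identity:
        return ["identity must be of the form user@realm"]
    expected = "anonymous@" + identity.rsplit("@", 1)[1]
    if cfg.get("anonymous_identity") != expected:
        return ["anonymous_identity must be " + expected]
    return []


def check_certificate(cfg: Dict[str, str]) -> List[str]:
    """Rule 2: the server certificate must be verified. Without ca_cert the
    supplicant accepts any server, which is the man-in-the-middle case the
    howto warns about; without domain_suffix_match any certificate from that
    CA is accepted unless ca_cert is the server certificate itself."""
    problems = []
    if not cfg.get("ca_cert"):
        problems.append("ca_cert missing: the server certificate is not verified")
    if not cfg.get("domain_suffix_match"):
        problems.append("domain_suffix_match missing: required unless ca_cert "
                        "is the server certificate itself")
    return problems


def check_network_block(text: str) -> List[str]:
    """All rule violations for one block; an empty list means it passes."""
    cfg = parse_network_block(text)
    return check_identities(cfg) + check_certificate(cfg)


if __name__ == "__main__":
    for label, block in (("howto", HOWTO_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(label, "->", check_network_block(block) or "ok")
```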

[[Category:Howto/Spacenet]]