Configuration, Testing
EDUROAM WORKSHOP 2019
INTRODUCTION
WHAT IS FREERADIUS
WHO AM I?
WHAT DO I DO?
▸ This session is a practical session. Many sessions will contain practical work.
▸ You should all have a virtual machine running Ubuntu 18.04 Bionic Beaver.
▸ If you do not have an Ubuntu 18.04 virtual machine here, you should build one for the sessions tomorrow and run through the steps in this slide deck to configure it.
▸ Assistants will come round to record the IP address of your virtual machine and your institution's domain.
▸ Installing FreeRADIUS.
▸ Basic eduroam configuration.
▸ Generating test certificates and configuring test credentials.
▸ Building testing tools.
▸ Testing.
INSTALLATION
▸ Debugging command:
- /usr/sbin/freeradius -X
sudo -s
apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
apt-get update
# Format is deb http://packages.networkradius.com/(ubuntu|debian)-<version> <version> main
# Change the line below if you're not using bionic.
echo 'deb http://packages.networkradius.com/continuous/ubuntu-bionic bionic main' > /etc/apt/sources.list.d/freeradius.list
exit
INSTALLATION
▸ Debugging command:
- /usr/sbin/radiusd -X
sudo -s
gpg --keyserver keys.gnupg.net --recv-key 0x41382202
gpg --armor --export packages@networkradius.com > /etc/pki/rpm-gpg/packages.networkradius.com.gpg
# Note: gpgcheck=0 below means yum will not verify package signatures against the imported key
echo '[networkradius]
name=NetworkRADIUS-$releasever
baseurl=http://packages.networkradius.com/centos/$releasever/repo/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/packages.networkradius.com.gpg' > /etc/yum.repos.d/networkradius.repo
exit
INSTALLATION
sudo -s
rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
echo '[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/$releasever/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project' > /etc/yum.repos.d/ltb-project.repo
exit
INSTALLATION
MACOS - HOMEBREW
▸ Debugging command:
- /usr/local/bin/radiusd -X
▸ Main package - 'freeradius'. Contains the main binary (radiusd) and common modules.
sudo -s
apt-get install -y freeradius freeradius-utils freeradius-ldap make
# Setup symlinks to mask debian specific changes
# Remove any existing /etc/raddb symlink quietly (stderr must be redirected after stdout)
rm /etc/raddb > /dev/null 2>&1
test -e /etc/freeradius/3.0 && ln -s /etc/freeradius/3.0 /etc/raddb || ln -s /etc/freeradius /etc/raddb
test -e /usr/sbin/radiusd || ln -s /usr/sbin/freeradius /usr/sbin/radiusd
exit
CONFIGURATION
▸ We're going to modify the stock FreeRADIUS configuration to match the one in the guide.
▸ Note: when editing configuration files with a local, graphical text editor, access your cloud server over SFTP and save to it directly. Saving files straight to the server makes it much easier to test changes.
CONFIGURATION
VIRTUAL SERVERS
▸ For eduroam we use two virtual servers. Each virtual server performs a specific task.
▸ We have a default virtual server, which handles routing RADIUS packets and acts as the SP.
▸ We have an 'inner-tunnel' virtual server, which processes EAP packets and acts as the IdP.
CONFIGURATION
▸ At the top of the default virtual server, replace <your-instiutions-domain> with your institution's public web or email domain, e.g. uii.ac.id. DON'T JUST USE uii.ac.id (unless you're Andri).
▸ Replace <guest-vid> with the VLAN you'll use for foreign eduroam users coming to your site, or '100' if you don't have one.
▸ Replace <local-vid> with the VLAN you'll use for local students/staff, or '200' if you don't have one.
sudo -s
cp /dev/null /etc/raddb/sites-available/default
nano /etc/raddb/sites-available/default
CONFIGURATION
https://wiki.freeradius.org/guide/eduroam#configuration_the-inner-virtual-server_sites-available-inner-tunnel
cp /dev/null /etc/raddb/sites-available/inner-tunnel
nano /etc/raddb/sites-available/inner-tunnel
# Enable the inner-tunnel site if it isn't already linked (the check must look in sites-enabled, not sites-available)
test -e /etc/raddb/sites-enabled/inner-tunnel || ln -r -s /etc/raddb/sites-available/inner-tunnel /etc/raddb/sites-enabled/inner-tunnel
CONFIGURATION
https://wiki.freeradius.org/guide/eduroam#configuration_the-inner-virtual-server_mods-available-inner-eap
cp /dev/null /etc/raddb/mods-available/inner-eap
nano /etc/raddb/mods-available/inner-eap
test -e /etc/raddb/mods-enabled/inner-eap || ln -r -s /etc/raddb/mods-available/inner-eap /etc/raddb/mods-enabled/inner-eap
exit
CONFIGURATION
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-eap
cp /dev/null /etc/raddb/mods-available/eap
nano /etc/raddb/mods-available/eap
CONFIGURATION
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-linelog
cp /dev/null /etc/raddb/mods-available/linelog
nano /etc/raddb/mods-available/linelog
CONFIGURATION
cp /dev/null /etc/raddb/proxy.conf
nano /etc/raddb/proxy.conf
CONFIGURATION
▸ Comment out "client wireless_access_points_mgmt" and the next five lines. We'll set this later to be the IP of the Cisco access points.
cp /dev/null /etc/raddb/clients.conf
nano /etc/raddb/clients.conf
TEST DATA
CONFIGURATION
DIGITAL CERTIFICATES
▸ It's important for the supplicant to check the certificate, otherwise attackers can steal student/staff passwords.
CONFIGURATION
▸ For your deployment you should get 'real' digital certificates from a commercial certificate vendor.
sudo -s
# Generate the certificates for debian packages and fixup some certs permissions
cd /etc/raddb/certs && make
chown -R root:freerad /etc/raddb/certs/*
exit
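The slide above says the supplicant must check the server certificate; the settings that make an eapol_test/wpa_supplicant network block actually do so are ca_cert (chain validation) plus one of domain_match, domain_suffix_match, altsubject_match or subject_match (name check). The following checker is an added example, not part of the workshop deck or of FreeRADIUS: it parses a network block and reports which of those checks are missing. Both embedded configs are constructed; the SSID, realm, password, CA path and server name in them are placeholders (the CA path points at the ca.pem that the make step above generates).

```python
"""Audit an eapol_test / wpa_supplicant network block for server-certificate checks.
Added example; the two sample configs below are constructed, not workshop files."""
import re

# Typical first attempt at a test config: no ca_cert and no name check, so the
# supplicant accepts any certificate and a rogue server can terminate the TLS
# tunnel and read the inner PAP password.
WEAK_CONFIG = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="testuser@example.ac.id"
    anonymous_identity="anonymous@example.ac.id"
    password="example-password"
    phase2="auth=PAP"
}
"""

# Same block with the CA pinned and the server name constrained (placeholder values).
HARDENED_CONFIG = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="testuser@example.ac.id"
    anonymous_identity="anonymous@example.ac.id"
    password="example-password"
    phase2="auth=PAP"
    ca_cert="/etc/raddb/certs/ca.pem"
    domain_match="radius.example.ac.id"
}
"""

KEY_RE = re.compile(r'^\s*([A-Za-z_0-9]+)\s*=\s*"?([^"\n]*)"?\s*$')
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_network_block(text):
    """Return {key: value} for the first network={...} block, quotes stripped."""
    match = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in match.group(1).splitlines():
        key_match = KEY_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if key_match:
            settings[key_match.group(1)] = key_match.group(2)
    return settings


def audit_supplicant_config(text):
    """Return a list of findings; an empty list means the server certificate is
    chain-validated and name-checked before the inner credentials are released."""
    s = parse_network_block(text)
    findings = []
    if s.get("eap", "").upper() in ("TTLS", "PEAP"):
        if not s.get("ca_cert"):
            findings.append("no ca_cert: any certificate chain is accepted")
        if not any(s.get(k) for k in NAME_CHECKS):
            findings.append("no domain_match/domain_suffix_match/altsubject_match/"
                            "subject_match: any certificate signed by the CA is accepted")
    # eduroam routes on the realm of the outer identity, so it must carry one.
    outer = s.get("anonymous_identity") or s.get("identity", "")
    if outer and "@" not in outer:
        findings.append("outer identity has no @realm: eduroam cannot route the request")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_supplicant_config(cfg) or "OK")
```

Run it against your own ~/ttls-pap.conf by reading the file into audit_supplicant_config; with the stock test certificates the name you give domain_match must be the one in the server certificate's subject, not the host's DNS name.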
CONFIGURATION
TEST CREDENTIALS
CHECK IT WORKS!
▸ For testing we can send RADIUS packets to port 18120 (bound to the inner-tunnel server).
RADTEST
CHECK IT WORKS!
BUILDING EAPOL_TEST
▸ If radtest fails, then the problem is with the user directory or the inner-tunnel virtual server.
EAPOL_TEST
[Diagram: eapol_test flow; labels on the figure: EAP, EAP-TLS, Diameter, PAP/EAP-GTC, LDAP, EAPOL, RADIUS]
▸ Copy one of the default config files from the FreeRADIUS source dir (src/tests/eapol_test/ttls-pap.conf) to your home directory.
cp ~/freeradius-server/src/tests/eapol_test/ttls-pap.conf ~/ttls-pap.conf
nano ~/ttls-pap.conf
EAPOL_TEST
CHECK IT WORKS!