
Installation, Configuration, Testing
EDUROAM WORKSHOP 2019

INTRODUCTION

WHAT IS FREERADIUS

▸ Started in 1999 by Miquel Van Smoorenburg and Alan DeKok
▸ The world's most widely deployed Open Source RADIUS server. http://www.freeradius.org
▸ Glues AAA services to backends e.g. 802.1X/EAP to Active Directory.
▸ Routes AAA authentication sessions between members of federations like Eduroam.
▸ Adds intelligence to dumb protocols, using flexible policies.

WHO AM I?

▸ Arran Cudbard-Bell (@arr2036)
▸ Principal architect for the FreeRADIUS project
▸ Mercenary at Network RADIUS
▸ Director RM-RF LTD
▸ IETF Note Taker (RADEXT - Soon to be defunct, boo)
▸ Janet 802.1X SIG member

WHAT DO I DO?

▸ I write lots of code. Mainly C. Now mainly async C.
▸ Core architecture
▸ API design/rework
▸ Lots of modules, EAP methods, drivers
▸ I design highly scalable fault tolerant AAA solutions for Universities, Enterprises, Telcos and Medium/Large ISPs.
▸ Community/social outreach for the FreeRADIUS project.

THIS SESSION

SERVERS FOR PRACTICAL WORK

▸ This session is a practical session. Many sessions will contain practical work.
▸ You should all have a virtual machine running Ubuntu 18.04 Bionic Beaver.
▸ If you do not have an Ubuntu 18.04 virtual machine here, you should build one for the sessions tomorrow and run through the steps in this slide deck to configure it.
▸ Your virtual machine's network interface MUST be in bridge mode.
▸ Assistants will come round to record the IP address of your virtual machine and your institution's domain.
▸ This information will be added to our local test eduroam server.

WHAT WE'RE GOING TO COVER

▸ Installing FreeRADIUS.
▸ Basic eduroam configuration.
▸ Generating test certificates and configuring test credentials.
▸ Building testing tools.
▸ Testing.
INSTALLATION

LINUX (DEBIAN/UBUNTU) - PRE-BUILT PACKAGES

▸ NetworkRADIUS pre-built packages [https://packages.networkradius.com/]
▸ Available for stable v3.0.x releases
▸ Config directory:
- /etc/freeradius
▸ Debugging command:
- /usr/sbin/freeradius -X

sudo -s
apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
# Format is deb http://packages.networkradius.com/(ubuntu|debian)-<version> <version> main
# Change the line below if you're not using bionic.
echo 'deb http://packages.networkradius.com/continuous/ubuntu-bionic bionic main' > /etc/apt/sources.list.d/freeradius.list
# Refresh the package index after adding the repository, otherwise apt won't see the new packages
apt-get update
exit

LINUX (RHEL/CENTOS) - 1/2 PRE-BUILT PACKAGES


▸ NetworkRADIUS pre-built packages [https://packages.networkradius.com/]
▸ Available for stable v3.0.x releases
▸ Config directory:
- /etc/raddb
▸ Debugging command:
- /usr/sbin/radiusd -X

sudo -s
gpg --keyserver keys.gnupg.net --recv-key 0x41382202
gpg --armor --export packages@networkradius.com > /etc/pki/rpm-gpg/packages.networkradius.com.gpg
echo '[networkradius]
name=NetworkRADIUS-$releasever
baseurl=http://packages.networkradius.com/centos/$releasever/repo/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/packages.networkradius.com.gpg' > /etc/yum.repos.d/networkradius.repo
exit
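The repo file above imports a signing key but then sets gpgcheck=0, so yum will install whatever the mirror (fetched over plain http) serves, signed or not. The following shell functions are an added example, not part of the workshop slides or the NetworkRADIUS packaging: the first audits any .repo file for sections that disable signature checking, the second writes the same networkradius repo definition with gpgcheck=1. The file paths passed in when testing are constructed.

```shell
# Added example (not from the slides): audit yum/dnf repo files for sections
# that disable package signature checking, and show the hardened form.

# Print the name of every [section] in a .repo file that has gpgcheck=0.
# $1 = path to a .repo file
repos_without_gpgcheck() {
    awk '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$/ { print section }
    ' "$1"
}

# Return 0 if every section in the file has signature checking on, 1 otherwise.
# $1 = path to a .repo file
repo_file_ok() {
    [ -z "$(repos_without_gpgcheck "$1")" ]
}

# Write a hardened version of the deck's networkradius.repo: same baseurl and
# key file, but gpgcheck=1 so yum refuses packages not signed by the imported key.
# $1 = destination path
write_hardened_networkradius_repo() {
    cat > "$1" <<'EOF'
[networkradius]
name=NetworkRADIUS-$releasever
baseurl=http://packages.networkradius.com/centos/$releasever/repo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/packages.networkradius.com.gpg
EOF
}
```

Run `repos_without_gpgcheck /etc/yum.repos.d/networkradius.repo` after following the slide and it prints `networkradius`; after `write_hardened_networkradius_repo /etc/yum.repos.d/networkradius.repo` it prints nothing. If the hardened file makes `yum install` fail with a signature error, the packages on the mirror are not signed with the key you imported, which is exactly the condition gpgcheck=0 would have hidden.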

LINUX (RHEL/CENTOS) - 2/2 OPENLDAP LTB

▸ OpenLDAP LTB repo must also be available.
▸ NetworkRADIUS packages have a hard dependency on it.
▸ Fixes crypto library conflicts (OpenSSL vs NSS).

sudo -s
rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
echo '[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/$releasever/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project' > /etc/yum.repos.d/ltb-project.repo
exit

MACOS - HOMEBREW

▸ Homebrew for macOS [https://brew.sh]
▸ Available for stable v3.0.x releases
▸ Config directory:
- /usr/local/etc/raddb
▸ Debugging command:
- /usr/local/bin/radiusd -X

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install freeradius-server
brew link freeradius-server || brew link --overwrite freeradius-server

PACKAGES WE'RE USING TODAY

▸ Main package - 'freeradius'. Contains the main binary (radiusd) and common modules.
▸ ...a few extras.
▸ freeradius-utils - Utilities like radclient (for testing), radsniff (for debugging).
▸ freeradius-ldap - LDAP interface module.

sudo -s
apt-get install -y freeradius freeradius-utils freeradius-ldap make
# Setup symlinks to mask debian specific changes.
# Redirect stdout before stderr, otherwise the "no such file" error still reaches the terminal.
rm -f /etc/raddb > /dev/null 2>&1
test -e /etc/freeradius/3.0 && ln -s /etc/freeradius/3.0 /etc/raddb || ln -s /etc/freeradius /etc/raddb
test -e /usr/sbin/radiusd || ln -s /usr/sbin/freeradius /usr/sbin/radiusd
exit

CONFIGURATION

DEPLOYING THE STOCK EDUROAM CONFIGURATION

▸ A basic eduroam configuration is available at [https://wiki.freeradius.org/guide/eduroam].
▸ We're going to modify the stock FreeRADIUS configuration to match the one in the guide.
▸ Note: When editing configuration files, if you're using a local, graphical text editor, you should access your cloud server using SFTP and save to it directly. Saving files to the server directly makes it much easier to test changes.

VIRTUAL SERVERS

▸ For eduroam we use two virtual servers. Virtual servers perform specific tasks.
▸ We have a 'default' virtual server, which handles routing RADIUS packets, and acts as the SP.
▸ We have an 'inner-tunnel' virtual server, which processes EAP packets, and acts as the IdP.

PREPARING THE 'DEFAULT' VIRTUAL SERVER

▸ Clear the existing '/etc/raddb/sites-available/default' file.
▸ Copy the contents of the text box at the link below into '/etc/raddb/sites-available/default'
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_sites-available-default
▸ At the top of the default virtual server, replace <your-institutions-domain> with your institution's public web or email domain e.g. uii.ac.id. DON'T JUST USE uii.ac.id (Unless you're Andri).
▸ Replace <guest-vid> with the VLAN you'll use for foreign eduroam users coming to your site, or '100' if you don't have one.
▸ Replace <local-vid> with the VLAN you'll use for local students/staff, or '200' if you don't have one.

sudo -s
cp /dev/null /etc/raddb/sites-available/default
nano /etc/raddb/sites-available/default

PREPARING THE 'INNER-TUNNEL' VIRTUAL SERVER

▸ Clear the existing '/etc/raddb/sites-available/inner-tunnel' file.
▸ Copy the contents of the text box at the link below into '/etc/raddb/sites-available/inner-tunnel'
https://wiki.freeradius.org/guide/eduroam#configuration_the-inner-virtual-server_sites-available-inner-tunnel
▸ Make a symlink from '/etc/raddb/sites-available/inner-tunnel' to '/etc/raddb/sites-enabled/inner-tunnel' (if it doesn't already exist).

cp /dev/null /etc/raddb/sites-available/inner-tunnel
nano /etc/raddb/sites-available/inner-tunnel
# Test for the link in sites-enabled; the file in sites-available always exists at this point
test -e /etc/raddb/sites-enabled/inner-tunnel || ln -r -s /etc/raddb/sites-available/inner-tunnel /etc/raddb/sites-enabled/inner-tunnel

PREPARING THE 'INNER' EAP MODULE CONFIG

▸ Clear the existing '/etc/raddb/mods-available/inner-eap' file.
▸ Copy the contents of the text box at the link below into '/etc/raddb/mods-available/inner-eap'
https://wiki.freeradius.org/guide/eduroam#configuration_the-inner-virtual-server_mods-available-inner-eap

cp /dev/null /etc/raddb/mods-available/inner-eap
nano /etc/raddb/mods-available/inner-eap
test -e /etc/raddb/mods-enabled/inner-eap || ln -r -s /etc/raddb/mods-available/inner-eap /etc/raddb/mods-enabled/inner-eap
# Stay in the root shell: the remaining config files also live under /etc/raddb

PREPARING THE 'OUTER' EAP MODULE CONFIG

▸ Clear the existing '/etc/raddb/mods-available/eap' file.
▸ Copy the contents of the text box at the link below into '/etc/raddb/mods-available/eap'
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-eap

cp /dev/null /etc/raddb/mods-available/eap
nano /etc/raddb/mods-available/eap

PREPARING THE LOGGING MODULE CONFIG

▸ Clear the existing '/etc/raddb/mods-available/linelog' file.
▸ Copy the contents of the text box at the link below into '/etc/raddb/mods-available/linelog'
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-linelog

cp /dev/null /etc/raddb/mods-available/linelog
nano /etc/raddb/mods-available/linelog

PREPARING THE PROXY CONFIGURATION FILE

▸ Clear the existing '/etc/raddb/proxy.conf'.
▸ Copy the contents of the text box at the link below into '/etc/raddb/proxy.conf'
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_proxy-conf
▸ Replace <ip-address> with our local eduroam test server '36.66.7.251'
▸ Replace <secret> with 'jangantanyasaya'

cp /dev/null /etc/raddb/proxy.conf
nano /etc/raddb/proxy.conf

PREPARING THE CLIENTS.CONF CONFIGURATION FILE

▸ Clear the existing '/etc/raddb/clients.conf'.
▸ Copy the contents of the text box at the link below into '/etc/raddb/clients.conf'
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_clients-conf
▸ Replace <ip-address> with our local eduroam test server '36.66.7.251'
▸ Replace <secret> with 'jangantanyasaya'
▸ Comment out "client wireless_access_points_mgmt" and the next five lines. We'll set this later to be the IP of the Cisco access points.

cp /dev/null /etc/raddb/clients.conf
nano /etc/raddb/clients.conf
# Leave the root shell opened for the virtual server and module edits
exit

TEST DATA

DIGITAL CERTIFICATES

▸ When a supplicant connects, the IdP sends over a digital certificate.
▸ The certificate proves the IdP is run by the user's organisation.
▸ This certificate must be checked by the supplicant before it sends credentials.
▸ It's important for the supplicant to check the certificate, otherwise attackers can steal student/staff passwords.

GENERATING TEST CERTIFICATES

▸ For your deployment you should get 'real' digital certificates from a commercial certificate vendor.
▸ ...but for testing, we can generate some temporary certificates.
▸ DO NOT USE TEST CERTIFICATES IN PRODUCTION DEPLOYMENTS. They will expire in 3 months after today, and will no longer work.
sudo -s
# Generate the certificates for debian packages and fixup some certs permissions
cd /etc/raddb/certs && make
chown -R root:freerad /etc/raddb/certs/*
exit
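Because the certificates generated by 'make' are short-lived, an EAP setup that worked in the workshop will silently start rejecting every user once they lapse. The functions below are an added example, not part of the slides or the FreeRADIUS certs Makefile: they use openssl's -checkend to report how close a PEM certificate is to expiry. They assume OpenSSL is installed, default to the deck's /etc/raddb/certs directory, and use the ca.pem / server.pem file names that directory's Makefile produces.

```shell
# Added example (not from the slides): warn when a certificate is about to expire.
# Assumes the openssl command line tool is available.

# Return 0 if the certificate is still valid for at least $2 more days,
# 1 if it expires sooner (or has already expired).
# $1 = PEM certificate path, $2 = number of days
cert_valid_for_days() {
    seconds=$(( $2 * 86400 ))
    # -checkend exits 0 when the cert is still valid at now+seconds, 1 otherwise
    openssl x509 -in "$1" -noout -checkend "$seconds" > /dev/null 2>&1
}

# Human-readable report for one certificate; exit status mirrors cert_valid_for_days.
# $1 = PEM certificate path, $2 = warning window in days
cert_check() {
    expiry=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    if cert_valid_for_days "$1" "$2"; then
        echo "OK: $1 valid until $expiry"
        return 0
    fi
    echo "WARNING: $1 expires within $2 days (notAfter $expiry)" >&2
    return 1
}

# Check the certificates the server presents (server.pem) and trusts (ca.pem).
# $1 = certs directory, defaults to the deck's /etc/raddb/certs
check_raddb_certs() {
    dir="${1:-/etc/raddb/certs}"
    rc=0
    for c in "$dir"/server.pem "$dir"/ca.pem; do
        [ -f "$c" ] || continue
        cert_check "$c" 30 || rc=1
    done
    return $rc
}
```

Running `check_raddb_certs` from cron with a 30 day window gives you a warning before, rather than after, the test certificates expire; the same check applies to the commercial certificate you install later.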

TEST CREDENTIALS

▸ In your final configuration, you will link FreeRADIUS to OpenLDAP, or another User Directory at your site.
▸ For testing we will set up some local credentials on your IdP.
▸ YOU MUST DISABLE THESE CREDENTIALS BEFORE MOVING THE SERVERS TO PRODUCTION

sudo -s
# Allow any username, with the password 'gantisaya'
echo "DEFAULT Cleartext-Password := 'gantisaya'" > /etc/raddb/mods-config/files/authorize
exit
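That DEFAULT entry accepts any username with one shared password, which is why the slide says to disable it before production. The shell functions below are an added example, not from the slides or FreeRADIUS itself: they find active DEFAULT Cleartext-Password entries in the files module's authorize file and comment them out with a visible marker. The path defaults to the deck's /etc/raddb/mods-config/files/authorize; the marker text is constructed.

```shell
# Added example (not from the slides): locate and disable the catch-all test
# credential in the 'files' module config before a server goes live.

# Print active (uncommented) DEFAULT entries that set a cleartext password.
# $1 = authorize file
list_default_cleartext() {
    grep -n -E '^[[:space:]]*DEFAULT[[:space:]]+Cleartext-Password' "$1" || true
}

# Return 0 if the file contains no such entries, 1 otherwise.
# $1 = authorize file
authorize_is_clean() {
    [ -z "$(list_default_cleartext "$1")" ]
}

# Comment out every active DEFAULT Cleartext-Password entry in place, leaving a
# marker so the change is obvious on later review. Prints the number disabled.
# $1 = authorize file
disable_default_cleartext() {
    count=$(list_default_cleartext "$1" | wc -l | tr -d ' ')
    sed -i -E 's/^([[:space:]]*)(DEFAULT[[:space:]]+Cleartext-Password.*)$/\1# DISABLED-BEFORE-PRODUCTION \2/' "$1"
    echo "$count"
}

# Convenience wrapper using the deck's default path.
disable_workshop_credentials() {
    disable_default_cleartext "${1:-/etc/raddb/mods-config/files/authorize}"
}
```

Run `disable_workshop_credentials` as root and then restart the server (or run radiusd -X) so the files module re-reads authorize; `authorize_is_clean /etc/raddb/mods-config/files/authorize` is a cheap pre-production check to add to a deployment script.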

CHECK IT WORKS!

▸ First stop/disable FreeRADIUS so it doesn't run as a background process.
▸ Then start the server in debug mode (stop with Ctrl + C).

# You can re-enable it later with: sudo systemctl enable freeradius
sudo systemctl disable freeradius
sudo systemctl stop freeradius
radiusd -X
...
Listening on auth address * port 18120 bound to server eduroam-inner
Listening on auth address * port 1812 bound to server eduroam
Listening on proxy address * port 38628
Ready to process requests
Ctrl + C

RADTEST

WHEN TO USE RADTEST

▸ radtest is bundled with FreeRADIUS
▸ It can be used to check FreeRADIUS can talk to the user directory.
▸ If a user can't connect to the wireless network, try their credentials with radtest first, to make sure that they're correct before any more complex debugging.
▸ radtest is simple, it doesn't need any configuration, everything is done with the command line.
▸ For testing we can send RADIUS packets to port 18120 (bound to the inner-tunnel server).

CHECK IT WORKS!

▸ In one SSH session start FreeRADIUS in debug mode (radiusd -X).
▸ In another SSH session run radtest with some test credentials.
▸ If you don't see "Received Access-Accept", check the FreeRADIUS debug output to see why.

radtest user@<your-institutions-domain> gantisaya 127.0.0.1:18120 0 testing123
...
Cleartext-Password = "gantisaya"
Received Access-Accept Id 92 from 127.0.0.1:18120 to 127.0.0.1:40278 length 20

EAPOL_TEST

BUILDING EAPOL_TEST

▸ eapol_test is part of hostapd
▸ It can simulate a laptop or phone and Wireless Access Point
▸ Usually complicated to build, but the QA scripts bundled with FreeRADIUS make it easier

sudo apt-get install build-essential pkg-config libssl-dev libnl-3-dev libnl-genl-3-dev
cd ~/
git clone --depth=1 https://github.com/FreeRADIUS/freeradius-server.git
# Accept the RSA key (type yes)
~/freeradius-server/scripts/travis/eapol_test-build.sh
sudo cp ~/freeradius-server/scripts/travis/eapol_test/eapol_test /usr/local/bin/

WHEN TO USE EAPOL_TEST

▸ eapol_test is good to test end to end authentication.
▸ It simulates much more complex authentication than radtest.
▸ If radtest works but eapol_test fails, then the problem is with the EAP configuration or the outer virtual server.
▸ If radtest fails then the problem is with the user directory, or the inner-tunnel virtual server.
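The two bullets above are a decision tree, and it is worth scripting so the same order is followed every time a user reports a problem. The script below is an added example, not part of the slides: it runs radtest against the inner-tunnel listener first, runs eapol_test only if that passed, and maps the pair of results to the diagnosis the slides give. It assumes radtest and eapol_test are installed as built earlier, uses the deck's test password and shared secret, and the DOMAIN default and the output strings it prints are constructed.

```shell
# Added example (not from the slides): run the two tests in the recommended
# order and turn the results into the diagnosis the slides describe.
# Assumes radtest and eapol_test are on PATH and the server is running locally.

DOMAIN="${DOMAIN:-example.ac.id}"   # constructed placeholder for <your-institutions-domain>

# 0 if radtest against the inner-tunnel listener (port 18120) gets an Access-Accept
radtest_ok() {
    radtest "user@$DOMAIN" gantisaya 127.0.0.1:18120 0 testing123 2>&1 \
        | grep -q 'Received Access-Accept'
}

# 0 if a full EAP-TTLS/PAP exchange through the outer server ends in SUCCESS
eapol_ok() {
    eapol_test -a 127.0.0.1 -s testing123 -c "$HOME/ttls-pap.conf" 2>&1 \
        | grep -q '^SUCCESS'
}

# Map the two results to where to look next.
# $1 = radtest status (0 = pass), $2 = eapol_test status (0 = pass)
# Returns 0 on success, 1 for an inner-side failure, 2 for an outer-side failure.
triage() {
    if [ "$1" -ne 0 ]; then
        echo "inner: radtest failed - check the user directory / inner-tunnel virtual server"
        return 1
    fi
    if [ "$2" -ne 0 ]; then
        echo "outer: radtest ok but eapol_test failed - check the EAP config / outer virtual server"
        return 2
    fi
    echo "ok: both tests passed"
    return 0
}

# Run both tests and print the diagnosis.
run_triage() {
    r=0; radtest_ok || r=$?
    e=1
    # eapol_test is only meaningful once the inner server accepts the credentials
    if [ "$r" -eq 0 ]; then e=0; eapol_ok || e=$?; fi
    triage "$r" "$e"
}
```

Call `run_triage` in the second SSH session while radiusd -X is running in the first; the debug output on the first screen tells you why, the triage line tells you where.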

EDUROAM PROTOCOL LAYERS

Figure: protocol layers for EAP-TTLS with plaintext auth against LDAP.
Hops: Supplicant <-EAPOL-> NAS <-RADIUS-> RADIUS Server <-LDAP-> OpenLDAP
Layers shown in the figure: EAP, EAP-TLS, Diameter, PAP/EAP-GTC

Author Arran Cudbard-Bell
Copyright 2018 The FreeRADIUS project
Creative commons license CC BY

BUILD A TEST CONFIG

▸ Copy one of the default config files from the FreeRADIUS source dir (src/tests/eapol_test/ttls-pap.conf) to your home directory.
▸ Change anonymous_identity to 'anonymous@<your-institutions-domain>'.
▸ Change identity to 'user@<your-institutions-domain>'.
▸ Change the password to 'gantisaya' (the one we set up as a test credential earlier).

cp ~/freeradius-server/src/tests/eapol_test/ttls-pap.conf ~/ttls-pap.conf
nano ~/ttls-pap.conf
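The DIGITAL CERTIFICATES slide made the point that a supplicant which does not verify the IdP certificate will hand its password to anyone who answers; the same applies to the eapol_test config you are about to edit, which stands in for a real phone or laptop. The functions below are an added example, not part of the slides or the FreeRADIUS test suite: one writes an eapol_test/wpa_supplicant network block for EAP-TTLS/PAP that pins the CA and the expected server name (the standard wpa_supplicant ca_cert and domain_suffix_match settings), the other audits an existing config for those two lines. The realm, CA path and server name passed in are constructed placeholders.

```shell
# Added example (not from the slides): write a TTLS/PAP supplicant config that
# verifies the IdP certificate, and audit a config for the checks that are missing.
# Uses the standard wpa_supplicant network block keys.

# $1 = output file, $2 = realm (your institution's domain),
# $3 = CA bundle that signed the IdP cert, $4 = expected server name (domain suffix)
write_hardened_ttls_pap() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@$2"
    identity="user@$2"
    password="gantisaya"
    phase2="auth=PAP"
    # Without the next two lines the supplicant will send the password to any
    # server that presents some certificate, not just your IdP.
    ca_cert="$3"
    domain_suffix_match="$4"
}
EOF
}

# Print each missing certificate check; return 0 only if both are present.
# $1 = supplicant config file
supplicant_config_check() {
    missing=0
    grep -q '^[[:space:]]*ca_cert=' "$1"             || { echo "missing ca_cert"; missing=1; }
    grep -q '^[[:space:]]*domain_suffix_match=' "$1" || { echo "missing domain_suffix_match"; missing=1; }
    return $missing
}
```

With the workshop's self-signed certificates, point ca_cert at /etc/raddb/certs/ca.pem and domain_suffix_match at the CN you gave the server certificate; a config that passes `supplicant_config_check` will fail against a rogue IdP instead of leaking the password, which is the behaviour you want your real users' devices to have as well.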

CHECK IT WORKS!

▸ In one SSH session start FreeRADIUS in debug mode (radiusd -X).
▸ In another SSH session run eapol_test with the config you created.
▸ If you don't see 'SUCCESS', check the FreeRADIUS debug output to see why.

eapol_test -a 127.0.0.1 -s testing123 -c ~/ttls-pap.conf
...
MPPE keys OK: 1 mismatch: 0
SUCCESS

FINISHED! PHEW!