From Lolly's Wiki

Revision as of 23:54, 25 November 2021

RadSecProxy

Build

Patch for radsecproxy-1.6.8 on Ubuntu 16.04

In radsecproxy 1.6.9 and in the git source on git.nordu.net (https://git.nordu.net/?p=radsecproxy.git;a=tree) this patch is not needed since the commit of 18.1.2017 (https://git.nordu.net/?p=radsecproxy.git;a=commit;h=f3619bf65967255e1009fec42b28007b49e0f4e4).
<syntaxhighlight lang=bash>
$ git clone https://git.nordu.net/radsecproxy.git
</syntaxhighlight>

taken from here <syntaxhighlight lang=diff> diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c --- radsecproxy-1.6.8/tcp.c 2016-09-21 13:49:09.000000000 +0200 +++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c 2017-07-13 16:35:52.414151832 +0200 @@ -353,7 +353,7 @@

    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);

- listen(*sp, 0); + listen(*sp, 16);

    for (;;) {
	s = accept(*sp, (struct sockaddr *)&from, &fromlen);

diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c --- radsecproxy-1.6.8/tls.c 2016-09-21 13:49:09.000000000 +0200 +++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c 2017-07-13 16:36:22.678166655 +0200 @@ -467,7 +467,7 @@

    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);

- listen(*sp, 0); + listen(*sp, 16);

    for (;;) {
	s = accept(*sp, (struct sockaddr *)&from, &fromlen);

</source>
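Review bot: in the tcp.c hunk the new value in `+ listen(*sp, 16);` is a bare magic number; use `SOMAXCONN` or a named constant so the backlog has one documented home, and note that the return value of listen() is still unchecked on that line, so a failing listen() would go unnoticed before the `for (;;)` accept() loop below it.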
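Review bot: the tls.c hunk repeats the tcp.c change verbatim (`- listen(*sp, 0);` to `+ listen(*sp, 16);`), so the same two points apply: share one constant between tcp.c and tls.c so the listeners cannot drift apart, and check listen()'s return value before entering accept(). The page also does not say which symptom a backlog of 0 produces on Ubuntu 16.04; a sentence on that next to the patch would help future readers decide whether they need it.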

Configure

<syntaxhighlight lang=bash>
$ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks
$ make clean all && sudo make install
</syntaxhighlight>

Another example: Version 1.7.2 from git

<syntaxhighlight lang=bash>
$ mkdir radsecproxy && cd radsecproxy
$ git clone --single-branch --branch 1.7.2 https://github.com/radsecproxy/radsecproxy tags/1.7.2
$ cd tags/1.7.2
$ ./autogen.sh
$ ./configure --prefix=/opt/radsecproxy-${PWD##*/} --sysconfdir=/etc/radsec --with-ssl
$ make clean all && sudo make install
</syntaxhighlight>

Config

/etc/radsec/radsecproxy.conf

<syntaxhighlight lang=text>
# Master config file for radsecproxy

IPv4Only on
listenUDP <IP>:1812
listenUDP <IP>:1813
listenTLS <IP>:2083

LogLevel 5 # For testing later reduce to 3
# LogDestination file:///var/log/radsecproxy.log
LogDestination x-syslog:///LOG_DAEMON
LoopPrevention on

## TLS section
tls default {
	CACertificatePath		/etc/radsec/cert/ca
	CertificateFile			/etc/radsec/cert/radsecproxy-cert.pem
	CertificateKeyFile		/etc/radsec/cert/radsecproxy-key.pem
	CertificateKeyPassword		<PASSWORD>
}

Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf
</syntaxhighlight>

ca certificate in /etc/radsec/cert/ca

For DFN users this is the TeleSec root certificate.

The destination file name is <hash of the certificate>.0

<syntaxhighlight lang=text>
# openssl x509 -noout -hash -in /tmp/telesec.pem
1e09d511
# mv /tmp/telesec.pem /etc/radsec/cert/ca/1e09d511.0
</syntaxhighlight>

/etc/radsec/cert/ca/1e09d511.0

<syntaxhighlight lang=text>
subject= /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
-----BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
BSeOE6Fuwg==
-----END CERTIFICATE-----
</syntaxhighlight>

/etc/radsec/rewrites.conf

<syntaxhighlight lang=text>
## Empty for our setup
</syntaxhighlight>

/etc/radsec/clients.conf

This matches our German top level RADIUS servers (tlr); you have to customize it for other countries.
<syntaxhighlight lang=text>
client tlr1 {
	host				193.174.75.134
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}

client tlr2 {
	host				193.174.75.138
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
}

# Our WLAN Controller
client wlc {
	host	10.1.1.0/24
	type	udp
	secret	****secret****
}

# client anyIP4TLS {
#	host	0.0.0.0/0
#	type	TLS
# }
</syntaxhighlight>

/etc/radsec/servers.conf

<syntaxhighlight lang=text>
#
## UDP Radius
# Server Our-EduroamRadiusAuth {
#	host	<internal radius server>
#	port	1812
#	type	udp
#	secret	****secret****
# }
# Server Our-EduroamRadiusAcct {
#	host	<internal radius accounting server>
#	port	1813
#	type	udp
#	secret	****secret****
# }

## TLS Radius / RadSec
server freeradius-1 {
	host				<internal radius accounting server1>
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^freeradius1\.domain\.tld$/
	StatusServer			on
	secret				****secret****
}

server freeradius-2 {
	host				<internal radius accounting server2>
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^freeradius2\.domain\.tld$/
	StatusServer			on
	secret				****secret****
}

server tlr1 {
	host				193.174.75.134
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
	StatusServer			on
}

server tlr2 {
	host				193.174.75.138
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
	StatusServer			on
}
</syntaxhighlight>
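A small parser and audit for the block syntax used in clients.conf and servers.conf above, added here as an example; it is not code from this page or from the radsecproxy project. It assumes the convention the page follows for every TLS peer: if certificatenamecheck is switched off, the peer must be pinned with a matchCertificateAttribute regex, otherwise any certificate issued under a CA in CACertificatePath would be accepted for that peer. The config embedded in the script is constructed (192.0.2.x addresses, freeradius1.domain.tld and the secrets are placeholders), and the peers freeradius-1 and legacy are deliberately written without the page's safeguards so the audit has something to find.

```python
import re

# Constructed sample in the block syntax of clients.conf / servers.conf.
# Not the page's files: hosts and secrets are placeholders, and the peers
# "freeradius-1" and "legacy" intentionally lack the page's safeguards.
SAMPLE_CONF = r"""
client tlr1 {
	host				192.0.2.10
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}

# Our WLAN Controller
client wlc {
	host	10.1.1.0/24
	type	udp
	secret	****secret****
}

server freeradius-1 {
	host				freeradius1.domain.tld
	type				tls
	certificatenamecheck		off
	StatusServer			on
	secret				****secret****
}

server legacy {
	host	192.0.2.20
	type	udp
}
"""

BLOCK_START = re.compile(r"^(client|server|realm|tls|rewrite)\s+(\S+)\s*\{$")


def parse_blocks(text):
    """Parse top-level "kind name { option value ... }" blocks.

    Returns a list of (kind, name, options). Option names are lowercased
    because radsecproxy matches them case-insensitively; lines starting
    with # and blank lines are ignored.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_START.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2), {})
            blocks.append(current)
        elif line == "}":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[2][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return blocks


def lint_peers(blocks):
    """Audit client/server peers against the pattern used on this page.

    A TLS peer that turns certificatenamecheck off must bind the peer to
    an identity with matchCertificateAttribute. A UDP peer needs a shared
    secret. Returns a list of (peer name, finding).
    """
    findings = []
    for kind, name, opts in blocks:
        if kind not in ("client", "server"):
            continue
        ptype = opts.get("type", "").lower()
        if ptype == "tls":
            # radsecproxy's CertificateNameCheck defaults to on
            namecheck = opts.get("certificatenamecheck", "on").lower()
            if namecheck == "off" and "matchcertificateattribute" not in opts:
                findings.append((name, "TLS peer: certificatenamecheck off "
                                       "without matchCertificateAttribute"))
        elif ptype == "udp" and "secret" not in opts:
            findings.append((name, "UDP peer: no secret configured"))
    return findings


if __name__ == "__main__":
    for peer, finding in lint_peers(parse_blocks(SAMPLE_CONF)):
        print(f"{peer}: {finding}")
```

Run it against your real files by replacing SAMPLE_CONF with the contents of clients.conf and servers.conf; the two findings it reports for the sample are exactly the lines the page's own peers carry (the CN regex for every TLS peer, the secret for the UDP WLAN controller).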

/etc/radsec/realms.conf

<syntaxhighlight lang=text>
# Our domain domain.tld
realm /(eduroam|anonymous)@domain\.tld$/ {
	server			freeradius-1
	server			freeradius-2
	accountingServer	freeradius-1
	accountingServer	freeradius-2
}

# If the anonymous user has not been matched above, fail.
# So users that use their real identity fail, too. Force anonymous!
realm /@domain\.tld$/ {
	replymessage "Access rejected, wrong anonymous identity. Use eduroam@domain.tld as anonymous identity."
	accountingresponse on
}

# Other domain of our site not used for eduroam
realm /@wrong-domain\.tld$/ {
	replymessage "Misconfigured client: Use domain.tld as domain instead."
	accountingresponse on
}

# Default realm of some clients. Do not send to top level radius servers.
realm /@.*\.3gppnetwork\.org$/ {
	replymessage "Misconfigured client."
	accountingresponse on
}

# Default realm of some clients. Do not send to top level radius servers.
realm /myabc\.com$/ {
	replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us."
	accountingresponse on
}

# Empty realm. Do not send to top level radius servers.
realm /^$/ {
	replymessage "Misconfigured client: empty realm! Rejected by us."
	accountingresponse on
}

# Typo in realm. Realm without any dot in it. Do not send to top level radius servers.
realm /@[^\.]+$/ {
	replymessage "Misconfigured client: Typo in realm - No dot in realm ! Rejected by us."
	accountingresponse on
}

# Typo in realm. Realm with a double dot in it. Do not send to top level radius servers.
realm /@.*\.\..*$/ {
	replymessage "Misconfigured client: Typo in realm - .. ! Rejected by us."
	accountingresponse on
}

# Typo in realm. Realm with a space in it. Do not send to top level radius servers.
realm /@.*\s+.*$/ {
	replymessage "Misconfigured client: Typo in realm - Don't use spaces in your realm! Rejected by us."
	accountingresponse on
}

# All other realms -> Eduroam toplevel servers
realm * {
	server			tlr1
	server			tlr2
	accountingserver	tlr1
	accountingserver	tlr2
}
</syntaxhighlight>
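The realm dispatch described above, as an added example that is not part of the page or of radsecproxy itself: it replays the realms.conf order against constructed sample User-Names and reports which realm decides each one. It assumes what the page relies on, that regex realms are applied to the whole User-Name in config order with the first match winning and that `*` is the catch-all; a realm without servers rejects with its replymessage (shortened here from the page's texts). The sample identities are constructed and cover the edge cases the typo realms are there to catch.

```python
import re

# The realms.conf order above, reduced to (pattern, action, detail).
# Patterns are copied from the page; "*" is radsecproxy's catch-all realm.
REALMS = [
    (r"(eduroam|anonymous)@domain\.tld$", "forward", ["freeradius-1", "freeradius-2"]),
    (r"@domain\.tld$", "reject", "Access rejected, wrong anonymous identity."),
    (r"@wrong-domain\.tld$", "reject", "Misconfigured client: Use domain.tld as domain instead."),
    (r"@.*\.3gppnetwork\.org$", "reject", "Misconfigured client."),
    (r"myabc\.com$", "reject", "Misconfigured client: default realm of Intel PRO/Wireless supplicant!"),
    (r"^$", "reject", "Misconfigured client: empty realm!"),
    (r"@[^\.]+$", "reject", "Misconfigured client: Typo in realm - No dot in realm!"),
    (r"@.*\.\..*$", "reject", "Misconfigured client: Typo in realm - ..!"),
    (r"@.*\s+.*$", "reject", "Misconfigured client: Typo in realm - Don't use spaces in your realm!"),
    ("*", "forward", ["tlr1", "tlr2"]),
]


def compile_realms(realms):
    """Compile each regex realm once; "*" becomes None and matches everything.
    Regexes are applied with search(), so the only anchors are the ^ and $
    written in the patterns themselves, exactly as in the config file."""
    return [(pat, None if pat == "*" else re.compile(pat), action, detail)
            for pat, action, detail in realms]


def dispatch(username, compiled):
    """First matching realm wins, walking the list in config order.
    Returns (pattern, action, detail)."""
    for pat, rx, action, detail in compiled:
        if rx is None or rx.search(username):
            return pat, action, detail
    raise LookupError("no realm matched and no * realm configured")


# Constructed sample User-Names, one per rule plus the edge cases.
SAMPLE_USERS = [
    "eduroam@domain.tld",                        # correct anonymous outer identity
    "alice@domain.tld",                          # real identity used as outer identity
    "alice@wrong-domain.tld",
    "alice@wlan.mnc001.mcc262.3gppnetwork.org",  # constructed 3GPP-style realm
    "alice@myabc.com",
    "",                                          # empty User-Name
    "alice@localhost",                           # realm without a dot
    "alice@uni..de",                             # double dot
    "alice@my uni.de",                           # space in realm
    "alice@other-uni.de",                        # foreign realm -> top level servers
    "bob.eduroam@domain.tld",                    # first rule has no ^ anchor
]


def route_all(usernames, realms=REALMS):
    """Map each User-Name to (deciding realm pattern, action)."""
    compiled = compile_realms(realms)
    return {u: dispatch(u, compiled)[:2] for u in usernames}


if __name__ == "__main__":
    for user, (pat, action) in route_all(SAMPLE_USERS).items():
        print(f"{user!r:45} -> {action:7} via realm /{pat}/")
```

The last sample shows why rule order and anchoring both matter: the first realm is anchored only with `$`, so any User-Name that merely ends in `eduroam@domain.tld` is forwarded to the home servers instead of being rejected by the `/@domain\.tld$/` rule beneath it. Adding `^` to that pattern (`/^(eduroam|anonymous)@domain\.tld$/`) closes that gap without changing anything else in the table.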

/etc/radsec/cert/radsecproxy.pem

<syntaxhighlight lang=text>
subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
And now the whole certificate chain...
</syntaxhighlight>

Run the daemon

Security

There is no need to run radsecproxy as root, but the daemon then needs write access to its log file, or you log to syslog instead.

The config, certificate and key are not readable through the user's primary group (nogroup) but only through the group radsecproxy, which the process runs with (see the systemd unit file radsecproxy.service).

User

<syntaxhighlight lang=bash>
# groupadd -g 2083 radsecproxy
# useradd -u 2083 -g nogroup -s /bin/false -d /nonexistent radsecproxy
</syntaxhighlight>

Permissions

<syntaxhighlight lang=bash>
# chown -R root:radsecproxy /etc/radsec
# find /etc/radsec -type d -exec chmod 0750 {} \;
# find /etc/radsec -type f -exec chmod 0640 {} \;
</syntaxhighlight>

systemd unit file

<syntaxhighlight lang=bash>
# systemctl cat radsecproxy.service
</syntaxhighlight>
<syntaxhighlight lang=ini>
[Unit]
Description=radsecproxy
ConditionPathExists=/etc/radsec/radsecproxy.conf
After=network.target
Documentation=man:radsecproxy(1)

[Service]
Type=forking
User=radsecproxy
Group=radsecproxy
RuntimeDirectory=radsecproxy
RuntimeDirectoryMode=0700
PrivateTmp=yes
InaccessibleDirectories=/var
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/lib
ReadOnlyDirectories=/usr
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid
PIDFile=/run/radsecproxy/radsecproxy.pid

[Install]
WantedBy=multi-user.target
</syntaxhighlight>

Put this in /lib/systemd/system/radsecproxy.service and run:

# systemctl daemon-reload
# systemctl enable radsecproxy.service
# systemctl start radsecproxy.service

Testing

Check on the server if radsecproxy is listening:
<syntaxhighlight lang=bash>
# lsof -Pni TCP:2083 -s TCP:Listen
COMMAND   PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
radsecpro 1344 radsecproxy   9u  IPv4  22751      0t0  TCP <server ip>:2083 (LISTEN)
</syntaxhighlight>

Certificate Enddate

$ openssl s_client -connect <IP>:2083 -tls1 -no_ssl2 -no_ssl3 -showcerts 2>/dev/null | openssl x509 -enddate -noout

notAfter=Oct 9 12:13:17 2020 GMT