RadSecProxy: Difference between revisions

Line 170: Line 170:


==Run the daemon==
==Run the daemon==
===systemd unit file===
===Security===
# systemctl cat radsecproxy.service  
There is no need to run radsecproxy as root.
But you need write access to the log or use syslog.
====User====
<source lang=bash>
# addgroup -g 2083 radsecproxy
# useradd  -u 2083 -g nogroup -s /bin/false -h /nonexistent
</source>
====Permissions====
<source lang=bash>
# chown -R root:radsecproxy /etc/radsec
# find /etc/radsec -type d -exec chmod 0750 {} \;
# find /etc/radsec -type f -exec chmod 0640 {} \;
</source>
 
====systemd unit file====
 
<source lang=bash>
# systemctl cat radsecproxy.service  
</source>
<source lang=ini>
<source lang=ini>
# /lib/systemd/system/radsecproxy.service
# /lib/systemd/system/radsecproxy.service
Line 182: Line 200:
[Service]
[Service]
Type=forking
Type=forking
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy.pid
User=radsecproxy
PIDFile=/run/radsecproxy.pid
Group=radsecproxy
RuntimeDirectory=radsecproxy
RuntimeDirectoryMode=0700
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid
PIDFile=/run/radsecproxy/radsecproxy.pid


[Install]
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target
</source>
</source>
Put this to /lib/systemd/system/radsecproxy.service and do:
Put this to /lib/systemd/system/radsecproxy.service and do:
  # systemctl daemon-reload
  # systemctl daemon-reload

Revision as of 13:50, 14 July 2017

Kategorie:Eduroam

RadSecProxy

Build

Patch for radsecproxy-1.6.8 on Ubuntu 16.04

taken from here

diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c
--- radsecproxy-1.6.8/tcp.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c	2017-07-13 16:35:52.414151832 +0200
@@ -353,7 +353,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);
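Review bot: The new backlog of 16 is a bare magic number and the status of listen() is still discarded, so if it fails the loop below keeps calling accept() on a socket that is not listening; the tls.c hunk has exactly the same shape. Passing `SOMAXCONN` lets the kernel cap the queue at its configured maximum instead of pinning a small constant, and the call should be checked, e.g. `if (listen(*sp, SOMAXCONN) < 0) { /* log strerror(errno) and leave the listener */ }`. The enclosing listener function starts before the hunk, so the correct error path is not visible here.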
diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c
--- radsecproxy-1.6.8/tls.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c	2017-07-13 16:36:22.678166655 +0200
@@ -467,7 +467,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);

Configure

## --sysconfdir matches the /etc/radsec paths used by all config files below.
## NOTE(review): the systemd unit further down starts
## /opt/radsecproxy/sbin/radsecproxy, but this prefix installs under
## /opt/radsecproxy-1.6.8 — a symlink /opt/radsecproxy -> /opt/radsecproxy-1.6.8
## (not shown on this page) or a matching ExecStart= is needed.
$ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks 
$ make clean all && sudo make install

Config

/etc/radsec/radsecproxy.conf

# Master config file for radsecproxy
# Listens for plain RADIUS over UDP (1812 auth, 1813 acct) and for RadSec
# (RADIUS over TLS, 2083) on the address given as <IP>; clients, servers and
# realm routing live in the Include'd files below.

IPv4Only		on
listenUDP		<IP>:1812
listenUDP		<IP>:1813
listenTLS		<IP>:2083

LogLevel		5 # For testing later reduce to 3
#LogDestination		file:///var/log/radsecproxy.log
# Syslog is used so the unprivileged service user needs no writable log file.
LogDestination		x-syslog:///LOG_DAEMON
LoopPrevention		on

######## TLS section
# This block is used for every tls client and server below.
# NOTE(review): CACertificateFile and CertificateFile point at the same PEM
# (own certificate plus the chain, see the cert section at the end).  Every
# peer whose certificate chains to a CA in that file passes TLS validation,
# so the file should hold only the intended CA chain — confirm.
tls default {
  #CACertificatePath     	/etc/radsec/cert/ca
  CACertificateFile		/etc/radsec/cert/radsecproxy.pem 
  CertificateFile		/etc/radsec/cert/radsecproxy.pem 
  CertificateKeyFile		/etc/radsec/cert/radsecproxy.key
  # Placeholder.  The real passphrase sits in clear text in this file; the
  # permissions section below makes it root:radsecproxy 0640, i.e. readable
  # by the service group only.
  CertificateKeyPassword	****secret****
}

Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf

/etc/radsec/rewrites.conf

## Empty for our setup

/etc/radsec/clients.conf

This matches our German top-level RADIUS (TLR) servers; you have to customize it for other countries.

# The top-level RADIUS servers (TLR) as clients, i.e. for the RadSec
# connections they open towards us.  certificatenamecheck is off because the
# peer identity is instead pinned with an anchored regex on the certificate CN.
client tlr1 {
	host	193.174.75.134
	type	tls
        certificatenamecheck		off
        matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}

client tlr2 {
	host	193.174.75.138
	type	tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
}

# Our WLAN Controller
# Plain RADIUS over UDP: every host in the /24 is accepted with this one
# shared secret (placeholder), so keep the range as narrow as possible.
client wlc {
	host	10.1.1.0/24
	type	udp
        secret	****secret****
}


# Catch-all TLS client for any source address.
# NOTE(review): unlike tlr1/tlr2 no matchCertificateAttribute (and no
# certificatenamecheck setting) is given here, so trust rests on the chain
# validation against CACertificateFile plus radsecproxy's default name check —
# confirm this is the intended trust boundary.
client anyIP4TLS {
  host 0.0.0.0/0
  type TLS
}

/etc/radsec/servers.conf

# Internal RADIUS servers (plain UDP with a shared secret) that serve our own
# realm; host names and secrets are placeholders.
Server Our-EduroamRadiusAuth {
	host		<internal radius server>
        port		1812
	#rewriteOut	UserName
	type		udp
	secret		****secret****
}
Server Our-EduroamRadiusAcct {
	host		<internal radius accounting server>
        port		1813
	type		udp
	secret		****secret****
}
# Upstream TLR servers over RadSec.  As in clients.conf the built-in name
# check is replaced by an anchored CN regex.  StatusServer lets the proxy probe
# each server with Status-Server requests, which drives failover between the two.
server tlr1 {
	host				193.174.75.134
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/     
	StatusServer			on
}
server tlr2 {
	host				193.174.75.138
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
	StatusServer			on
}

/etc/radsec/realms.conf

# Our domain
realm domain.tld {
        server			Our-EduroamRadiusAuth
        accountingServer	Our-EduroamRadiusAcct
}

# Wrong counfigured clients are rejected here
realm /myabc\.com$ {
          replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us."
          accountingresponse on
}

realm /^$/ {
          replymessage "Misconfigured client: empty realm! Rejected by us."
          accountingresponse on
}

# Default route -> Eduroam toplevel servers
realm * {
 server tlr1
 server tlr2
 accountingserver tlr1
 accountingserver tlr2
}

/etc/radsec/cert/radsecproxy.pem

subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
And now the whole certificate chain...

Run the daemon

Security

There is no need to run radsecproxy as root, but the service user then needs write access to the log file — or use syslog.

User

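## Dedicated unprivileged account for the daemon (uid/gid 2083 mirror the
## RadSec port, purely mnemonic).  Uses the shadow tools so the commands work
## the same on Debian/Ubuntu and elsewhere: useradd needs the login name as
## its last argument, the home directory option is -d (not -h), and -M skips
## creating it.  The primary group is radsecproxy, which is what the systemd
## unit's Group= and the root:radsecproxy ownership of /etc/radsec expect.
# groupadd -g 2083 radsecproxy
# useradd -u 2083 -g radsecproxy -s /bin/false -d /nonexistent -M radsecproxy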

Permissions

## Config and the TLS key are owned by root and readable by the service group
## only: directories 0750, files 0640.  "+" batches paths into one chmod call.
# chown -R root:radsecproxy /etc/radsec
# find /etc/radsec -type d -exec chmod 0750 -- {} +
# find /etc/radsec -type f -exec chmod 0640 -- {} +

systemd unit file

## Show the unit as systemd currently sees it (the .service suffix is implied).
# systemctl cat radsecproxy
# /lib/systemd/system/radsecproxy.service
[Unit]
Description=radsecproxy
# Refuse to start at all without a config file.
ConditionPathExists=/etc/radsec/radsecproxy.conf
# NOTE(review): radsecproxy.conf binds listenUDP/listenTLS to a fixed <IP>; if
# that address is not configured yet when network.target is reached the bind
# can fail at boot — network-online.target may be needed, confirm.
After=network.target
Documentation=man:radsecproxy(1)

[Service]
Type=forking
# Drop root (see the Security section).  The group matches the
# root:radsecproxy 0750/0640 ownership of /etc/radsec, so the config and the
# TLS key are readable by the service and by nobody else.
User=radsecproxy
Group=radsecproxy
# systemd creates /run/radsecproxy (mode 0700, owned by the service user) on
# start; that is why the PID file lives there rather than directly in /run,
# which an unprivileged user normally cannot write.
# No sandboxing directives (e.g. NoNewPrivileges=, ProtectSystem=) are set
# here; worth considering once the daemon is confirmed to run unprivileged.
RuntimeDirectory=radsecproxy
RuntimeDirectoryMode=0700
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid
PIDFile=/run/radsecproxy/radsecproxy.pid

[Install]
WantedBy=multi-user.target

Put this to /lib/systemd/system/radsecproxy.service and do:

## Pick up the new unit file, then enable it for boot and start it in one go.
# systemctl daemon-reload
# systemctl enable --now radsecproxy.service

Testing

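 ## Handshake against the RadSec listener and print the presented chain.
 ## -CAfile makes s_client verify the server chain against the proxy's own CA
 ## bundle instead of only displaying it.  The listener presumably also
 ## demands a client certificate (RadSec is mutual TLS), so without -cert/-key
 ## expect the server to abort the handshake after its certificates have been
 ## shown — verify against the radsecproxy log.
 # openssl s_client -connect <IP>:2083 -showcerts -CAfile /etc/radsec/cert/radsecproxy.pem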