RadSecProxy



RadSecProxy

Build

Patch for radsecproxy-1.6.8 on Ubuntu 16.04

taken from here

diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c
--- radsecproxy-1.6.8/tcp.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c	2017-07-13 16:35:52.414151832 +0200
@@ -353,7 +353,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);
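Review bot: The new `listen(*sp, 16);` line still discards the return value, so a socket that never enters the listening state is not reported and the `for (;;)` loop below goes straight on to calling accept() on it; the identical hunk in tls.c (second hunk on this page) has the same gap. The backlog is also a bare magic number, and for an eduroam proxy that can see bursts of RadSec connections it is hard to justify 16 over a named limit; `if (listen(*sp, SOMAXCONN) == -1)` followed by an error log and an early return would make both the limit and the failure visible. The enclosing function begins before the hunk, so the correct return value on failure is not visible here.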
diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c
--- radsecproxy-1.6.8/tls.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c	2017-07-13 16:36:22.678166655 +0200
@@ -467,7 +467,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);

Configure

$ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks 
$ make clean all && sudo make install

Config

/etc/radsec/radsecproxy.conf

# Master config file for radsecproxy
# <IP> is a placeholder for the proxy's own listening address.

IPv4Only		on
# UDP 1812/1813: RADIUS auth/acct from the local clients (see clients.conf);
# TLS 2083: the RadSec port that remote eduroam peers connect to.
listenUDP		<IP>:1812
listenUDP		<IP>:1813
listenTLS		<IP>:2083

LogLevel		5 # 5 while testing; reduce to 3 later
#LogDestination		file:///var/log/radsecproxy.log
LogDestination		x-syslog:///LOG_DAEMON
# Guards against a request being proxied back to the peer it came from
# (see radsecproxy.conf(5) for the exact rule).
LoopPrevention		on

######## TLS section
# "default" is the tls block used by tls-typed clients and servers that do
# not select another one explicitly.
tls default {
  #CACertificatePath     	/etc/radsec/cert/ca
  # Peer certificates are validated against this file. It is the same file
  # as CertificateFile (proxy cert followed by its chain, see the .pem
  # section below), so the CA part of it decides which peers are trusted --
  # keep it to the CAs that should be accepted, especially because the
  # 0.0.0.0/0 TLS client in clients.conf relies on nothing else.
  CACertificateFile		/etc/radsec/cert/radsecproxy.pem 
  CertificateFile		/etc/radsec/cert/radsecproxy.pem 
  CertificateKeyFile		/etc/radsec/cert/radsecproxy.key
  # The passphrase sits here in clear text: this file and the key file
  # must be readable by the daemon's user only.
  CertificateKeyPassword	****secret****
}

Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf

/etc/radsec/rewrites.conf

## Empty for our setup

/etc/radsec/clients.conf

This matches our German top-level RADIUS (TLR) servers; you have to customize it for other countries.

# Inbound connections from the German top-level RADIUS (TLR) servers.
# certificatenamecheck off skips matching the peer certificate against the
# host value; the CN regex in matchCertificateAttribute pins the peer's
# identity instead, on top of the chain validation done via CACertificateFile.
client tlr1 {
	host	193.174.75.134
	type	tls
        certificatenamecheck		off
        matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}

client tlr2 {
	host	193.174.75.138
	type	tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
}

# Our WLAN Controller
# Plain UDP with a shared secret; the /24 admits any host in that subnet,
# so the controller network itself has to be trusted.
client wlc {
	host	10.1.1.0/24
	type	udp
        secret	****secret****
}


# Catch-all for RadSec peers from any IPv4 address (no secret, no attribute
# match): a peer is accepted on the strength of its certificate validating
# against CACertificateFile in the tls default block. certificatenamecheck
# is left at its default here -- NOTE(review): confirm how 1.6.8 applies the
# name check to a 0.0.0.0/0 host.
client anyIP4TLS {
  host 0.0.0.0/0
  type TLS
}

/etc/radsec/servers.conf

# Outbound targets. The two internal servers use plain UDP with a shared
# secret, so the path to them should be an internal, trusted segment.
Server Our-EduroamRadiusAuth {
	host		<internal radius server>
        port		1812
	#rewriteOut	UserName
	type		udp
	secret		****secret****
}
Server Our-EduroamRadiusAcct {
	host		<internal radius accounting server>
        port		1813
	type		udp
	secret		****secret****
}
# German TLR servers as outbound RadSec peers (same hosts and CN pins as in
# clients.conf). StatusServer on makes the proxy send Status-Server probes,
# which it uses to judge whether the peer is alive.
server tlr1 {
	host				193.174.75.134
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/     
	StatusServer			on
}
server tlr2 {
	host				193.174.75.138
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
	StatusServer			on
}

/etc/radsec/realms.conf

# Realms are tried in the order they are listed; the catch-all * stays last.

# Our domain
# domain.tld is a placeholder for the institution's own realm.
realm domain.tld {
        server			Our-EduroamRadiusAuth
        accountingServer	Our-EduroamRadiusAcct
}

# Misconfigured clients are rejected here: a realm without a server rejects
# the request and returns replymessage. A realm starting with / is a regex.
# accountingresponse on answers their accounting requests locally so nothing
# is forwarded upstream.
realm /myabc\.com$ {
          replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us."
          accountingresponse on
}

# Empty realm (user name without an @domain part).
realm /^$/ {
          replymessage "Misconfigured client: empty realm! Rejected by us."
          accountingresponse on
}

# Default route -> Eduroam toplevel servers
realm * {
 server tlr1
 server tlr2
 accountingserver tlr1
 accountingserver tlr2
}

/etc/radsec/cert/radsecproxy.pem

subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...followed by the rest of the certificate chain.

Run the daemon

systemd unit file

# systemctl cat radsecproxy.service 
# /lib/systemd/system/radsecproxy.service
[Unit]
Description=radsecproxy
# Do not start at all if the main config is missing.
ConditionPathExists=/etc/radsec/radsecproxy.conf
After=network.target
Documentation=man:radsecproxy(1)

[Service]
# radsecproxy detaches into the background by default, hence Type=forking;
# -i writes the PID file that systemd tracks.
Type=forking
# NOTE(review): the configure step above uses --prefix=/opt/radsecproxy-1.6.8,
# so this path assumes /opt/radsecproxy points at that tree -- confirm.
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy.pid
PIDFile=/run/radsecproxy.pid
# No User=/Group= is set, so the daemon runs as root (systemd's default);
# nothing on this page drops privileges, so consider a dedicated user that
# can read /etc/radsec and the key file.

[Install]
WantedBy=multi-user.target

Put this to /lib/systemd/system/radsecproxy.service and do:

# systemctl daemon-reload
# systemctl enable radsecproxy.service
# systemctl start radsecproxy.service

Testing

 # openssl s_client -connect <IP>:2083 -showcerts