RadSecProxy
From Lolly's Wiki
RadSecProxy
Build
Patch for radsecproxy-1.6.8 on Ubuntu 16.04
diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c
--- radsecproxy-1.6.8/tcp.c 2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c 2017-07-13 16:35:52.414151832 +0200
@@ -353,7 +353,7 @@
struct sockaddr_storage from;
socklen_t fromlen = sizeof(from);
- listen(*sp, 0);
+ listen(*sp, 16);
for (;;) {
s = accept(*sp, (struct sockaddr *)&from, &fromlen);
diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c
--- radsecproxy-1.6.8/tls.c 2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c 2017-07-13 16:36:22.678166655 +0200
@@ -467,7 +467,7 @@
struct sockaddr_storage from;
socklen_t fromlen = sizeof(from);
- listen(*sp, 0);
+ listen(*sp, 16);
for (;;) {
s = accept(*sp, (struct sockaddr *)&from, &fromlen);
Configure
$ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks
$ make clean all && sudo make install
Config
/etc/radsec/radsecproxy.conf
# Master config file for radsecproxy
IPv4Only on
listenUDP <IP>:1812
listenUDP <IP>:1813
listenTLS <IP>:2083
LogLevel 5 # For testing later reduce to 3
#LogDestination file:///var/log/radsecproxy.log
LogDestination x-syslog:///LOG_DAEMON
LoopPrevention on
######## TLS section
tls default {
#CACertificatePath /etc/radsec/cert/ca
CACertificateFile /etc/radsec/cert/radsecproxy.pem
CertificateFile /etc/radsec/cert/radsecproxy.pem
CertificateKeyFile /etc/radsec/cert/radsecproxy.key
CertificateKeyPassword ****secret****
}
Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf
/etc/radsec/rewrites.conf
## Empty for our setup
/etc/radsec/clients.conf
This matches our german top level radius (tlr) you have to customize it for other countries.
client tlr1 {
host 193.174.75.134
type tls
certificatenamecheck off
matchCertificateAttribute CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}
client tlr2 {
host 193.174.75.138
type tls
certificatenamecheck off
matchCertificateAttribute CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
}
# Our WLAN Controller
client wlc {
host 10.1.1.0/24
type udp
secret ****secret****
}
client anyIP4TLS {
host 0.0.0.0/0
type TLS
}
/etc/radsec/servers.conf
Server Our-EduroamRadiusAuth {
host <internal radius server>
port 1812
#rewriteOut UserName
type udp
secret ****secret****
}
Server Our-EduroamRadiusAcct {
host <internal radius accounting server>
port 1813
type udp
secret ****secret****
}
server tlr1 {
host 193.174.75.134
type tls
certificatenamecheck off
matchCertificateAttribute CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
StatusServer on
}
server tlr2 {
host 193.174.75.138
type tls
certificatenamecheck off
matchCertificateAttribute CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
StatusServer on
}
/etc/radsec/realms.conf
# Our domain
realm domain.tld {
server Our-EduroamRadiusAuth
accountingServer Our-EduroamRadiusAcct
}
# Wrong counfigured clients are rejected here
realm /myabc\.com$ {
replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us."
accountingresponse on
}
realm /^$/ {
replymessage "Misconfigured client: empty realm! Rejected by us."
accountingresponse on
}
# Default route -> Eduroam toplevel servers
realm * {
server tlr1
server tlr2
accountingserver tlr1
accountingserver tlr2
}
/etc/radsec/cert/radsecproxy.pem
subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
And now the whole cerstificate chain...
Run the daemon
Security
There is no need to run radsecproxy as root. But you need write access to the log or use syslog.
The config, certificate and key is not readable by the user (nogroup) but by the group radsecproxy where the porocess lives in (see systemd unit file radsecproxy.service).
User
# addgroup -g 2083 radsecproxy
# useradd -u 2083 -g nogroup -s /bin/false -h /nonexistent
Permissions
# chown -R root:radsecproxy /etc/radsec
# find /etc/radsec -type d -exec chmod 0750 {} \;
# find /etc/radsec -type f -exec chmod 0640 {} \;
systemd unit file
# systemctl cat radsecproxy.service
# /lib/systemd/system/radsecproxy.service
[Unit]
Description=radsecproxy
ConditionPathExists=/etc/radsec/radsecproxy.conf
After=network.target
Documentation=man:radsecproxy(1)
[Service]
Type=forking
User=radsecproxy
Group=radsecproxy
RuntimeDirectory=radsecproxy
RuntimeDirectoryMode=0700
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid
PIDFile=/run/radsecproxy/radsecproxy.pid
[Install]
WantedBy=multi-user.target
Put this to /lib/systemd/system/radsecproxy.service and do:
# systemctl daemon-reload # systemctl enable radsecproxy.service # systemctl start radsecproxy.service
Testing
# openssl s_client -connect <IP>:2083 -showcerts