RadSecProxy
RadSecProxy
Build
Patch for radsecproxy-1.6.8 on Ubuntu 16.04
In radsecproxy 1.6.9 and source from git on [git.nordu.net] this patch is not needed since [18.1.2017]. <syntaxhighlight lang=bash> $ git clone https://git.nordu.net/radsecproxy.git </source>
taken from here <syntaxhighlight lang=diff> diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c --- radsecproxy-1.6.8/tcp.c 2016-09-21 13:49:09.000000000 +0200 +++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c 2017-07-13 16:35:52.414151832 +0200 @@ -353,7 +353,7 @@
struct sockaddr_storage from;
socklen_t fromlen = sizeof(from);
- listen(*sp, 0); + listen(*sp, 16);
for (;;) {
s = accept(*sp, (struct sockaddr *)&from, &fromlen);
diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c --- radsecproxy-1.6.8/tls.c 2016-09-21 13:49:09.000000000 +0200 +++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c 2017-07-13 16:36:22.678166655 +0200 @@ -467,7 +467,7 @@
struct sockaddr_storage from;
socklen_t fromlen = sizeof(from);
- listen(*sp, 0); + listen(*sp, 16);
for (;;) {
s = accept(*sp, (struct sockaddr *)&from, &fromlen);
</source>
Configure
<syntaxhighlight lang=bash> $ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks $ make clean all && sudo make install </source>
Another example: Version 1.7.2 from git
<syntaxhighlight lang=bash> $ mkdir radsecproxy && cd radsecproxy $ git clone --single-branch --branch 1.7.2 https://github.com/radsecproxy/radsecproxy tags/1.7.2 $ cd tags/1.7.2 $ ./autogen.sh $ ./configure --prefix=/opt/radsecproxy-${PWD##*/} --sysconfdir=/etc/radsec --with-ssl $ make clean all && sudo make install </source>
Config
/etc/radsec/radsecproxy.conf
<syntaxhighlight lang=text>
- Master config file for radsecproxy
IPv4Only on listenUDP <IP>:1812 listenUDP <IP>:1813 listenTLS <IP>:2083
LogLevel 5 # For testing later reduce to 3
- LogDestination file:///var/log/radsecproxy.log
LogDestination x-syslog:///LOG_DAEMON LoopPrevention on
- TLS section
tls default {
CACertificatePath /etc/radsec/cert/ca CertificateFile /etc/radsec/cert/radsecproxy-cert.pem CertificateKeyFile /etc/radsec/cert/radsecproxy-key.pem CertificateKeyPassword <PASSWORD>
}
Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf
</source>
ca certificate in /etc/radsec/cert/ca
For DFN users it is the TeleSec root certificate
The destination file name is <hash of the certificate>.0
<syntaxhighlight lang=text>
- openssl x509 -noout -hash -in /tmp/telesec.pem
1e09d511
- mv /tmp/telesec.pem /etc/radsec/cert/ca/1e09d511.0
</source>
/etc/radsec/cert/ca/1e09d511.0
<syntaxhighlight lang=text> subject= /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1 OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50 ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi 1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/ WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6 g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN 9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP BSeOE6Fuwg==
END CERTIFICATE-----
</source>
/etc/radsec/rewrites.conf
<syntaxhighlight lang=text>
- Empty for our setup
</source>
/etc/radsec/clients.conf
This matches our german top level radius (tlr) you have to customize it for other countries. <syntaxhighlight lang=text> client tlr1 { host 193.174.75.134 type tls
certificatenamecheck off
matchCertificateAttribute CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}
client tlr2 { host 193.174.75.138 type tls certificatenamecheck off matchCertificateAttribute CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/ }
- Our WLAN Controller
client wlc { host 10.1.1.0/24 type udp
secret ****secret****
}
- client anyIP4TLS {
- host 0.0.0.0/0
- type TLS
- }
</source>
/etc/radsec/servers.conf
<syntaxhighlight lang=text>
-
- UDP Radius
- Server Our-EduroamRadiusAuth {
- host <internal radius server>
- port 1812
- type udp
- secret ****secret****
- }
- Server Our-EduroamRadiusAcct {
- host <internal radius accounting server>
- port 1813
- type udp
- secret ****secret****
- }
-
- TLS Radius / RadSec
server freeradius-1 { host <internal radius accounting server1> type tls certificatenamecheck off matchCertificateAttribute CN:/^freeradius1\.domain\.tld$/ StatusServer on secret ****secret**** }
server freeradius-2 { host <internal radius accounting server2> type tls certificatenamecheck off matchCertificateAttribute CN:/^freeradius2\.domain\.tld$/ StatusServer on secret ****secret**** }
server tlr1 { host 193.174.75.134 type tls certificatenamecheck off matchCertificateAttribute CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/ StatusServer on } server tlr2 { host 193.174.75.138 type tls certificatenamecheck off matchCertificateAttribute CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/ StatusServer on } </source>
/etc/radsec/realms.conf
<syntaxhighlight lang=text>
- Our domain domain.tld
realm /(eduroam|anonymous)@domain\.tld$/ {
server freeradius-1 server freeradius-2 accountingServer freeradius-1 accountingServer freeradius-2
}
- If the anonymous user has not been matched above, fail
- So users that use their real identity fail, too. Force anonymous!
realm /@domain\.tld$ {
replymessage "Access rejected, wrong anonymous identity. Use eduroam@domain.tld as anonymous identity." accountingresponse on
}
- Other domain of our site not used for eduroam
realm /@wrong-domain\.tld$/ {
replymessage "Misconfigured client: Use domain.tld as domain instead." accountingresponse on
}
- Default realm of some clients. Do not send to top level radius servers.
realm /@.*\.3gppnetwork\.org$/ {
replymessage "Misconfigured client." accountingresponse on
}
- Default realm of some clients. Do not send to top level radius servers.
realm /myabc\.com$/ {
replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us." accountingresponse on
}
- Empty realm. Do not send to top level radius servers.
realm /^$/ {
replymessage "Misconfigured client: empty realm! Rejected by us." accountingresponse on
}
- Typo in realm. Realm without any dot in it. Do not send to top level radius servers.
realm /@[^\.]+$/ {
replymessage "Misconfigured client: Typo in realm - No dot in realm ! Rejected by us." accountingresponse on
}
- Typo in realm. Realm without double dot in it. Do not send to top level radius servers.
realm /@.*\.\..*$/ {
replymessage "Misconfigured client: Typo in realm - .. ! Rejected by us." accountingresponse on
}
- Typo in realm. Realm without space in it. Do not send to top level radius servers.
realm /@.*\s+.*$/ {
replymessage "Misconfigured client: Typo in realm - Don't use spaces in your realm! Rejected by us." accountingresponse on
}
- All other realms -> Eduroam toplevel servers
realm * {
server tlr1 server tlr2 accountingserver tlr1 accountingserver tlr2
} </source>
/etc/radsec/cert/radsecproxy.pem
<syntaxhighlight lang=text> subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
BEGIN CERTIFICATE-----
...
END CERTIFICATE-----
And now the whole cerstificate chain... </source>
Run the daemon
Security
There is no need to run radsecproxy as root. But you need write access to the log or use syslog.
The config, certificate and key is not readable by the user (nogroup) but by the group radsecproxy where the porocess lives in (see systemd unit file radsecproxy.service).
User
<syntaxhighlight lang=bash>
- addgroup -g 2083 radsecproxy
- useradd -u 2083 -g nogroup -s /bin/false -h /nonexistent
</source>
Permissions
<syntaxhighlight lang=bash>
- chown -R root:radsecproxy /etc/radsec
- find /etc/radsec -type d -exec chmod 0750 {} \;
- find /etc/radsec -type f -exec chmod 0640 {} \;
</source>
systemd unit file
<syntaxhighlight lang=bash>
- systemctl cat radsecproxy.service
</source> <syntaxhighlight lang=ini> [Unit] Description=radsecproxy ConditionPathExists=/etc/radsec/radsecproxy.conf After=network.target Documentation=man:radsecproxy(1)
[Service] Type=forking User=radsecproxy Group=radsecproxy RuntimeDirectory=radsecproxy RuntimeDirectoryMode=0700 PrivateTmp=yes InaccessibleDirectories=/var ReadOnlyDirectories=/etc ReadOnlyDirectories=/lib ReadOnlyDirectories=/usr ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid PIDFile=/run/radsecproxy/radsecproxy.pid
[Install] WantedBy=multi-user.target </source>
Put this to /lib/systemd/system/radsecproxy.service and do:
# systemctl daemon-reload # systemctl enable radsecproxy.service # systemctl start radsecproxy.service
Testing
Check on the server if the radsecproxy is listening: <syntaxhighlight lang=bash>
- lsof -Pni TCP:2083 -s TCP:Listen
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME radsecpro 1344 radsecproxy 9u IPv4 22751 0t0 TCP <server ip>:2083 (LISTEN) </source>
Certificate Enddate
$ openssl s_client -connect <IP>:2083 -tls1 -no_ssl2 -no_ssl3 -showcerts 2>/dev/null | openssl x509 -enddate -noout
notAfter=Oct 9 12:13:17 2020 GMT
