RadSecProxy: Difference between revisions

Line 307: Line 307:


===Testing===
===Testing===
  $ openssl s_client -connect <IP>:2083 -showcerts
<source lang=bash>
# lsof -Pni TCP:2083 -s TCP:Listen
COMMAND    PID        USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
radsecpro 1344 radsecproxy    9u  IPv4 22751      0t0  TCP 139.11.1.85:2083 (LISTEN)
</source>
 
<source lang=bash>
$ openssl s_client -connect <IP>:2083 -showcerts
</source>


===Certificate Enddate===
===Certificate Enddate===
  $ openssl s_client -connect <IP>:2083 -tls1 -no_ssl2 -no_ssl3 -showcerts 2>/dev/null | openssl x509 -enddate -noout
  $ openssl s_client -connect <IP>:2083 -tls1 -no_ssl2 -no_ssl3 -showcerts 2>/dev/null | openssl x509 -enddate -noout
notAfter=Oct  9 12:13:17 2020 GMT
notAfter=Oct  9 12:13:17 2020 GMT

Revision as of 08:39, 29 October 2020

Kategorie:Eduroam

RadSecProxy

Build

Patch for radsecproxy-1.6.8 on Ubuntu 16.04

In radsecproxy 1.6.9 and source from git on [git.nordu.net] this patch is not needed since [18.1.2017].

# Upstream repository at the time of writing; the 1.7.2 example further down
# clones the same project from https://github.com/radsecproxy/radsecproxy instead.
$ git clone https://git.nordu.net/radsecproxy.git

taken from here

diff -rub radsecproxy-1.6.8/tcp.c radsecproxy-1.6.8_Ubuntu_16.04/tcp.c
--- radsecproxy-1.6.8/tcp.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tcp.c	2017-07-13 16:35:52.414151832 +0200
@@ -353,7 +353,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);
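Review bot: The return value of listen() is still dropped on the `+    listen(*sp, 16);` line, so a failed call falls straight into the accept() loop, where accept() would presumably fail on every pass instead of the error being reported once; check it, e.g. `if (listen(*sp, 16) < 0) { /* log strerror(errno) and return */ }`. The same applies to the identical tls.c hunk below. The backlog of 16 is also a bare constant; SOMAXCONN from <sys/socket.h> is the conventional value (the kernel may clamp whatever is passed). The enclosing function begins before the hunk and its accept() loop continues after it.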
diff -rub radsecproxy-1.6.8/tls.c radsecproxy-1.6.8_Ubuntu_16.04/tls.c
--- radsecproxy-1.6.8/tls.c	2016-09-21 13:49:09.000000000 +0200
+++ radsecproxy-1.6.8_Ubuntu_16.04/tls.c	2017-07-13 16:36:22.678166655 +0200
@@ -467,7 +467,7 @@
     struct sockaddr_storage from;
     socklen_t fromlen = sizeof(from);
 
-    listen(*sp, 0);
+    listen(*sp, 16);
 
     for (;;) {
 	s = accept(*sp, (struct sockaddr *)&from, &fromlen);

Configure

# --sysconfdir is where radsecproxy.conf and its Include files live (see Config);
# --prefix installs this build under a version-specific directory in /opt.
$ ./configure --prefix=/opt/radsecproxy-1.6.8 --sysconfdir=/etc/radsec --with-ssl --enable-fticks 
$ make clean all && sudo make install

Another example: Version 1.7.2 from git

# Version 1.7.2 from the GitHub mirror. ${PWD##*/} is the last path component,
# so inside tags/1.7.2 the prefix becomes /opt/radsecproxy-1.7.2.
# NOTE(review): the systemd unit below starts /opt/radsecproxy/sbin/radsecproxy
# (no version suffix), so a symlink /opt/radsecproxy -> /opt/radsecproxy-1.7.2
# or an adjusted ExecStart= is presumably needed — confirm.
$ mkdir radsecproxy && cd radsecproxy
$ git clone --single-branch --branch 1.7.2 https://github.com/radsecproxy/radsecproxy tags/1.7.2
$ cd tags/1.7.2
$ ./autogen.sh
$ ./configure --prefix=/opt/radsecproxy-${PWD##*/} --sysconfdir=/etc/radsec --with-ssl
$ make clean all && sudo make install

Config

/etc/radsec/radsecproxy.conf

# Master config file for radsecproxy
#
# Accepts plain RADIUS over UDP (1812 auth / 1813 acct) and RadSec over TLS
# (2083) on one IPv4 address; clients, servers and realms live in the Include
# files listed at the bottom.

IPv4Only		on
listenUDP		<IP>:1812
listenUDP		<IP>:1813
listenTLS		<IP>:2083

LogLevel		5 # For testing later reduce to 3
# The file:// destination is kept for reference only: the systemd unit makes
# /var inaccessible to the service (InaccessibleDirectories=/var), so a log
# file under /var/log could not be written — presumably why syslog is used.
#LogDestination		file:///var/log/radsecproxy.log
LogDestination		x-syslog:///LOG_DAEMON
LoopPrevention		on

######## TLS section
# CACertificatePath is handed to OpenSSL, which expects the hashed-filename
# layout in that directory (c_rehash) — verify after adding a CA.
# CertificateKeyPassword is stored here in clear text; the file must stay
# unreadable to anyone but root and the radsecproxy group (see Permissions).
tls default {
  CACertificatePath             /etc/radsec/cert/ca
  CertificateFile               /etc/radsec/cert/radsecproxy-cert.pem
  CertificateKeyFile            /etc/radsec/cert/radsecproxy-key.pem
  CertificateKeyPassword        <PASSWORD>
}


Include /etc/radsec/rewrites.conf
Include /etc/radsec/clients.conf
Include /etc/radsec/servers.conf
Include /etc/radsec/realms.conf

/etc/radsec/rewrites.conf

## Empty for our setup

/etc/radsec/clients.conf

This matches the German top-level RADIUS servers (TLR); you have to customize it for other countries.

# German top-level RADIUS servers (TLR), reached over TLS.
# certificatenamecheck off disables the default check of the peer certificate
# against the configured host; matchCertificateAttribute then pins the CN with
# an anchored regex instead, so only those two names are accepted from that IP.
client tlr1 {
	host	193.174.75.134
	type	tls
        certificatenamecheck		off
        matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/
}

client tlr2 {
	host	193.174.75.138
	type	tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
}

# Our WLAN Controller
# Plain RADIUS over UDP from the whole /24: every host in that subnet that
# knows the shared secret is accepted, so keep the subnet as narrow as the
# controller allows and use a long random secret (classic RADIUS relies on
# an MD5-based packet authenticator only).
client wlc {
	host	10.1.1.0/24
	type	udp
        secret	****secret****
}


# Catch-all TLS client: with no matchCertificateAttribute, any peer presenting
# a certificate that chains to a CA in CACertificatePath would presumably be
# accepted. Kept commented out on purpose.
#client anyIP4TLS {
#  host 0.0.0.0/0
#  type TLS
#}

/etc/radsec/servers.conf

#
## UDP Radius
#
# Plain-UDP back ends, kept for reference only; this setup talks RadSec (TLS)
# to the internal FreeRADIUS servers instead (see the TLS section below).

#Server Our-EduroamRadiusAuth {
#	host		<internal radius server>
#	port		1812
#	type		udp
#	secret		****secret****
#}
#Server Our-EduroamRadiusAcct {
#	host		<internal radius accounting server>
#	port		1813
#	type		udp
#	secret		****secret****
#}

#
## TLS Radius / RadSec
#
# Internal back ends. As in clients.conf, the host-name check is replaced by
# an anchored CN pin; StatusServer on makes radsecproxy probe the server with
# Status-Server requests to tell whether it is alive.
server freeradius-1 {
	host				<internal radius accounting server1>
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^freeradius1\.domain\.tld$/
	StatusServer			on
	secret				****secret****
}

server freeradius-2 {
	host				<internal radius accounting server2>
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^freeradius2\.domain\.tld$/
	StatusServer			on
	secret				****secret****
}

# Top-level servers. No secret line: for TLS radsecproxy presumably falls back
# to its built-in default ("radsec"); the peer is authenticated by the
# certificate check above, not by the secret.
server tlr1 {
	host				193.174.75.134
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius1\.dfn|tld1\.eduroam)\.de$/     
	StatusServer			on
}
server tlr2 {
	host				193.174.75.138
	type				tls
	certificatenamecheck		off
	matchCertificateAttribute	CN:/^(radius2\.dfn|tld2\.eduroam)\.de$/
	StatusServer			on
}

/etc/radsec/realms.conf

# Realms are tried in the order they appear here — the first pattern that
# matches the User-Name wins — which is why the catch-all "*" comes last.
# The patterns are compiled as regular expressions (radsecproxy uses the C
# library's regcomp() as far as I know), so keep them anchored.

# Our domain domain.tld
realm /(eduroam|anonymous)@domain\.tld$/ {
  server			freeradius-1
  server			freeradius-2
  accountingServer	freeradius-1
  accountingServer	freeradius-2
}

# If the anonymous user has not been matched above, fail
# So users that use their real identity fail, too. Force anonymous!
# NOTE(review): unlike every other regex realm in this file the pattern has no
# closing "/". radsecproxy appears to treat the trailing slash as optional, so
# this works, but /@domain\.tld$/ would be the consistent spelling — confirm
# against the running version.
realm /@domain\.tld$ {
  replymessage "Access rejected, wrong anonymous identity. Use eduroam@domain.tld as anonymous identity."
  accountingresponse on
}

# Other domain of our site not used for eduroam
realm /@wrong-domain\.tld$/ {
  replymessage "Misconfigured client: Use domain.tld as domain instead."
  accountingresponse on
}

# Default realm of some clients. Do not send to top level radius servers.
realm /@.*\.3gppnetwork\.org$/ {
  replymessage "Misconfigured client."
  accountingresponse on
}

# Default realm of some clients. Do not send to top level radius servers.
realm /myabc\.com$/ {
  replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by us."
  accountingresponse on
}

# Empty realm. Do not send to top level radius servers.
# (The pattern is applied to the whole User-Name, so ^$ presumably only hits a
# completely empty User-Name — confirm that this is what is intended.)
realm /^$/ {
  replymessage "Misconfigured client: empty realm! Rejected by us."
  accountingresponse on
}

# Typo in realm. Realm without any dot in it. Do not send to top level radius servers.
realm /@[^\.]+$/ {
  replymessage "Misconfigured client: Typo in realm - No dot in realm ! Rejected by us."
  accountingresponse on
}

# Typo in realm. Realm with a double dot in it. Do not send to top level radius servers.
realm /@.*\.\..*$/ {
  replymessage "Misconfigured client: Typo in realm - .. ! Rejected by us."
  accountingresponse on
}

# Typo in realm. Realm with a space in it. Do not send to top level radius servers.
# NOTE(review): \s is a GNU extension to POSIX regex; it works on glibc, while
# [[:space:]] would be the portable spelling.
realm /@.*\s+.*$/ {
  replymessage "Misconfigured client: Typo in realm - Don't use spaces in your realm! Rejected by us."
  accountingresponse on
}

# All other realms -> Eduroam toplevel servers
realm * {
  server tlr1
  server tlr2
  accountingserver tlr1
  accountingserver tlr2
}

/etc/radsec/cert/radsecproxy.pem

subject=/CN=radsecproxy.domain.tld/OU=bla/O=bli/L=Hamburg/ST=Hamburg/C=DE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
And now the whole certificate chain...

Run the daemon

Security

There is no need to run radsecproxy as root, but the daemon then needs write access to its log file — or use syslog.

The config, certificate and key are not readable through the user's primary group (nogroup), but through the group radsecproxy that the process runs under (see the systemd unit file radsecproxy.service).

User

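# Dedicated unprivileged account: gid 2083 for the group the daemon runs under
# (Group= in the unit file), uid 2083 with no login shell and no home directory.
# useradd's -h is --help, the home-directory option is -d, and the login name
# is mandatory — without it useradd only prints its usage.
# addgroup -g 2083 radsecproxy
# useradd  -u 2083 -g nogroup -s /bin/false -d /nonexistent radsecproxy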

Permissions

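# root owns /etc/radsec; group radsecproxy may traverse and read it, others get
# nothing — so the private key and the key password in radsecproxy.conf are
# reachable only through the service's group.
# "{} +" hands find's matches to one chmod per batch instead of forking a
# chmod per directory entry.
# chown -R root:radsecproxy /etc/radsec
# find /etc/radsec -type d -exec chmod 0750 {} +
# find /etc/radsec -type f -exec chmod 0640 {} +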

systemd unit file

# systemctl cat radsecproxy.service
[Unit]
Description=radsecproxy
# Refuse to start without a config file instead of failing on every restart.
ConditionPathExists=/etc/radsec/radsecproxy.conf
After=network.target
Documentation=man:radsecproxy(1)

[Service]
# radsecproxy daemonizes itself; -i writes the PID file that PIDFile= tracks.
Type=forking
# Unprivileged account from the Security section. Group= sets the process
# gid to radsecproxy regardless of the user's primary group (nogroup), which
# is what grants access to the 0640 root:radsecproxy files in /etc/radsec.
User=radsecproxy
Group=radsecproxy
# /run/radsecproxy is created for the PID file and owned by User/Group.
RuntimeDirectory=radsecproxy
RuntimeDirectoryMode=0700
PrivateTmp=yes
# Sandboxing: /var is hidden entirely (so file:// logging under /var/log
# cannot work — the config logs to syslog) and the system trees are read-only.
# NOTE(review): InaccessibleDirectories= and ReadOnlyDirectories= are the
# deprecated spellings of InaccessiblePaths= and ReadOnlyPaths=; systemd still
# accepts them, but ProtectSystem=strict plus NoNewPrivileges=yes would be the
# current equivalent — confirm against the installed systemd version.
InaccessibleDirectories=/var
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/lib
ReadOnlyDirectories=/usr
# Versionless path: the builds above install under /opt/radsecproxy-<version>,
# so this presumably relies on a symlink /opt/radsecproxy — confirm.
ExecStart=/opt/radsecproxy/sbin/radsecproxy -i /run/radsecproxy/radsecproxy.pid
PIDFile=/run/radsecproxy/radsecproxy.pid

[Install]
WantedBy=multi-user.target

Put this in /lib/systemd/system/radsecproxy.service and run:

# daemon-reload makes systemd read the new unit file before it is enabled
# (start at boot) and started for the current session.
# systemctl daemon-reload
# systemctl enable radsecproxy.service
# systemctl start radsecproxy.service

Testing

# Is the daemon listening on the RadSec port? -P/-n keep ports and addresses
# numeric, -s TCP:Listen restricts the output to listening sockets.
# lsof -Pni TCP:2083 -s TCP:Listen
COMMAND    PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
radsecpro 1344 radsecproxy    9u  IPv4  22751      0t0  TCP 139.11.1.85:2083 (LISTEN)
# Full TLS handshake against the proxy; -showcerts prints the whole chain the
# server sends. Adding -CApath /etc/radsec/cert/ca lets s_client verify that
# chain against the CA directory the proxy is configured with, provided the
# proxy's own certificate chains to a CA stored there.
$ openssl s_client -connect <IP>:2083 -showcerts

Certificate Enddate

# -tls1 pins the handshake to TLS 1.0. A server that no longer offers TLS 1.0
# refuses the handshake, the error goes to the discarded stderr, and x509 then
# has nothing to parse — drop -tls1 (or use -tls1_2) if no notAfter line appears.
$ openssl s_client -connect <IP>:2083 -tls1 -no_ssl2 -no_ssl3 -showcerts 2>/dev/null | openssl x509 -enddate -noout

notAfter=Oct 9 12:13:17 2020 GMT