LEARN eduroam Workshop 6th May 2016
Useful EAP Tools for Authentication Testing Purposes
Configure FreeRADIUS for eduroam SP and IdP
Create a virtual server site for eduroam
Create a virtual server site for eduroam-inner-tunnel
Configure pre-proxy attributes
This is a guide to build an institutional FreeRADIUS eduroam service as SP and IdP.
Manual eduroam institutional RADIUS server setup involves ...
( Reference: http://wiki.eduroam.kr/display/XEAP/xeap+Home )
Change user to root ...
$ sudo su -
Add the FreeRADIUS PPA so that the current 3.0 release is installed; 3.0 is the version used in this document.
Note: without the PPA, Ubuntu's own package may install the older 2.x series, whose configuration layout (a single eap.conf, no mods-available directory) differs from what follows.
$ add-apt-repository ppa:freeradius/stable-3.0
$ apt-get update
$ apt-get upgrade
Install FreeRADIUS ...
$ apt-get install freeradius
Check that you have FreeRADIUS version 3.0 ...
$ freeradius -v
radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on Mar 15 2016 at 04:39:32
Check that the FreeRADIUS daemon is running ...
$ service freeradius status
* freeradius is running
Other examples ...
$ service freeradius stop
* Stopping FreeRADIUS daemon freeradius [ OK ]
$ service freeradius status
* freeradius is not running
$ service freeradius start
* Starting FreeRADIUS daemon freeradius [ OK ]
$ service freeradius restart
* Checking FreeRADIUS daemon configuration... [ OK ]
* Stopping FreeRADIUS daemon freeradius [ OK ]
* Starting FreeRADIUS daemon freeradius
[ OK ]
FreeRADIUS is now installed.
Next is to test that the base FreeRADIUS installation is working.
Configuration for this freeradius installation is in /etc/freeradius.
Add a user credential for testing ...
$ vi /etc/freeradius/users
Find bob which is commented out and uncomment it by deleting the '#' as shown ...
To search for bob, do "/bob" and [enter].
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
Restart the FreeRADIUS daemon ...
$ service freeradius restart
Run radtest against the user created above. It sends an Access-Request to the local server; a successful test ends with Access-Accept. The secret testing123 is the one shipped for the localhost client in /etc/freeradius/clients.conf and is public knowledge, so never reuse it for a real client.
$ radtest -t mschap -x bob hello 127.0.0.1:1812 10000 testing123
Sent Access-Request Id 155 from 0.0.0.0:40567 to 127.0.0.1:1812 length 144
User-Name = "bob"
MS-CHAP-Password = "hello"
NAS-IP-Address = 202.158.223.157
NAS-Port = 10000
Message-Authenticator = 0x00
Cleartext-Password = "hello"
MS-CHAP-Challenge = 0xbcdf28e144c9439c
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000061b7bdb4533a4e6eaafa18473a30e05ef5cf6d4180db6042
Received Access-Accept Id 155 from 127.0.0.1:1812 to 0.0.0.0:0 length 111
Reply-Message = "Hello, bob"
MS-CHAP-MPPE-Keys = 0x02146f9e3951fddf4c59384f3d4d2ad2f96b936e0dd123d1
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
$ radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
-d RADIUS_DIR Set radius directory
-t <type> Set authentication method
type can be pap, chap, mschap, or eap-md5
-P protocol Select udp (default) or tcp
-x Enable debug output
-4 Use IPv4 for the NAS address (default)
-6 Use IPv6 for the NAS address
You can start FreeRADIUS in debugging mode in separate terminal to observe logs as you test ...
$ service freeradius stop
$ freeradius -X
To exit debugging mode, press Ctrl+C.
THIS COMPLETES the BASE FreeRADIUS installation.
To test with EAP you need eapol_test, which is built from the wpa_supplicant sources.
The rad_eap_test script is an eapol_test wrapper that generates the eapol_test configuration for you.
( Reference: http://confluence.diamond.ac.uk/display/PAAUTH/Building+eapol_test+in+wpa_supplicant )
$ sudo su -
$ wget http://w1.fi/releases/wpa_supplicant-2.5.tar.gz
$ tar -xvf wpa_supplicant-2.5.tar.gz
$ cd wpa_supplicant-2.5/wpa_supplicant
$ cp defconfig .config
$ vi .config
Uncomment ...
CONFIG_EAPOL_TEST=y
Comment out (required for Ubuntu 16.04) ...
#CONFIG_DRIVER_NL80211=y
Save and exit.
[esc] and [:wq!] and [enter]
$ apt-get install build-essential openssl libnl-utils libnl-3-dev libssl-dev
$ make eapol_test
$ cp eapol_test /usr/local/bin
You should now be able to run eapol_test command from anywhere …
$ eapol_test
usage:
eapol_test [-enWS] -c<conf> [-a<AS IP>] [-p<AS port>] [-s<AS secret>]\
[-r<count>] [-t<timeout>] [-C<Connect-Info>] \
[-M<client MAC address>] [-o<server cert file] \
[-N<attr spec>] [-R<PC/SC reader>] [-P<PC/SC PIN>] \
[-A<client IP>] [-i<ifname>] [-T<ctrl_iface>]
eapol_test scard
eapol_test sim <PIN> <num triplets> [debug]
options:
-c<conf> = configuration file
-a<AS IP> = IP address of the authentication server, default 127.0.0.1
-p<AS port> = UDP port of the authentication server, default 1812
-s<AS secret> = shared secret with the authentication server, default 'radius'
-A<client IP> = IP address of the client, default: select automatically
-r<count> = number of re-authentications
-e = Request EAP-Key-Name
-W = wait for a control interface monitor before starting
-S = save configuration after authentication
-n = no MPPE keys expected
-t<timeout> = sets timeout in seconds (default: 30 s)
-C<Connect-Info> = RADIUS Connect-Info (default: CONNECT 11Mbps 802.11b)
-M<client MAC address> = Set own MAC address (Calling-Station-Id,
default: 02:00:00:00:00:01)
-o<server cert file> = Write received server certificate
chain to the specified file
-N<attr spec> = send arbitrary attribute specified by:
attr_id:syntax:value or attr_id
attr_id - number id of the attribute
syntax - one of: s, d, x
s = string
d = integer
x = octet string
value - attribute value.
When only attr_id is specified, NULL will be used as value.
Multiple attributes can be specified by using the option several times.
Configuration file is required.
$ sudo su -
$ wget http://www.eduroam.cz/rad_eap_test/rad_eap_test-0.26.tar.bz2
$ tar -xvf rad_eap_test-0.26.tar.bz2
$ cd rad_eap_test-0.26
$ vi rad_eap_test
Set EAPOL_PROG to the eapol_test binary installed above (it is on the PATH, so the bare name is enough) ...
EAPOL_PROG=eapol_test
[esc] and [:wq!] and [enter]
$ cp rad_eap_test /usr/local/bin
You should now be able to run rad_eap_test command from anywhere …
$ rad_eap_test
# wrapper script around eapol_test from wpa_supplicant project
# script generates configuration for eapol_test and runs it
# eapol_test is program for testing RADIUS and their EAP methods authentication
Parameters :
-H <address> - Address of radius server
-P <port> - Port of radius server
-S <secret> - Secret for radius server communication
-u <username> - Username (user@realm)
-A <anonymous_id> - Anonymous identity (anonymous_user@realm)
-p <password> - Password
-t <timeout> - Timeout (default is 5 seconds)
-m <method> - Method (WPA-EAP | IEEE8021X )
-v - Verbose (prints decoded last Access-accept packet)
-c - Prints all packets decoded
-s <ssid> - SSID
-e <method> - EAP method (PEAP | TLS | TTLS | LEAP)
-M <mac_addr> - MAC address in xx:xx:xx:xx:xx:xx format
-i <connect_info> - Connection info (in radius log: connect from <connect_info>)
-d <directory> - status directory (unified identifier of packets)
-k <user_key_file> - user certificate key file
-l <user_key_file_password> - password for user certificate key file
-j <user_cert_file> - user certificate file
-a <ca_cert_file> - certificate of CA
-2 <phase2 method> - Phase2 type (PAP,CHAP,MSCHAPV2)
-x <subject_match> - Substring to be matched against the subject of the authentication server certificate.
-N - Identify and do not delete temporary files
-O <domain.edu.cctld> - Operator-Name value in domain name format
-I <ip address> - explicitly specify NAS-IP-Address
-C - request Chargeable-User-Identity
-h - show this message
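rad_eap_test works by writing a wpa_supplicant network block like the one below and handing it to eapol_test. The shell example that follows is added here and is not part of the workshop material, wpa_supplicant or rad_eap_test; it builds the same configuration by hand so that the server certificate is actually validated during the test: ca_cert pins the issuing CA and domain_suffix_match checks the name in the server certificate, which is what a correctly configured client does and what a bare rad_eap_test run without -a and -x does not. The CA file path, the server name radius.inst.ac.lk and the environment variable names are assumptions.

```sh
#!/bin/sh
# Added example: build an eapol_test configuration that validates the RADIUS
# server certificate, then run eapol_test with it. Not part of wpa_supplicant
# or rad_eap_test. Assumptions: /etc/freeradius/certs/ca.pem is the CA that
# signed the server certificate and radius.inst.ac.lk is its subject name.

# make_eapol_conf METHOD IDENTITY PASSWORD ANONYMOUS_ID CA_FILE SERVER_NAME
# Prints a wpa_supplicant-style network block for PEAP/MSCHAPv2 or TTLS/PAP.
make_eapol_conf() {
    mec_method=$1 mec_identity=$2 mec_password=$3 mec_anon=$4 mec_ca=$5 mec_server=$6
    case $mec_method in
        PEAP) mec_phase2='auth=MSCHAPV2' ;;
        TTLS) mec_phase2='auth=PAP' ;;
        *) echo "make_eapol_conf: unsupported method '$mec_method' (use PEAP or TTLS)" >&2; return 1 ;;
    esac
    cat <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=$mec_method
    anonymous_identity="$mec_anon"
    identity="$mec_identity"
    password="$mec_password"
    phase2="$mec_phase2"
    ca_cert="$mec_ca"
    domain_suffix_match="$mec_server"
}
EOF
}

# run_eapol_test METHOD IDENTITY PASSWORD [ANONYMOUS_ID]
# Writes the config to a temporary file, runs eapol_test against the server
# and saves the certificate chain the server presented (-o) so it can be
# inspected with: openssl x509 -in <chain> -noout -subject -issuer -dates
run_eapol_test() {
    ret_realm=${2#*@}
    ret_conf=$(mktemp) || return 1
    if ! make_eapol_conf "$1" "$2" "$3" "${4:-anonymous@$ret_realm}" \
            "${CA_FILE:-/etc/freeradius/certs/ca.pem}" \
            "${SERVER_NAME:-radius.inst.ac.lk}" >"$ret_conf"; then
        rm -f "$ret_conf"; return 1
    fi
    eapol_test -c "$ret_conf" -a "${RADIUS_HOST:-127.0.0.1}" -p 1812 \
        -s "${RADIUS_SECRET:-testing123}" -t 10 -o "$ret_conf.chain.pem" \
        >"$ret_conf.log" 2>&1
    ret_status=$?
    # eapol_test exits 0 on success (it also checks the MPPE keys unless -n is given)
    if [ $ret_status -eq 0 ]; then
        echo "accept: $2 via $1 (log: $ret_conf.log, chain: $ret_conf.chain.pem)"
    else
        echo "FAILED: $2 via $1, see $ret_conf.log"
    fi
    rm -f "$ret_conf"
    return $ret_status
}

# Example: run_eapol_test PEAP bob@inst.ac.lk hello
```

If the test fails only once ca_cert and domain_suffix_match are present, the server is presenting a certificate that real clients will also refuse, which is exactly the case a plain rad_eap_test run hides.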
Add the stanza below as /etc/freeradius/sites-available/eduroam.
Replace inst.ac.lk in Operator-Name with your own IRS realm, keeping the leading "1": it is the REALM namespace identifier from RFC 5580, not part of the realm.
(Reference: https://wiki.geant.org/display/H2eduroam/freeradius-sp and https://wiki.geant.org/display/H2eduroam/freeradius-idp and https://community.jisc.ac.uk/library/janet-services-documentation/advisory-injection-operator-name-attribute )
$ sudo su -
$ vi /etc/freeradius/sites-available/eduroam
server eduroam {
    authorize {
        filter_username
        # Inject Operator-Name only for requests from our own access points.
        # Requests that arrive via the FLR are for our roaming users and already
        # carry the visited SP's Operator-Name, which must not be overwritten.
        # The operator must be "&&": with "||" the condition is true for every client.
        if (("%{client:shortname}" != "FLR1") && ("%{client:shortname}" != "FLR2")) {
            update request {
                Operator-Name := "1inst.ac.lk"
                # the literal character "1" is the mandatory namespace prefix! Do not change it!
            }
        }
        cui
        auth_log    # logs incoming packets to the file system. Needed for an eduroam SP to fulfil logging requirements
        suffix      # splits off the eduroam-style realm after the @ symbol
        eap         # follows the configuration in /etc/freeradius/mods-available/eap
    }
    authenticate {
        eap
    }
    preacct {
        suffix
    }
    accounting {
    }
    post-auth {
        # if you want detailed logging
        reply_log
        linelog
        Post-Auth-Type REJECT {
            reply_log   # logs the reply packet after attribute filtering to the file system
            linelog
        }
    }
    pre-proxy {
        # if you want detailed logging
        cui
        pre_proxy_log   # logs the packet to the file system again; attributes added during inspection are now visible
        if ("%{Packet-Type}" != "Accounting-Request") {
            attr_filter.pre-proxy   # removes unnecessary attributes from the request before it is sent upstream
        }
    }
    post-proxy {
        # if you want detailed logging
        post_proxy_log   # logs the reply packet to the file system, as received from upstream
        attr_filter.post-proxy   # strips unwanted attributes off the reply before it goes back to the access points (VLAN attributes in particular)
    }
}
Add the below stanza into /etc/freeradius/sites-available/eduroam-inner-tunnel.
( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-idp )
$ vi /etc/freeradius/sites-available/eduroam-inner-tunnel
server eduroam-inner-tunnel {
    authorize {
        suffix
        auth_log
        eap
        files       # local users from /etc/freeradius/users
        #ldap
        mschap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        cui-inner
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
}
Enable the now available eduroam and eduroam-inner-tunnel sites by creating symbolic links in sites-enabled ...
$ cd /etc/freeradius/sites-enabled/
$ ln -s ../sites-available/eduroam eduroam
$ ln -s ../sites-available/eduroam-inner-tunnel eduroam-inner-tunnel
Restart the FreeRADIUS daemon to apply the eduroam configuration. It is good to do this every time after a major configuration change so we know what was last changed in case a problem arises.
$ service freeradius restart
The file /etc/freeradius/mods-available/eap (eap.conf in the 2.x series) defines how EAP authentication is executed.
The shipped configuration is not adequate for eduroam: among other methods it enables EAP-MD5 and LEAP, which are not acceptable eduroam EAP types.
Use the stanza below instead. It enables PEAP and TTLS, both of which hand the inner authentication to the eduroam-inner-tunnel virtual server. The certificate paths point at the self-signed test certificates that FreeRADIUS generates; replace them with your institution's server certificate, key and CA before clients are configured, since clients should be set up to trust exactly that CA and server name.
( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-idp )
$ cd /etc/freeradius
$ mv mods-available/eap mods-available/eap.orig
$ vi mods-available/eap
eap {
    default_eap_type = peap   # change to your organisation's preferred EAP type (tls, ttls, peap)
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # "whatever" is the passphrase of the test certificates FreeRADIUS generates
        # in ${confdir}/certs. Replace key, certificate and CA with your own and
        # keep the real passphrase out of world-readable files.
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"   # inner authentication is processed here
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    mschapv2 {
    }
}
In the base FreeRADIUS installation the attr_filter pre-proxy list drops Operator-Name and Calling-Station-Id from proxied requests.
eduroam requires both to reach the FLR (together with Chargeable-User-Identity), so replace /etc/freeradius/mods-config/attr_filter/pre-proxy with the list below. Everything not listed is still stripped, which is what you want: only the attributes needed for EAP and for eduroam logging should leave your site.
( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-sp )
$ cd /etc/freeradius
$ mv mods-config/attr_filter/pre-proxy mods-config/attr_filter/pre-proxy.orig
$ vi mods-config/attr_filter/pre-proxy
DEFAULT
    User-Name =* ANY,
    EAP-Message =* ANY,
    Message-Authenticator =* ANY,
    NAS-IP-Address =* ANY,
    NAS-Identifier =* ANY,
    State =* ANY,
    Proxy-State =* ANY,
    Calling-Station-Id =* ANY,
    Called-Station-Id =* ANY,
    Operator-Name =* ANY,
    Class =* ANY,
    Chargeable-User-Identity =* ANY
Restart the FreeRADIUS daemon to apply the change.
$ service freeradius restart
Set the key that the cui policy uses when it derives Chargeable-User-Identity values. A CUI is a hash of the user's identity and this key, so a guessable key would let anyone who sees a CUI test candidate user names against it. The shipped value is "changeme"; replace it with a long random secret and keep it private.
( Reference: https://community.jisc.ac.uk/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation )
$ vi /etc/freeradius/policy.d/cui
cui_hash_key = "[long random secret, not changeme]"
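Doing the replacement by hand invites typos and leaves no check that the default is really gone. The shell helper below is added for this page and is not part of FreeRADIUS; it reads the current key, refuses one that is still "changeme" or shorter than 32 characters, and rewrites the line with 64 random hex characters from /dev/urandom. It assumes the file contains a line of the form cui_hash_key = "..." as the 3.0 policy file does; the CUI_POLICY variable and function names are the example's own.

```sh
#!/bin/sh
# Added example: check and rotate cui_hash_key in /etc/freeradius/policy.d/cui.
# Not part of FreeRADIUS. Assumption: the file contains a line of the form
#   cui_hash_key = "..."
# as the 3.0 policy file shipped with FreeRADIUS does.

CUI_POLICY=${CUI_POLICY:-/etc/freeradius/policy.d/cui}

# current_cui_hash_key [FILE]: print the configured value (empty if missing).
current_cui_hash_key() {
    sed -n 's/^[[:space:]]*cui_hash_key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "${1:-$CUI_POLICY}"
}

# check_cui_hash_key [FILE]: succeed only if the key is present, is not the
# shipped default and is at least 32 characters long.
check_cui_hash_key() {
    cchk_key=$(current_cui_hash_key "${1:-$CUI_POLICY}")
    [ -n "$cchk_key" ] && [ "$cchk_key" != changeme ] && [ "${#cchk_key}" -ge 32 ]
}

# new_cui_hash_key: 32 random bytes from the kernel as 64 hex characters.
new_cui_hash_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# set_cui_hash_key [FILE] [KEY]: write KEY (default: a fresh random one) into
# FILE in place, keeping the file's mode and ownership.
set_cui_hash_key() {
    sck_file=${1:-$CUI_POLICY}
    sck_key=${2:-$(new_cui_hash_key)}
    # alphanumeric only, so the key is safe inside the quoted config value and the sed expression
    case $sck_key in *[!0-9A-Za-z]*) echo "set_cui_hash_key: key must be alphanumeric" >&2; return 1 ;; esac
    grep -q '^[[:space:]]*cui_hash_key[[:space:]]*=' "$sck_file" || {
        echo "set_cui_hash_key: no cui_hash_key line in $sck_file" >&2
        return 1
    }
    sck_tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*cui_hash_key[[:space:]]*=[[:space:]]*\).*/\1\"$sck_key\"/" "$sck_file" >"$sck_tmp" &&
        cat "$sck_tmp" >"$sck_file"
    sck_status=$?
    rm -f "$sck_tmp"
    return $sck_status
}

# Typical use:  set_cui_hash_key && check_cui_hash_key && service freeradius restart
```

Run check_cui_hash_key as a standing configuration test; it is cheap and catches a server that was reinstalled from package defaults.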
To allow the LEARN NRS (FLR) to send requests to your IRS, add it as a FreeRADIUS client.
Append the stanza below to the end of the file.
A second NRS/FLR is added as "client FLR2 {}". The shortnames must be exactly FLR1 and FLR2, because the eduroam virtual server checks them to decide whether to inject Operator-Name. The secrets come from your NRO and must match the home_server entries in proxy.conf.
$ vi /etc/freeradius/clients.conf
client FLR1 {
    ipaddr = 192.248.1.165
    secret = [secret of FLR]
    shortname = FLR1
    nas_type = other
    add_cui = yes
    virtual_server = eduroam
}
client FLR2 {
    ipaddr = 192.248.1.166
    secret = [secret of FLR]
    shortname = FLR2
    nas_type = other
    add_cui = yes
    virtual_server = eduroam
}
Configure the FLR servers with their secrets and your own realm in proxy.conf, so that requests for realms unknown to your institution are routed to the FLR while requests for your own realm are authenticated locally.
$ cd /etc/freeradius
$ mv proxy.conf proxy.conf.orig
$ vi proxy.conf
proxy server {
    default_fallback = no
}
# Add your country's FLR details. Check with the NRO for the secret to use;
# it is the same secret as in the matching client entry in clients.conf.
home_server FLR1 {
    ipaddr = 192.248.1.165
    port = 1812
    secret = [secret of FLR]
    status_check = status-server
}
home_server FLR2 {
    ipaddr = 192.248.1.166
    port = 1812
    secret = [secret of FLR]
    status_check = status-server
}
home_server_pool EDUROAM {
    type = fail-over
    home_server = FLR1
    home_server = FLR2
}
# Catch-all: every realm that is not listed explicitly is proxied to the FLR pool.
# nostrip keeps the full user@realm in User-Name, as eduroam requires.
realm "~.+$" {
    pool = EDUROAM
    nostrip
}
# Your IdP realm. No pool, so these requests are authenticated locally;
# an exact realm name is matched before the regular-expression realm above.
realm inst.ac.lk {
}
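What filter_username, suffix and these realm entries together do with an incoming User-Name is easy to get wrong, so here is an added shell example, written for this page and not FreeRADIUS code, that reproduces the decision: reject malformed names the way the filter_username policy does (whitespace, more than one @, double dots, a realm without a dot, a realm starting or ending with a dot), treat a name with no realm as local, authenticate the IdP realm locally, and proxy everything else to the FLR pool. LOCAL_REALM, the function name and the output strings are the example's own.

```sh
#!/bin/sh
# Added example: decide what the eduroam virtual server and proxy.conf do
# with a User-Name. Not FreeRADIUS code; it mirrors the checks of the
# filter_username policy and the realm matching of proxy.conf.
# Assumption: LOCAL_REALM is the IdP realm configured as "realm inst.ac.lk { }".

LOCAL_REALM=${LOCAL_REALM:-inst.ac.lk}

# route_user USER_NAME
# Prints "local", "proxy <realm>" or "reject: <reason>"; exit status 1 on reject.
route_user() {
    ru_name=$1
    case $ru_name in
        *[[:space:]]*) echo 'reject: whitespace in user name'; return 1 ;;
        *@*@*)         echo 'reject: more than one @'; return 1 ;;
        *..*)          echo 'reject: double dot'; return 1 ;;
        *@.*)          echo 'reject: realm starts with a dot'; return 1 ;;
        *.)            echo 'reject: realm ends with a dot'; return 1 ;;
        *@*.*)         ;;                       # user@realm with at least one dot in the realm
        *@*)           echo 'reject: realm without a dot'; return 1 ;;
        *)             echo local; return 0 ;;  # no realm: NULL realm, handled by this server
    esac
    # Realm names are matched case-insensitively, so compare in lower case.
    ru_realm=$(printf '%s' "${ru_name##*@}" | tr 'A-Z' 'a-z')
    if [ "$ru_realm" = "$LOCAL_REALM" ]; then
        echo local                 # exact realm match wins over the "~.+$" catch-all
    else
        echo "proxy $ru_realm"     # "~.+$" matches: sent to pool EDUROAM with User-Name intact (nostrip)
    fi
}

# Try it:
#   for n in bob@inst.ac.lk testme@learn.ac.lk 'bob@inst.ac.lk.' bob; do route_user "$n"; done
```

The rejects matter for the FLR as much as for you: each malformed name that is not stopped here becomes a request the national proxy has to handle and log.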
Restart the FreeRADIUS daemon to apply the eduroam configuration.
$ service freeradius restart
You can start FreeRADIUS in debugging mode in separate terminal to observe logs as you test ...
$ service freeradius stop
$ freeradius -X
To exit debugging mode, press Ctrl+C.
Authenticate a local user of the home institution (bob, defined in /etc/freeradius/users) ...
$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 -u bob@inst.ac.lk -p hello -m WPA-EAP -e PEAP
access-accept; 0
Remote authentication for other users within eduroam ...
$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 -u testme@learn.ac.lk -p Eduroam@LearnLanka -m WPA-EAP -e PEAP
access-accept; 3
$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 -u testuser@[another IdP realm] -p testuser123 -m WPA-EAP -e PEAP
access-accept; 0
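Three accepts say nothing about what the server refuses. The shell harness below is added for this page and is not part of rad_eap_test or the workshop material; it runs the cases above as a matrix with an expected outcome per line and adds negative cases: a wrong password and a malformed user name that must both be rejected, since an accept there is as much a misconfiguration as a refused valid user. RAD_EAP_TEST, RADIUS_HOST and RADIUS_SECRET default to the values used above and can be overridden; the test accounts are the page's own, while "wrongpassword" and the trailing-dot name are constructed.

```sh
#!/bin/sh
# Added example: run the authentication tests of this guide as a matrix with
# an expected outcome per case, including negative cases. Not part of
# rad_eap_test. Assumptions: the server and secret from this guide;
# "wrongpassword" and the name "bob@inst.ac.lk." are constructed test data.

RAD_EAP_TEST=${RAD_EAP_TEST:-rad_eap_test}
RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
RADIUS_SECRET=${RADIUS_SECRET:-testing123}

# auth_outcome METHOD PHASE2 USER PASSWORD
# Runs one rad_eap_test and prints accept, reject, timeout or error.
auth_outcome() {
    ao_realm=${3#*@}
    ao_out=$("$RAD_EAP_TEST" -H "$RADIUS_HOST" -P 1812 -S "$RADIUS_SECRET" \
        -m WPA-EAP -e "$1" -2 "$2" -A "anonymous@$ao_realm" -u "$3" -p "$4" -t 10 2>/dev/null) || true
    case $ao_out in
        access-accept*) echo accept ;;
        access-reject*) echo reject ;;
        timeout*)       echo timeout ;;
        *)              echo error ;;
    esac
}

# run_auth_matrix < cases
# Reads lines "EXPECT METHOD PHASE2 USER PASSWORD" (blank lines and # comments
# skipped), prints PASS/FAIL per case and returns the number of failures.
run_auth_matrix() {
    ram_fail=0
    while read -r ram_expect ram_method ram_phase2 ram_user ram_pass; do
        case $ram_expect in ''|'#'*) continue ;; esac
        ram_got=$(auth_outcome "$ram_method" "$ram_phase2" "$ram_user" "$ram_pass")
        if [ "$ram_got" = "$ram_expect" ]; then
            echo "PASS  $ram_user  $ram_method/$ram_phase2  -> $ram_got"
        else
            echo "FAIL  $ram_user  $ram_method/$ram_phase2  -> $ram_got (expected $ram_expect)"
            ram_fail=$((ram_fail + 1))
        fi
    done
    return $ram_fail
}

# The cases for this guide. Run with:  sh auth_matrix.sh --run
eduroam_auth_matrix() {
    run_auth_matrix <<'EOF'
# expect  method  phase2    user                  password
accept    PEAP    MSCHAPV2  bob@inst.ac.lk        hello
accept    TTLS    PAP       bob@inst.ac.lk        hello
reject    PEAP    MSCHAPV2  bob@inst.ac.lk        wrongpassword
reject    PEAP    MSCHAPV2  bob@inst.ac.lk.       hello
accept    PEAP    MSCHAPV2  testme@learn.ac.lk    Eduroam@LearnLanka
EOF
}

case ${1:-} in --run) eduroam_auth_matrix ;; esac
```

A timeout on the remote-realm case while the local cases pass points at the FLR entries in proxy.conf or at the shared secret; a reject on the remote case points at the FLR or the home IdP rather than at your server.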
If all tests above succeed, the eduroam configuration on FreeRADIUS is complete. The next step is to integrate with LDAP - http://www.learn.ac.lk/Idp.