LEARN eduroam Workshop 6th May 2016

Base FreeRADIUS Installation

Useful EAP Tools for Authentication Testing Purposes

Install eapol_test

Install rad_eap_test

Configure FreeRADIUS for eduroam SP and IdP

Create a virtual server site for eduroam

Create a virtual server site for eduroam-inner-tunnel

Configure EAP authentication

Configure pre-proxy attributes

Change the cui_hash_key

Configure clients

Configure proxies

TEST TEST TEST

LEARN eduroam Workshop 6th May 2016

This is a guide to build an institutional FreeRADIUS eduroam service as SP and IdP.

Manual eduroam institutional RADIUS server setup involves ...

  1. Base FreeRADIUS installation.
  2. EAP tools installation.
  3. Add eduroam-specific configuration.
  4. TEST TEST TEST.

Base FreeRADIUS Installation

( Reference: http://wiki.eduroam.kr/display/XEAP/xeap+Home )

Change user to root ...

$ sudo su -

Add repository to notify latest version. It is ver 3.0 in this document.

Note: if you don't add repository, previous version (ver 2.x) can be installed.

$ add-apt-repository ppa:freeradius/stable-3.0

$ apt-get update

$ apt-get upgrade

Install the FreeRadius ...

$ apt-get install freeradius

Check that you have FreeRadius version 3.0 ...

$ freeradius -v

radiusd: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on Mar 15 2016 at 04:39:32

Check that the FreeRadius daemon is running ...

$ service freeradius status

 * freeradius is running

Other examples ...

$ service freeradius stop

 * Stopping FreeRADIUS daemon freeradius                                                            [ OK ]

$ service freeradius status

 * freeradius is not running

$ service freeradius start

 * Starting FreeRADIUS daemon freeradius                                                            [ OK ]

$ service freeradius restart

 * Checking FreeRADIUS daemon configuration...                                                                                     [ OK ]

 * Stopping FreeRADIUS daemon freeradius                                                                                           [ OK ]

 * Starting FreeRADIUS daemon freeradius                                                                                  

         [ OK ]

FreeRADIUS is now installed.

Next is to test that the base FreeRADIUS installation is working.

Configuration for this freeradius installation is in /etc/freeradius.

Add a user credential for testing ...

$ vi /etc/freeradius/users

Find bob which is commented out and uncomment it by deleting the '#' as shown ...

To search for bob, do "/bob" and [enter].

bob Cleartext-Password := "hello"

        Reply-Message := "Hello, %{User-Name}"

Restart the FreeRADIUS daemon ...

$ service freeradius restart

Do radtest. You can do local test with 'radtest' for the created user above. If the test is successful, you will receive Access-Accept.

$ radtest -t mschap -x bob hello 127.0.0.1:1812 10000 testing123

Sent Access-Request Id 155 from 0.0.0.0:40567 to 127.0.0.1:1812 length 144

        User-Name = "bob"

        MS-CHAP-Password = "hello"

        NAS-IP-Address = 202.158.223.157

        NAS-Port = 10000

        Message-Authenticator = 0x00

        Cleartext-Password = "hello"

        MS-CHAP-Challenge = 0xbcdf28e144c9439c

erMS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000061b7bdb4533a4e6eaafa18473a30e05ef5cf6d4180db6042

Received Access-Accept Id 155 from 127.0.0.1:1812 to 0.0.0.0:0 length 111

        Reply-Message = "Hello, bob"

        MS-CHAP-MPPE-Keys = 0x02146f9e3951fddf4c59384f3d4d2ad2f96b936e0dd123d1

        MS-MPPE-Encryption-Policy = Encryption-Allowed

        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

$ radtest

Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]

        -d RADIUS_DIR       Set radius directory

        -t <type>           Set authentication method

                            type can be pap, chap, mschap, or eap-md5

        -P protocol         Select udp (default) or tcp

        -x                  Enable debug output

        -4                  Use IPv4 for the NAS address (default)

        -6                  Use IPv6 for the NAS address

You can start FreeRADIUS in debugging mode in separate terminal to observe logs as you test ...

$ service freeradius stop

$ freeradius -X

To exit debugging mode, press 'Ctrl + c' button.

THIS COMPLETES the BASE FreeRADIUS installation.


Useful EAP Tools for Authentication Testing Purposes

To do testing with EAP, you need the wpa_supplicant package, which comes with eapol_test.

The rad_eap_test script is a eapol_test wrapper to make using eapol_test easy.

( Reference: http://confluence.diamond.ac.uk/display/PAAUTH/Building+eapol_test+in+wpa_supplicant )

Install eapol_test

$ sudo su -

$ wget http://w1.fi/releases/wpa_supplicant-2.5.tar.gz

$ tar -xvf wpa_supplicant-2.5.tar.gz

$ cd wpa_supplicant-2.5/wpa_supplicant

$ cp defconfig .config

$ vi .config

Uncomment ...

CONFIG_EAPOL_TEST=y

Comment out (required for Ubuntu 16.04) ...

#CONFIG_DRIVER_NL80211=y

Save and exit.

[esc] and [:wq!] and [enter]

$ apt-get install build-essential openssl libnl-utils libnl-3-dev libssl-dev

$ make eapol_test

$ cp eapol_test /usr/local/bin

You should now be able to run eapol_test command from anywhere …

$ eapol_test

usage:

eapol_test [-enWS] -c<conf> [-a<AS IP>] [-p<AS port>] [-s<AS secret>]\

           [-r<count>] [-t<timeout>] [-C<Connect-Info>] \

           [-M<client MAC address>] [-o<server cert file] \

           [-N<attr spec>] [-R<PC/SC reader>] [-P<PC/SC PIN>] \

           [-A<client IP>] [-i<ifname>] [-T<ctrl_iface>]

eapol_test scard

eapol_test sim <PIN> <num triplets> [debug]

options:

  -c<conf> = configuration file

  -a<AS IP> = IP address of the authentication server, default 127.0.0.1

  -p<AS port> = UDP port of the authentication server, default 1812

  -s<AS secret> = shared secret with the authentication server, default 'radius'

  -A<client IP> = IP address of the client, default: select automatically

  -r<count> = number of re-authentications

  -e = Request EAP-Key-Name

  -W = wait for a control interface monitor before starting

  -S = save configuration after authentication

  -n = no MPPE keys expected

  -t<timeout> = sets timeout in seconds (default: 30 s)

  -C<Connect-Info> = RADIUS Connect-Info (default: CONNECT 11Mbps 802.11b)

  -M<client MAC address> = Set own MAC address (Calling-Station-Id,

                           default: 02:00:00:00:00:01)

  -o<server cert file> = Write received server certificate

                         chain to the specified file

  -N<attr spec> = send arbitrary attribute specified by:

                  attr_id:syntax:value or attr_id

                  attr_id - number id of the attribute

                  syntax - one of: s, d, x

                     s = string

                     d = integer

                     x = octet string

                  value - attribute value.

       When only attr_id is specified, NULL will be used as value.

       Multiple attributes can be specified by using the option several times.

Configuration file is required.

Install rad_eap_test

$ sudo su -

$ wget http://www.eduroam.cz/rad_eap_test/rad_eap_test-0.26.tar.bz2

$ tar -xvf rad_eap_test-0.26.tar.bz2

$ cd rad_eap_test-0.26

$ vi rad_eap_test

# Update the path to eapol test

EAPOL_PROG=eapol_test

[esc] and [:wq!] and [enter]

$ cp rad_eap_test /usr/local/bin

You should now be able to run rad_eap_test command from anywhere …

$ rad_eap_test

# wrapper script around eapol_test from wpa_supplicant project

# script generates configuration for eapol_test and runs it

# eapol_test is program for testing RADIUS and their EAP methods authentication

Parameters :

-H <address> - Address of radius server

-P <port> - Port of radius server

-S <secret> - Secret for radius server communication

-u <username> - Username (user@realm)

-A <anonymous_id> - Anonymous identity (anonymous_user@realm)

-p <password> - Password

-t <timeout> - Timeout (default is 5 seconds)

-m <method> - Method (WPA-EAP | IEEE8021X )

-v - Verbose (prints decoded last Access-accept packet)

-c - Prints all packets decoded

-s <ssid> - SSID

-e <method> - EAP method (PEAP | TLS | TTLS | LEAP)

-M <mac_addr> - MAC address in xx:xx:xx:xx:xx:xx format

-i <connect_info> - Connection info (in radius log: connect from <connect_info>)

-d <directory> - status directory (unified identifier of packets)

-k <user_key_file> - user certificate key file

-l <user_key_file_password> - password for user certificate key file

-j <user_cert_file> - user certificate file

-a <ca_cert_file> - certificate of CA

-2 <phase2 method> - Phase2 type (PAP,CHAP,MSCHAPV2)

-x <subject_match> - Substring to be matched against the subject of the authentication server certificate.

-N - Identify and do not delete temporary files

-O <domain.edu.cctld> - Operator-Name value in domain name format

-I <ip address> - explicitly specify NAS-IP-Address

-C - request Chargeable-User-Identity

-h - show this message


Configure FreeRADIUS for eduroam SP and IdP

Create a virtual server site for eduroam

Add the below stanza into /etc/freeradius/sites-available/eduroam.

Make sure to insert your IRS realm (e.g. inst.ac.lk) in Operator-Name.

(Reference: https://wiki.geant.org/display/H2eduroam/freeradius-sp and https://wiki.geant.org/display/H2eduroam/freeradius-idp and https://community.jisc.ac.uk/library/janet-services-documentation/advisory-injection-operator-name-attribute )

$ sudo su -

$ vi /etc/freeradius/sites-available/eduroam

server eduroam {

               

        authorize {

                filter_username

                if (("%{client:shortname}" != "FLR1")||("%{client:shortname}" != "FLR2")) {

                   update request {

                           Operator-Name := "1inst.ac.lk"

                            # the literal number "1" above is an important prefix! Do not change it!

                   }

                }

                cui

                auth_log    # logs incoming packets to the file system. Needed for eduroam SP to fulfil logging requirements              

                suffix      # inspects packets to find eduroam style realm which is separated by the @ symbol

                eap         # follows the configuration from /etc/raddb/mods-available/eap

            }

               

        authenticate {

               eap

        }

               

        preacct {

                suffix

        }

       

        accounting {

        }

               

        post-auth {

                # if you want detailed logging

                reply_log

                linelog

                Post-Auth-Type REJECT {

                        reply_log   # logs the reply packet after attribute filtering to the file system

                        linelog

                }

        }

               

        pre-proxy {

                # if you want detailed logging

                cui

                pre_proxy_log           # logs the packet to the file system again. Attributes that have been added on during inspection are now visible

                if("%{Packet-Type}" != "Accounting-Request") {

                        attr_filter.pre-proxy   # removes unnecessary attributes off of the request before sending the request upstream

                }

        }

        post-proxy {

                # if you want detailed logging

                post_proxy_log              # logs the rply packet to the file system - as received by upstream

                attr_filter.post-proxy      # strips unwanted attributes off of the reply, prior to sending it back to the Access Points (VLAN attributes in particular)

        }

}

Create a virtual server site for eduroam-inner-tunnel

Add the below stanza into /etc/freeradius/sites-available/eduroam-inner-tunnel.

( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-idp )

$ vi /etc/freeradius/sites-available/eduroam-inner-tunnel

server eduroam-inner-tunnel {

 

        authorize {

            suffix

                auth_log

                eap

                files

                #ldap

                mschap

                pap

        }      

               

        authenticate {

                Auth-Type PAP {

                        pap

                }

                Auth-Type MS-CHAP {

                        mschap

                }

                eap

        }              

               

        post-auth {

                cui-inner

                reply_log

                Post-Auth-Type REJECT {

                        reply_log

                }

        }      

                       

}              

       

Enable the now available eduroam and eduroam-inner-tunnel sites by creating symbolic links in sites-enabled ...

$ cd /etc/freeradius/sites-enabled/

$ ln -s ../sites-available/eduroam eduroam

$ ln -s ../sites-available/eduroam-inner-tunnel eduroam-inner-tunnel

Restart the FreeRADIUS daemon to apply the eduroam configuration. It is good to do this every time after a major configuration change so we know what was last changed in case a problem arises.

$ service freeradius restart

Configure EAP authentication

The file /etc/freeradius/eap.conf defines how EAP authentication is to be executed.

The shipped configuration file is not adequate for eduroam use; it enabled EAP-MD5 and LEAP, which are not suitable as eduroam EAP types.

Use the below stanza for eap configuration. It enables PEAP and TTLS.

( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-idp )

$ cd /etc/freeradius

$ mv mods-available/eap mods-available/eap.orig

$ vi mods-available/eap

eap {

                default_eap_type = peap     # change to your organisation's preferred eap type (tls, ttls, peap, mschapv2)

                timer_expire     = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

               

                tls {

                        certdir = ${confdir}/certs

                        cadir = ${confdir}/certs

                        private_key_password = whatever

                        private_key_file = ${certdir}/server.key

                        certificate_file = ${certdir}/server.pem

                        ca_file = ${cadir}/ca.pem

                        dh_file = ${certdir}/dh

                        random_file = /dev/urandom

                        fragment_size = 1024

                        include_length = yes

                        check_crl = no

                        cipher_list = "DEFAULT"

                }      

                       

                ttls {  

                        default_eap_type = mschapv2

                        copy_request_to_tunnel = yes

                        use_tunneled_reply = yes

                        virtual_server = "eduroam-inner-tunnel"

                }      

                       

                peap {

                        default_eap_type = mschapv2

                        copy_request_to_tunnel = yes

                        use_tunneled_reply = yes

                        virtual_server = "eduroam-inner-tunnel"

                }

                mschapv2 {

                }

        }

Configure pre-proxy attributes

By default Operator-Name and Calling-Station-Id are stripped from the proxied request in the base FreeRADIUS installation.

In order for them not to be removed (as required for eduroam), add the attributes to /etc/freeradius/mods-config/attr_filter/pre-proxy.

( Reference: https://wiki.geant.org/display/H2eduroam/freeradius-sp  )

$ cd /etc/freeradius

$ mv mods-config/attr_filter/pre-proxy mods-config/attr_filter/pre-proxy.orig

$ vi mods-config/attr_filter/pre-proxy

DEFAULT

        User-Name =* ANY,

        EAP-Message =* ANY,

        Message-Authenticator =* ANY,

        NAS-IP-Address =* ANY,

        NAS-Identifier =* ANY,

        State =* ANY,

        Proxy-State =* ANY,

        Calling-Station-Id =* ANY,

        Called-Station-Id =* ANY,

        Operator-Name =* ANY,

        Class =* ANY,

        Chargeable-User-Identity =* ANY

Restart the FreeRADIUS daemon to apply the eduroam configuration. It is good to do this every time after a major configuration change so we know what was last changed in case a problem arises.

$ service freeradius restart

Change the cui_hash_key

( Reference: https://community.jisc.ac.uk/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation )

$ vi /etc/freeradius/policy.d/cui

cui_hash_key = “changeme

Configure clients

To allow LEARN NRS (or FLR) to access your IRS, add it as a client of FreeRADIUS.

At end of the file, add the below stanza to allow LEARN NRS access to your IRS.

If there is a second NRS/FLR, you can call it "client FLR2 {}" but the shortname must be called FLR2 because it is referenced in virtual_server eduroam configuration. You will get the secret from your NRO.

$ vi /etc/freeradius/clients.conf

client FLR1 {

        ipaddr          = 192.248.1.165

        secret          = [secret of FLR]

        shortname       = FLR1

        nas_type        = other

        add_cui         = yes

        virtual_server  = eduroam

}      

client FLR2 {

        ipaddr          = 192.248.1.166

        secret          = [secret of FLR]

        shortname       = FLR2

        nas_type        = other

        add_cui        = yes

       virtual_server  = eduroam

}      

Configure proxies

Configure your eduroam FLR servers with their corresponding secrets and your eduroam realm settings in proxy.conf to route requests to appropriate destinations for realms (domains) unknown to your institution.

$ cd /etc/freeradius

$ mv proxy.conf proxy.conf.orig

$ vi proxy.conf

proxy server {

        default_fallback        = no

}

# Add your country's FLR details.                            

# Check with NRO for secret to use.

home_server FLR1 {              

        ipaddr                  = 192.248.1.165

        port                    = 1812

        secret                  = [secret of FLR]

        status_check            = status-server

}        

home_server FLR2 {

        ipaddr                  = 192.248.1.166

        port                    = 1812

        secret                  = [secret of FLR]

        status_check            = status-server

}

home_server_pool EDUROAM {

        type                    = fail-over

        home_server             = FLR1

        home_server            = FLR2

}

realm "~.+$" {

        pool                    = EDUROAM

        nostrip                

}      

# Your IdP realm

realm inst.ac.lk {

}      

Restart the FreeRADIUS daemon to apply the eduroam configuration.

$ service freeradius restart


TEST TEST TEST

You can start FreeRADIUS in debugging mode in separate terminal to observe logs as you test ...

$ service freeradius stop

$ freeradius -X

To exit debugging mode, press 'Ctrl + c' buttons.

Authenticate a local user within home institution ...

$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123  -u bob@inst.ac.lk -p hello -m WPA-EAP -e PEAP

access-accept; 0

Remote authentication for other users within eduroam  ...

$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123  -u testme@learn.ac.lk -p Eduroam@LearnLanka -m WPA-EAP -e PEAP

access-accept; 3

$ rad_eap_test -H 127.0.0.1 -P 1812 -S testing123  -u testuser@[another IdP realm] -p testuser123 -m WPA-EAP -e PEAP

access-accept; 0

If all tests above are successful, you have now completed the eduroam configuration on FreeRADIUS. The next step is to integrate with a LDAP - http://www.learn.ac.lk/Idp.

paul.hii@aarnet.edu.au