From: Wolfgang Schweer <wschweer@arcor.de>
To: debian-edu@lists.debian.org
Sent: Friday, 28 December 2012 11:08
Subject: Re: Radius, or rather how to manage certificates...
On Wed, Dec 26, 2012 at 11:16:17AM +0000, George wrote:
>
> I tried to find a better way to manage this, so I looked at
> freeradius. My idea is to let radius give access to users in our
> system, collected from tjener's ldap
> server.
>
> To not mess up tjener too much and to get everything regarding wifi
> on its own I installed a debian 6.06 vm, with radius and mysql (for
> accounting). Now, radius works with flatfile and mysql users, but I
> can't make it talk to tjener using TLS... The reason for the problem
> is not really radius or ldap, but how to get radius to connect using
> TLS. I set the access_attr = "uid", which means everyone with an
> account on our school will have access to login via radius
Although passwords are stored in LDAP on tjener, Kerberos has to be used
to access them.
So IMO you need a Kerberos principal for the service freeradius, the
package freeradius-krb5, and a freeradius configuration using krb5; the
package freeradius-ldap isn't necessary.
Below you can find (translated) instructions that I posted to the
German Skolelinux list a while ago.
Everything is done on tjener, though. This setup is supposed to work.
Wolfgang
-----------------------------------------------------------------------
Debian-Edu Squeeze: Wi-Fi (WPA2 Enterprise: EAP-TTLS-PAP)
-----------------------------------------------------------------------
All done as root@tjener.
1) Create Kerberos service principal for freeradius.
kadmin -p root/admin@INTERN
[Enter admin password]
At the kadmin prompt:
kadmin: ank -randkey radius/tjener@INTERN
kadmin: ktadd -k /etc/krb5.keytab.radius radius/tjener@INTERN
kadmin: q
Check keytab file permissions; should be 0600.
2) Install packages.
apt-get update
apt-get install freeradius-krb5
(Packages freeradius, freeradius-common and freeradius-utils should
be installed automatically this way.)
3) Modify six freeradius related files; below, almost all superfluous
lines are skipped.
1.
#/etc/freeradius/modules/krb5
krb5 {
    keytab = /etc/krb5.keytab.radius
    service_principal = radius/tjener
}
#
2.
#/etc/freeradius/eap.conf:
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        cache {
            enable = no
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
#
3.
#/etc/freeradius/users
#
# Example; alternative group control may be coded
# using the file ../sites-available/default.
#
#DEFAULT Group != "teachers", Auth-Type := Reject
#        Reply-Message = "Access forbidden."
DEFAULT Auth-Type = Kerberos
#
4.
#/etc/freeradius/clients.conf
# Client-IP (Access-Point or Concentrator), adapt secret and shortname.
client 10.0.2.3 {
    secret = pls_change
    shortname = this_too
}
#
5.
#/etc/freeradius/sites-available/default
authorize {
    #auth_log
    #preprocess
    eap {
        ok = return
    }
    files
}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
    eap
}
accounting {
    #detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
# Example access control, group related. If you want an additional
# access point related control, uncomment preprocess above, use settings
# in the freeradius huntgroups file, and Huntgroup-Name below.
post-auth {
    if ( Group == teachers ) {
        noop
    }
    elsif ( Group == wireless ) {
        noop
    }
    else {
        reject
    }
}
#
6.
#/etc/freeradius/sites-available/inner-tunnel
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type Kerberos {
            krb5
        }
    }
    session {
        radutmp
    }
}
4) Restart service.
invoke-rc.d freeradius restart
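As an added example that is not part of the original mail: a small pre-flight script for step 1 and step 3.4 above, checking that the keytab and TLS private key are not readable beyond their owner and that the sample `pls_change`/`this_too` values have been replaced in clients.conf. The paths are the ones used in the mail; the script name and the `--check` argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail: pre-flight checks for the
# secret-bearing files in the freeradius/Kerberos setup described above.
# Paths follow the mail; the placeholders are the ones in its clients.conf.

KEYTAB=/etc/krb5.keytab.radius
SERVER_KEY=/etc/freeradius/certs/server.key
CLIENTS=/etc/freeradius/clients.conf

# check_mode FILE ALLOWED: succeed only if FILE exists and its permission
# bits grant nothing beyond ALLOWED (octal, e.g. 600). Any extra group or
# world bit exposes the keytab or the TLS key to other local users.
# (The file must still be readable by the account freeradius runs as.)
check_mode() {
    file=$1; allowed=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c %a "$file")
    extra=$(( 0$mode & ~0$allowed & 0777 ))
    if [ "$extra" -ne 0 ]; then
        echo "too permissive: $file is $mode, want at most $allowed"
        return 1
    fi
}

# check_no_placeholder FILE: fail if a client stanza still carries the
# sample shared secret or shortname from the mail.
check_no_placeholder() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    if grep -Eq '^[[:space:]]*(secret|shortname)[[:space:]]*=[[:space:]]*(pls_change|this_too)([[:space:]]|$)' "$file"; then
        echo "placeholder secret/shortname still present in $file"
        return 1
    fi
}

run_checks() {
    rc=0
    check_mode "$KEYTAB" 600 || rc=1
    check_mode "$SERVER_KEY" 600 || rc=1
    check_mode "$CLIENTS" 640 || rc=1
    check_no_placeholder "$CLIENTS" || rc=1
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Run on tjener with: sh check_radius_secrets.sh --check
[ "${1:-}" = "--check" ] && run_checks
```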