
Re: Radius, or rather how to manage certificates...



Hi,

Thanks,
Very good guide. Tried it, but now I'm a bit stuck on testing..

I downloaded the JRadius-simulator (Java tool) to test access to the server, I tried logging in via EAP-TLS and EAP-MD5, however I get denied access. I didn't put any restriction on groups or users.
Are there any good ways of verifying the setup?

Another question I tried to google: how do you set or know the radius internal "port" number of the NAS? For ex.
radtest username password 127.0.01 100 sharedkey
where "100" is the port number. I see it sometimes (on Google and in manuals) set to 0 and other numbers, but how do you set that? Or know what it is? I have tried 0 and 100 but no big difference in the output actually..
The only NAS that is started in clients.conf is the default test NAS for localhost, with default settings.

Regards  /George



From: Wolfgang Schweer <wschweer@arcor.de>
To: debian-edu@lists.debian.org
Sent: Friday, 28 December 2012 11:08
Subject: Re: Radius, or rather how to manage certificates...

On Wed, Dec 26, 2012 at 11:16:17AM +0000, George wrote:
>
> I tried to find a better way to manage this, so I looked at
> freeradius. My idea is to let radius give access to users in our
> system, collected from tjeners ldap server.
>
> To not mess up tjener too much and to get everything regarding wifi
> on its own I installed a debian 6.06 vm, with radius and mysql (for
> accounting). Now, radius works with flatfile and mysql users, but I
> can't make it talk to tjener using TLS... The reason of the problem
> is not really radius or ldap, but how to get radius to connect using
> TLS. I set the access_attr = "uid", which means everyone with an
> account on our school will have access to login via radius

Although passwords are stored in LDAP on tjener, Kerberos has to be used
to access them.

So IMO you need a Kerberos principal for the service freeradius, the
package freeradius-krb5, and a freeradius configuration using krb5; the
package freeradius-ldap isn't necessary.

Below you can find (translated) instructions that I've posted to the
German Skolelinux list a while ago. Everything is done on tjener,
though. This setup is supposed to work.

Wolfgang

-----------------------------------------------------------------------
Debian-Edu Squeeze: Wi-Fi (WPA2 Enterprise: EAP-TTLS-PAP)
-----------------------------------------------------------------------

All done as root@tjener.


1) Create Kerberos service principal for freeradius.

kadmin -p root/admin@INTERN
[Enter admin password]

At the kadmin prompt:
kadmin: ank -randkey radius/tjener@INTERN
kadmin: ktadd -k /etc/krb5.keytab.radius radius/tjener@INTERN
kadmin: q

Check the keytab file permissions; they should be 0600.


2) Install packages.

apt-get update
apt-get install freeradius-krb5

(Packages freeradius, freeradius-common and freeradius-utils should
be installed automatically this way.)


3) Modify six freeradius related files; below, almost all superfluous
lines are skipped.

1.
#/etc/freeradius/modules/krb5
krb5 {
    keytab = /etc/krb5.keytab.radius
    service_principal = radius/tjener
}
#

2.
#/etc/freeradius/eap.conf:
    eap {
        default_eap_type = ttls
        timer_expire    = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            CA_path = ${cadir}
            cipher_list = "DEFAULT"
            cache {
                  enable = no
            }
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            virtual_server = "inner-tunnel"
        }
    }
#

3.
#/etc/freeradius/users
#
# Example; alternative group control may be coded
# using the file ../sites-available/default.
#
#DEFAULT    Group != "teachers", Auth-Type := Reject
#        Reply-Message = "Access forbidden."

DEFAULT Auth-Type = Kerberos
#

4.
#/etc/freeradius/clients.conf
# Client-IP (Access-Point or Concentrator), adapt secret and shortname.
client 10.0.2.3 {
    secret        = pls_change
    shortname    = this_too
}
#

5.
#/etc/freeradius/sites-available/default
authorize {
    #auth_log
    #preprocess
    eap {
        ok = return
    }
    files
}

authenticate {
    Auth-Type Kerberos {
        krb5
    }
    eap
}

accounting {
    #detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}

session {
    radutmp
}

# Example access control, group related. If you want an additional
# access point related control, uncomment preprocess above, use settings
# in the freeradius huntgroups file, and Huntgroup-Name below.
post-auth {
    if ( Group == teachers ) {
        noop
    }
    elsif ( Group == wireless ) {
        noop
    }
    else {
        reject
    }
}
#

6.

#/etc/freeradius/sites-available/inner-tunnel
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
authorize {
    eap {
        ok = return
    }
    files
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type Kerberos {
        krb5
    }
}

session {
    radutmp
}

}

4) Restart service.

invoke-rc.d freeradius restart
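A check script for the setup above, which also covers the question at the top of the thread about how to verify it; this is an added example, not code from either post. It assumes the keytab path and principal from step 1 and the stock localhost client with secret "testing123" from Debian's clients.conf (override via environment variables); the radtest NAS-port argument is only the NAS-Port attribute value sent in the Access-Request, so 0 is fine.

```sh
#!/bin/sh
# Added verification script for the tjener/freeradius setup; not part of
# the original posts. Assumed defaults: keytab and principal from step 1,
# RADIUS secret "testing123" of the stock localhost client in clients.conf.
KEYTAB=${KEYTAB:-/etc/krb5.keytab.radius}
PRINCIPAL=${PRINCIPAL:-radius/tjener@INTERN}
RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
SECRET=${SECRET:-testing123}

# 0 if the file's permission bits are exactly 0600 (step 1), else 1.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# 0 if the "klist -k" listing read from stdin contains principal $1
# (klist -k prints one "KVNO Principal" line per key).
listing_has_principal() {
    grep -q "[[:space:]]$1\$"
}

# Classify radtest output given as $1: prints accept, reject or noreply.
radtest_result() {
    case $1 in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo noreply ;;
    esac
}

main() {
    rc=0
    keytab_mode_ok "$KEYTAB" || { echo "FAIL: $KEYTAB is not mode 0600"; rc=1; }
    klist -k "$KEYTAB" | listing_has_principal "$PRINCIPAL" \
        || { echo "FAIL: $PRINCIPAL not in $KEYTAB"; rc=1; }
    # Getting a ticket from the keytab proves the service key is usable.
    kinit -kt "$KEYTAB" -c /tmp/radius-check.cc "$PRINCIPAL" \
        && kdestroy -c /tmp/radius-check.cc || { echo "FAIL: kinit with keytab"; rc=1; }
    # radtest args: user password server nas-port secret; the NAS port is
    # just the NAS-Port attribute value in the Access-Request, so 0 is fine.
    out=$(radtest "$1" "$2" "$RADIUS_HOST" 0 "$SECRET" 2>&1)
    case $(radtest_result "$out") in
        accept)  echo "OK: Access-Accept for $1" ;;
        reject)  echo "FAIL: Access-Reject for $1 (freeradius -X shows why)"; rc=1 ;;
        noreply) echo "FAIL: no reply (server down or client not in clients.conf)"; rc=1 ;;
    esac
    return $rc
}

# Usage: ./check-radius.sh <user> <password>
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as root on tjener with a real user's credentials; a PAP Access-Accept here confirms the krb5 module and the keytab before any EAP-TTLS client is involved.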