Spacenet/FreeRADIUS configuration: Difference between revisions
Jump to navigation
Jump to search
(Initial configuration) |
(Fix IPv6 listening (and thus remote SpaceFed logins)) |
||
(One intermediate revision by the same user not shown) | |||
Line 59: | Line 59: | ||
- outer.conf # outer unencrypted tunnel, to determine where the request should be proxied towards | - outer.conf # outer unencrypted tunnel, to determine where the request should be proxied towards | ||
- inner.revspace.conf # inner encrypted tunnel, for authenticating RevSpace participants | - inner.revspace.conf # inner encrypted tunnel, for authenticating RevSpace participants | ||
Debugging: | |||
As we use TLS, the usual recommended way to run FreeRADIUS in debug mode (`freeradius -X`) will not work. | |||
TLS on FreeRADIUS requires threads, and `-X` is a shorthand for `-sfxx -l stdout`; `-s` disables threading. | |||
Instead, use `-fxx -l stdout` when debugging. | |||
</pre> | </pre> | ||
Line 390: | Line 395: | ||
# outer unencrypted server for PEAP/TTLS | # outer unencrypted server for PEAP/TTLS | ||
server default { | server default { | ||
# both listen blocks are needed for every server! | |||
# ipaddr = * is broken | |||
# radius (1812) | # radius (1812) | ||
listen { | listen { | ||
type = auth | type = auth | ||
ipv4addr = * | |||
port = 0 # use /etc/services | |||
virtual_server = "default" | |||
} | |||
listen { | |||
type = auth | |||
ipv6addr = :: | |||
port = 0 # use /etc/services | port = 0 # use /etc/services | ||
virtual_server = "default" | virtual_server = "default" | ||
Line 400: | Line 414: | ||
listen { | listen { | ||
type = acct | type = acct | ||
ipv4addr = * | |||
port = 0 # use /etc/services | |||
} | |||
listen { | |||
type = acct | |||
ipv6addr = :: | |||
port = 0 # use /etc/services | port = 0 # use /etc/services | ||
} | } | ||
Line 406: | Line 425: | ||
listen { | listen { | ||
type = auth+acct | type = auth+acct | ||
ipv4addr = * | |||
port = 2083 | |||
proto = tcp | |||
tls = ${tls} | |||
} | |||
listen { | |||
type = auth+acct | |||
ipv6addr = :: | |||
port = 2083 | port = 2083 | ||
proto = tcp | proto = tcp | ||
tls = ${tls} | tls = ${tls} | ||
} | } | ||
# auth flow: start | # auth flow: start |
Latest revision as of 20:53, 10 April 2024
The below configuration is used for SpaceNet at RevSpace, written for and tested with FreeRADIUS 3.2.1.
The paths are relative to the base configuration directory, e.g. /etc/freeradius/3.0
.
README
FreeRADIUS config - RevSpace edition Operating principle: We are federated with SpaceFED (https://spacefed.net/) to provide the 'spacenet' network. Our participants can authenticate at any spacenet-compatible access point with their RevSpace LDAP credentials, and participants from other hackerspaces can authenticate through their own hackerspace via our access points. Usernames are formatted like <username>@<hackerspace.nl>, and the domain part is used to proxy the authentication to the correct remote RADIUS server through SpaceFED. In order to prevent credential sniffing by the local RADIUS server, a tunnel from the client to the remote RADIUS server is setup by means of EAP-TTLS or PEAP, and an anonymous outer identity (usually anonymous@<domain>) is used instead to route the request. We have three scenarios: - RevSpace participant authenticates at RevSpace spacenet: User -(802.1X)----------------> Local client (access point) -(RADIUS: lan.conf)------> Local server (outer.conf) -(EAP-TTLS or PEAP)------> Local server (inner.revspace.conf) -(PAP or EAP-GTC)--------> LDAP - RevSpace participant authenticates at other location: User -(802.1X)----------------> External client (access point) -(RADIUS)----------------> External server -(RADIUS: spacefed.conf)-> Local server (outer.conf) -(EAP-TTLS or PEAP)------> Local server (inner.revspace.conf) -(PAP or EAP-GTC)--------> LDAP - Spacenet participant authenticates at RevSpace spacenet: User -(802.1X)----------------> Local client (access point) -(RADIUS: lan.conf)------> Local server (outer.conf) -(RADIUS: spacefed.conf)-> External server -(EAP-TTLS or PEAP)------> External server Authentication: While we could skip EAP-TTLS or PEAP for local-local authentication, this would make user configuration inconsistent between being at RevSpace and at other hackerspaces, defeating the point. Thus, we *always* use EAP-TTLS or PEAP as the outer authentication layer. Since we do not store LDAP passwords in plain text or a weak hash, we need to receive the plaintext password inside the encrypted TLS tunnel to compare it. This limits us to one of the following plaintext password mechanisms as the inner layer: - PAP - EAP-GTC Configuration structure: - radiusd.conf # main configuration file, generic settings and includes everything - modules.d/ # configuration for FreeRADIUS modules - realms.conf # ! realm /format/ configuration (user@realm) - eap.revspace.conf # ! EAP configuration (TLS certificates, mechanisms, ...) - ldap.revspace.conf # ! LDAP configuration (server, RADIUS server DN and password, filters, ...) - clients.d/ # configuration for RADIUS clients (entities like access points that talk to us to authenticate a user) - realms.d/ # configuration for RADIUS realms (the domain part, to figure out where to route authentication request) - default.conf # 'must-define' realms LOCAL and NULL - revspace.conf # realms we handle, mostly empty configuration blocks to imply local processing - spacefed.conf # fallback realm, with instructions to proxy to SpaceFED - servers.d/ # configuration for RADIUS servers (that listen on ports and process authentication requests) - outer.conf # outer unencrypted tunnel, to determine where the request should be proxied towards - inner.revspace.conf # inner encrypted tunnel, for authenticating RevSpace participants Debugging: As we use TLS, the usual recommended way to run FreeRADIUS in debug mode (`freeradius -X`) will not work. TLS on FreeRADIUS requires threads, and `-X` is a shorthand for `-sfxx -l stdout`; `-s` disables threading. Instead, use `-fxx -l stdout` when debugging.
radiusd.conf
# Paths prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var runstatedir = /run sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/freeradius libdir = ${exec_prefix}/lib/freeradius raddbdir = ${sysconfdir}/freeradius/3.0 radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} modconfdir = ${confdir}/modules.d certdir = ${confdir}/pki cadir = ${confdir}/pki run_dir = ${runstatedir}/${name} db_dir = ${raddbdir} checkrad = ${sbindir}/checkrad # Server pidfile = ${run_dir}/${name}.pid security { user = freerad group = freerad allow_core_dumps = no max_attributes = 200 # reject immediately (no security delay) reject_delay = 0 # respond to server status requests status_server = yes } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 # unlimited power... err, requests max_requests_per_server = 0 auto_limit_acct = no } tls { certificate_file = "${certdir}/server.pem" private_key_file = "${certdir}/server.key" tls_min_version = "1.0" tls_max_version = "1.3" cipher_list = "DEFAULT@SECLEVEL=0" random_file = "/dev/urandom" } # Requests max_request_time = 30 cleanup_delay = 5 max_requests = 16384 hostname_lookups = no # SPACENET: required! proxy_requests = yes # Logging log { destination = stderr colourise = yes # don't log secrets, even in debug mode suppress_secrets = yes ## please set the fields below to 'no' ## when not debugging! # log authentication stripped_names = yes auth = no auth_accept = no auth_reject = no # log password attempts auth_badpass = no auth_goodpass = no ## debug configuration for above #auth = yes #stripped_names = no #auth_accept = yes #auth_reject = yes #auth_badpass = yes #auth_goodpass = no } # Modules modules { $INCLUDE modules.d/ } # Policy policy { $INCLUDE policy.d/ } # Clients $INCLUDE clients.d/ # Realms $INCLUDE realms.d/ # Servers $INCLUDE servers.d/
modules.d/
eap.revspace.conf
eap eap.outer { default_eap_type = ttls timer_expire = 60 tls-config tls-config { certificate_file = ${tls.certificate_file} private_key_file = ${tls.private_key_file} tls_min_version = ${tls.tls_min_version} tls_max_version = ${tls.tls_max_version} cipher_list = ${tls.cipher_list} random_file = ${tls.random_file} } ttls { tls = tls-config virtual_server = server.inner-revspace default_eap_type = "gtc" } peap { tls = tls-config virtual_server = server.inner-revspace inner_eap_module = eap.inner-revspace default_eap_type = "gtc" } } eap eap.inner-revspace { default_eap_type = "gtc" timer_expire = 60 gtc { auth_type = "PAP" } }
ldap.revspace.conf
ldap ldap.revspace { server = "ldaps://ldap2.space.revspace.nl" identity = "cn=freeradius,ou=services,dc=space,dc=revspace,dc=nl" password = "<EXPUNGED>" base_dn = "dc=space,dc=revspace,dc=nl" user_dn = "RevSpace-LDAP-UserDn" tls { ca_path = "/etc/ssl/certs" } user { base_dn = "ou=people,dc=space,dc=revspace,dc=nl" scope = "one" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = "ou=groups,dc=space,dc=revspace,dc=nl" scope = "one" filter = "" membership_filter = "(member=%{control:${..user_dn}})" } options { dereference = "always" } update { control:Password-With-Header += 'userPassword' } post-auth { update {} } accounting {} }
realm.conf
# realm formats # 'user@realm' realm realm.email { format = suffix delimiter = "@" ignore_null = yes } # 'realm\user' realm realm.ntdomain { format = prefix delimiter = "\\" ignore_null = yes }
realms.d/
default.conf
# these entries are needed, but we don't do anything with them realm LOCAL { } realm NULL { }
revspace.conf
realm revspace.nl { # nothing here implies local handling }
spacefed.conf
home_server nlnode1.spacefed.net { type = auth+acct ipv6addr = <REDACTED> port = 1812 secret = "<EXPUNGED>" require_message_authenticator = yes response_window = 5 zombie_period = 60 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 coa { # initial retransmit interval (1..5) irt = 2 # maximum retransmit timeout (1..30, 0 == no maximum) mrt = 16 # maximum retransmit count (1..20, 0 == retransmit forever) mrc = 5 # maximum retransmit duration (5..60) mrd = 30 } } home_server_pool spacefed-pool { type = "client-balance" home_server = nlnode1.spacefed.net } realm DEFAULT { nostrip auth_pool = spacefed-pool }
clients.d/
localhost.conf
# for debugging client localhost { shortname = "localhost" ipaddr = 127.0.0.1 secret = "<EXPUNGED>" require_message_authenticator = no nas_type = "other" }
lan.conf
# Ethernet client lan.poeswitch { ipaddr = 10.42.42.12 secret = "<EXPUNGED>" shortname = "poeswitch" } # Wi-Fi client lan.foundrymc1000 { ipaddr = 10.42.62.1 secret = "<EXPUNGED>" shortname = "foundrymc1000" } client lan.aruba { ipaddr = 10.42.62.3 secret = "<EXPUNGED>" shortname = "aruba radius proxy ip" }
spacefed.conf
client spacefed.nlnode1v6 { ipaddr = <REDACTED> secret = "<EXPUNGED>" shortname = nlnode1v6 }
servers.d/
outer.conf
# outer unencrypted server for PEAP/TTLS server default { # both listen blocks are needed for every server! # ipaddr = * is broken # radius (1812) listen { type = auth ipv4addr = * port = 0 # use /etc/services virtual_server = "default" } listen { type = auth ipv6addr = :: port = 0 # use /etc/services virtual_server = "default" } # radius-acct (1813) listen { type = acct ipv4addr = * port = 0 # use /etc/services } listen { type = acct ipv6addr = :: port = 0 # use /etc/services } # radsec (2083) listen { type = auth+acct ipv4addr = * port = 2083 proto = tcp tls = ${tls} } listen { type = auth+acct ipv6addr = :: port = 2083 proto = tcp tls = ${tls} } # auth flow: start authorize { preprocess # this statement decides where the request should be proxied to, # through the `pre-proxy` & `post-proxy` flows, or if it should # be processed locally through the `authenticate` flow. realm.email if (!&Realm) { update reply { Reply-Message := "Please specify a realm to authenticate with." } reject } eap.outer } # auth flow: process local authenticate { eap.outer } # auth flow: process remote pre-proxy { # uncomment when we upgrade to FreeRADIUS 3.2.3/3.3+ #eap.outer } post-proxy { eap.outer } # auth flow: end post-auth { eap.outer } # acct flow: start preacct { preprocess acct_unique realm.email } # acct flow: local accounting { attr_filter.accounting_response } }
inner.revspace.conf
# inner encrypted server for EAP-TTLS/PEAP server server.inner-revspace { # for debug purposes #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} # auth flow: start authorize { # split and lookup user and password realm.email if (Realm != "revspace.nl") { reject } ldap.revspace # authentication methods eap.inner-revspace pap } # auth flow: process local authenticate { # lookup user and password ldap.revspace # authentication methods eap.inner-revspace Auth-Type PAP { pap } } # auth flow: end post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } ldap.revspace eap.inner-revspace } }