Freeradius

Introduction

Here you can find the basic configuration we tested to interconnect BELNET
to the Belgian eduroam federation using FreeRADIUS. FreeRADIUS is an open source
implementation of the RADIUS protocol. You can download it from the FreeRADIUS
project site.

How FreeRADIUS is installed depends on your OS, but the files that need to
be changed and configured are the following.

  • radiusd.conf: the main configuration file
  • clients.conf: the client devices (NAS) that are allowed to contact the RADIUS server, each with its shared secret
  • eap.conf: configuration file for the Extensible Authentication Protocol
  • proxy.conf: configuration file for proxying requests for realms (domains) other than yours


radiusd.conf

This file contains the main configuration and includes the other files, such as eap.conf and proxy.conf.
It is made up of many sections. We only show the subset needed for the eduroam setup; the shipped file itself is well documented.

The parts that need to be present are these:

....

# You need to enable this to be able to forward requests for users that belong
# to realms (domains) other than yours.

proxy_requests = yes

# The ${confdir} variable is set at the beginning of the file.
# The proxy.conf file describes what to do with requests for realms
# that are not yours.
$INCLUDE ${confdir}/proxy.conf

# Include the clients.conf file, which lists the devices (NAS) that are
# allowed to send requests to your RADIUS server.

$INCLUDE ${confdir}/clients.conf

....

# We now configure the modules section.
# The modules section tells FreeRADIUS which authentication, accounting and
# authorization mechanisms are available.

modules {

#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'.

# The most important module for eduroam is eap,
# so we include the file that configures the EAP module and its sub-types.

$INCLUDE ${confdir}/eap.conf
# If you want to use MS-CHAP as the inner authentication for EAP-TTLS and PEAP
# you need to load the mschap module.
mschap {
authtype = MS-CHAP
require_encryption = yes
require_strong = yes

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no

}

# You can base your authentication and authorization on LDAP.
# If you want to do this you need to add this section.
# Use TLS between your FreeRADIUS server and your LDAP server: without it,
# the bind credentials and the user lookups cross the network in clear text.

ldap {
server = "ldap.domain.tld"
basedn = "dc=domain,dc=tld"
# Define the LDAP search filter; it depends on your local LDAP schema.
# Stripped-User-Name is set by the realm module (the user part without the
# domain); if it is absent the xlat falls back to the full User-Name.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

# Fill in the two following fields if you do not want to use an anonymous bind.
# The bind password is stored here in clear text, so keep this file readable
# by the radiusd user only.

#identity = "cn=mycn,dc=domain,dc=tld"
#password = "mycleartextsecret"

# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# StartTLS upgrades a normal LDAP connection (port 389) to TLS; it is the
# alternative to using an ldaps:// connection on port 636.

start_tls = yes

# You have two ways to configure the TLS connection between your LDAP
# and RADIUS servers, depending on whether the LDAP server uses a
# self-signed certificate. With a self-signed certificate you can leave
# the tls_* fields below commented out and use tls_require_cert = "allow".
# Be aware of what "allow" means: the LDAP server's certificate is not
# verified, so the TLS session only stops passive sniffing; an attacker
# who can answer for ldap.domain.tld presents any certificate and sees
# the bind password and every lookup. The safer choice, even with a
# self-signed certificate, is to point tls_cacertfile at that certificate
# (or at the CA that signed it) and set tls_require_cert = "demand", which
# fails the connection when the certificate does not verify. Note that
# "demand", not "require", is the value the module accepts.

# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd

tls_require_cert = "allow"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
# You will need this file to define which LDAP attribute
# supplies the password as a reply item.
# It is best to use a different attribute than the userPassword
# attribute of the posixAccount class: MS-CHAP (and therefore
# EAP-TTLS or PEAP with MS-CHAPv2 inside) can only verify the client's
# response if the server holds the clear-text password or the NT hash,
# so a one-way hash stored in userPassword cannot be used for it.

dictionary_mapping = ${raddbdir}/ldap.attrmap
}

# Realm module, for proxying.
# You need this to tell the server how to split the user part from the
# domain (realm) part of the User-Name when a request comes in from a client.

# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.

# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

...
}

# We now detail the authorization section of the configuration file.

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server

authorize {

#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess

# This module takes care of EAP-MD5, EAP-TLS and EAP-LEAP authentication
# and, through its sub-modules, EAP-TTLS and PEAP; it is needed for eduroam.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set. List it here if you want to use LDAP
# as the backend.
ldap
}

# Authentication section
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#

authenticate {
#eap is needed for eduroam

eap

# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

# Add this block if you want to use LDAP for authentication. Auth-Type LDAP
# means the module binds to the directory with the user's password, which
# only works when the password arrives in clear text (PAP, e.g. as the inner
# method of EAP-TTLS). For MS-CHAPv2 the password has to be fetched from LDAP
# through the attribute mapping instead.

Auth-Type LDAP {
ldap
}
}

.....


proxy.conf

# proxy server section
# see freeradius files
....
#######################################################################
#
#  Configuration for the proxy realms.
#
#  The information given here is used in conjunction with the 'realms'
#  file.  This format is preferred, as it is more flexible.  The realms
#  listed here take priority over those listed in the 'realms' file.

#  A standard realm entry. A request from "user@company.com" will be
#  sent to radius.company.com as "user", unless the 'nostrip'
#  configuration item is specified.  If the 'nostrip' configuration
#  item is specified, then the request will be proxied as
#  "user@company.com"

# Handle all requests for our own domain locally.

realm mydomains.be {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	secret = mylocalsecret
}


# Forward all other requests to the Belgian eduroam RADIUS nodes.
# Two DEFAULT entries are listed, so the second server is used when the
# first one does not answer (fail-over). The most important item is
# nostrip, which tells the server NOT to remove the domain part: the
# federation server needs user@realm to route the request to the user's
# home institution.
# Do not use the round_robin ldflag in your config: an EAP conversation
# is a series of packets that must all reach the same home server, and
# round-robin spreads them over both, so EAP-TTLS fails.
realm DEFAULT {
		type = radius
		authhost = roaming1.belnet.be
		accthost = roaming1.belnet.be
		secret = follow procedure on www.eduroam.be to get it
		nostrip
}
realm DEFAULT {
		type = radius
		authhost = roaming2.belnet.be
		accthost = roaming2.belnet.be
		secret = follow procedure on www.eduroam.be to get it
		nostrip
}
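To see what the realm suffix instance from radiusd.conf and the realms in this proxy.conf do to a request, here is a small model of them. This is an added example, not FreeRADIUS code: it follows the lookup rules the comments above describe (split the User-Name at the last '@', look the realm up, fall back to DEFAULT unless ignore_default or ignore_null forbid it, strip the realm unless nostrip is set, and move on to the second DEFAULT entry when the first server is marked dead). The realm and host names are the ones from this page; the Realm class, the route() function and the dead-server set are assumptions of the example. The model also makes visible what ignore_null = no implies with these realms: a User-Name without any '@' falls through to DEFAULT and is sent to the federation server.

```python
from dataclasses import dataclass


@dataclass
class Realm:
    name: str        # realm name as written in proxy.conf
    authhost: str    # "LOCAL" or the home server host name
    nostrip: bool = False


# Constructed from the proxy.conf above: the local realm plus the two DEFAULT
# entries, which act as a fail-over list in file order.
REALMS = [
    Realm("mydomains.be", "LOCAL"),
    Realm("DEFAULT", "roaming1.belnet.be", nostrip=True),
    Realm("DEFAULT", "roaming2.belnet.be", nostrip=True),
]


def split_suffix(user_name, delimiter="@"):
    """Mimic 'realm suffix': what follows the LAST delimiter is the realm.

    Returns (user, realm); realm is None when there is no delimiter, which
    FreeRADIUS calls the NULL realm.
    """
    if delimiter not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition(delimiter)
    return user, realm


def find_realm(realm_name, ignore_default=False, ignore_null=False, dead=frozenset()):
    """Exact match first; otherwise the first live DEFAULT entry, unless told not to."""
    if realm_name is None:
        if ignore_null:
            return None
        realm_name = "NULL"          # a 'realm NULL { ... }' block would match here
    for realm in REALMS:
        if realm.name.lower() == realm_name.lower():
            return realm
    if ignore_default:
        return None
    for realm in REALMS:
        if realm.name == "DEFAULT" and realm.authhost not in dead:
            return realm
    return None


def route(user_name, dead=frozenset(), **realm_opts):
    """Where does an Access-Request go, and which User-Name does it carry?

    Returns (destination, name). 'LOCAL': handled by this server's own
    authenticate section, with the stripped name that the LDAP filter above
    picks up as %{Stripped-User-Name}. A host name: proxied to that home
    server. 'noop': no realm matched, the request continues locally as is.
    """
    user, realm_name = split_suffix(user_name)
    realm = find_realm(realm_name, dead=dead, **realm_opts)
    if realm is None:
        return "noop", user_name
    return realm.authhost, (user_name if realm.nostrip else user)


if __name__ == "__main__":
    for name in ("anonymous@mydomains.be", "alice@example.org", "bob"):
        print(f"{name:28} -> {route(name)}")
    print("roaming1 dead:", route("alice@example.org", dead={"roaming1.belnet.be"}))
```

Running it shows the three cases that matter for eduroam: the local realm is answered here with the stripped user name, a foreign realm is proxied unchanged because of nostrip, and a bare user name is proxied too; if you do not want the latter, set ignore_null = yes on the suffix instance or define a NULL realm.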


eap.conf

      eap {
                #  Invoke the default supported EAP type when
                #  EAP-Identity response is received.
                #
                #  The incoming EAP messages DO NOT specify which EAP
                #  type they will be using, so it MUST be set here.
                #
                #  For now, only one default EAP type may be used at a time.
                #
                #  If the EAP-Type attribute is set by another module,
                #  then that EAP type takes precedence over the
                #  default type configured here.
                #
                default_eap_type = ttls

                #  A list is maintained to correlate EAP-Response
                #  packets with EAP-Request packets.  After a
                #  configurable length of time, entries in the list
                #  expire, and are deleted.
                #
                timer_expire     = 60

                #  There are many EAP types, but the server has support
                #  for only a limited subset.  If the server receives
                #  a request for an EAP type it does not support, then
                #  it normally rejects the request.  By setting this
                #  configuration to "yes", you can tell the server to
                #  instead keep processing the request.  Another module
                #  MUST then be configured to proxy the request to
                #  another RADIUS server which supports that EAP type.
                #
                #  If another module is NOT configured to handle the
                #  request, then the request will still end up being
                #  rejected.
                ignore_unknown_eap_types = no

                # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
                # a User-Name attribute in an Access-Accept, it copies one
                # more byte than it should.
                #
                # We can work around it by configurably adding an extra
                # zero byte.
                cisco_accounting_username_bug = no

                # Supported EAP-types
                # LEAP is listed here for completeness only: it runs an
                # MS-CHAP style challenge/response without a TLS tunnel and
                # its exchange can be attacked offline with a dictionary.
                # eduroam uses EAP-TTLS or PEAP, so this block can be removed.
		leap {
		}

        ## EAP-TLS
        #
        #  To generate test certificates, run the script
        #
        #       ../scripts/certs.sh
        #
        #  The documents on http://www.freeradius.org/doc
        #  are old, but may be helpful.
        #
        #  See also:
        #
        #  http://www.dslreports.com/forum/remark,9286052~mode=flat
        #
        # You need to configure this section if you want to use TTLS
        # and/or PEAP: both run their inner authentication inside a TLS
        # tunnel that is set up with this server certificate. Make sure the
        # clients are configured to verify it (trusted CA plus the expected
        # server name); a client that skips this check will hand its inner
        # credentials to a rogue access point that brings its own RADIUS
        # server and certificate.
        tls {
                        # private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/server-cert.key

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = ${raddbdir}/certs/server-cert.crt

                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/my-ca.crt

                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
  
  
                       #  Check the Certificate Revocation List
                       
                       #  1) Copy CA certificates and CRLs to same directory.
                       #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                       #    'c_rehash' is OpenSSL's command.
                       #  3) Add 'CA_path=<CA certs&CRLs directory>'
                       #      to radiusd.conf's tls section.
                       #  4) uncomment the line below.
                       #  5) Restart radiusd
                       #       check_crl = yes

                       #
                       #  If check_cert_cn is set, the value will
                       #  be xlat'ed and checked against the CN
                       #  in the client certificate.  If the values
                       #  do not match, the certificate verification
                       #  will fail rejecting the user.
                       #
                       #       check_cert_cn = %{User-Name}
                }

      ttls {
                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.                                  
                        #  If the request does not contain an EAP
                        #  conversation, then this configuration entry
                        #  is ignored.

                        default_eap_type = md5

                }

      peap {
                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  PEAP tunnel, we recommend using MS-CHAPv2,
                        #  as that is the default type supported by
                        #  Windows clients.
                        #  This requires the mschapv2 EAP sub-module
                        #  (an 'mschapv2 { }' block in this eap section)
                        #  to be enabled as well.
                        default_eap_type = mschapv2
      }
}


clients.conf

In this file you list the devices (NAS, e.g. access points or controllers) that may send requests to your server, each with its shared secret. Requests from any other source address are ignored.

client 127.0.0.1 {
#
# The shared secret used to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more! RADIUS only hides
# User-Password with MD5(secret + authenticator) and authenticates
# replies with an MD5 over the packet plus the secret, so use a long,
# random string: anyone who captures one exchange can test candidate
# secrets offline.
#
# The secret can be any string, up to 31 characters in length.
#
secret = your_secret

#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = localhost

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types

#
nastype = other # localhost isn't usually a NAS...

#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
}

# Every NAS gets its own entry and its own secret. 'testing123' below is
# the example secret FreeRADIUS ships with; replace it before the server
# is reachable from the network.
client some.host.org {
secret = testing123
shortname = some.host.org
}
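The comment above says the secret is used to "encrypt" and "sign" packets. The following added example (not FreeRADIUS code; it implements the RFC 2865 and RFC 2869 computations directly with the Python standard library) shows what that means and why a guessable secret such as testing123 is dangerous: it hides a User-Password, computes and checks the Response Authenticator of an Access-Accept, computes and checks the Message-Authenticator that EAP requests must carry, and finally recovers a weak secret from one captured request/response pair with a short word list. The packets, user name, password and word list are constructed for the example; the function names are its own.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value (RFC 2865 s.5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def attributes(pkt):
    """Yield (type, value offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        yield attr_type, pos + 2, pkt[pos + 2:pos + length]
        pos += length


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(secret, request_auth, data, reverse=False):
    """RFC 2865 s.5.2: XOR 16-byte blocks with MD5(secret + previous cipher block).

    Forward: data is the clear password (NUL-padded to a multiple of 16).
    reverse=True: data is the hidden value and the clear password is returned.
    """
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reverse else block   # chain on the cipher block
    return out.rstrip(b"\x00") if reverse else out


def response_authenticator(secret, request_auth, code, ident, attrs):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet(code, ident, request_auth, attrs) + secret).digest()


def verify_response(secret, request_auth, response):
    """A NAS checks a reply this way; without the secret the check cannot pass."""
    expected = response_authenticator(secret, request_auth,
                                      response[0], response[1], [response[20:]])
    return hmac.compare_digest(expected, response[4:20])


def sign_message_authenticator(secret, pkt):
    """RFC 2869 s.5.14: HMAC-MD5 over the packet with the attribute value zeroed.

    The packet must already contain a 16-byte Message-Authenticator; RFC 3579
    requires it on every Access-Request that carries EAP-Message.
    """
    off = next(o for t, o, _ in attributes(pkt) if t == MESSAGE_AUTHENTICATOR)
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    return pkt[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + pkt[off + 16:]


def verify_message_authenticator(secret, pkt):
    return hmac.compare_digest(sign_message_authenticator(secret, pkt), pkt)


def guess_secret(request, response, wordlist):
    """Offline attack: one captured exchange lets anyone test candidate secrets."""
    return next((w for w in wordlist if verify_response(w, request[4:20], response)), None)


def exchange(secret, user=b"alice@mydomains.be", password=b"s3cret-pw", ident=7):
    """Constructed Access-Request / Access-Accept pair (sample data for this example)."""
    request_auth = os.urandom(16)
    request = sign_message_authenticator(secret, packet(
        ACCESS_REQUEST, ident, request_auth,
        [avp(USER_NAME, user),
         avp(USER_PASSWORD, hide_password(secret, request_auth, password)),
         avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]))
    reply_attrs = [avp(USER_NAME, user)]
    reply_auth = response_authenticator(secret, request_auth, ACCESS_ACCEPT, ident, reply_attrs)
    return request, packet(ACCESS_ACCEPT, ident, reply_auth, reply_attrs)


if __name__ == "__main__":
    req, resp = exchange(b"testing123")
    print("reply verifies with the right secret:", verify_response(b"testing123", req[4:20], resp))
    print("reply verifies with a wrong secret:  ", verify_response(b"wrong", req[4:20], resp))
    print("secret recovered from one capture:   ",
          guess_secret(req, resp, [b"radius", b"secret", b"testing123"]))
```

Note that nothing in the protocol limits how fast candidates can be tested: one captured Access-Request/Access-Accept pair is enough to run a word list against the secret offline, and once the secret is known the attacker can unhide every User-Password and forge Access-Accepts for that NAS. That is why the comment above insists on a long random secret per client.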