

siteadmin:basic_freeradius_orps_and_idp_configuration

siteadmin:basic_freeradius_orps_and_idp_configuration [2022/12/02 14:13] adminsiteadmin:basic_freeradius_orps_and_idp_configuration [2023/04/05 11:58] (current) admin
Line 1: Line 1:
 ======IN PROGRESS====== ======IN PROGRESS======
 +
 +====Prerequesites====
 +
 +The winbind package must be installed and working. 
  
 ===Changed files=== ===Changed files===
Line 5: Line 9:
   * clients.conf   * clients.conf
   * proxy.conf   * proxy.conf
-  * sites-available -govroam +  * sites-available/govroam 
-  * mods-available -govroam_logs+  * sites-available/govroam-inner-tunnel 
 +  * mods-available/eap 
 +  * mods-available/govroam_logs
  
 Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems stating the RADIUS server. Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems stating the RADIUS server.
Line 48: Line 54:
  
 # Realms that don't match any other listed send to the pool of govroam servers # Realms that don't match any other listed send to the pool of govroam servers
-realm "~^[^@.]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {+realm "~^[^@\. ]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
     auth_pool = govroam     auth_pool = govroam
     nostrip     nostrip
Line 93: Line 99:
 </code> </code>
  
-===sites-available->govroam:===+===sites-available/govroam:===
  
 <code> <code>
Line 110: Line 116:
                 auth_log                 auth_log
                 suffix # Identifies the realm                 suffix # Identifies the realm
-                files +                files 
 +                cui 
 +                mschap # used for plain/non-eap ntlm_auth testing 
 +                eap { 
 +                        ok = return 
 +                }
  
         }         }
  
         authenticate {         authenticate {
 +                ntlm_auth
 +                Auth-Type MS-CHAP {
 +                        mschap
 +                }
 +                eap
         }         }
  
Line 134: Line 150:
  }  }
                 govroam_log                 govroam_log
 +                cui
                 Post-Auth-Type REJECT {                 Post-Auth-Type REJECT {
                         attr_filter.access_reject                         attr_filter.access_reject
Line 142: Line 159:
         pre-proxy {         pre-proxy {
                 pre_proxy_log                 pre_proxy_log
 +                cui
                 if("%{Packet-Type}" != "Accounting-Request") {                 if("%{Packet-Type}" != "Accounting-Request") {
                         attr_filter.pre-proxy                         attr_filter.pre-proxy
Line 156: Line 174:
 And then create a symlink from sites-enabled/govroam to sites-available/govroam. And then create a symlink from sites-enabled/govroam to sites-available/govroam.
  
-===mods-available->govroam_logs:===+===sites-available/govroam-inner-tunnel=== 
 + 
 +<code> 
 +server inner-tunnel { 
 +  
 +        authorize { 
 +                 preprocess 
 +                 auth_log 
 +                 suffix 
 +                 update control { 
 +                          Proxy-To-Realm := LOCAL 
 +                 } 
 +                 eap { 
 +                          ok = return 
 +                 } 
 +                 files 
 +          pap 
 +                 mschap 
 +        } 
 +   
 +        authenticate { 
 +                 ntlm_auth # Just for testing plain/non-EAP auth 
 +                 files 
 +                 Auth-Type PAP { 
 +                          pap 
 +                 } 
 +                 Auth-Type MS-CHAP { 
 +                          mschap 
 +                 } 
 +                 eap 
 +        } 
 +  
 +        post-auth { 
 +                 cui 
 +                 reply_log 
 +                 govroam_log 
 +                 Post-Auth-Type REJECT { 
 +                         reply_log 
 +                         govroam_log 
 +                 } 
 +        } 
 +
 +</code> 
 +And then create a symlink from sites-enabled/govroam-inner-tunnel to sites-available/govroam-inner-tunnel. 
 + 
 +===mods-available/eap=== 
 + 
 +<code> 
 +eap { 
 + default_eap_type = mschapv2 
 + timer_expire     = 60 
 + ignore_unknown_eap_types = no 
 + cisco_accounting_username_bug = no 
 + max_sessions = ${max_requests} 
 + 
 + md5 { 
 +
 + 
 + tls-config tls-common { 
 + # Generate and install a server cert and a CA ROOT. 
 + private_key_password = whatever 
 + private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key 
 + certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem 
 + ca_file = /etc/ssl/certs/ca-certificates.crt 
 + dh_file = ${certdir}/dh 
 + ca_path = ${cadir} 
 + cipher_list = "DEFAULT" 
 + cipher_server_preference = no 
 + ecdh_curve = "prime256v1" 
 + 
 + cache { 
 + enable = no 
 + lifetime = 24 # hours 
 +
 + 
 + verify { 
 +
 + 
 + ocsp { 
 + enable = no 
 + override_cert_url = yes 
 + url = "http://127.0.0.1/ocsp/" 
 +
 +
 + 
 + tls { 
 + tls = tls-common 
 + 
 +
 + 
 + # This is the config for PEAP/MSCHAPv2 i.e. username/password. 
 + peap {  
 + tls = tls-common 
 + default_eap_type = mschapv2 
 + copy_request_to_tunnel = no 
 + use_tunneled_reply = no 
 + virtual_server = "inner-tunnel" # Make sure that this points to the govroam inner tunnel 
 +
 + 
 + mschapv2 { 
 +
 + 
 +
 +</code> 
 +And then create a symlink from mods-enabled/eap to mods-available/eap, if one doesn't already exist. 
 + 
 +===mods-available/govroam_logs:===
  
 <code> <code>
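Review bot: The new mods-available/eap block ships the Debian placeholder key pair (`ssl-cert-snakeoil.key` / `ssl-cert-snakeoil.pem`) together with `private_key_password = whatever`, and the only hint that these must be replaced is the comment on the line above; for PEAP the server certificate is what lets supplicants distinguish this IdP from an impersonating RADIUS server, so the prose after the `</code>` block should state that an institution-owned or CA-issued certificate must be installed, that clients must be configured to validate it, and that the password must not be left at the literal. The same tls-config leaves the protocol version at the module default (`cipher_list = "DEFAULT"`, no minimum set); showing `tls_min_version = "1.2"` would be worthwhile. The `ntlm_auth` and `mschap` entries added to the outer `govroam` virtual server are flagged as test-only on the `mschap` line (`# used for plain/non-eap ntlm_auth testing`) but not on `ntlm_auth`, and the page should say to remove both once testing is done, since they let non-EAP MS-CHAP requests be authenticated outside the TLS tunnel on the proxy-facing server. Lastly, the `md5 {`, `cache {`, `verify {`, `ocsp {`, `tls {`, `peap {` and `mschapv2 {` sub-blocks appear with no closing braces in this view, which may be a rendering artefact but is worth checking before anyone copies the block.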
siteadmin/basic_freeradius_orps_and_idp_configuration.1669990400.txt.gz · Last modified: by admin