Differences

This shows you the differences between two versions of the page.

--- siteadmin:basic_freeradius_orps_and_idp_configuration [2022/12/02 14:26] – admin
+++ siteadmin:basic_freeradius_orps_and_idp_configuration [2023/04/05 11:58] (current) – admin
@@ Line 1: / Line 1: @@
 ======IN PROGRESS======
+====Prerequesites====
+The winbind package must be installed and working.
 ===Changed files===
@@ Line 7: / Line 11: @@
   * sites-available/govroam
   * sites-available/govroam-inner-tunnel
+  * mods-available/eap
   * mods-available/govroam_logs
@@ Line 49: / Line 54: @@
 # Realms that don't match any other listed send to the pool of govroam servers
-realm "~^[^@.]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
+realm "~^[^@\. ]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
     auth_pool = govroam
     nostrip
@@ Line 94: / Line 99: @@
 </code>
-===sites-available->govroam:===
+===sites-available/govroam:===
 <code>
@@ Line 168: / Line 173: @@
 </code>
 And then create a symlink from sites-enabled/govroam to sites-available/govroam.
+===sites-available/govroam-inner-tunnel===
 <code>
@@ Line 188: / Line 195: @@
         authenticate {
-                 ntlm_auth
+                 ntlm_auth # Just for testing plain/non-EAP auth
                  files
                  Auth-Type PAP {
@@ Line 203: / Line 210: @@
                  reply_log
                  govroam_log
-                 f_ticks
                  Post-Auth-Type REJECT {
                          reply_log
                          govroam_log
-                         f_ticks
                  }
         }
@@ Line 214: / Line 219: @@
 And then create a symlink from sites-enabled/govroam-inner-tunnel to sites-available/govroam-inner-tunnel.
+===mods-available/eap===
+<code>
+eap {
+	default_eap_type = mschapv2
+	timer_expire     = 60
+	ignore_unknown_eap_types = no
+	cisco_accounting_username_bug = no
+	max_sessions = ${max_requests}
+	md5 {
+	}
+	tls-config tls-common {
+		# Generate and install a server cert and a CA ROOT.
+		private_key_password = whatever
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
+		dh_file = ${certdir}/dh
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		cipher_server_preference = no
+		ecdh_curve = "prime256v1"
+		cache {
+			enable = no
+			lifetime = 24 # hours
+		}
+		verify {
+		}
+		ocsp {
+			enable = no
+			override_cert_url = yes
+			url = "http://127.0.0.1/ocsp/"
+		}
+	}
+	tls {
+		tls = tls-common
+	}
+	# This is the config for PEAP/MSCHAPv2 i.e. username/password.
+	peap {
+		tls = tls-common
+		default_eap_type = mschapv2
+		copy_request_to_tunnel = no
+		use_tunneled_reply = no
+		virtual_server = "inner-tunnel" # Make sure that this points to the govroam inner tunnel
+	}
+	mschapv2 {
+	}
+}
+</code>
+And then create a symlink from mods-enabled/eap to mods-available/eap, if one doesn't already exist.
-===mods-available->govroam_logs:===
+===mods-available/govroam_logs:===
 <code>