Differences

This shows you the differences between two versions of the page.

--- siteadmin:basic_freeradius_orps_and_idp_configuration [2022/12/02 14:20] – admin
+++ siteadmin:basic_freeradius_orps_and_idp_configuration [2023/04/05 11:58] (current) – admin
@@ Line 1: / Line 1: @@
 ======IN PROGRESS======
+====Prerequesites====
+The winbind package must be installed and working.
 ===Changed files===
@@ Line 7: / Line 11: @@
   * sites-available/govroam
   * sites-available/govroam-inner-tunnel
+  * mods-available/eap
   * mods-available/govroam_logs
@@ Line 49: / Line 54: @@
 # Realms that don't match any other listed send to the pool of govroam servers
-realm "~^[^@.]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
+realm "~^[^@\. ]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
     auth_pool = govroam
     nostrip
@@ Line 94: / Line 99: @@
 </code>
-===sites-available->govroam:===
+===sites-available/govroam:===
 <code>
@@ Line 169: / Line 174: @@
 And then create a symlink from sites-enabled/govroam to sites-available/govroam.
-===mods-available->govroam_logs:===
+===sites-available/govroam-inner-tunnel===
+<code>
+server inner-tunnel {
+        authorize {
+                 preprocess
+                 auth_log
+                 suffix
+                 update control {
+                          Proxy-To-Realm := LOCAL
+                 }
+                 eap {
+                          ok = return
+                 }
+                 files
+	         pap
+                 mschap
+        }
+        authenticate {
+                 ntlm_auth # Just for testing plain/non-EAP auth
+                 files
+                 Auth-Type PAP {
+                          pap
+                 }
+                 Auth-Type MS-CHAP {
+                          mschap
+                 }
+                 eap
+        }
+        post-auth {
+                 cui
+                 reply_log
+                 govroam_log
+                 Post-Auth-Type REJECT {
+                         reply_log
+                         govroam_log
+                 }
+        }
+}
+</code>
+And then create a symlink from sites-enabled/govroam-inner-tunnel to sites-available/govroam-inner-tunnel.
+===mods-available/eap===
+<code>
+eap {
+	default_eap_type = mschapv2
+	timer_expire     = 60
+	ignore_unknown_eap_types = no
+	cisco_accounting_username_bug = no
+	max_sessions = ${max_requests}
+	md5 {
+	}
+	tls-config tls-common {
+		# Generate and install a server cert and a CA ROOT.
+		private_key_password = whatever
+		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+		ca_file = /etc/ssl/certs/ca-certificates.crt
+		dh_file = ${certdir}/dh
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		cipher_server_preference = no
+		ecdh_curve = "prime256v1"
+		cache {
+			enable = no
+			lifetime = 24 # hours
+		}
+		verify {
+		}
+		ocsp {
+			enable = no
+			override_cert_url = yes
+			url = "http://127.0.0.1/ocsp/"
+		}
+	}
+	tls {
+		tls = tls-common
+	}
+	# This is the config for PEAP/MSCHAPv2 i.e. username/password.
+	peap {
+		tls = tls-common
+		default_eap_type = mschapv2
+		copy_request_to_tunnel = no
+		use_tunneled_reply = no
+		virtual_server = "inner-tunnel" # Make sure that this points to the govroam inner tunnel
+	}
+	mschapv2 {
+	}
+}
+</code>
+And then create a symlink from mods-enabled/eap to mods-available/eap, if one doesn't already exist.
+===mods-available/govroam_logs:===
 <code>