Differences

This shows you the differences between two versions of the page.

--- siteadmin:basic_freeradius_orps_configuration [2021/04/28 10:50] – admin
+++ siteadmin:basic_freeradius_orps_configuration [2024/11/21 15:00] (current) – admin
@@ Line 6: / Line 6: @@
   * mods-available -> govroam_logs
-Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems stating the RADIUS server.
+Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems starting the RADIUS server.
 ===clients.conf:===
 <code>
-# Configure the JISC NRPS as a client as it will be sending request from your people abroad.
+# Configure a Network Access Server (e.g. wireless controller) to accept traffic from.
 client  NAS {
@@ Line 17: / Line 17: @@
         ipaddr = 10.10.20.1
 }
+# Configure the JISC NRPS as a client as it will be sending request from your people abroad.
 client roaming0 {
         secret = something
         ipaddr = 192.168.0.1
+        operator = "NRPS"
 }
@@ Line 27: / Line 31: @@
         secret = something
         ipaddr = 10.10.10.31
+        operator = "1localnet"
 }
@@ Line 41: / Line 46: @@
 # Realms that don't match any other listed send to the pool of govroam servers
-realm "~.+$" {
+realm "~^[^@\. ]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
     auth_pool = govroam
     nostrip
@@ Line 59: / Line 64: @@
     secret = something
     status_check = status-server # Checks status of govroam server
+    operator = "NRPS"
 }
@@ Line 78: / Line 85: @@
         port = 1812
         type = auth
+        operator = "1localnet"
 }
@@ Line 94: / Line 103: @@
         authorize {
                 preprocess
                 update request {
-                        Operator-Name := 1your.domain # Adds the Operator Name attribute to the request.
+                        Operator-Name = 1your.domain # Adds the Operator Name attribute to the request, if it doesn't already exist.
                 }
                 auth_log
@@ Line 118: / Line 127: @@
                 # Lots of logging
                 reply_log
-                f_ticks
+                # Only send F-TICKS to Jisc when proxying between sites.
+		if ( "%{home_server:operator}" != "NRPS" && "%{client:operator}" != "NRPS" && "%{request:Called-Station-Id}" =~ /:govroam$/) {
+  		  f_ticks
+		}
                 govroam_log
                 Post-Auth-Type REJECT {
                         attr_filter.access_reject
                         reply_log
-                        f_ticks
                 }
         }
@@ Line 146: / Line 157: @@
 <code>
-# F-TICKS
+# F-TICKS - only appropriate for Regional Federation Operators
 linelog f_ticks {
         filename = syslog
         format = ""
         reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
-f_ticks {
+        f_ticks {
-              Access-Accept ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#"
+              Access-Accept ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#FEDID=XX#" # Replace XX with your supplied ID,
-              Access-Reject ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#" # Remove when sending to Jisc NRPS
-       }
-}
+        }
@@ Line 166: / Line 174: @@
     govroam_log {
         Access-Accept = "govroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
-        Access-Reject ="govroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reaso
+        Access-Reject ="govroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
-n}#RESULT=FAIL#"
     }
 }
@@ Line 173: / Line 180: @@
 And then create a symlink from mods-enabled/govroam_logs to mods-available/govroam_logs.
+Use the **details.log** file in mods-available to configure how the local logs are formatted and stored. The format below stores the logs by date and time making it easier to use logrotate or similiar to archive off older logs.
+<code>
+detail auth_log {
+        detailfile = ${radacctdir}/%Y%m%d/request-detail-%H:00
+        header = "%{Packet-Src-IP-Address} - %t"
+        detailperm = 0600
+        suppress {
+                User-Password
+        }
+}
+detail reply_log {
+        detailfile = ${radacctdir}/%Y%m%d/reply-detail-%H:00
+        header = "%{Packet-Src-IP-Address} - %t"
+        detailperm = 0600
+}
+detail pre_proxy_log {
+        detailfile = ${radacctdir}/%Y%m%d/pre-proxy-detail-%H:00
+        header = "%{Packet-Src-IP-Address} - %t"
+        log_packet_header = yes
+        detailperm = 0600
+        suppress {
+                 User-Password
+        }
+}
+detail post_proxy_log {
+        detailfile = ${radacctdir}/%Y%m%d/post-proxy-detail-%H:00
+        header = "%{Packet-Src-IP-Address} - %t"
+        detailperm = 0600
+}
+</code>
+Once configured you can test using [[public:Testing Tools|eapol_test]]