- proxy.conf - Posredovanje zahtev RADIUS in določitev kraljestev
###############################################################
# Proxy configuration
###############################################################
proxy server {
default_fallback = no
}
###############################################################
# local realm configurations
# We handle requests for these domains
#
realm NULL {
}
realm LOCAL {
}
# handle all realms and sub-realms
realm "~^(.+\\.)*os-prva\\.si$" {
}
# handle only @os-prva.si
#realm os-prva.si {
#}
# handle only sub-realms in LDAP,
#realm "~^(.+\\.)?os-prva\\.si$" {
#}
###############################################################
# Catchall for unhandled realms
# redirect them to a blackhole server
#
home_server blackhole {
virtual_server = blackhole
}
home_server_pool blackhole_pool {
home_server = blackhole
name = blackhole
}
# Blackhole is needed if we use realms without regexp
# if you use regexp, comment this out.
# Usually needs to be one blackhole for each realm we handle.
realm "~.*\\.os-prva\\.si$" {
auth_pool = blackhole_pool
}
#realm "~.*\\.os-druga\\.si$" {
# auth_pool = blackhole_pool
#}
###############################################################
# Proxy realm requests to a specific server
# Only for connecting other RADIUS servers.
#realm "~^(.+\\.)?sub\\.os-prva\\.si$" {
# nostrip
# auth_pool = sub_pool
#}
#home_server sub_srv1 {
# type = auth
# ipaddr = 193.2.67.16
# port = 1812
# secret = <RadiusPasswordToSub&bg;
# response_window = 20
# zombie_period = 40
# revive_interval = 120
## status_check = none
# status_check = status-server
# check_interval = 30
# num_answers_to_alive = 3
#}
#home_server_pool sub_pool {
# name = sub_pool
# type = client-balance
# home_server = sub_srv1
#}
###############################################################
# TLD servers
# Send all requests we don't know how to handle here
#
home_server arnes_tld1 {
type = auth
ipaddr = 193.2.18.66
port = 1812
secret = <RadiusPasswordToTLD>
require_message_authenticator = yes
response_window = 30
zombie_period = 40
status_check = status-server
check_interval = 10
num_answers_to_alive = 3
max_outstanding = 65536
}
home_server_pool arnes_tld_pool {
name = arnes_tld_pool
type = client-balance
home_server = arnes_tld1
}
realm DEFAULT {
nostrip
auth_pool = arnes_tld_pool
}
- clients.conf - Gesla za dostopovne točke in druge strežnike Radius
#######################
# APs and other devices
#######################
client <ime_ap1> {
ipaddr = <ip1>
secret = <geslo1>
shortname = <ap1>
nastype = cisco
}
client <ime_ap2> {
ipaddr = <ip2>
secret = <geslo2>
shortname = <ap2>
nastype = cisco
}
#######################
# RADIUS servers
#######################
client localhost {
ipaddr = 127.0.0.1
secret = <gesloLo>
require_message_authenticator = no
nastype = other
}
# ARNES top-level radius 1
client arnes-tld1 {
ipaddr = 193.2.18.66
pool = arnes_tld_pool # ustrezni pool v proxy.conf
secret = <gesloARNES1>
shortname = arnes-tld1
nastype = other
}
- eap.conf - Overjanje EAP
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
max_sessions = 4096
fragment_size = 1024
tls {
# $ openssl dhparam -check -text -5 2048 -out /etc/pki/radius/dh
dh_file = /etc/pki/radius/dh
private_key_file = /etc/pki/radius/os-prva.si_key.pem
certificate_file = /etc/pki/radius/os-prva.si_cert.pem
CA_file = /etc/pki/radius/cacert.pem
random_file = /dev/urandom
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24 # hours
max_entries = 2048
}
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
proxy_tunneled_request_as_eap = no
soh = no
# soh_virtual_server = "soh-server"
}
mschapv2 {
#send_error = yes
send_error = no
}
}
- users - Določanje tipa overjanja glede na zunanjo identiteto
########################################################
# Users with a NULL realm should be rejected
########################################################
DEFAULT Realm == NULL, Auth-Type := Reject
########################################################
# Check pGina users activate LDAP for them
# Only our LOCAL users are allowed!
# pGina is OFF by default, uncomment if needed
########################################################
## static entries (for testing)
#pgina Realm =~ "^(.*\\.|)os-prva\\.si$", NAS-Port-Type == Virtual, Service-Type == Login-User, Auth-Type := PAP, Cleartext-Password := "<pgina_test_password>"
#
## Query LDAP for pGina login
##DEFAULT Realm =~ "^(.*\\.|)os-prva\\.si$", NAS-Port-Type == Virtual, Service-Type == Login-User, Auth-Type := LDAP
#DEFAULT Realm =~ "^(.*\\.|)os-prva\\.si$", NAS-Port-Type == Virtual, Service-Type == Login-User, Autz-Type := LDAP
- inner_users - Splošne nastavitve in statična uporabniška imena
########################################################
# Staticly entered users, for testing only!
########################################################
test Realm == os-prva.si, Cleartext-Password := "<TestnoGeslo>"
########################################################
# Check LDAP directory for users
#######################################################
#DEFAULT Realm =~ "^(.*\\.|)os-prva\\.si$", Autz-Type:=LDAP2
DEFAULT Autz-Type:=LDAP
- postauth_users - Primer razvrščanja uporabnikov v omrežja, glede na domeno v uporabniškem imenu
#######################################################
# VLAN assignement over RADIUS
########################################################
#DEFAULT User-Name =~ "\\@os-prva\\.si$"
# Tunnel-Type = VLAN,
# Tunnel-Medium-Type = IEEE-802,
# Tunnel-Private-Group-Id = 2,
# Fall-Through = yes
- radiusd.conf - Splošne nastavitve radius strežnika
Datoteka se med različicami FreeRADIUS spreminja. Ohranite originalno datoteko, preverite samo, da je nastavljeno naslednje:
$INCLUDE sql.conf
- sql.conf - Beleženje dostopov (accounting) v bazo MySQL
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radiusd"
password = "$radiusd_geslo"
radius_db = "radius"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
# Eduroam specific logging of Accounting start and stop records
accounting_start_query = "INSERT into ACCOUNTING SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = '%{NAS-Port}',\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"
accounting_update_query = "UPDATE ACCOUNTING SET\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
accounting_stop_query = "UPDATE ACCOUNTING SET\
`Timestamp Stop` = NOW(),\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}',\
`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
}
- modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port, Calling-Station-Id, Called-Station-Id"
}
- modules/files
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
postauth_usersfile = ${confdir}/postauth_users
compat = no
}
files inner_files {
usersfile = ${confdir}/inner_users
compat = no
}
- modules/ldap - Nastavitve za dostop do LDAP imenika
ldap {
server = "localhost"
identity = "<ldap DN>"
password = "<ldap password>"
basedn = "dc=os-prva,dc=si"
filter = "(eduPersonPrincipalName=%{User-Name})"
#base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# chase_referrals = yes
# rebind = yes
# set_auth_type = yes
#ldap_debug = 0x0028
keepalive {
idle = 60
probes = 3
interval = 3
}
# Za preverjanje istovetnosti z LDAP nastavite spodnji parameter na yes
set_auth_type = no
}
- sites-available/blackhole - Strežnik za zavračanje zahtev
server blackhole {
authorize {
reject
}
}
- sites-available/default - Strežnik za obdelavo zunanje identitete
authorize {
# filter_username
preprocess
auth_log
suffix
files
eap
# Autz-Type Status-Server {
#
# }
# support for pGina
Autz-Type LDAP {
ldap
pap
}
}
authenticate {
# pGina -> LDAP or PAP
Auth-Type PAP {
pap
}
Auth-Type LDAP {
ldap
}
# eduroam -> EAP
Auth-Type EAP {
eap
}
}
preacct {
# Procesiraj accounting pakete le za zahteve, ki izvirajo iz domacih NAS-ov
if (!"%{Proxy-State}") {
preprocess
acct_unique
suffix
}
}
accounting {
# Procesiraj accounting pakete le za zahteve, ki izvirajo iz domacih NAS-ov
if (!"%{Proxy-State}") {
detail
sql
}
attr_filter.accounting_response
# Acct-Type Status-Server {
# }
}
post-auth {
# Procesiraj postauth_users le za zahteve iz domacih NAS-ov
if (!"%{Proxy-State}") {
files
}
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
# Split Horizon:
# Ce bo zahteva posredovana na isti pool streznikov,
# s katerega je bila sprejeta, zavrni zahtevo.
if ("%{home_server_pool:name}" == "%{client:pool}") {
update reply {
Reply-Message := "Radius proxy loop detected: requests for %{User-Name} from %{client:pool} loop back to itself."
}
reject
}
attr_filter.pre-proxy
files
detail
}
post-proxy {
attr_filter.post-proxy
}
- sites-available/inner-tunnel - Strežnik za obdelavo notranje identitete
server inner-tunnel {
authorize {
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
inner_files
pap
expiration
if ("arnes_tld_pool" != "%{client:pool}") {
# Only for requests from home NASes
logintime
}
eap
Autz-Type LDAP {
ldap
pap
expiration
if ("arnes_tld_pool" != "%{client:pool}") {
# Only for requests from home NASes
logintime
}
eap
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type EAP {
eap
}
Auth-Type LDAP {
ldap
}
}
post-auth {
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
}
#copy inner User-Name to outer
update reply{
User-Name := "%{request:User-Name}"
}
}
} # inner-tunnel server block
- V ldap.attrmap dodajte:
# enable account expiration, login time check and password retrieval
checkItem Expiration schacExpiryDate
checkItem Login-Time radiusLoginTime
checkItem Cleartext-Password userPassword
- V attrs dodajte zapis za polje User-Name:
# Dodati je potrebno zapis za polje User-Name, ostale vrstice ohranimo nespremenjene.
DEFAULT
User-Name =* ANY,
[...]
- V attrs.pre-proxy dodajte zapis za polja NAS-Port, NAS-Port-Id, NAS-Port-Type, Calling-Station-Id:
# Dodati je potrebno naslednje zapise, ostale vrstice ohranimo nespremenjene.
DEFAULT
NAS-Port =* ANY,
NAS-Port-Id =* ANY,
NAS-Port-Type =* ANY,
Calling-Station-Id =* ANY,
[...]
- V mapi sites-enabled/ ustvarite simbolične povezave do datotek v sites-available/
cd sites-enabled/
ln -s ../sites-available/blackhole
ln -s ../sites-available/default
ln -s ../sites-available/inner-tunnel
Organizacije, ki so priključene v Eduroam.si in imajo tudi knjižnice lahko uredijo priklop za uporabnike Libroam z naslednjimi nastavitvami:
