Training Michal Procházka, Jan Oppolzer CESNET


1 Training
Michal Procházka, Jan Oppolzer (CESNET)
michalp@ics.muni.cz, jan.oppolzer@cesnet.cz

2 Agenda
FLRS
  - Requirements
  - Preparation of the host
  - Installation of radsecproxy
IdP
  - Requirements
  - Preparation of the host
  - Installation of freeRADIUS

3 Terms
- ETLRS – eduroam top-level RADIUS server
- FLRS – federation-level RADIUS server
- OT – eduroam operational team

4 National-level RADIUS (FLRS)
- Proxies requests between the federation's IdPs, or forwards them to the ETLRS when the realm is not local
- Monitored by the eduroam monitoring infrastructure

5 Requirements
- Linux host for national-level RADIUS hosting
- X.509 certificate + private key (eduroam accredited): https://www.edupki.org/edupki-ca/get-certificates/
- NTP
- radsecproxy

6 Preparation of the host
- Assign a DNS name
- Generate an X.509 certificate for the host
- Install these components: NTP, radsecproxy (>1.6)

7 radsecproxy
https://wiki.geant.org/display/H2eduroam/How+to+deploy+eduroam+at+national+level#Howtodeployeduroamatnationallevel-radsecproxy

8 Install radsecproxy
- On Debian systems: apt-get install radsecproxy
- Manually: get the sources from https://software.uninett.no/radsecproxy/

9 /etc/radsecproxy.conf
    # Server listen ports
    ListenUDP *:1812
    ListenTLS *:2083

10 /etc/radsecproxy.conf
    # Logging
    LogLevel 3
    LogDestination x-syslog:///LOG_LOCAL0
    LoopPrevention On

11 /etc/radsecproxy.conf
    # F-TICKS
    FTicksReporting Full
    FTicksMAC VendorKeyHashed
    # replace with a site-specific secret value
    FTicksKey arandomsalt

12 /etc/rsyslog.d/50-radsecproxy.conf
    # radsecproxy
    if ($programname == 'radsecproxy') and ($msg contains 'F-TICKS') \
        then @192.0.2.204
    & stop
    # Contact OT for the syslog IP address
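An added example (not part of the slides) showing what the forwarded lines contain: a small Python parser for the F-TICKS records radsecproxy emits when FTicksReporting is on (the rsyslog rule above forwards only lines containing 'F-TICKS'), with per-realm result counts and a check that the CSI field carries a hashed MAC rather than a full one, which is what FTicksMAC VendorKeyHashed is for. The log lines, host name, realms and hash value are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape radsecproxy logs them; realms,
# MACs, host name and timestamps are made up. The hashed CSI keeps the vendor
# prefix and replaces the rest with a hex hash (a constructed 64-digit value).
HASHED_CSI = "00-1a-2b-" + "9f" * 32
SAMPLE_LOG = "\n".join([
    "Mar  1 10:00:01 flrs radsecproxy[812]: F-TICKS/eduroam/1.0#REALM=asren.org"
    "#VISCOUNTRY=JO#VISINST=univ-a#CSI=" + HASHED_CSI + "#RESULT=OK#",
    "Mar  1 10:00:02 flrs radsecproxy[812]: F-TICKS/eduroam/1.0#REALM=example.edu"
    "#VISCOUNTRY=JO#VISINST=univ-b#CSI=00-1A-2B-3C-4D-5E#RESULT=FAIL#",
    "Mar  1 10:00:03 flrs radsecproxy[812]: rewrite: removed attribute 64",
    "Mar  1 10:00:04 flrs radsecproxy[812]: F-TICKS/eduroam/1.0#REALM=asren.org"
    "#VISCOUNTRY=JO#VISINST=univ-a#CSI=" + HASHED_CSI + "#RESULT=FAIL#",
])

FTICKS_RE = re.compile(r"F-TICKS/eduroam/1\.0#(?P<body>(?:[A-Z]+=[^#]*#)+)")
FULL_MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.IGNORECASE)

def parse_fticks(line):
    """Return the F-TICKS fields of one log line as a dict, or None when the
    line is not an F-TICKS record (such lines are not forwarded to the OT)."""
    m = FTICKS_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("body").rstrip("#").split("#"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields

def csi_discloses_mac(csi):
    """True when CSI is a complete, unhashed MAC address (what FTicksMAC
    Original would emit); VendorKeyHashed output does not match."""
    return FULL_MAC_RE.match(csi) is not None

def summarize(log_text):
    """Count RESULT values per realm and collect records leaking a full MAC."""
    per_realm = {}
    leaks = []
    for line in log_text.splitlines():
        rec = parse_fticks(line)
        if rec is None:
            continue
        per_realm.setdefault(rec["REALM"], Counter())[rec["RESULT"]] += 1
        if csi_discloses_mac(rec.get("CSI", "")):
            leaks.append((rec["REALM"], rec["CSI"]))
    return per_realm, leaks
```

Run summarize() over the lines that reach the OT collector to spot a peer whose FTicksMAC setting still discloses full client MACs.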

13 /etc/radsecproxy.conf
    # TLS configuration
    tls defaultClient {
        CACertificatePath /root/
        CertificateFile /root/cert.pem
        CertificateKeyFile /root/key.pem
        # CertificateKeyPassword __CERT_PASS__
        policyOID 1.3.6.1.4.1.25178.3.1.1
        # CRLCheck On
    }
    tls defaultServer {
        CACertificatePath /root/
        CertificateFile /root/cert.pem
        CertificateKeyFile /root/key.pem
        # CertificateKeyPassword __CERT_PASS__
        policyOID 1.3.6.1.4.1.25178.3.1.2
        # CRLCheck On
    }

14 /etc/radsecproxy.conf
    # Attribute filtering (remove VLAN definitions)
    rewrite defaultClient {
        # 64 = Tunnel-Type, 65 = Tunnel-Medium-Type, 81 = Tunnel-Private-Group-ID
        removeAttribute 64
        removeAttribute 65
        removeAttribute 81
    }

15 /etc/radsecproxy.conf
    # For debugging purposes only
    client 127.0.0.1 {
        type udp
        secret testing123
    }

16 /etc/radsecproxy.conf
    # eduroam monitoring, negotiate with OT
    client SA3-monitoring-incoming {
        host a.b.c.d
        type UDP
        secret __MONITORING_SECRET__
    }
    server SA3-monitoring-outgoing {
        host a.b.c.d
        type UDP
        secret __MONITORING_SECRET__
    }

17 /etc/radsecproxy.conf
    # catch-all for RADIUS/TLS
    # any source address is accepted; peers are authenticated by their
    # TLS certificate (policyOID in defaultClient), "radsec" is the fixed
    # RADIUS/TLS shared secret
    client incoming {
        host 0.0.0.0/0
        type TLS
        tls defaultClient
        secret radsec
    }

18 /etc/radsecproxy.conf
    # Request forwarding – RADIUS/TLS
    server radius.asren.org {
        type TLS
        tls defaultServer
        secret radsec
        statusserver on
    }

19 /etc/radsecproxy.conf
    # Uplink to eduroam infrastructure
    server etlr1.eduroam.org {
        type TLS
        tls defaultServer
        secret radsec
        statusserver on
    }
    server etlr2.eduroam.org {
        type TLS
        tls defaultServer
        secret radsec
        statusserver on
    }

20 /etc/radsecproxy.conf
    # Filter bad realms, should be caught by the SP
    realm /myabc\.com$ {
        replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by."
        accountingresponse on
    }
    realm /^$/ {
        replymessage "Misconfigured client: empty realm! Rejected by."
        accountingresponse on
    }

21 /etc/radsecproxy.conf
    # Filter wrong realms from your TLD (e.g. .edu.jo)
    realm /\.YOUR_TLD$ {
        replymessage "Misconfigured supplicant or downstream server: uses known-bad realm in federation!"
    }

22 /etc/radsecproxy.conf
    # Realm forwarding for logins such as abc@asren.org
    realm /asren\.org$ {
        server radius.asren.org
        server radius2.asren.org
    }

23 /etc/radsecproxy.conf
    # Definition for eduroam monitoring
    realm /eduroam\.YOUR_TLD {
        server SA3-monitoring-outgoing
    }

24 /etc/radsecproxy.conf
    # Finally forward other realms upwards
    realm * {
        server etlr1.eduroam.org
        server etlr2.eduroam.org
    }
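As an added example (not from the slides or from radsecproxy itself), the realm list of slides 20 to 24 simulated in Python: radsecproxy evaluates realm blocks in configuration order and uses the first match, so the order decides whether a User-Name is rejected, forwarded to a federation IdP, sent to monitoring, or proxied to the ETLRs. It goes beyond the slides by also showing the effect of listing the monitoring realm after the TLD filter. Assumption of this model: patterns are matched against the whole User-Name, and the reply messages are abridged.

```python
import re

# Realm blocks in the order the slides define them; radsecproxy tries them top
# to bottom and the first match wins. Actions are abridged to (kind, detail).
SLIDE_REALMS = [
    (r"/myabc\.com$",       ("reject", "default realm of Intel PRO/Wireless supplicant")),
    (r"/^$/",               ("reject", "empty realm")),
    (r"/\.YOUR_TLD$",       ("reject", "known-bad realm in federation")),
    (r"/asren\.org$",       ("forward", ["radius.asren.org", "radius2.asren.org"])),
    (r"/eduroam\.YOUR_TLD", ("forward", ["SA3-monitoring-outgoing"])),
    ("*",                   ("forward", ["etlr1.eduroam.org", "etlr2.eduroam.org"])),
]

# Hypothetical reordering: the monitoring realm placed above the broad TLD
# reject, so the more specific realm is tried first.
FIXED_REALMS = [SLIDE_REALMS[4]] + SLIDE_REALMS[:4] + SLIDE_REALMS[5:]

def compile_realm(spec):
    """Turn a radsecproxy realm string into a predicate: a leading '/' marks a
    regular expression (trailing '/' optional), '*' matches everything."""
    if spec == "*":
        return lambda name: True
    if spec.startswith("/"):
        body = spec[1:-1] if len(spec) > 1 and spec.endswith("/") else spec[1:]
        rx = re.compile(body, re.IGNORECASE)
        return lambda name: rx.search(name) is not None
    raise ValueError("only regex realms and '*' are modelled here")

def route(user_name, realms=SLIDE_REALMS):
    """Return the action of the first matching realm block. Model assumption:
    the pattern is matched against the whole User-Name."""
    for spec, action in realms:
        if compile_realm(spec)(user_name):
            return action
    return ("drop", "no realm matched")

if __name__ == "__main__":
    for name in ["bob@myabc.com", "", "alice@asren.org", "carol@example.org",
                 "probe@eduroam.YOUR_TLD"]:
        print(repr(name), "slides:", route(name), "| reordered:", route(name, FIXED_REALMS))
```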

25 Testing and Debugging
Run radsecproxy in the foreground with debug level 5:
    radsecproxy -d5 -f

26 Get the Testing Certificate
- Register your RA: contact@edupki.org
- Request a server certificate: https://www.edupki.org/edupki-ca/tests-and-demos/

27 FLRS server
- Implements F-TICKS monitoring
- Host properly monitored (e.g. Nagios)
- Time synchronized with GPS/NTP
- Must answer ICMP Ping requests

28 Summary
- FLRS installed
- Configured to be connected to the ETLRS
- FLRS ready to be monitored

29 Homework
- Failover configuration
- Maintenance support
- Monitoring of the FLRS
- Backup (logs for 6 months)

30 Organization-level RADIUS
- Provides authentication of the users
- Connected to the organizational IdM
- Usually works as an SP as well

31 Requirements
- Linux/Windows host for the IdP RADIUS
- X.509 certificate
- NTP
- freeRADIUS

32 Preparation of the host
- Assign a DNS name
- Generate an X.509 certificate for the host
- Install these components: NTP, freeRADIUS (>3)

33 Installation of freeRADIUS
Complete instructions on: http://wiki.freeradius.org/building/Build#Building-Debian-packages

34 Installation of freeRADIUS on Debian 8
    cd /usr/src/
    wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.gz
    tar xvzf freeradius-server-3.0.9.tar.gz
    apt-get install dpkg-dev fakeroot build-essential debhelper quilt autotools-dev \
        libpam0g-dev libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev \
        libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libreadline-dev \
        libsnmp-dev libpq-dev libssl-dev libtalloc-dev libyubikey-dev libsqlite3-dev \
        libcurl4-openssl-dev libcap-dev libjson-c-dev libwbclient-dev ssl-cert
    cd freeradius-server-3.0.9
    fakeroot dpkg-buildpackage -b -uc
    # dpkg-buildpackage writes the .deb files to the parent directory, /usr/src/
    cd /usr/src/
    dpkg -i freeradius_3.0.9+git_amd64.deb freeradius-common_3.0.9+git_all.deb \
        freeradius-utils_3.0.9+git_amd64.deb libfreeradius3_3.0.9+git_amd64.deb \
        freeradius-ldap_3.0.9+git_amd64.deb freeradius-config_3.0.9+git_amd64.deb

35 /etc/freeradius/proxy.conf
    # Setup proper proxying of the requests
    …
    realm LOCAL {
        …
    }
    realm asren.org {
    }
    …

36 Certificates
- Store/use X.509 certificates in /etc/freeradius/certs/
- Set the proper owner and permissions on the private key:
    chown freerad:freerad server.key
    chmod 0640 server.key

37 /etc/freeradius/mods-available/eap
    # Setup TLS
    eap {
        …
        tls-config tls-common {
            # Private key
            private_key_file = ${certdir}/radius.key
            …
            # Certificate
            certificate_file = ${certdir}/radius.crt
            …
        }
    }

38 /etc/freeradius/clients.conf
    # Client definitions
    client ap_network {
        # shared secret of the access points, fill in your own
        secret = __AP_SECRET__
        shortname = aps
        ipaddr = 192.168.10.0/24
    }

39 Enable radsec
    ln -s /etc/freeradius/sites-available/tls /etc/freeradius/sites-enabled/tls

40 /etc/freeradius/sites-available/tls
    # For the listen and home_server sections
    private_key_file = radius.key
    certificate_file = radius.pem

41 /etc/freeradius/sites-available/tls
    # Connection to the FLRS
    clients radsec {
        client radius1.asren.org {
            ipaddr = a.b.c.d
            proto = tls
            secret = radsec
        }
        …
    }
    home_server tls {
        ipaddr = radius1.asren.org
        secret = radsec
        …
    }
    …
    realm DEFAULT {
        auth_pool = tls
        nostrip
    }

42 Additional steps
Disable the dhcp module:
    rm /etc/freeradius/mods-enabled/dhcp

43 Testing and debugging
- Run in the foreground with debug output: freeradius -fxx -l stdout
- Test the EAP flow with eapol_test
- Online test: https://radius.ics.muni.cz/eduroam-test/eduroam-test.cgi

44 Create local test account
Edit /etc/freeradius/users:
    "test@asren.org" Cleartext-Password := "abc123"
        Fall-Through = Yes

45 Integration with LDAP
- Users' login/password will be checked against LDAP
- Passwords must be stored in clear-text form in the LDAP

46 sites-enabled/inner-tunnel
    # Enable LDAP authentication
    authorize {
        …
        ldap
        …
    }
    …
    authenticate {
        …
        Auth-Type LDAP {
            ldap
        }
        …
    }

47 mods-available/ldap
    server = 'ldaps://ldaphost.org'
    # user with rights to read the passwords, fill in your own
    identity = 'uid=__BIND_USER__,ou=Special Users,dc=asren,dc=org'
    password = '__BIND_PASSWORD__'
    # Base DN, where to search for the user
    base_dn = 'ou=People,dc=asren,dc=org'
    update {
        # LDAP attribute containing the password
        control:Cleartext-Password := 'radiusPassword'
    }
    …
    tls {
        …
        # CA certificate that signed the LDAP server certificate
        ca_file = '__CA_FILE__'
        require_cert = 'demand'
    }

48 Activate LDAP module
    cd /etc/freeradius/mods-enabled
    ln -s ../mods-available/ldap

49 Integration with AD
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

50 Sources
- Automatic installer from CAF: http://bit.ly/idpinstaller
- Slides and configuration files from the workshop: https://devnull.cesnet.cz/asren/

