В примере будет использоваться виртуальный сервер под openvz. Прежде всего, создадим виртуальный сервер.
# Create container 803 from the CentOS 5 x86_64 OS template; this container
# becomes the national FLR (hostname roaming.eduroam.by is set below).
vzctl create 803 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
# UBC resource limits, boot flag, address and permitted netfilter modules for
# container 803. Every call uses --save so the values land in the container
# config under /etc/vz/conf. The "a:b" pairs are OpenVZ barrier:limit values.
vzctl set 803 --save --onboot "yes"
vzctl set 803 --save --kmemsize "104239923:114663915"
vzctl set 803 --save --lockedpages "5089:5089"
vzctl set 803 --save --privvmpages "152695:167964"
vzctl set 803 --save --shmpages "15269:15269"
vzctl set 803 --save --numproc "4000:4000"
vzctl set 803 --save --physpages "0:9223372036854775807"
vzctl set 803 --save --vmguarpages "152695:9223372036854775807"
vzctl set 803 --save --oomguarpages "152695:9223372036854775807"
vzctl set 803 --save --numtcpsock "4000:4000"
vzctl set 803 --save --numflock "1000:1100"
vzctl set 803 --save --numpty "400:400"
vzctl set 803 --save --numsiginfo "1024:1024"
vzctl set 803 --save --tcpsndbuf "18362641:34746641"
vzctl set 803 --save --tcprcvbuf "18362641:34746641"
vzctl set 803 --save --othersockbuf "9181320:25565320"
vzctl set 803 --save --dgramrcvbuf "9181320:9181320"
vzctl set 803 --save --numothersock "4000:4000"
vzctl set 803 --save --dcachesize "22762625:23445504"
vzctl set 803 --save --numfile "40704:40704"
vzctl set 803 --save --avnumproc "1272:1272"
vzctl set 803 --save --numiptent "200:200"
vzctl set 803 --save --diskspace "1163682:1280051"
vzctl set 803 --save --diskinodes "421490:463640"
vzctl set 803 --save --quotatime "0"
vzctl set 803 --save --cpuunits "100050"
# The FLR gets its public address directly (--ipadd); the IdP containers
# further down use a veth interface instead.
vzctl set 803 --save --ipadd "80.94.174.231"
vzctl set 803 --save --hostname "roaming.eduroam.by"
# Netfilter modules the container may use; the INPUT DROP rule set applied
# later from /etc/sysconfig/iptables needs at least iptable_filter/ipt_state.
vzctl set 803 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
запуск виртуальной машины
# Boot container 803.
vzctl start 803
вход на сервер
# Open a root shell inside the container; everything below runs in 803.
vzctl enter 803
настройка днс
# Point the container at the resolver 80.94.160.3 (replaces resolv.conf).
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
апдейт системы, установка vim
# Bring the template up to date and install an editor with a usable vimrc.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc
# FreeRADIUS 2.1.7 from the CentOS 5 packages, rebuilt with a newer
# rlm_linelog (needed by the f_ticks module configured below). The source
# RPM freeradius2-2.1.7-7.el5.src.rpm is assumed to be present already.
yum install freeradius2.x86_64 freeradius2-utils.x86_64
rpm -Uvh freeradius2-2.1.7-7.el5.src.rpm
cd /usr/src/redhat/SOURCES
tar jxfv freeradius-server-2.1.7.tar.bz2
# The replacement rlm_linelog.c is pinned to one upstream commit and fetched
# over https, but no checksum is recorded here; keep the file you built from.
wget https://raw.github.com/mcnewton/freeradius-server/089c108c472a6a9d2a21ae86b41343b06274f95d/src/modules/rlm_linelog/rlm_linelog.c
mv rlm_linelog.c ./freeradius-server-2.1.7/src/modules/rlm_linelog/rlm_linelog.c
# Repack the modified tree under the original tarball name so the spec file
# builds it unchanged.
tar cjf freeradius-server-2.1.7.tar.bz2 freeradius-server-2.1.7
cd /usr/src/redhat/
yum install autoconf gdbm-devel libtool libtool-ltdl-devel openssl-devel pam-devel zlib-devel \
  net-snmp-devel readline-devel libpcap-devel openldap-devel krb5-devel python-devel mysql-devel postgresql-devel unixODBC-devel rpm-build
rpmbuild -bb SPECS/freeradius2.spec
cd RPMS/
cd x86_64/
# --force: same version as the packages installed above, so rpm would
# otherwise refuse the "upgrade". These local, unsigned builds replace the
# distribution packages; yum will not bring in a vendor update over them
# until the version number moves.
rpm -Uvh --force freeradius2-2.1.7-7.x86_64.rpm freeradius2-mysql-2.1.7-7.x86_64.rpm freeradius2-utils-2.1.7-7.x86_64.rpm
/etc/raddb/proxy.conf
# /etc/raddb/proxy.conf on the FLR (roaming.eduroam.by): the two national
# IdP realms plus a fail-over pool of the European top-level servers.
# The [secret-...] values are placeholders for the shared secrets agreed with
# each peer, so this file holds credentials: keep it readable by the radiusd
# user only.
realm eduroam.by {
# nostrip: forward the full user@realm so the IdP sees the realm part.
nostrip
authhost = 80.94.174.233
accthost = 80.94.174.233
secret = [secret-of-eduroam.by-here]
}
realm basnet.by {
nostrip
authhost = 80.94.174.234
accthost = 80.94.174.234
secret = [secret-of-basnet.by-here]
}
home_server etlr1-v4 {
type = auth+acct
ipaddr = 192.87.106.34
port = 1812
secret = [secret-of-etlr1-v4-here]
response_window = 20
zombie_period = 40
revive_interval = 60
# Status-Server probes detect a dead ETLR instead of waiting for user
# requests to time out (zombie_period / revive_interval above).
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server etlr2-v4 {
type = auth+acct
ipaddr = 130.225.242.109
port = 1812
secret = [secret-of-etlr2-v4-here]
response_window = 20
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool EDUROAM-ETLR {
type = fail-over
home_server = etlr1-v4
home_server = etlr2-v4
}
# Any realm other than the two above is forwarded to the ETLR pool.
realm DEFAULT {
pool = EDUROAM-ETLR
nostrip
}
/etc/raddb/eap.conf
# /etc/raddb/eap.conf on the FLR: only the ttls/peap subsections are shown.
# The FLR's "eduroam" virtual server has an empty authenticate section, so
# these settings only matter for requests it would terminate itself.
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
/etc/raddb/clients.conf
# /etc/raddb/clients.conf on the FLR: the test access point and the two
# national IdPs. netmask = 32 makes each entry match exactly one host.
# The [password...] values are placeholders for the shared secrets.
client descriptivename {
ipaddr = 212.98.162.58
netmask = 32
secret = [passwordforeapoltest]
# "no" accepts Access-Requests that carry no Message-Authenticator. EAP
# requests always include one (RFC 3579), so "yes" is the stricter setting
# for these peers; confirm each peer sends it before tightening.
require_message_authenticator = no
shortname = eduroam-ap-v4
nastype = other
virtual_server = eduroam
}
client idp.eduroam.by {
ipaddr = 80.94.174.233
netmask = 32
secret = [passwordofidpeduroam]
require_message_authenticator = no
shortname = idp-eduroam
nastype = other
virtual_server = eduroam
}
client idp.basnet.by {
ipaddr = 80.94.174.234
netmask = 32
secret = [passwordofidpbasnet]
require_message_authenticator = no
shortname = idp-basnet
nastype = other
virtual_server = eduroam
}
/etc/raddb/sites-enabled/eduroam
# Drop the packaged default/inner-tunnel sites so only the "eduroam" virtual
# server written next is loaded.
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
# FLR virtual server: it only routes. authorize splits the realm (suffix ->
# Proxy-To-Realm, see proxy.conf); authenticate is empty, so a request that
# ends up not being proxied is rejected here rather than authenticated.
server eduroam {
authorize {
preprocess
# auth_log / reply_log write whole packets to the detail log; check that the
# auth_log module's suppress list drops User-Password before relying on them.
auth_log
suffix
eap
}
authenticate {
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
}
session {
}
post-auth {
reply_log
# one F-TICKS syslog line per final Access-Accept / Access-Reject
f_ticks
Post-Auth-Type REJECT {
reply_log
f_ticks
attr_filter.access_reject
}
}
pre-proxy {
pre_proxy_log
}
post-proxy {
post_proxy_log
}
}
/etc/raddb/modules/f_ticks
# F-TICKS statistics feed: one syslog line (facility local7, forwarded to the
# stat server by /etc/syslog.conf) per Access-Accept / Access-Reject. The
# reference picks the entry below that matches the reply's Packet-Type.
# The commented variants carry VISINST=YOUR-ID; fill in the institution
# identifier if the stat server expects it. CSI is the client's
# Calling-Station-Id (normally its MAC address), so this feed sends
# per-device identifiers to a remote host.
linelog f_ticks {
filename = syslog
syslog_facility = local7
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
f_ticks {
# Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=OK#"
# Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=OK#"
Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
}
}
radius autostart
# Start radiusd at boot.
chkconfig radiusd on
/etc/syslog.conf
# Forward local7 (the F-TICKS lines) to the statistics server; replace the
# placeholder with its address. A single "@" is classic UDP syslog:
# unencrypted, unauthenticated, and lines can be lost silently.
... local7.* @ip.address.of.stat.server.for.f_ticks
/etc/sysconfig/iptables
# INPUT policy DROP; only the listed peers (test AP, the two IdPs, the two
# ETLRs) may reach this host, on any protocol and port. Restricting the
# per-peer rules to "-p udp --dport 1812:1813" would narrow the exposure.
# Unlike the IdP rule set below there is no "-A INPUT -i lo -j ACCEPT", so
# local clients talking to 127.0.0.1 (e.g. radtest) are dropped.
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*mangle
:PREROUTING ACCEPT [1239:134578]
:INPUT ACCEPT [1239:134578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
:POSTROUTING ACCEPT [270:78700]
COMMIT
# Completed on Mon Apr 18 12:02:16 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*filter
:INPUT DROP [966:55207]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.233 -j ACCEPT
-A INPUT -s 80.94.174.234 -j ACCEPT
-A INPUT -s 192.87.106.34 -j ACCEPT
-A INPUT -s 130.225.242.109 -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:02:16 2011
# Load the rule set now and on every boot.
chkconfig iptables on
/etc/init.d/iptables restart
В примере будет использоваться виртуальный сервер под openvz с виртуальным сетевым интерфейсом типа veth. Прежде всего, создадим виртуальный сервер.
# Create container 903 (the eduroam.by IdP) from the CentOS 5 template.
vzctl create 903 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
# Same UBC limits as the FLR. This container gets a veth interface
# (--netif_add eth0) instead of --ipadd; the address is assigned from inside
# (ifcfg-eth0) and routed to the host side by /etc/vz/conf/903.mount.
vzctl set 903 --save --onboot "yes"
vzctl set 903 --save --kmemsize "104239923:114663915"
vzctl set 903 --save --lockedpages "5089:5089"
vzctl set 903 --save --privvmpages "152695:167964"
vzctl set 903 --save --shmpages "15269:15269"
vzctl set 903 --save --numproc "4000:4000"
vzctl set 903 --save --physpages "0:9223372036854775807"
vzctl set 903 --save --vmguarpages "152695:9223372036854775807"
vzctl set 903 --save --oomguarpages "152695:9223372036854775807"
vzctl set 903 --save --numtcpsock "4000:4000"
vzctl set 903 --save --numflock "1000:1100"
vzctl set 903 --save --numpty "400:400"
vzctl set 903 --save --numsiginfo "1024:1024"
vzctl set 903 --save --tcpsndbuf "18362641:34746641"
vzctl set 903 --save --tcprcvbuf "18362641:34746641"
vzctl set 903 --save --othersockbuf "9181320:25565320"
vzctl set 903 --save --dgramrcvbuf "9181320:9181320"
vzctl set 903 --save --numothersock "4000:4000"
vzctl set 903 --save --dcachesize "22762625:23445504"
vzctl set 903 --save --numfile "40704:40704"
vzctl set 903 --save --avnumproc "1272:1272"
vzctl set 903 --save --numiptent "200:200"
vzctl set 903 --save --diskspace "1163682:1280051"
vzctl set 903 --save --diskinodes "421490:463640"
vzctl set 903 --save --quotatime "0"
vzctl set 903 --save --cpuunits "100050"
vzctl set 903 --save --hostname "idp.eduroam.by"
vzctl set 903 --netif_add eth0 --save
vzctl set 903 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
Для корректной работы veth создадим файл /etc/vz/conf/903.mount
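#!/bin/bash
# vzctl mount hook for container 903: once the container is up, wait for the
# host side of its veth pair to appear and add a host route for the
# container's public address to it.
#
# Environment: vzctl exports VE_CONFFILE (path of the container's config).
# Exit status: 1 if either config file is missing. The route setup runs in a
# detached background loop and does not influence the exit status.

# This script sources the VPS configuration files in the same order as vzctl
# does; if one of them is missing something is really broken.
# VE_CONFFILE is quoted on purpose: with an unset variable the unquoted form
# degenerates to `[ -f ]`, which is true, and the script would go on to
# source an empty path instead of failing here.
[ -f /etc/vz/vz.conf ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
# source both files. Note the order, it is important
. /etc/vz/vz.conf
. "$VE_CONFFILE"

# Configure veth with IP after VPS has started. Detached so the hook returns
# immediately; the loop ends as soon as ifconfig succeeds on the device, i.e.
# once the container side of the veth exists. There is no upper bound on the
# wait: if the device never appears the loop keeps polling once per second.
{
  ip_addr=80.94.174.233
  dev=veth903.0
  while sleep 1; do
    if /sbin/ifconfig "$dev" 0 >/dev/null 2>&1; then
      /sbin/ip route add "$ip_addr" dev "$dev"
      break
    fi
  done
} &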
сделаем исполняемым:
# vzctl only runs the mount hook if it is executable.
chmod +x /etc/vz/conf/903.mount
запуск виртуальной машины
# Boot container 903 (this also triggers 903.mount).
vzctl start 903
вход на сервер
# Open a root shell inside the container; everything below runs in 903.
vzctl enter 903
настройка днс
# Point the container at the resolver 80.94.160.3 (replaces resolv.conf).
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
настройка сети
/etc/sysconfig/network-scripts/ifcfg-eth0
# Container side of the veth: a /32 address with no on-link gateway. The
# default route is installed by the local change to ifup-eth shown next.
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.233
NETMASK=255.255.255.255
BROADCAST=0.0.0.0
Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth
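# Add Zeroconf route.
# Local change for idp.eduroam.by: the veth carries a /32 address, so the
# gateway 80.94.174.193 is presumably not on-link; add a host route to it
# first and then the default route through it. The gateway is hard-coded
# here, keep it in sync with the container's network.
# `-a` inside `[ ]` is deprecated and ambiguous; separate tests joined by &&
# are equivalent and unambiguous, and ${REALDEVICE} is quoted.
if [ -z "${NOZEROCONF}" ] && [ "${ISALIAS}" = "no" ] && [ "${REALDEVICE}" != "lo" ]; then
  ip route replace 169.254.0.0/16 dev "${REALDEVICE}"
  ip route add 80.94.174.193 dev eth0
  ip route add default via 80.94.174.193
fi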
рестартуем сеть
# Apply ifcfg-eth0 and the ifup-eth change.
/etc/init.d/network restart
апдейт системы
# Bring the template up to date and install an editor with a usable vimrc.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc
# Local directory holding the test users for this IdP.
yum install openldap-servers openldap-clients
сгенерируем хэш пароля (в примере пароль будет test)
slappasswd New password: Re-enter new password: {SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m
правим /etc/openldap/slapd.conf
# Only the changed directives of /etc/openldap/slapd.conf are shown.
# rootpw is the {SSHA} hash produced by slappasswd above (password "test" in
# this example: change it). The FreeRADIUS ldap module binds with this same
# rootdn/password pair, so slapd.conf and /etc/raddb/modules/ldap must both
# stay readable by their service users only.
database bdb
suffix "dc=eduroam,dc=by"
rootdn "cn=root,dc=eduroam,dc=by"
rootpw {SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m
копируем стандартные настройки базы и стартуем ldap
# Default Berkeley DB tuning for the directory, then start slapd.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
/etc/init.d/ldap start
делаем тестовые ldif-файлы для наполнения ldap.
base.ldif
# base.ldif: the directory root entry.
dn: dc=eduroam,dc=by
objectClass: dcObject
objectClass: organization
objectClass: top
dc:eduroam
o:eduroam
people.ldif
# people.ldif: the organizational unit that holds the user entries.
## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line
dn: ou=people, dc=eduroam,dc=by
ou: people
description: All people in organisation
objectclass: organizationalunit
slayer.ldif
# slayer.ldif: one test user. The RADIUS ldap module looks users up by the
# mail attribute (filter "(mail=%{User-Name})"), so the full address
# slayer@eduroam.by is the RADIUS login. userpassword is stored in clear
# text: the ldap module reads it (password_attribute = userPassword) so that
# MS-CHAPv2 inside the tunnel can be verified, which needs the clear-text or
# NT-hash password; restrict read access on this attribute to the RADIUS
# bind DN, and replace the test values before production.
## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name
dn: cn=Valery Ciareszka,ou=people,dc=eduroam,dc=by
objectclass: inetOrgPerson
cn: Valery Ciareszka
cn: Valery J Ciareszka
sn: Ciareszka
uid: slayer
userpassword: test123
carlicense: HISCAR 123
homephone: 555-111-2222
mail: slayer@eduroam.by
mail: suka.slayer@eduroam.by
description: swell guy
ou: Human Resources
Добавляем все это в ldap
# Load the three LDIF files as the rootdn; -W prompts for the password so it
# never appears on the command line or in the shell history.
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f base.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f people.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f slayer.ldif
добавляем ldap в автозагрузку
# Start slapd at boot.
chkconfig ldap on
ставим и запускаем mysql, добавляем в автозагрузку
# MySQL for the accounting tables written by /etc/raddb/sql.conf.
yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on
создаем базу, таблицы, пользователя
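-- Accounting / monitoring schema on the IdP. radiusd@localhost is the login
-- configured in /etc/raddb/sql.conf; the passwords must match.
create database radius;
-- ALL PRIVILEGES on radius.* is more than the sql module uses (it only
-- INSERTs/UPDATEs ACCOUNTING, see sql.conf) and also covers access_points,
-- which holds device credentials. Narrow the grant unless another tool
-- (e.g. the monitor script installed later) relies on this account.
grant all privileges on radius.* to radiusd@localhost identified by 'radpasswd';
USE radius;
-- One row per accounting session; User-Name .. Acct-Unique-Session-Id are
-- filled by the sql.conf queries, the remaining columns by other tools.
CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;  -- ENGINE= replaces the deprecated TYPE= keyword; both are accepted by the MySQL 5.0 of CentOS 5
-- Per-access-point credentials (SNMP community, RADIUS secret, root login)
-- in clear text: treat this table like a password file.
create table access_points (
  `IP address` varchar(100) PRIMARY KEY NOT NULL,
  `snmp secret` varchar(100) NOT NULL default '',
  `radius secret` varchar(100) NOT NULL default '',
  `root username` varchar(100) NOT NULL default '',
  `root password` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;
-- Rejected sessions; no query on this page writes it (presumably the
-- monitor script does).
CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;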
ставим freeradius и модули ldap, mysql к нему
# Distribution FreeRADIUS 2 with the ldap and mysql modules used below.
yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-ldap freeradius2-mysql
/etc/raddb/proxy.conf
# /etc/raddb/proxy.conf on idp.eduroam.by: the own realm is handled locally,
# every other realm is forwarded to the national FLR. [secrethere] is a
# placeholder for the shared secret; the file holds a credential.
proxy server {
# If all home servers of a realm are dead, fall back to the DEFAULT realm
# and ultimately to local handling instead of dropping the request; verify
# this is the wanted behaviour for foreign realms.
default_fallback = yes
}
realm LOCAL {
}
# No home server: users of eduroam.by are authenticated here. nostrip keeps
# the realm on User-Name, which the ldap filter "(mail=%{User-Name})" needs.
realm eduroam.by {
nostrip
}
home_server roaming.eduroam.by {
type = auth+acct
ipaddr = 80.94.174.231
port = 1812
secret = [secrethere]
response_window = 20
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool EDUROAM-FTLR-BY {
type = fail-over
home_server = roaming.eduroam.by
}
realm DEFAULT {
pool = EDUROAM-FTLR-BY
nostrip
}
/etc/raddb/eap.conf
# /etc/raddb/eap.conf on the IdP. TTLS and PEAP tunnel an MS-CHAPv2 exchange
# that is processed by the "eduroam-inner-tunnel" virtual server.
eap {
# Method offered first when the supplicant does not ask for one. EAP-MD5
# yields no keying material and is therefore unusable for 802.1X wireless;
# peap or ttls would be the better default.
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
# LEAP is an obsolete, weak method; keep it only if a legacy client needs it.
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# These are the test certificates generated by the bootstrap script, with
# their default passphrase. Before production install a server certificate
# issued by a CA the supplicants trust, with its own passphrase; otherwise
# clients cannot verify they are talking to this IdP.
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# "DEFAULT" leaves cipher selection to the installed OpenSSL; review it.
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
mschapv2 {
}
}
/etc/raddb/clients.conf
# /etc/raddb/clients.conf on the IdP: the FLR and the test access point.
# netmask = 32 makes each entry match exactly one host; the [password...]
# values are placeholders for the shared secrets.
client roaming.eduroam.by {
ipaddr = 80.94.174.231
netmask = 32
secret = [password-of-flrs-roaming-eduroam-by]
# "no" accepts Access-Requests that carry no Message-Authenticator. EAP
# requests always include one (RFC 3579), so "yes" is the stricter setting
# for these peers; confirm each peer sends it before tightening.
require_message_authenticator = no
shortname = eduroam-flrs
nastype = other
virtual_server = eduroam
}
client eapoltest {
ipaddr = 212.98.162.58
netmask = 32
secret = [passwordforeapoltest]
require_message_authenticator = no
shortname = eduroam-ap-v4
nastype = other
virtual_server = eduroam
}
/etc/raddb/modules/pap
# /etc/raddb/modules/pap: auto_header lets pap recognise the hash type from
# a {SSHA}/{crypt}/... prefix on the stored password.
pap {
auto_header = yes
}
/etc/raddb/modules/ldap
# /etc/raddb/modules/ldap: user lookup for the inner tunnel.
ldap {
server = "127.0.0.1"
# Binds as the directory rootdn with its clear-text password (the same
# credential as rootpw in slapd.conf). A dedicated read-only bind DN limited
# to ou=people would follow least privilege; either way this file contains a
# secret and must stay readable by the radiusd user only.
identity = "cn=root,dc=eduroam,dc=by"
password = test
basedn = "dc=eduroam,dc=by"
# The user is found by mail = the full User-Name (realm kept by nostrip),
# e.g. slayer@eduroam.by from slayer.ldif. NOTE(review): rlm_ldap is
# expected to escape the expanded User-Name for use in the filter; confirm
# for this version since the value comes from the network.
filter = "(mail=%{User-Name})"
base_filter = "(objectclass=inetOrgPerson)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
# Tolerable only because the server is 127.0.0.1 on the same container;
# a remote directory must be reached over TLS.
start_tls = no
}
profile_attribute = "eduPersonPrincipalName"
dictionary_mapping = ${confdir}/ldap.attrmap
# The stored password is fetched into the request's control list so the
# MS-CHAPv2 response can be verified locally; this needs userPassword to be
# clear text (or an NT hash) and readable by the bind DN.
password_attribute = userPassword
edir_account_policy_check = no
}
sites-enabled/eduroam
# Drop the packaged default/inner-tunnel sites; the file written next defines
# both the outer "eduroam" server and "eduroam-inner-tunnel".
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
# /etc/raddb/sites-enabled/eduroam on idp.eduroam.by: the outer "eduroam"
# server decides between local handling and proxying; "eduroam-inner-tunnel"
# authenticates the identity carried inside TTLS/PEAP against LDAP.
server eduroam {
authorize {
auth_log
suffix
# suffix mapped unknown realms to DEFAULT (the FLR pool). Our own sub-realms
# must not be bounced back to the FLR, so proxying is cancelled for them.
# NOTE(review): the dots in the pattern are unescaped, so it also matches
# e.g. user@xeduroam.by; "/.*@.*\.eduroam\.by$/" matches only real
# sub-realms. Same pattern in preacct below.
if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*.eduroam.by$/)) {
update control {
Proxy-To-Realm := NULL
}
}
eap
}
authenticate {
Auth-Type EAP {
eap
}
}
preacct {
suffix
acct_unique
if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*.eduroam.by$/)) {
update control {
Proxy-To-Realm := NULL
}
}
}
accounting {
detail
# writes the ACCOUNTING rows defined in sql.conf
sql
}
post-auth {
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
reply_log
}
}
pre-proxy {
attr_filter.pre-proxy
pre_proxy_log
}
post-proxy {
post_proxy_log
attr_filter.post-proxy
}
}
server eduroam-inner-tunnel {
authorize {
auth_log
# fetches the user's entry and password attribute (modules/ldap)
ldap
eap
}
authenticate {
# Auth-Type LDAP binds as the user, which only works for methods that carry
# a clear-text password (PAP/GTC), not for MS-CHAPv2.
Auth-Type LDAP {
ldap
}
# NOTE(review): no "Auth-Type MS-CHAP { mschap }" block here although the
# inner EAP type is mschapv2; the basnet.by IdP below has one. Confirm that
# EAP-MSCHAPv2 succeeds without it on this version.
eap
}
preacct {
}
accounting {
}
session {
}
post-auth {
# Copy the real (inner) identity into the outer Access-Accept so the visited
# site's accounting sees it; this deliberately discloses the inner identity
# to the service provider.
update outer.reply {
User-Name = "%{User-Name}"
}
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
reply_log
}
}
pre-proxy {
}
post-proxy {
}
}
/etc/raddb/radiusd.conf
# /etc/raddb/radiusd.conf on the IdP, trimmed to the directives used here.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# drop privileges after start-up
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Two listeners on every interface; port = 0 means the standard port from
# /etc/services (1812 auth, 1813 acct). Nothing in the daemon limits who may
# connect: the iptables allow-list and clients.conf do that.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
# a core file would contain shared secrets and session keys
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
# keep passwords out of radius.log
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
# max_attributes rejects oversized packets; reject_delay slows down password
# guessing by holding Access-Reject for a second; status_server answers
# Status-Server probes from peers.
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
# included, but no "counter" call appears in sites-enabled/eduroam
$INCLUDE sql/mysql/counter.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/sql.conf
# /etc/raddb/sql.conf on the IdP: MySQL accounting into the ACCOUNTING table
# created above. The login/password must match the GRANT; the password is
# stored in clear text here, so this file must stay readable by radiusd only.
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radiusd"
password = "radpasswd"
radius_db = "radius"
num_sql_socks = 5
connect_failure_retry_delay = 60
# Eduroam specific logging of Accounting start and stop records
# The %{...} attributes come from the network. rlm_sql (2.x) runs its escape
# function over expanded attributes before substituting them into the query,
# so keep the surrounding single quotes exactly as they are; verify this
# when editing the queries.
accounting_start_query = "INSERT into ACCOUNTING SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = '%{NAS-Port}',\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"
# 64-bit byte counters: Gigawords are the high 32 bits, Octets the low 32;
# the quoted operands are converted to integers by MySQL. Missing
# attributes default to 0 via %{...:-0}.
accounting_update_query = "UPDATE ACCOUNTING SET\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
accounting_stop_query = "UPDATE ACCOUNTING SET\
`Timestamp Stop` = NOW(),\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}',\
`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
}
добавляем freeradius в автозагрузку
# Start radiusd at boot.
chkconfig radiusd on
/etc/sysconfig/iptables
# INPUT policy DROP; only the test AP and the FLR may reach this host, on
# any protocol and port, plus loopback. Restricting the per-peer rules to
# "-p udp --dport 1812:1813" would narrow the exposure. Note that the
# domain controller (basnet.by variant) and the stat server are not listed;
# their replies are covered by RELATED,ESTABLISHED only.
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*mangle
:PREROUTING ACCEPT [1054:112214]
:INPUT ACCEPT [1054:112214]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
:POSTROUTING ACCEPT [213:66193]
COMMIT
# Completed on Mon Apr 18 12:00:21 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*filter
:INPUT DROP [772:40258]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:00:21 2011
# Load the rule set now and on every boot.
chkconfig iptables on
/etc/init.d/iptables restart
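# Install the eduroam_monitor script and register it in rc.local. The
# archive is unpacked over / as root, so it presumably ships its own
# /usr/sbin and /var/eduroam layout.
cd
# Plain-http download with no checksum or signature: list the archive and
# check it against a hash published by the author before unpacking it over
# the root filesystem.
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
tar tzf /root/eduroam_monitor-20090509.tar.gz
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
# RPMforge repository for perl-File-Tail / perl-Net-SNMP; rpm only verifies
# the package signature if the RPMforge GPG key has already been imported.
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install perl-Net-SNMP
touch /var/log/dhcpd.log
# Adjust the script and its sys_db configuration (the original page shows
# the second path garbled as "/vim var/eduroam/etc/sys_db"), then run the
# monitor once by hand.
vim /usr/sbin/eduroam_monitor.pl
vim /var/eduroam/etc/sys_db
/usr/sbin/eduroam_monitor.pl
# Start it on every boot; rc.local runs as root, so the monitor does too.
echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local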
создание виртуального сервера
# Create container 904 (the basnet.by IdP) from the CentOS 5 template.
vzctl create 904 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
# Same UBC limits as the other containers; veth interface (--netif_add eth0)
# with the address assigned inside and routed by /etc/vz/conf/904.mount.
vzctl set 904 --save --onboot "yes"
vzctl set 904 --save --kmemsize "104239923:114663915"
vzctl set 904 --save --lockedpages "5089:5089"
vzctl set 904 --save --privvmpages "152695:167964"
vzctl set 904 --save --shmpages "15269:15269"
vzctl set 904 --save --numproc "4000:4000"
vzctl set 904 --save --physpages "0:9223372036854775807"
vzctl set 904 --save --vmguarpages "152695:9223372036854775807"
vzctl set 904 --save --oomguarpages "152695:9223372036854775807"
vzctl set 904 --save --numtcpsock "4000:4000"
vzctl set 904 --save --numflock "1000:1100"
vzctl set 904 --save --numpty "400:400"
vzctl set 904 --save --numsiginfo "1024:1024"
vzctl set 904 --save --tcpsndbuf "18362641:34746641"
vzctl set 904 --save --tcprcvbuf "18362641:34746641"
vzctl set 904 --save --othersockbuf "9181320:25565320"
vzctl set 904 --save --dgramrcvbuf "9181320:9181320"
vzctl set 904 --save --numothersock "4000:4000"
vzctl set 904 --save --dcachesize "22762625:23445504"
vzctl set 904 --save --numfile "40704:40704"
vzctl set 904 --save --avnumproc "1272:1272"
vzctl set 904 --save --numiptent "200:200"
vzctl set 904 --save --diskspace "1163682:1280051"
vzctl set 904 --save --diskinodes "421490:463640"
vzctl set 904 --save --quotatime "0"
vzctl set 904 --save --cpuunits "100050"
vzctl set 904 --save --hostname "idp.basnet.by"
vzctl set 904 --netif_add eth0 --save
vzctl set 904 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
Для корректной работы veth создадим файл /etc/vz/conf/904.mount
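#!/bin/bash
# vzctl mount hook for container 904: once the container is up, wait for the
# host side of its veth pair to appear and add a host route for the
# container's public address to it.
#
# Environment: vzctl exports VE_CONFFILE (path of the container's config).
# Exit status: 1 if either config file is missing. The route setup runs in a
# detached background loop and does not influence the exit status.

# This script sources the VPS configuration files in the same order as vzctl
# does; if one of them is missing something is really broken.
# VE_CONFFILE is quoted on purpose: with an unset variable the unquoted form
# degenerates to `[ -f ]`, which is true, and the script would go on to
# source an empty path instead of failing here.
[ -f /etc/vz/vz.conf ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
# source both files. Note the order, it is important
. /etc/vz/vz.conf
. "$VE_CONFFILE"

# Configure veth with IP after VPS has started. Detached so the hook returns
# immediately; the loop ends as soon as ifconfig succeeds on the device, i.e.
# once the container side of the veth exists. There is no upper bound on the
# wait: if the device never appears the loop keeps polling once per second.
{
  ip_addr=80.94.174.234
  dev=veth904.0
  while sleep 1; do
    if /sbin/ifconfig "$dev" 0 >/dev/null 2>&1; then
      /sbin/ip route add "$ip_addr" dev "$dev"
      break
    fi
  done
} &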
сделаем исполняемым
# vzctl only runs the mount hook if it is executable.
chmod +x /etc/vz/conf/904.mount
запуск виртуальной машины
# Boot container 904 (this also triggers 904.mount).
vzctl start 904
вход на сервер
# Open a root shell inside the container; everything below runs in 904.
vzctl enter 904
настройка днс
# Point the container at the resolver 80.94.160.3 (replaces resolv.conf).
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
настройка сети
/etc/sysconfig/network-scripts/ifcfg-eth0
# Container side of the veth: a /32 address with no on-link gateway. The
# default route is installed by the local change to ifup-eth shown next.
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.234
NETMASK=255.255.255.255
BROADCAST=0.0.0.0
Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth
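# Add Zeroconf route.
# Local change for idp.basnet.by: the veth carries a /32 address, so the
# gateway 80.94.174.193 is presumably not on-link; add a host route to it
# first and then the default route through it. The gateway is hard-coded
# here, keep it in sync with the container's network.
# `-a` inside `[ ]` is deprecated and ambiguous; separate tests joined by &&
# are equivalent and unambiguous, and ${REALDEVICE} is quoted.
if [ -z "${NOZEROCONF}" ] && [ "${ISALIAS}" = "no" ] && [ "${REALDEVICE}" != "lo" ]; then
  ip route replace 169.254.0.0/16 dev "${REALDEVICE}"
  ip route add 80.94.174.193 dev eth0
  ip route add default via 80.94.174.193
fi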
апдейт системы
# Bring the template up to date and install an editor with a usable vimrc.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc
ставим kerberos
# Kerberos client tools for joining the BASNET.BY Active Directory realm.
yum install krb5-workstation
файл конфига /etc/krb5.conf
# /etc/krb5.conf for the BASNET.BY AD realm used by Samba/winbind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BASNET.BY
# KDC and realm are pinned below instead of discovered through DNS, so DNS
# cannot redirect Kerberos traffic to another host.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
BASNET.BY = {
kdc = 80.94.174.204:88
admin_server = 80.94.174.204:749
default_domain = basnet.by
}
[domain_realm]
.basnet.by = BASNET.BY
basnet.by = BASNET.BY
# pam settings are not used by FreeRADIUS on this host; kept from the
# distribution default.
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Получаем тикет
# Obtain a TGT as the domain administrator; this also checks that krb5.conf
# and the KDC address work before the domain join below.
/usr/kerberos/bin/kinit administrator@BASNET.BY
конфиг самбы /etc/samba/smb.conf
# /etc/samba/smb.conf: the IdP joins the BASNET AD domain (net join below) so
# winbind / ntlm_auth can verify MS-CHAPv2 responses against the DC.
[global]
workgroup = BASNET
server string = Samba Server Version %v
netbios name = idp
# security = ads: authenticate against Active Directory via Kerberos
security = ads
printcap name = /etc/printcap
load printers = no
printing =
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
# "no": winbind does not treat bare user names as members of BASNET
winbind use default domain = no
# the DC is pinned by address (see also /etc/resolv.conf below)
password server = 80.94.174.204
realm = BASNET.BY
# [homes] is not needed for RADIUS; if smbd is reachable it exposes home
# directories read-write over SMB. Consider removing it or not starting smb.
[homes]
comment = Home Directories
browseable = no
writable = yes
меняем резолвер на контроллер домена
# Use the domain controller as resolver so AD names resolve (replaces resolv.conf).
printf 'nameserver %s\n' 80.94.174.204 > /etc/resolv.conf
в файле /etc/nsswitch.conf изменяем строчки:
# /etc/nsswitch.conf: consult winbind after the local files so domain users
# and groups resolve on this host.
passwd: files winbind
shadow: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: nisplus winbind
automount: files nisplus winbind
добавляем сервер в домен
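# Join the AD domain. With -U <user> and no "%password" suffix, net prompts
# for the password, keeping it out of the shell history and the process list.
net join -U Administrator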
стартуем samba/winbind
# winbind is what ntlm_auth talks to; smb is only needed if SMB shares are
# wanted (see the [homes] share in smb.conf).
/etc/init.d/smb start
/etc/init.d/winbind start
добавляем в автозапуск
# Start both at boot.
chkconfig smb on
chkconfig winbind on
ставим и запускаем mysql, добавляем в автозагрузку
# MySQL for the accounting tables written by /etc/raddb/sql.conf.
yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on
создаем базу, таблицы, пользователя
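-- Accounting / monitoring schema on the IdP. radiusd@localhost is the login
-- configured in /etc/raddb/sql.conf; the passwords must match.
create database radius;
-- ALL PRIVILEGES on radius.* is more than the sql module uses (it only
-- INSERTs/UPDATEs ACCOUNTING, see sql.conf) and also covers access_points,
-- which holds device credentials. Narrow the grant unless another tool
-- relies on this account.
grant all privileges on radius.* to radiusd@localhost identified by 'radpasswd';
USE radius;
-- One row per accounting session; User-Name .. Acct-Unique-Session-Id are
-- filled by the sql.conf queries, the remaining columns by other tools.
CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;  -- ENGINE= replaces the deprecated TYPE= keyword; both are accepted by the MySQL 5.0 of CentOS 5
-- Per-access-point credentials (SNMP community, RADIUS secret, root login)
-- in clear text: treat this table like a password file.
create table access_points (
  `IP address` varchar(100) PRIMARY KEY NOT NULL,
  `snmp secret` varchar(100) NOT NULL default '',
  `radius secret` varchar(100) NOT NULL default '',
  `root username` varchar(100) NOT NULL default '',
  `root password` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;
-- Rejected sessions; no query on this page writes it.
CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;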
ставим freeradius и модуль mysql к нему
# Distribution FreeRADIUS 2 with the mysql module; MS-CHAPv2 is verified
# through winbind, so no ldap module is needed on this IdP.
yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-mysql
/etc/raddb/proxy.conf
# /etc/raddb/proxy.conf on idp.basnet.by: the own realm is handled locally,
# every other realm is forwarded to the national FLR. [passwordhere] is a
# placeholder for the shared secret; the file holds a credential.
proxy server {
# If all home servers of a realm are dead, fall back to the DEFAULT realm
# and ultimately to local handling instead of dropping the request; verify
# this is the wanted behaviour for foreign realms.
default_fallback = yes
}
realm LOCAL {
}
# No home server: users of basnet.by are authenticated here (via winbind).
realm basnet.by {
nostrip
}
home_server roaming.eduroam.by {
type = auth+acct
ipaddr = 80.94.174.231
port = 1812
secret = [passwordhere]
response_window = 20
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool EDUROAM-FTLR-BY {
type = fail-over
home_server = roaming.eduroam.by
}
realm DEFAULT {
pool = EDUROAM-FTLR-BY
nostrip
}
/etc/raddb/eap.conf
# /etc/raddb/eap.conf on idp.basnet.by. TTLS and PEAP tunnel an MS-CHAPv2
# exchange that is processed by the "eduroam-inner-tunnel" virtual server.
eap {
# Method offered first when the supplicant does not ask for one. EAP-MD5
# yields no keying material and is therefore unusable for 802.1X wireless;
# peap or ttls would be the better default.
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
# LEAP is an obsolete, weak method; keep it only if a legacy client needs it.
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# These are the test certificates generated by the bootstrap script, with
# their default passphrase. Before production install a server certificate
# issued by a CA the supplicants trust, with its own passphrase; otherwise
# clients cannot verify they are talking to this IdP.
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# "DEFAULT" leaves cipher selection to the installed OpenSSL; review it.
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
mschapv2 {
}
}
/etc/raddb/clients.conf
# /etc/raddb/clients.conf on idp.basnet.by: the FLR and the test access
# point. netmask = 32 makes each entry match exactly one host; the
# [password...] values are placeholders for the shared secrets.
client roaming.eduroam.by {
ipaddr = 80.94.174.231
netmask = 32
secret = [password-of-flrs-roaming-eduroam-by]
# "no" accepts Access-Requests that carry no Message-Authenticator. EAP
# requests always include one (RFC 3579), so "yes" is the stricter setting
# for these peers; confirm each peer sends it before tightening.
require_message_authenticator = no
shortname = eduroam-flrs
nastype = other
virtual_server = eduroam
}
client eapoltest {
ipaddr = 212.98.162.58
netmask = 32
secret = [passwordforeapoltest]
require_message_authenticator = no
shortname = eduroam-ap-v4
nastype = other
virtual_server = eduroam
}
# /etc/raddb/modules/pap: auto_header lets pap recognise the hash type from
# a {SSHA}/{crypt}/... prefix on the stored password.
pap {
auto_header = yes
}
/etc/raddb/modules/mschap
# /etc/raddb/modules/mschap: MS-CHAPv2 is verified by the domain controller
# through winbind (ntlm_auth). --request-nt-key returns the key material
# needed to derive the MPPE session keys.
mschap {
use_mppe = yes
# only 128-bit MPPE sessions are accepted
require_encryption = yes
require_strong = yes
# strip a DOMAIN\ prefix from the user name before verification
with_ntdomain_hack = yes
# The user name passed to the wrapper comes straight from the request
# (Stripped-User-Name is empty here, as the author notes below, so
# mschap:User-Name is used); the wrapper must treat it as untrusted input
# and quote it.
ntlm_auth = "/usr/bin/ntlm_auth.sh --request-nt-key --username=%{Stripped-User-Name:-%{mschap:User-Name}} \
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
ntlm_auth не умеет авторизировать по юзернейму вида --user=user@domain.org, только --user=user --domain=domain.org. Stripped-User-Name почему-то отдает пустоту, а mschap:User-Name - user@domain.org. Поэтому используем workaround в виде скрипта /usr/bin/ntlm_auth.sh
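#!/bin/sh
# Wrapper for ntlm_auth called from rlm_mschap (/etc/raddb/modules/mschap):
# ntlm_auth wants a bare user name, but the request carries user@basnet.by,
# so the "@basnet.by" suffix is stripped from the --username=... argument
# ($2) and the other three arguments are passed through unchanged.
#
# Arguments (positional, in the order given in the mschap ntlm_auth line):
#   $1  --request-nt-key
#   $2  --username=<user>[@basnet.by]   (taken from the RADIUS request)
#   $3  --challenge=<hex>
#   $4  --nt-response=<hex>
# Exit status: that of ntlm_auth.
#
# $2 comes from the network and is untrusted: every expansion is quoted so
# it is never word-split or globbed, and the dot in the suffix is escaped so
# sed only removes the literal "@basnet.by".
username=$(printf '%s\n' "$2" | sed -e 's/@basnet\.by//g')
exec /usr/bin/ntlm_auth "$1" "$username" "$3" "$4"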
делаем исполняемым
# radiusd executes the wrapper, so it must be executable (and, being run
# with the server's privileges, writable by root only).
chmod +x /usr/bin/ntlm_auth.sh
sites-enabled/eduroam
# Drop the packaged default/inner-tunnel sites; the file written next defines
# both the outer "eduroam" server and "eduroam-inner-tunnel".
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
# /etc/raddb/sites-enabled/eduroam on idp.basnet.by: the outer "eduroam"
# server decides between local handling and proxying; "eduroam-inner-tunnel"
# verifies the identity carried inside TTLS/PEAP against the AD domain.
server eduroam {
authorize {
auth_log
suffix
# suffix mapped unknown realms to DEFAULT (the FLR pool). Our own sub-realms
# must not be bounced back to the FLR, so proxying is cancelled for them.
# NOTE(review): the dots in the pattern are unescaped, so it also matches
# e.g. user@xbasnet.by; "/.*@.*\.basnet\.by$/" matches only real
# sub-realms. Same pattern in preacct below.
if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*.basnet.by$/)) {
update control {
Proxy-To-Realm := NULL
}
}
eap
}
authenticate {
Auth-Type EAP {
eap
}
}
preacct {
suffix
acct_unique
if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*.basnet.by$/)) {
update control {
Proxy-To-Realm := NULL
}
}
}
accounting {
detail
# writes the ACCOUNTING rows defined in sql.conf
sql
}
post-auth {
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
reply_log
}
}
pre-proxy {
attr_filter.pre-proxy
pre_proxy_log
}
post-proxy {
post_proxy_log
attr_filter.post-proxy
}
}
server eduroam-inner-tunnel {
authorize {
auth_log
# sets Auth-Type MS-CHAP when the inner request carries MS-CHAP attributes
mschap
eap
}
authenticate {
# the NT response is checked by the domain controller via ntlm_auth
# (modules/mschap)
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
}
accounting {
}
session {
}
post-auth {
# Copy the real (inner) identity into the outer Access-Accept so the visited
# site's accounting sees it; this deliberately discloses the inner identity
# to the service provider.
update outer.reply {
User-Name = "%{User-Name}"
}
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
reply_log
}
}
pre-proxy {
}
post-proxy {
}
}
/etc/raddb/radiusd.conf
# /etc/raddb/radiusd.conf on idp.basnet.by, trimmed to the directives used.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# drop privileges after start-up
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Two listeners on every interface; port = 0 means the standard port from
# /etc/services (1812 auth, 1813 acct). Nothing in the daemon limits who may
# connect: the iptables allow-list and clients.conf do that.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
# a core file would contain shared secrets and session keys
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
# keep passwords out of radius.log
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
# max_attributes rejects oversized packets; reject_delay slows down password
# guessing by holding Access-Reject for a second; status_server answers
# Status-Server probes from peers.
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
# included, but no "counter" call appears in sites-enabled/eduroam
$INCLUDE sql/mysql/counter.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/sql.conf
sql {
# rlm_sql instance used for accounting only (called from the outer server's
# accounting section).
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radiusd"
# Plaintext database credential. Keep this file readable only by root and the
# radiusd group (e.g. root:radiusd 0640) and give this DB user no more than
# the INSERT/UPDATE rights on ACCOUNTING that the three queries below need.
password = "radpasswd"
radius_db = "radius"
num_sql_socks = 5
connect_failure_retry_delay = 60
# Eduroam specific logging of Accounting start and stop records
#
# The %{...} attribute values are escaped by rlm_sql before substitution, which
# is what makes quoting them as '...' safe; do not build these strings with any
# other module. Acct-Unique-Session-Id (from acct_unique in preacct) is the key
# that ties the update/stop rows to the start row.
accounting_start_query = "INSERT into ACCOUNTING SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = '%{NAS-Port}',\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"
# Gigawords are the upper 32 bits of the 64-bit octet counters; the quoted
# values are coerced to integers by MySQL for << and |, and a missing attribute
# defaults to 0 via %{...:-0}.
accounting_update_query = "UPDATE ACCOUNTING SET\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
# Stop: same counters as the update plus the stop time and terminate cause.
accounting_stop_query = "UPDATE ACCOUNTING SET\
`Timestamp Stop` = NOW(),\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
`Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}',\
`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1"
}
Чтобы радиус мог авторизоваться в самбе
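# radiusd (running unprivileged) must reach winbindd's privileged pipe for the
# challenge/response calls the mschap module makes through ntlm_auth. winbindd
# creates this directory root:root 0750, so group ownership is what grants
# access; the mode is set explicitly so this does not depend on that default.
chgrp radiusd /var/cache/samba/winbindd_privileged
chmod 0750 /var/cache/samba/winbindd_privileged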
стартуем radius
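# Start radiusd. Stop here if it fails instead of silently going on to enable
# it at boot; the foreground debug run (radiusd -X) shows the reason.
/etc/init.d/radiusd start || { echo "radiusd failed to start; run 'radiusd -X' to see why" >&2; exit 1; }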
добавляем в автозагрузку
# Enable radiusd in its default runlevels so it starts at boot.
chkconfig radiusd on
/etc/sysconfig/iptables
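# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
*mangle
:PREROUTING ACCEPT [3182:259335]
:INPUT ACCEPT [3182:259335]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
:POSTROUTING ACCEPT [3233:320119]
COMMIT
# Completed on Mon Apr 18 11:01:02 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
*filter
# Default-deny inbound; only replies to our own traffic, loopback and the
# listed peer hosts get in. Each -s rule admits *every* protocol and port from
# that host (including SSH); if a peer only needs RADIUS, tighten it to
# "-p udp --dport 1812" / "--dport 1813" (the default auth/acct ports used by
# port = 0 in radiusd.conf) so a compromised peer cannot reach anything else.
# 212.98.162.58 is the eapol_test host from clients.conf.
:INPUT DROP [539:30177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -s 80.94.164.26 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 80.94.174.204 -j ACCEPT
COMMIT
# Completed on Mon Apr 18 11:01:02 2011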
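# Load the ruleset above at boot and apply it now. The filter INPUT policy is
# DROP with only the listed source hosts allowed, so before restarting make
# sure the address you administer this server from is one of them - otherwise
# this call locks you out of the machine.
chkconfig iptables on
/etc/init.d/iptables restart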
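# eduroam_monitor: a Perl monitoring helper (it pulls in File::Tail and
# Net::SNMP and tails the DHCP log). The steps below run as root.
cd
# Fetched over plain HTTP with no checksum or signature to check it against.
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
# The archive is unpacked relative to /, so whatever it contains lands directly
# in the live filesystem. List it first and make sure it only holds the two
# files edited below (usr/sbin/eduroam_monitor.pl, var/eduroam/...).
tar tzvf /root/eduroam_monitor-20090509.tar.gz
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
# RPMforge repository for the Perl modules. Also fetched over plain HTTP;
# import the repository's GPG key first and let rpm verify the package
# signature (rpm -K) rather than trusting the transport.
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install perl-Net-SNMP
# The monitor tails this file; it must exist before the first start.
touch /var/log/dhcpd.log
# Site-specific settings live in the script itself and in sys_db: edit both.
vim /usr/sbin/eduroam_monitor.pl
vim /var/eduroam/etc/sys_db
# First manual run, then start it from rc.local on every boot (as root).
# The grep keeps the rc.local entry from being appended twice if this is rerun.
/usr/sbin/eduroam_monitor.pl
grep -qxF "/usr/sbin/eduroam_monitor.pl" /etc/rc.local || echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local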
Тестируем всю полученную конструкцию. Для этого будем использовать эмулятор точки доступа (аутентификатора) eapol_test; тестировать будем с хоста 212.98.162.58, для которого мы создавали запись в clients.conf.
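# eapol_test is the RADIUS/EAP test client that comes with the wpa_supplicant
# sources. This fetches a prebuilt binary over plain HTTP with nothing to
# verify it against, then runs it with a real RADIUS shared secret and test
# credentials; prefer building eapol_test yourself from the wpa_supplicant
# sources on the test host.
wget thesuki.org/scripts/eduroam/eapol/eapol_test
chmod +x eapol_test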
Конфиг для теста EAP/TTLS/PAP (eduroam.by) ttlspap.conf
network={
# eapol_test profile: EAP-TTLS with PAP as the inner method.
ssid="eduroam"
key_mgmt=IEEE8021X
eap=TTLS
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
# PAP sends the password in the clear inside the TLS tunnel, so the tunnel
# endpoint must be verified. NOTE(review): no ca_cert is set here, so the
# server certificate is not validated and this credential would be handed to
# whichever RADIUS server answers. Acceptable for a lab run against a known
# IP, but real supplicants must pin the IdP's CA - and adding ca_cert here is
# also the only way this test checks that the IdP's certificate chain validates.
phase2="auth=PAP"
# No anonymous outer identity: the real user name is visible in the outer EAP
# identity to every RADIUS hop.
identity="slayer@eduroam.by"
# Plaintext test credential: keep this file 0600 and use a throw-away account.
password="test123"
}
Конфиг для теста EAP/PEAP/MSCHAP (basnet.by) peapmschap.conf
network={
# eapol_test profile: PEAP with MSCHAPv2 as the inner method (the path that
# goes through ntlm_auth / winbind on the basnet.by IdP).
ssid="eduroam"
key_mgmt=IEEE8021X
eap=PEAP
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
# NOTE(review): no ca_cert, so the server certificate is not validated. An
# MSCHAPv2 exchange captured by a rogue server terminating the tunnel can be
# attacked offline, so outside a lab run the CA must be pinned; adding ca_cert
# here is also how you test that the IdP presents a validating chain.
phase2="auth=MSCHAPV2"
# No anonymous outer identity: the real user name is visible to every hop.
identity="slayer@basnet.by"
# Plaintext test credential: keep this file 0600 and use a throw-away account.
password="test123"
}
Тестируем вход в родной домен eduroam.by (на сервере idp.eduroam.by 80.94.174.233)
# Home realm, TTLS/PAP, sent straight to idp.eduroam.by. The shared secret is
# given on the command line, so it ends up in shell history and is visible to
# other users on the test host via ps; run these from a single-user host and
# clear the history afterwards.
./eapol_test -c ttlspap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в чужой домен eduroam.by (на сервере idp.basnet.by 80.94.174.234, при этом запрос должен проксироваться через flrs roaming.eduroam.by)
# eduroam.by user via the basnet.by IdP: must be proxied through the FLR.
./eapol_test -c ttlspap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в родной домен basnet.by (на сервере idp.basnet.by 80.94.174.234)
# Home realm, PEAP/MSCHAPv2, sent straight to idp.basnet.by (ntlm_auth path).
./eapol_test -c peapmschap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в чужой домен basnet.by (на сервере idp.eduroam.by 80.94.174.233, при этом запрос должен проксироваться через flrs roaming.eduroam.by)
# basnet.by user via the eduroam.by IdP: must be proxied through the FLR.
./eapol_test -c peapmschap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]
Если все настроено корректно, должны получить везде SUCCESS.
Для отладки можно запускать radius с дополнительными ключами в foreground
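# Debugging: stop the daemon and run it in the foreground with debug output.
# -X prints every packet and attribute, including inner-tunnel credentials
# (the TTLS/PAP User-Password appears in clear text); keep the output on the
# console rather than redirecting it to a file that stays on disk, and stop
# the debug instance when done.
/etc/init.d/radiusd stop
radiusd -Xxx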
http://www.eduroam.org/index.php?p=faq#setup
https://confluence.terena.org/display/H2eduroam/eduroam+IdP
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+at+national+level
https://confluence.terena.org/display/H2eduroam/freeradius-sp
https://confluence.terena.org/display/H2eduroam/freeradius-idp
2do: single dhcp server for AP dhcp-relay inside VE
http://aai.arnes.si/eduroam/dhcp.html
http://aai.arnes.si/eduroam/statistika
http://aai.arnes.si/eduroam/belezenje-ip.html
http://aai.arnes.si/eduroam/mysql.html
http://osdir.com/ml/network.dhcp.isc.dhcp-server/2004-04/msg00129.html