User Tools

Site Tools


huy:radius_eduroam_howto

установка flrs

установка сервера национального уровня roaming.eduroam.by

В примере будет использоваться виртуальный сервер под openvz. Прежде всего, создадим виртуальный сервер.

vzctl create 803 --ostemplate centos-5-x86_64

настройка лимитов виртуальной машины

vzctl set 803 --save --onboot "yes"
vzctl set 803 --save --kmemsize "104239923:114663915"
vzctl set 803 --save --lockedpages "5089:5089"
vzctl set 803 --save --privvmpages "152695:167964"
vzctl set 803 --save --shmpages "15269:15269"
vzctl set 803 --save --numproc "4000:4000"
vzctl set 803 --save --physpages "0:9223372036854775807"
vzctl set 803 --save --vmguarpages "152695:9223372036854775807"
vzctl set 803 --save --oomguarpages "152695:9223372036854775807"
vzctl set 803 --save --numtcpsock "4000:4000"
vzctl set 803 --save --numflock "1000:1100"
vzctl set 803 --save --numpty "400:400"
vzctl set 803 --save --numsiginfo "1024:1024"
vzctl set 803 --save --tcpsndbuf "18362641:34746641"
vzctl set 803 --save --tcprcvbuf "18362641:34746641"
vzctl set 803 --save --othersockbuf "9181320:25565320"
vzctl set 803 --save --dgramrcvbuf "9181320:9181320"
vzctl set 803 --save --numothersock "4000:4000"
vzctl set 803 --save --dcachesize "22762625:23445504"
vzctl set 803 --save --numfile "40704:40704"
vzctl set 803 --save --avnumproc "1272:1272"
vzctl set 803 --save --numiptent "200:200"
vzctl set 803 --save --diskspace "1163682:1280051"
vzctl set 803 --save --diskinodes "421490:463640"
vzctl set 803 --save --quotatime "0"
vzctl set 803 --save --cpuunits "100050"
vzctl set 803 --save --ipadd "80.94.174.231"
vzctl set 803 --save --hostname "roaming.eduroam.by"
vzctl set 803 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
              --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
              --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
              --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

настройка системы

запуск виртуальной машины

vzctl start 803

вход на сервер

vzctl enter 803

настройка днс

echo nameserver "80.94.160.3" > /etc/resolv.conf

апдейт системы, установка vim

yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc 
vim ~/.vimrc

установка freeradius

yum install freeradius2.x86_64 freeradius2-utils.x86_64
rpm -Uvh freeradius2-2.1.7-7.el5.src.rpm
cd /usr/src/redhat/SOURCES
tar jxfv freeradius-server-2.1.7.tar.bz2
wget https://raw.github.com/mcnewton/freeradius-server/089c108c472a6a9d2a21ae86b41343b06274f95d/src/modules/rlm_linelog/rlm_linelog.c
mv rlm_linelog.c ./freeradius-server-2.1.7/src/modules/rlm_linelog/rlm_linelog.c
tar cjf freeradius-server-2.1.7.tar.bz2 freeradius-server-2.1.7
cd /usr/src/redhat/
yum install autoconf gdbm-devel libtool libtool-ltdl-devel openssl-devel pam-devel zlib-devel \
    net-snmp-devel readline-devel libpcap-devel openldap-devel krb5-devel python-devel mysql-devel postgresql-devel unixODBC-devel rpm-build
rpmbuild  -bb SPECS/freeradius2.spec
cd RPMS/
cd x86_64/
rpm -Uvh --force freeradius2-2.1.7-7.x86_64.rpm freeradius2-mysql-2.1.7-7.x86_64.rpm freeradius2-utils-2.1.7-7.x86_64.rpm

настройка freeradius

/etc/raddb/proxy.conf

realm eduroam.by {
          nostrip
          authhost = 80.94.174.233
          accthost = 80.94.174.233
          secret   = [secret-of-eduroam.by-here]
}

realm basnet.by {
          nostrip
          authhost = 80.94.174.234
          accthost = 80.94.174.234
          secret   = [secret-of-basnet.by-here]
}

home_server etlr1-v4 {
        type                    = auth+acct
        ipaddr                  = 192.87.106.34
        port                    = 1812
        secret                  = [secret-of-etlr1-v4-here]
        response_window         = 20
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}
home_server etlr2-v4 {
        type                    = auth+acct
        ipaddr                  = 130.225.242.109
        port                    = 1812
        secret                  = [secret-of-etlr2-v4-here]
        response_window         = 20
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server_pool EDUROAM-ETLR {
        type                    = fail-over
        home_server             = etlr1-v4
        home_server             = etlr2-v4
}

realm DEFAULT {
        pool                    = EDUROAM-ETLR
        nostrip
}

/etc/raddb/eap.conf

ttls {
           default_eap_type = mschapv2
           copy_request_to_tunnel = yes
           use_tunneled_reply = yes
}

peap {

           default_eap_type = mschapv2
           copy_request_to_tunnel = yes
           use_tunneled_reply = yes
           virtual_server = "inner-tunnel"
}

/etc/raddb/clients.conf

client descriptivename {
            ipaddr                             = 212.98.162.58
            netmask                            = 32
            secret                             = [passwordforeapoltest]
            require_message_authenticator      = no
            shortname                          = eduroam-ap-v4
            nastype                            = other
            virtual_server                     = eduroam
}


client idp.eduroam.by {
            ipaddr                             = 80.94.174.233
            netmask                            = 32
            secret                             = [passwordofidpeduroam]
            require_message_authenticator      = no
            shortname                          = idp-eduroam
            nastype                            = other
            virtual_server                     = eduroam
}

client idp.basnet.by {
            ipaddr                             = 80.94.174.234
            netmask                            = 32
            secret                             = [passwordofidpbasnet]
            require_message_authenticator      = no
            shortname                          = idp-basnet
            nastype                            = other
            virtual_server                     = eduroam
}

/etc/raddb/sites-enabled/eduroam

rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
server eduroam {
authorize {
        preprocess
        auth_log
        suffix
        eap
}
authenticate {
}
preacct {
        preprocess
        acct_unique
        suffix
}
accounting {
        detail
}
session {
}
post-auth {
        reply_log
        f_ticks
        Post-Auth-Type REJECT {
                reply_log
                f_ticks
                attr_filter.access_reject
        }
}
pre-proxy {
        pre_proxy_log
}
post-proxy {
        post_proxy_log
}

}

/etc/raddb/modules/f_ticks

linelog f_ticks {
       filename = syslog
       syslog_facility = local7
       format = ""
       reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
       f_ticks {
#              Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=OK#"
#              Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
              Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=OK#"
              Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=FAIL#"

       }
}

radius autostart

chkconfig radiusd on

/etc/syslog.conf

...
local7.*                                                @ip.address.of.stat.server.for.f_ticks

/etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*mangle
:PREROUTING ACCEPT [1239:134578]
:INPUT ACCEPT [1239:134578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
:POSTROUTING ACCEPT [270:78700]
COMMIT
# Completed on Mon Apr 18 12:02:16 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*filter
:INPUT DROP [966:55207]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.233 -j ACCEPT
-A INPUT -s 80.94.174.234 -j ACCEPT
-A INPUT -s 192.87.106.34 -j ACCEPT
-A INPUT -s 130.225.242.109 -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:02:16 2011
chkconfig iptables on
/etc/init.d/iptables restart

установка сервера idrs (radius/ldap/eap/ttls/pap)

установка виртуального сервера idp.eduroam.by

В примере будет использоваться виртуальный сервер под openvz с виртуальным сетевым интерфейсом типа veth. Прежде всего, создадим виртуальный сервер.

vzctl create 903 --ostemplate centos-5-x86_64

настройка лимитов виртуальной машины

vzctl set 903 --save --onboot "yes"
vzctl set 903 --save --kmemsize "104239923:114663915"
vzctl set 903 --save --lockedpages "5089:5089"
vzctl set 903 --save --privvmpages "152695:167964"
vzctl set 903 --save --shmpages "15269:15269"
vzctl set 903 --save --numproc "4000:4000"
vzctl set 903 --save --physpages "0:9223372036854775807"
vzctl set 903 --save --vmguarpages "152695:9223372036854775807"
vzctl set 903 --save --oomguarpages "152695:9223372036854775807"
vzctl set 903 --save --numtcpsock "4000:4000"
vzctl set 903 --save --numflock "1000:1100"
vzctl set 903 --save --numpty "400:400"
vzctl set 903 --save --numsiginfo "1024:1024"
vzctl set 903 --save --tcpsndbuf "18362641:34746641"
vzctl set 903 --save --tcprcvbuf "18362641:34746641"
vzctl set 903 --save --othersockbuf "9181320:25565320"
vzctl set 903 --save --dgramrcvbuf "9181320:9181320"
vzctl set 903 --save --numothersock "4000:4000"
vzctl set 903 --save --dcachesize "22762625:23445504"
vzctl set 903 --save --numfile "40704:40704"
vzctl set 903 --save --avnumproc "1272:1272"
vzctl set 903 --save --numiptent "200:200"
vzctl set 903 --save --diskspace "1163682:1280051"
vzctl set 903 --save --diskinodes "421490:463640"
vzctl set 903 --save --quotatime "0"
vzctl set 903 --save --cpuunits "100050"
vzctl set 903 --save --hostname "idp.eduroam.by"
vzctl set 903 --netif_add eth0 --save
vzctl set 903 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
              --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
              --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
              --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

Для корректной работы veth создадим файл /etc/vz/conf/903.mount

#!/bin/bash
# This script source VPS configuration files in the same order as vzctl does

# if one of these files does not exist then something is really broken
[ -f /etc/vz/vz.conf ] || exit 1
[ -f $VE_CONFFILE ] || exit 1

# source both files. Note the order, it is important
. /etc/vz/vz.conf
. $VE_CONFFILE

# Configure veth with IP after VPS has started
{
  IP=80.94.174.233
  DEV=veth903.0
  while sleep 1; do
    /sbin/ifconfig $DEV 0 >/dev/null 2>&1
    if [ $? -eq 0 ]; then
      /sbin/ip route add $IP dev $DEV
      break
    fi
  done
} &

сделаем исполняемым:

chmod +x /etc/vz/conf/903.mount

настройка системы

запуск виртуальной машины

vzctl start 903

вход на сервер

vzctl enter 903

настройка днс

echo nameserver "80.94.160.3" > /etc/resolv.conf

настройка сети

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.233
NETMASK=255.255.255.255
BROADCAST=0.0.0.0

Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth

# Add Zeroconf route.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" -a "${REALDEVICE}" != "lo" ]; then
    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
    ip route add 80.94.174.193 dev eth0
    ip route add default via 80.94.174.193
fi

рестаруем сеть

/etc/init.d/network restart

апдейт системы

yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc 
vim ~/.vimrc

установка openldap

yum install openldap-servers openldap-clients

сгенерируем хэш пароля (в примере пароль будет test)

slappasswd
New password:
Re-enter new password:
{SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m

правим /etc/openldap/slapd.conf

database        bdb
suffix          "dc=eduroam,dc=by"
rootdn          "cn=root,dc=eduroam,dc=by"
rootpw                  {SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m

копируем стандартные настройки базы и стартуем ldap

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
/etc/init.d/ldap start

делаем тестовые ldif-файлы для наполнения ldap.

base.ldif

dn: dc=eduroam,dc=by
objectClass: dcObject
objectClass: organization
objectClass: top
dc:eduroam
o:eduroam

people.ldif

## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=eduroam,dc=by
ou: people
description: All people in organisation
objectclass: organizationalunit

slayer.ldif

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name
dn: cn=Valery Ciareszka,ou=people,dc=eduroam,dc=by
objectclass: inetOrgPerson
cn: Valery Ciareszka
cn: Valery J Ciareszka
sn: Ciareszka
uid: slayer
userpassword: test123
carlicense: HISCAR 123
homephone: 555-111-2222
mail: [email protected]
mail: [email protected]
description: swell guy
ou: Human Resources

Добавляем все это в ldap

ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f base.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f people.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f slayer.ldif

добавляем ldap в автозагрузку

chkconfig ldap on

установка и настройка mysql

ставим и запускаем mysql, добавляем в автозагрузку

yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on

создаем базу, таблицы, пользователя

create database radius;
grant all privileges on radius.* to [email protected] identified by 'radpasswd';
 
USE radius;
CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default ''
) TYPE=MyISAM;
 
create table access_points (
    `IP address` varchar(100) PRIMARY KEY NOT NULL,
    `snmp secret` varchar(100) NOT NULL default '',
    `radius secret` varchar(100) NOT NULL default '',
    `root username` varchar(100) NOT NULL default '',
    `root password` varchar(100) NOT NULL default ''
) TYPE=MyISAM;
 
CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) TYPE=MyISAM;

установка freeradius

ставим freeradius, и модули ldap,mysql к нему

yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-ldap freeradius2-mysql

/etc/raddb/proxy.conf

proxy server {
        default_fallback = yes
}


realm LOCAL {
}

realm eduroam.by {
          nostrip
}
home_server roaming.eduroam.by {
        type                    = auth+acct
        ipaddr                  = 80.94.174.231
        port                    = 1812
        secret                  = [secrethere]
        response_window         = 20
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server_pool EDUROAM-FTLR-BY {
        type                    = fail-over
        home_server             = roaming.eduroam.by
}

realm DEFAULT {
        pool                    = EDUROAM-FTLR-BY
        nostrip
}

/etc/raddb/eap.conf

        eap {
                default_eap_type = md5

                timer_expire     = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                max_sessions = 2048

                md5 {
                }

                leap {
                }

                gtc {

                        auth_type = PAP
                }

                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs

                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem

                        certificate_file = ${certdir}/server.pem

                        CA_file = ${cadir}/ca.pem

                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random

                        cipher_list = "DEFAULT"

                        make_cert_command = "${certdir}/bootstrap"

                        cache {
                              enable = no

                              max_entries = 255
                        }
                }

                ttls {
                        default_eap_type = mschapv2

                        copy_request_to_tunnel = yes

                        use_tunneled_reply = yes

                        virtual_server = "eduroam-inner-tunnel"

                }

                peap {
                        default_eap_type = mschapv2

                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes

                        virtual_server = "eduroam-inner-tunnel"
                }

                mschapv2 {
                }
        }

/etc/raddb/clients.conf

client roaming.eduroam.by {
            ipaddr                             = 80.94.174.231
            netmask                            = 32
            secret                             = [password-of-flrs-roaming-eduroam-by]
            require_message_authenticator      = no
            shortname                          = eduroam-flrs
            nastype                            = other
            virtual_server                     = eduroam
}

client eapoltest {
            ipaddr                             = 212.98.162.58
            netmask                            = 32
            secret                             = [passwordforeapoltest]
            require_message_authenticator      = no
            shortname                          = eduroam-ap-v4
            nastype                            = other
            virtual_server                     = eduroam
}

/etc/raddb/modules/pap

pap {
        auto_header = yes
}

/etc/raddb/modules/ldap

ldap {
        server = "127.0.0.1"
        identity = "cn=root,dc=eduroam,dc=by"
        password = test
        basedn = "dc=eduroam,dc=by"
        filter = "(mail=%{User-Name})"
        base_filter = "(objectclass=inetOrgPerson)"

        ldap_connections_number = 5

        timeout = 4

        timelimit = 3

        net_timeout = 1

        tls {
                start_tls = no

        }

        profile_attribute = "eduPersonPrincipalName"

        dictionary_mapping = ${confdir}/ldap.attrmap

        password_attribute = userPassword

        edir_account_policy_check = no

}

sites-enabled/eduroam

rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
server eduroam {

        authorize {
          auth_log
          suffix
          if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*.eduroam.by$/)) {
            update control {
                  Proxy-To-Realm := NULL
            }
          }
        eap
        }

        authenticate {
          Auth-Type EAP {
                eap
          }
        }

        preacct {
          suffix
          acct_unique
          if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*.eduroam.by$/)) {
            update control {
                  Proxy-To-Realm := NULL
            }
          }
        }

        accounting {
          detail
          sql
        }

        post-auth {
          reply_log
          Post-Auth-Type REJECT {
                    attr_filter.access_reject
                    reply_log
          }
        }

        pre-proxy {
                attr_filter.pre-proxy
                pre_proxy_log
        }

        post-proxy {
                post_proxy_log
                attr_filter.post-proxy
        }
}

server eduroam-inner-tunnel {
        authorize {
             auth_log
             ldap
             eap
        }
        authenticate {
                Auth-Type LDAP {
                        ldap
                }
             eap
        }
        preacct {
        }
        accounting {
        }
        session {
        }
        post-auth {
          update outer.reply {
                User-Name = "%{User-Name}"
          }

              reply_log
              Post-Auth-Type REJECT {
                        attr_filter.access_reject
                        reply_log
              }
        }
        pre-proxy {
        }
        post-proxy {
        }
}

/etc/raddb/radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib64/freeradius

pidfile = ${run_dir}/${name}.pid

user = radiusd
group = radiusd

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
        type = auth
        ipaddr = *
        port = 0

}

listen {
        ipaddr = *
        port = 0
        type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no

}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {

        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf

}

instantiate {
        exec
        expr
        expiration
        logintime

}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/sql.conf

sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radiusd"
    password = "radpasswd"
    radius_db = "radius"

    num_sql_socks = 5
    connect_failure_retry_delay = 60

    # Eduroam specific logging of Accounting start and stop records

    accounting_start_query = "INSERT into ACCOUNTING SET\
        `User-Name` = '%{User-Name}',\
        `Calling-Station-Id` = '%{Calling-Station-Id}',\
        `Called-Station-Id` = '%{Called-Station-Id}',\
        `NAS-IP-Address` = '%{NAS-IP-Address}',\
        `NAS-Port` = '%{NAS-Port}',\
        `Timestamp Start` = NOW(),\
        `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"

    accounting_update_query = "UPDATE ACCOUNTING SET\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}'  << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}'  << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"


    accounting_stop_query = "UPDATE ACCOUNTING SET\
        `Timestamp Stop` = NOW(),\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}'  << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}'  << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}',\
        `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"
}

добавляем freedadius в автозагрузку

chkconfig radiusd on

/etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*mangle
:PREROUTING ACCEPT [1054:112214]
:INPUT ACCEPT [1054:112214]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
:POSTROUTING ACCEPT [213:66193]
COMMIT
# Completed on Mon Apr 18 12:00:21 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*filter
:INPUT DROP [772:40258]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:00:21 2011
chkconfig iptables on
/etc/init.d/iptables restart

scripts

cd 
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install  perl-Net-SNMP
touch /var/log/dhcpd.log
vim /usr/sbin/eduroam_monitor.pl
vim /vim var/eduroam/etc/sys_db
/usr/sbin/eduroam_monitor.pl
echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local

установка idprs2(radius/AD/eap/peap/mschap)

установка виртуального сервера idp.basnet.by

создание виртуального сервера

vzctl create 904 --ostemplate centos-5-x86_64

настройка лимитов виртуальной машины

vzctl set 904 --save --onboot "yes"
vzctl set 904 --save --kmemsize "104239923:114663915"
vzctl set 904 --save --lockedpages "5089:5089"
vzctl set 904 --save --privvmpages "152695:167964"
vzctl set 904 --save --shmpages "15269:15269"
vzctl set 904 --save --numproc "4000:4000"
vzctl set 904 --save --physpages "0:9223372036854775807"
vzctl set 904 --save --vmguarpages "152695:9223372036854775807"
vzctl set 904 --save --oomguarpages "152695:9223372036854775807"
vzctl set 904 --save --numtcpsock "4000:4000"
vzctl set 904 --save --numflock "1000:1100"
vzctl set 904 --save --numpty "400:400"
vzctl set 904 --save --numsiginfo "1024:1024"
vzctl set 904 --save --tcpsndbuf "18362641:34746641"
vzctl set 904 --save --tcprcvbuf "18362641:34746641"
vzctl set 904 --save --othersockbuf "9181320:25565320"
vzctl set 904 --save --dgramrcvbuf "9181320:9181320"
vzctl set 904 --save --numothersock "4000:4000"
vzctl set 904 --save --dcachesize "22762625:23445504"
vzctl set 904 --save --numfile "40704:40704"
vzctl set 904 --save --avnumproc "1272:1272"
vzctl set 904 --save --numiptent "200:200"
vzctl set 904 --save --diskspace "1163682:1280051"
vzctl set 904 --save --diskinodes "421490:463640"
vzctl set 904 --save --quotatime "0"
vzctl set 904 --save --cpuunits "100050"
vzctl set 904 --save --hostname "idp.basnet.by"
vzctl set 904 --netif_add eth0 --save
vzctl set 904 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
              --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
              --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
              --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

Для корректной работы veth создадим файл /etc/vz/conf/904.mount

#!/bin/bash
# This script source VPS configuration files in the same order as vzctl does

# if one of these files does not exist then something is really broken
[ -f /etc/vz/vz.conf ] || exit 1
[ -f $VE_CONFFILE ] || exit 1

# source both files. Note the order, it is important
. /etc/vz/vz.conf
. $VE_CONFFILE

# Configure veth with IP after VPS has started
{
  IP=80.94.174.234
  DEV=veth904.0
  while sleep 1; do
    /sbin/ifconfig $DEV 0 >/dev/null 2>&1
    if [ $? -eq 0 ]; then
      /sbin/ip route add $IP dev $DEV
      break
    fi
  done
} &

сделаем исполняемым

chmod +x /etc/vz/conf/904.mount

настройка системы

запуск виртуальной машины

vzctl start 904

вход на сервер

vzctl enter 904

настройка днс

echo nameserver "80.94.160.3" > /etc/resolv.conf

настройка сети

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.234
NETMASK=255.255.255.255
BROADCAST=0.0.0.0

Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth

# Add Zeroconf route.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" -a "${REALDEVICE}" != "lo" ]; then
    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
    ip route add 80.94.174.193 dev eth0
    ip route add default via 80.94.174.193
fi

апдейт системы

yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc

установка samba

ставим kerberos

yum install krb5-workstation

файл конфига /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BASNET.BY
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BASNET.BY = {
  kdc = 80.94.174.204:88
  admin_server = 80.94.174.204:749
  default_domain = basnet.by
 }

[domain_realm]
 .basnet.by = BASNET.BY
 basnet.by = BASNET.BY

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Получаем тикет

/usr/kerberos/bin/kinit administrator@BASNET.BY

конфиг самбы /etc/samba/smb.conf

[global]

        workgroup = BASNET
        server string = Samba Server Version %v

        netbios name = idp

        security = ads

printcap name = /etc/printcap
load printers = no
printing =

   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no
   password server = 80.94.174.204
   realm = BASNET.BY

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

меняем резолвер на контроллер домена

echo nameserver 80.94.174.204 > /etc/resolv.conf

в файле /etc/nsswitch.conf изменяем строчки:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
protocols:  files winbind
services:   files winbind
netgroup:   nisplus winbind
automount:  files nisplus winbind

добавляем сервер в домен

net join  -U Administrator%PASSWORDHERE

стартуем samba/winbind

/etc/init.d/smb start
/etc/init.d/winbind start

добавляем в автозапуск

chkconfig smb on
chkconfig winbind on

установка и настройка mysql

ставим и запускаем mysql, добавляем в автозагрузку

yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on

создаем базу, таблицы, пользователя

create database radius;
grant all privileges on radius.* to [email protected] identified by 'radpasswd';
 
USE radius;
CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default ''
) TYPE=MyISAM;
 
create table access_points (
    `IP address` varchar(100) PRIMARY KEY NOT NULL,
    `snmp secret` varchar(100) NOT NULL default '',
    `radius secret` varchar(100) NOT NULL default '',
    `root username` varchar(100) NOT NULL default '',
    `root password` varchar(100) NOT NULL default ''
) TYPE=MyISAM;
 
CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) TYPE=MyISAM;

установка freeradius

ставим freeradius, и модуль mysql к нему

yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-mysql

/etc/raddb/proxy.conf

proxy server {

        default_fallback = yes

}


realm LOCAL {
}

realm basnet.by {
          nostrip
}
home_server roaming.eduroam.by {
        type                    = auth+acct
        ipaddr                  = 80.94.174.231
        port                    = 1812
        secret                  = [passwordhere]
        response_window         = 20
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server_pool EDUROAM-FTLR-BY {
        type                    = fail-over
        home_server             = roaming.eduroam.by
}

realm DEFAULT {
        pool                    = EDUROAM-FTLR-BY
        nostrip
}

/etc/raddb/eap.conf

        eap {
                default_eap_type = md5
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }

                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              max_entries = 255
                        }
                }

                ttls {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        virtual_server = "eduroam-inner-tunnel"

                }

                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        virtual_server = "eduroam-inner-tunnel"
                }

                mschapv2 {
                }
        }

/etc/raddb/clients.conf

client roaming.eduroam.by {
            ipaddr                             = 80.94.174.231
            netmask                            = 32
            secret                             = [password-of-flrs-roaming-eduroam-by]
            require_message_authenticator      = no
            shortname                          = eduroam-flrs
            nastype                            = other
            virtual_server                     = eduroam
}

client eapoltest {
            ipaddr                             = 212.98.162.58
            netmask                            = 32
            secret                             = [passwordforeapoltest]
            require_message_authenticator      = no
            shortname                          = eduroam-ap-v4
            nastype                            = other
            virtual_server                     = eduroam
}
pap {
        auto_header = yes
}

/etc/raddb/modules/mschap

mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth.sh --request-nt-key --username=%{Stripped-User-Name:-%{mschap:User-Name}} \
                    --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

ntlm_auth не умеет авторизировать по юзернейму вида –[email protected], только –user=user –domain=domain.org. Stripped-User-Name почему-то отдает пустоту, а mschap:User-Name - [email protected] Поэтому используем workaround в виде скрипта /usr/bin/ntlm_auth.sh

#!/bin/sh
USERNAME=`echo $2|sed -e 's/@basnet.by//g'`
/usr/bin/ntlm_auth $1 $USERNAME $3 $4

делаем исполняемым

chmod +x /usr/bin/ntlm_auth.sh

sites-enabled/eduroam

rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam
server eduroam {

        authorize {
          auth_log
          suffix
          if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*.basnet.by$/)) {
            update control {
                  Proxy-To-Realm := NULL
            }
          }
        eap
        }

        authenticate {
          Auth-Type EAP {
                eap
          }
        }

        preacct {
          suffix
          acct_unique
          if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*.basnet.by$/)) {
            update control {
                  Proxy-To-Realm := NULL
            }
          }
        }

        accounting {
          detail
          sql
        }

        post-auth {
          reply_log
          Post-Auth-Type REJECT {
                    attr_filter.access_reject
                    reply_log
          }
        }

        pre-proxy {
                attr_filter.pre-proxy
                pre_proxy_log
        }

        post-proxy {
                post_proxy_log
                attr_filter.post-proxy
        }
}

server eduroam-inner-tunnel {
        authorize {
             auth_log
             mschap
             eap
        }
        authenticate {
               Auth-Type MS-CHAP {
                         mschap
                }
             eap
        }
        preacct {
        }
        accounting {
        }
        session {
        }
        post-auth {
          update outer.reply {
                User-Name = "%{User-Name}"
          }

              reply_log
              Post-Auth-Type REJECT {
                        attr_filter.access_reject
                        reply_log
              }
        }
        pre-proxy {
        }
        post-proxy {
        }
}

/etc/raddb/radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib64/freeradius

pidfile = ${run_dir}/${name}.pid

user = radiusd
group = radiusd

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
        type = auth

        ipaddr = *

        port = 0

}

listen {
        ipaddr = *
        port = 0
        type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files

        file = ${logdir}/radius.log

        syslog_facility = daemon

        stripped_names = no

        auth = yes

        auth_badpass = no
        auth_goodpass = no

}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200

        reject_delay = 1

        status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
        start_servers = 5

        max_servers = 32

        min_spare_servers = 3
        max_spare_servers = 10

        max_requests_per_server = 0
}

modules {

        $INCLUDE ${confdir}/modules/

        $INCLUDE eap.conf

        $INCLUDE sql.conf

        $INCLUDE sql/mysql/counter.conf

}

instantiate {
        exec

        expr

        expiration
        logintime

}

$INCLUDE policy.conf

$INCLUDE sites-enabled/

/etc/raddb/sql.conf

sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radiusd"
    password = "radpasswd"
    radius_db = "radius"

    num_sql_socks = 5
    connect_failure_retry_delay = 60

    # Eduroam specific logging of Accounting start and stop records

    accounting_start_query = "INSERT into ACCOUNTING SET\
        `User-Name` = '%{User-Name}',\
        `Calling-Station-Id` = '%{Calling-Station-Id}',\
        `Called-Station-Id` = '%{Called-Station-Id}',\
        `NAS-IP-Address` = '%{NAS-IP-Address}',\
        `NAS-Port` = '%{NAS-Port}',\
        `Timestamp Start` = NOW(),\
        `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"

    accounting_update_query = "UPDATE ACCOUNTING SET\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}'  << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}'  << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"


    accounting_stop_query = "UPDATE ACCOUNTING SET\
        `Timestamp Stop` = NOW(),\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}'  << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}'  << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}',\
        `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"
}

Чтобы радиус мог авторизоваться в самбе

chgrp radiusd /var/cache/samba/winbindd_privileged

стартуем radius

/etc/init.d/radiusd start

добавляем в автозагрузку

chkconfig radiusd on

/etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
*mangle
:PREROUTING ACCEPT [3182:259335]
:INPUT ACCEPT [3182:259335]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
:POSTROUTING ACCEPT [3233:320119]
COMMIT
# Completed on Mon Apr 18 11:01:02 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
*filter
:INPUT DROP [539:30177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -s 80.94.164.26 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 80.94.174.204 -j ACCEPT
COMMIT
# Completed on Mon Apr 18 11:01:02 2011
chkconfig iptables on
/etc/init.d/iptables restart

scripts

cd
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install  perl-Net-SNMP
touch /var/log/dhcpd.log
vim /usr/sbin/eduroam_monitor.pl
vim /var/eduroam/etc/sys_db
/usr/sbin/eduroam_monitor.pl
echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local

testing

тестируем всю полученную конструкцию. Для этого будем использовать эмулятор точки доступа eapol тестировать будем с хоста 212.98.162.58 (мы для него создавали запись в clients.conf)

wget thesuki.org/scripts/eduroam/eapol/eapol_test
chmod +x eapol_test

Конфиг для теста EAP/TTLS/PAP (eduroam.by) ttlspap.conf

network={
  ssid="eduroam"
  key_mgmt=IEEE8021X
  eap=TTLS
  pairwise=CCMP TKIP
  group=CCMP TKIP WEP104 WEP40
  phase2="auth=PAP"
  identity="[email protected]"
  password="test123"
}

Конфиг для теста EAP/PEAP/MSCHAP (basnet.by) peapmschap.conf

network={
  ssid="eduroam"
  key_mgmt=IEEE8021X
  eap=PEAP
  pairwise=CCMP TKIP
  group=CCMP TKIP WEP104 WEP40
  phase2="auth=MSCHAPV2"
  identity="[email protected]"
  password="test123"
}

Тестируем вход в родной домен eduroam.by (на сервере idp.eduroam.by 80.94.174.233)

./eapol_test  -c ttlspap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]

Тестируем вход в чужой домен eduroam.by (на сервере idp.basnet.by 80.94.174.234, при этом запрос должен проксироваться через flrs roaming.eduroam.by)

./eapol_test  -c ttlspap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]

Тестируем вход в родной домен basnet.by (на сервере idp.basnet.by 80.94.174.234)

./eapol_test  -c peapmschap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]

Тестируем вход в чужой домен basnet.by (на сервере idp.basnet.by 80.94.174.233, при этом запрос должен проксироваться через flrs roaming.eduroam.by)

./eapol_test  -c peapmschap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]

Если все настроено корректно, должны получить везде SUCCESS.

Для отладки можно запускать radius с дополнительными ключами в foreground

/etc/init.d/radiusd stop
radiusd -Xxx
huy/radius_eduroam_howto.txt · Last modified: 2012/02/23 09:30 by slayer