
Upgrade from FreeRADIUS 2 to FreeRADIUS 3 - CentOS 7 (Identity Provider)

  • FreeRADIUS software version: 3.2.0
  • Operating system: CentOS 7

FreeRADIUS (www.freeradius.org) is a software platform for a RADIUS server. Current versions can be found at http://freeradius.org/download.html. This guide describes the procedure for migrating a FreeRADIUS server from version 2.x to version 3.2.0 for an institution (Identity Provider) within the AMRES eduroam service.

Check the version of the FreeRADIUS package:
radiusd -v

First, the running radiusd process must be stopped:

ps aux | grep radiusd
killall radiusd
ps aux | grep radiusd

Open ports 1812, 1813 and 1814 towards the new monitor

This can be done as follows:
vim /etc/sysconfig/iptables

Open the listed ports by adding the following lines to the file:

#147.91.56.177 (monitor2.eduroam.ac.rs)
-A INPUT -m state -s 147.91.56.177/32 --state NEW -m udp -p udp --dport 1812 -j ACCEPT
-A INPUT -m state -s 147.91.56.177/32 --state NEW -m udp -p udp --dport 1813 -j ACCEPT
-A INPUT -m state -s 147.91.56.177/32 --state NEW -m udp -p udp --dport 1814 -j ACCEPT

Note: The lines above must be entered above the line: -A INPUT -j REJECT --reject-with icmp-host-prohibited

iptables-restore < /etc/sysconfig/iptables
iptables-save
systemctl restart iptables
iptables -L
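The rule placement the note requires, as an added example that is not part of the original guide: shell functions that insert the three ACCEPT rules for a monitor address directly above the INPUT REJECT line of an iptables-save style file, skip the insert when the rules are already there, and refuse to touch a file that has no such REJECT line. The file path and monitor address are arguments; the embedded sample file is constructed for the demo and stands in for /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example for this guide: place the monitor ACCEPT rules above the
# "-A INPUT -j REJECT" line of an iptables-save style file. Works on the file
# path you pass and never touches the live firewall (run iptables-restore
# yourself afterwards, as the guide does).

REJECT_RE='^-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Rewrite FILE so the rules for IP (udp 1812, 1813, 1814) sit directly above
# the REJECT line. Idempotent: does nothing if a rule for IP already exists.
insert_monitor_rules() {
    file="$1"; ip="$2"
    if grep -q -- "-s $ip/32 .*--dport 1812 " "$file"; then
        echo "rules for $ip already present in $file" >&2
        return 0
    fi
    if ! grep -q -- "$REJECT_RE" "$file"; then
        echo "no INPUT REJECT line in $file; refusing to guess where to insert" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v ip="$ip" -v re="$REJECT_RE" '
        $0 ~ re && !done {
            print "# monitor " ip " (added by insert_monitor_rules)"
            split("1812 1813 1814", ports, " ")
            for (i = 1; i <= 3; i++)
                print "-A INPUT -m state -s " ip "/32 --state NEW -m udp -p udp --dport " ports[i] " -j ACCEPT"
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Line numbers of the first rule for IP and of the REJECT line (to check order).
rule_line()   { grep -n -- "-s $1/32 .*--dport 1812 " "$2" | head -n1 | cut -d: -f1; }
reject_line() { grep -n -- "$REJECT_RE" "$1" | head -n1 | cut -d: -f1; }

# Constructed sample of /etc/sysconfig/iptables (not a real host's file).
make_sample_iptables() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

After running it on the real file, load the result with iptables-restore and confirm the order with iptables -L as in the steps above.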

Source installation of the new FreeRADIUS version

Go to /opt:

cd /opt

Download the latest FreeRADIUS version (3.2.0):

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.2.0.tar.gz

Unpack the downloaded package:

tar xf freeradius-server-3.2.0.tar.gz

For the installation to succeed, the directory /usr/local/etc/raddb/certs must be deleted, because installing the new version of the FreeRADIUS software generates new RADIUS keys:

rm -Ir /usr/local/etc/raddb/certs

Then change into the freeradius-server-3.2.0 directory:

cd freeradius-server-3.2.0
./configure --with-openssl --with-ldap

make
make install

The configuration files are located at: /usr/local/etc/raddb

Changes to the FreeRADIUS server configuration

When you copy parts of the configuration into the configuration files later in this guide, you can use the nano editor, because the vim editor recognises the comment marker in one part of the configuration and repeats that marker on all subsequent lines of the pasted configuration.

Changes to the radiusd.conf file

Several changes are needed in the configuration file /usr/local/etc/raddb/radiusd.conf.

vim /usr/local/etc/raddb/radiusd.conf
  • Below the line radacctdir = ${logdir}/radacct add the following lines:
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
  • Below the part # Core dumps are a bad thing. This should only be set to 'yes' comment out the option:
allow_core_dumps = no
  • Within the security subsection add the lines:
        allow_core_dumps = no
        allow_vulnerable_openssl = 'CVE-2016-6304'

Within the modules subsection:

  • Comment out the line $INCLUDE ${confdir}/modules/, because in the new FreeRADIUS version the directory /usr/local/etc/raddb/modules/ is no longer in use!

  • Below that line add the line:

        $INCLUDE mods-enabled/
  • Comment out the lines:
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE mods-enabled/sql
  • Below the part # Policies that can be applied in multiple places are listed, comment out the option $INCLUDE policy.conf and then add the following lines below it:
policy {
        $INCLUDE policy.d/
}

The radiusd.conf file after all required changes:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs

name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
#allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes

        allow_core_dumps = no
        allow_vulnerable_openssl = 'CVE-2016-6304'
}

# PROXY CONFIGURATION

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

# MODULE CONFIGURATION

modules {

#       $INCLUDE ${confdir}/modules/
        $INCLUDE mods-enabled/

#       $INCLUDE eap.conf
#       $INCLUDE sql.conf
#       $INCLUDE mods-enabled/sql

}

instantiate {
        exec
        expr
        expiration
        logintime
}

######################################################################
#
#       Policies that can be applied in multiple places are listed
#       globally.  That way, they can be defined once, and referred
#       to multiple times.
#
######################################################################

#$INCLUDE policy.conf

policy {
        $INCLUDE policy.d/
}

######################################################################
#
#       Load virtual servers.
#
#       This next $INCLUDE line loads files in the directory that
#       match the regular expression: /[a-zA-Z0-9_.]+/
#
#       It allows you to define new virtual servers simply by placing
#       a file into the raddb/sites-enabled/ directory.
#

$INCLUDE sites-enabled/

Changes to the eduroam file

Several changes are needed in the configuration file /usr/local/etc/raddb/sites-available/eduroam

cd /usr/local/etc/raddb/sites-available/
vim eduroam

A detailed step-by-step overview of all changes to the eduroam file follows.

Changes to the authorize subsection:

  • Comment out the lines cui_authorize and cui
  • If you do not want authentication messages from our monitoring system (monitor 1 and monitor 2) to be logged, add the following lines (as one combined condition: two separate if blocks would still log each monitor through the other block and would log every other client twice):
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                auth_log
        }

The authorize subsection before the changes:

authorize {

        preprocess
        cui_authorize
        cui

#       auth_log
        #chap
        #mschap
        #digest

        suffix
        eap {
                ok = return
        }
        files
#       sql
#       ldap
#       pap

        expiration
        logintime
#       Autz-Type Status-Server {
#
#       }
}
The authorize subsection after the changes:

authorize {

        preprocess
        # log everything except requests from the two AMRES monitors
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                auth_log
        }

#        cui_authorize
#        cui

#       auth_log
        #chap
        #mschap
        #digest

        suffix
        eap {
                ok = return
        }
        files
#       sql
#       ldap
#       pap

        expiration
        logintime
#       Autz-Type Status-Server {
#
#       }
}

Changes to the authenticate subsection:

  • Within the authenticate subsection, comment out the line unix
authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }
        digest

# commented out in v3
#       unix

        eap
}

Changes to the preacct subsection:

  • Within the preacct subsection, comment out the line acct_unique
preacct {
        preprocess

# commented out in v3
#       acct_unique

        suffix
        files
}

Changes to the post-auth subsection:

  • Within the post-auth subsection, comment out the following lines:
         update outer.control {
         Class !* ANY
         AMRES-Attribute-mail !* ANY
         AMRES-Attribute-cn !* ANY
         AMRES-Attribute-uid !* ANY
         AMRES-Attribute-gn !* ANY
         AMRES-Attribute-sn !* ANY
         AMRES-Attribute-o !* ANY
         AMRES-Attribute-entitlement !* ANY
        }
  • Within the post-auth subsection, add the new monitor (147.91.56.177) to the existing condition, so that reply_log is skipped for both monitors:
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                reply_log
        }
  • Within the post-auth subsection, add the following lines:
        #  For EAP-TTLS and PEAP, add the cached attributes to the reply.
        #  The "session-state" attributes are automatically cached when
        #  an Access-Challenge is sent, and automatically retrieved
        #  when an Access-Request is received.
        #
        #  The session-state attributes are automatically deleted after
        #  an Access-Reject or Access-Accept is sent.
        #
        #  If both session-state and reply contain a User-Name attribute, remove
        #  the one in the reply if it is just a copy of the one in the request, so
        #  we don't end up with two User-Name attributes.

        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                update reply {
                        &User-Name !* ANY
                }
        }
        update {
                &reply: += &session-state:
        }

The eduroam file with all required changes:

server eduroam {
authorize {

        preprocess
        # log everything except requests from the two AMRES monitors
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                auth_log
        }

# commented out for v3
#       cui_authorize
#       cui

#       auth_log
        #chap
        #mschap
        #digest

        suffix
        eap {
                ok = return
        }
        files
#       sql
#       ldap
#       pap
        expiration
        logintime

#       Autz-Type Status-Server {
#
#       }
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }
        digest

# commented out in v3
#       unix

        eap
}


preacct {
        preprocess

# commented out in v3
#       acct_unique

        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response

}

session {
        radutmp
}

post-auth {

# section commented out for v3
#       update outer.control {
#       Class !* ANY
#       AMRES-Attribute-mail !* ANY
#       AMRES-Attribute-cn !* ANY
#       AMRES-Attribute-uid !* ANY
#       AMRES-Attribute-gn !* ANY
#       AMRES-Attribute-sn !* ANY
#       AMRES-Attribute-o !* ANY
#       AMRES-Attribute-entitlement !* ANY
#       }

        # skip reply_log for requests from the two AMRES monitors
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                reply_log
        }


# added in v3
        #  For EAP-TTLS and PEAP, add the cached attributes to the reply.
        #  The "session-state" attributes are automatically cached when
        #  an Access-Challenge is sent, and automatically retrieved
        #  when an Access-Request is received.
        #
        #  The session-state attributes are automatically deleted after
        #  an Access-Reject or Access-Accept is sent.
        #
        #  If both session-state and reply contain a User-Name attribute, remove
        #  the one in the reply if it is just a copy of the one in the request, so
        #  we don't end up with two User-Name attributes.

        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                update reply {
                        &User-Name !* ANY
                }
        }
        update {
                &reply: += &session-state:
        }
# added in v3

        exec

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {

}

post-proxy {
        eap

}
}

Changes to the eduroam-inner-tunnel file

Several changes are needed in the configuration file /usr/local/etc/raddb/sites-available/eduroam-inner-tunnel

cd /usr/local/etc/raddb/sites-available/
vim eduroam-inner-tunnel

A detailed step-by-step overview of all changes to the eduroam-inner-tunnel file follows.

Changes to the authorize subsection:

  • If you do not want authentication messages from our monitoring system (monitor 1 and monitor 2) to be logged, add the following lines (auth_log is the logger for the authorize stage; a single combined condition is needed so that neither monitor is logged):
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                auth_log
        }

Changes to the authenticate subsection:

  • Within the authenticate subsection, comment out the line unix
authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

# commented out in v3
#       unix

        eap
}

Changes to the post-auth subsection:

  • Within the post-auth subsection, comment out the line dynamic.vlan and add the following line below it:
dynamic-vlan

Note: A new dynamic-vlan policy has to be defined; this is explained further below, after the changes to and configuration of the CUI file

  • Within the post-auth subsection, comment out the line cui_postauth and add the following lines below it:
        cui-inner
        cui_inner_log
  • Within the post-auth subsection, if you do not want authentication messages from our monitoring system (monitor 1 and monitor 2) to be logged, add the following lines:
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                reply_log
        }
  • Within the post-auth subsection, add the following lines:
        #  Instead of "use_tunneled_reply", change this "if (0)" to an
        #  "if (1)".
        #
        if (1) {
                #
                #  These attributes are for the inner-tunnel only,
                #  and MUST NOT be copied to the outer reply.
                #
                update reply {
                        User-Name !* ANY
                        Message-Authenticator !* ANY
                        EAP-Message !* ANY
                        Proxy-State !* ANY
                        MS-MPPE-Encryption-Types !* ANY
                        MS-MPPE-Encryption-Policy !* ANY
                        MS-MPPE-Send-Key !* ANY
                        MS-MPPE-Recv-Key !* ANY
                }

                #
                #  Copy the inner reply attributes to the outer
                #  session-state list.  The post-auth policy will take
                #  care of copying the outer session-state list to the
                #  outer reply.
                #
                update {
                        &outer.session-state: += &reply:
                }
        }

The eduroam-inner-tunnel file with all required changes:

server eduroam-inner-tunnel {

authorize {
        chap
        mschap

        # log everything except requests from the two AMRES monitors
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                auth_log
        }

        suffix
        eap {
                ok = return
        }

        files
        ldap
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

# commented out in v3
#       unix

        eap
}

session {
        radutmp
}

post-auth {

# commented out for v3
        #dynamic.vlan
# added for v3
        dynamic-vlan

# commented out for v3
        #cui_postauth
# added for v3
        cui-inner
        cui_inner_log

        update reply {
        Class !* ANY
        AMRES-Attribute-mail !* ANY
        AMRES-Attribute-cn !* ANY
        AMRES-Attribute-uid !* ANY
        AMRES-Attribute-gn !* ANY
        AMRES-Attribute-sn !* ANY
        AMRES-Attribute-o !* ANY
        AMRES-Attribute-entitlement !* ANY
        AMRES-Attribute-displayName !* ANY
        AMRES-Attribute-StaffCategory !* ANY
        }

        # skip reply_log for requests from the two AMRES monitors
        if (Client-IP-Address != 147.91.3.12 && Client-IP-Address != 147.91.56.177) {
                reply_log
        }

# added for v3
        #  Instead of "use_tunneled_reply", change this "if (0)" to an
        #  "if (1)".
        #
        if (1) {
                #
                #  These attributes are for the inner-tunnel only,
                #  and MUST NOT be copied to the outer reply.
                #
                update reply {
                        User-Name !* ANY
                        Message-Authenticator !* ANY
                        EAP-Message !* ANY
                        Proxy-State !* ANY
                        MS-MPPE-Encryption-Types !* ANY
                        MS-MPPE-Encryption-Policy !* ANY
                        MS-MPPE-Send-Key !* ANY
                        MS-MPPE-Recv-Key !* ANY
                }

                #
                #  Copy the inner reply attributes to the outer
                #  session-state list.  The post-auth policy will take
                #  care of copying the outer session-state list to the
                #  outer reply.
                #
                update {
                        &outer.session-state: += &reply:
                }
        }
# added for v3


        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {

}

post-proxy {
        eap

}
}       # closes server eduroam-inner-tunnel

Using modules

This guide presents two ways of configuring the modules; choose whichever suits you better.

The first way is to link all available modules and then unlink the ones that are not in use.

This way is safer, because when radiusd is started in debug mode every unneeded or inadequately configured module shows an error. This guide uses this approach.

cd mods-enabled/ ; ll
ln -s ../mods-available/* .

The second way is to link only the modules that are needed.

With the first way, the modules that are not in use are then unlinked:

cd mods-enabled/
unlink sql
unlink moonshot-targeted-ids

unlink dhcp_sqlippool
unlink README.rst
unlink dhcp_sql
unlink sqlippool
unlink cui
unlink sqlcounter
unlink perl
unlink redis
unlink python3
unlink unbound
unlink couchbase
unlink abfab_psk_sql
unlink rediswho
unlink counter
List of linked modules (the symlinks in mods-enabled, each pointing to its file in mods-available):
cd /usr/local/etc/raddb/mods-enabled/ ; ll
lrwxrwxrwx 1 root root 24 Jan 22 12:28 always -> ../mods-available/always
lrwxrwxrwx 1 root root 29 Jan 22 12:28 attr_filter -> ../mods-available/attr_filter
lrwxrwxrwx 1 root root 23 Jan 22 12:28 cache -> ../mods-available/cache
lrwxrwxrwx 1 root root 27 Jan 22 12:28 cache_eap -> ../mods-available/cache_eap
lrwxrwxrwx 1 root root 22 Jan 22 12:28 chap -> ../mods-available/chap
lrwxrwxrwx 1 root root 22 Jan 22 12:28 date -> ../mods-available/date
lrwxrwxrwx 1 root root 24 Jan 22 12:28 detail -> ../mods-available/detail
lrwxrwxrwx 1 root root 36 Jan 22 12:28 detail.example.com -> ../mods-available/detail.example.com
lrwxrwxrwx 1 root root 28 Jan 22 12:28 detail.log -> ../mods-available/detail.log
lrwxrwxrwx 1 root root 22 Jan 22 12:28 dhcp -> ../mods-available/dhcp
lrwxrwxrwx 1 root root 28 Jan 22 12:28 dhcp_files -> ../mods-available/dhcp_files
lrwxrwxrwx 1 root root 26 Jan 22 13:52 dhcp_sql -> ../mods-available/dhcp_sql
lrwxrwxrwx 1 root root 32 Jan 22 13:52 dhcp_sqlippool -> ../mods-available/dhcp_sqlippool
lrwxrwxrwx 1 root root 24 Jan 22 12:28 digest -> ../mods-available/digest
lrwxrwxrwx 1 root root 33 Jan 22 12:28 dynamic_clients -> ../mods-available/dynamic_clients
lrwxrwxrwx 1 root root 21 Jan 22 12:28 eap -> ../mods-available/eap
lrwxrwxrwx 1 root root 22 Jan 22 12:28 echo -> ../mods-available/echo
lrwxrwxrwx 1 root root 27 Jan 22 12:28 etc_group -> ../mods-available/etc_group
lrwxrwxrwx 1 root root 22 Jan 22 12:28 exec -> ../mods-available/exec
lrwxrwxrwx 1 root root 28 Jan 22 12:28 expiration -> ../mods-available/expiration
lrwxrwxrwx 1 root root 22 Jan 22 12:28 expr -> ../mods-available/expr
lrwxrwxrwx 1 root root 23 Jan 22 12:28 files -> ../mods-available/files
lrwxrwxrwx 1 root root 22 Jan 22 12:28 krb5 -> ../mods-available/krb5
lrwxrwxrwx 1 root root 22 Jan 22 12:28 ldap -> ../mods-available/ldap
lrwxrwxrwx 1 root root 25 Jan 22 12:28 linelog -> ../mods-available/linelog
lrwxrwxrwx 1 root root 27 Jan 22 12:28 logintime -> ../mods-available/logintime
lrwxrwxrwx 1 root root 24 Jan 22 12:28 mschap -> ../mods-available/mschap
lrwxrwxrwx 1 root root 27 Jan 22 12:28 ntlm_auth -> ../mods-available/ntlm_auth
lrwxrwxrwx 1 root root 21 Jan 22 12:28 otp -> ../mods-available/otp
lrwxrwxrwx 1 root root 21 Jan 22 12:28 pam -> ../mods-available/pam
lrwxrwxrwx 1 root root 21 Jan 22 12:28 pap -> ../mods-available/pap
lrwxrwxrwx 1 root root 24 Jan 22 12:28 passwd -> ../mods-available/passwd
lrwxrwxrwx 1 root root 28 Jan 22 12:28 preprocess -> ../mods-available/preprocess
lrwxrwxrwx 1 root root 25 Jan 22 12:28 radutmp -> ../mods-available/radutmp
lrwxrwxrwx 1 root root 23 Jan 22 12:28 realm -> ../mods-available/realm
lrwxrwxrwx 1 root root 27 Jan 22 12:28 replicate -> ../mods-available/replicate
lrwxrwxrwx 1 root root 21 Jan 22 12:28 soh -> ../mods-available/soh
lrwxrwxrwx 1 root root 27 Jan 22 12:28 sometimes -> ../mods-available/sometimes
lrwxrwxrwx 1 root root 21 Jan 22 13:52 sql -> ../mods-available/sql
lrwxrwxrwx 1 root root 28 Jan 22 13:52 sqlcounter -> ../mods-available/sqlcounter
lrwxrwxrwx 1 root root 27 Jan 22 13:52 sqlippool -> ../mods-available/sqlippool
lrwxrwxrwx 1 root root 25 Jan 22 12:28 sql_map -> ../mods-available/sql_map
lrwxrwxrwx 1 root root 26 Jan 22 12:28 sradutmp -> ../mods-available/sradutmp
lrwxrwxrwx 1 root root 22 Jan 22 12:28 totp -> ../mods-available/totp
lrwxrwxrwx 1 root root 22 Jan 22 12:28 unix -> ../mods-available/unix
lrwxrwxrwx 1 root root 24 Jan 22 12:28 unpack -> ../mods-available/unpack
lrwxrwxrwx 1 root root 22 Jan 22 12:28 utf8 -> ../mods-available/utf8
lrwxrwxrwx 1 root root 23 Jan 22 12:28 wimax -> ../mods-available/wimax
lrwxrwxrwx 1 root root 25 Jan 22 12:28 yubikey -> ../mods-available/yubikey
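Both approaches above as an added example (shell functions written for this guide, not FreeRADIUS code): enable every module in mods-available except README.rst, unlink a list of unused ones, enable only a named set, list what is enabled, and check mods-enabled for dangling links left behind when a module file is removed. The raddb directory is an argument; the demo builds a constructed tree with a handful of empty module files.

```shell
#!/bin/sh
# Added example for this guide: manage raddb/mods-enabled symlinks the way the
# text describes (approach 1: enable all, then unlink the unused ones;
# approach 2: enable only a named set) and check the result. Works on the
# raddb directory you pass; the demo uses a constructed tree.

# Create the relative link mods-enabled/NAME -> ../mods-available/NAME.
enable_module() {
    raddb="$1"; name="$2"
    if [ ! -f "$raddb/mods-available/$name" ]; then
        echo "no such module in mods-available: $name" >&2
        return 1
    fi
    [ -e "$raddb/mods-enabled/$name" ] && return 0      # already enabled
    ln -s "../mods-available/$name" "$raddb/mods-enabled/$name"
}

# Approach 1, step 1: enable everything except README.rst.
enable_all_modules() {
    raddb="$1"
    for path in "$raddb"/mods-available/*; do
        name=$(basename "$path")
        [ "$name" = "README.rst" ] && continue
        enable_module "$raddb" "$name" || return 1
    done
    return 0
}

# Approach 1, step 2 (the unlink list above): remove the link for each NAME.
disable_modules() {
    raddb="$1"; shift
    for name in "$@"; do
        [ -L "$raddb/mods-enabled/$name" ] && rm "$raddb/mods-enabled/$name"
    done
    return 0
}

# Approach 2: enable only the NAMEs given.
enable_only_modules() {
    raddb="$1"; shift
    for name in "$@"; do enable_module "$raddb" "$name" || return 1; done
    return 0
}

# Names of enabled modules whose target still exists, one per line, sorted.
enabled_modules() {
    for link in "$1"/mods-enabled/*; do
        [ -e "$link" ] || continue          # empty directory or dangling link
        basename "$link"
    done | sort
}

# Report links in mods-enabled whose target is gone; return 1 if any.
check_mods_enabled() {
    raddb="$1"; rc=0
    for entry in "$raddb"/mods-enabled/*; do
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "dangling link: $entry -> $(readlink "$entry")" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed raddb tree with a few empty module definitions for the demo.
make_sample_raddb() {
    raddb="$1"
    mkdir -p "$raddb/mods-available" "$raddb/mods-enabled"
    for m in always attr_filter chap cui eap files ldap mschap pap preprocess sql sqlippool unix; do
        printf '%s {\n}\n' "$m" > "$raddb/mods-available/$m"
    done
    : > "$raddb/mods-available/README.rst"
}
```

Run check_mods_enabled /usr/local/etc/raddb before starting radiusd in debug mode, so that a stale link is not mistaken for a misconfigured module.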

eap module

In FreeRADIUS version 3, the directory /usr/local/etc/raddb/modules/ that was used in earlier versions is no longer in use!

In FreeRADIUS 3.0.x versions, all modules have been moved to the subdirectory /usr/local/etc/raddb/mods-available. Modules that may be of interest are ldap, ntlm_auth, cui, eap, sql etc. A desired module is activated by creating a soft link to it in the subdirectory /usr/local/etc/raddb/mods-enabled/

  • Make a backup copy of the eap file.
cd /usr/local/etc/raddb/mods-available
cp eap eap_default
  • Edit the eap file.
vim eap

The eap module must be changed to match the one below.

The desired authentication method is set at the very beginning of the eap module (default_eap_type). This guide gives an example for EAP-TTLS authentication. After the authentication method is defined in the first line, the virtual_server parameter in the corresponding section (ttls or peap) must be changed so that its value is eduroam-inner-tunnel. If you also want to enable PEAP as a secondary authentication method, the value of the virtual_server parameter in the peap section of the eap module must also be changed to eduroam-inner-tunnel.

First, the authentication method needs to be changed.

  • Change the authentication method by commenting out the line default_eap_type = md5 and adding the following line below it:
        default_eap_type = ttls
eap {
#        default_eap_type = md5
        default_eap_type = ttls

The following steps concern the tls-config tls-common section.

  • Next comes the specification of the private key and certificate that were created at the beginning:

  • Comment out the line private_key_file = ${certdir}/server.pem and add the following line below it:

                private_key_file = ${certdir}/institucija.ac.rs.key
  • Comment out the line certificate_file = ${certdir}/server.pem and add the following line below it:
                certificate_file = ${certdir}/institucija.ac.rs.crt
  • Comment out the line ca_file = ${cadir}/ca.pem and add the following line below it:
                ca_file = ${cadir}/GEANT_OV_RSA_CA_4.crt
  • Change the minimum TLS version by commenting out the line tls_min_version = "1.2" and adding the following line below it:
                tls_min_version = "1.0"

Note: TLS 1.0 is a version that is being phased out for most client devices, and the minimum version is gradually moving to 1.2. If you wish, you can set the minimum version to TLS 1.2 right away.

  • In the ttls subsection, comment out the line virtual_server = "inner-tunnel" and add the following line below it:
                virtual_server = "eduroam-inner-tunnel"
        tls-config tls-common {
                private_key_password = whatever
#               private_key_file = ${certdir}/server.pem
                private_key_file = ${certdir}/institucija.ac.rs.key
#               certificate_file = ${certdir}/server.pem
                certificate_file = ${certdir}/institucija.ac.rs.crt
#               ca_file = ${cadir}/ca.pem
                ca_file = ${cadir}/GEANT_OV_RSA_CA_4.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
#               tls_min_version = "1.2"
                tls_min_version = "1.0"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"

                cache {
                        enable = no
#                       lifetime = 24 # hours
                        store {
                                Tunnel-Private-Group-Id
                        }
                }
                verify {
                }
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
#               virtual_server = "inner-tunnel"
                virtual_server = "eduroam-inner-tunnel"
        }

        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        mschapv2 {
        }
}

The eap file with all required changes:

eap {
#        default_eap_type = md5
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        gtc {
                auth_type = PAP
        }
        tls-config tls-common {
                private_key_password = whatever
#               private_key_file = ${certdir}/server.pem
                private_key_file = ${certdir}/institucija.ac.rs.key
#               certificate_file = ${certdir}/server.pem
                certificate_file = ${certdir}/institucija.ac.rs.crt
#               ca_file = ${cadir}/ca.pem
                ca_file = ${cadir}/GEANT_OV_RSA_CA_4.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
#               tls_min_version = "1.2"
                tls_min_version = "1.0"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"

                cache {
                        enable = no
#                       lifetime = 24 # hours
                        store {
                                Tunnel-Private-Group-Id
                        }
                }
                verify {
                }
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
#               virtual_server = "inner-tunnel"
                virtual_server = "eduroam-inner-tunnel"
        }

        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        mschapv2 {
        }
}
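An audit of the settings changed in the tls-config tls-common, ttls and peap sections, as an added example (written for this guide, not FreeRADIUS code): it reads an eap module file, tracks which section each key belongs to, and reports tls_min_version below 1.2, private_key_file/certificate_file/ca_file still pointing at the install-time test certificates, the placeholder private_key_password, and virtual_server values that are not eduroam-inner-tunnel. The embedded sample file is constructed from the changes shown above.

```shell
#!/bin/sh
# Added example for this guide: audit a FreeRADIUS 3 mods-available/eap file
# for the settings changed above. Not FreeRADIUS code; reads the file you
# pass, prints one finding per line and returns 1 if any WARN was raised.

audit_eap() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); sub(/^"/, "", s); sub(/"$/, "", s); return s }
    function warn(msg) { print "WARN: " msg; warns++ }
    {
        l = $0; sub(/#.*/, "", l)                         # drop comments
        if (l ~ /\{[ \t]*$/) {                            # section opens: push its name
            n = l; sub(/[ \t]*\{[ \t]*$/, "", n); n = trim(n); sub(/^tls-config[ \t]+/, "", n)
            stack[++depth] = n; next
        }
        if (l ~ /^[ \t]*\}/) { delete stack[depth]; depth--; next }   # section closes
        if (l !~ /=/) next
        i = index(l, "="); key = trim(substr(l, 1, i - 1)); val = trim(substr(l, i + 1))
        sect = stack[depth]
        if (key == "tls_min_version" && val + 0 < 1.2)
            warn("tls_min_version = " val " allows deprecated TLS; set \"1.2\" unless legacy supplicants still need less")
        if ((key == "private_key_file" || key == "certificate_file") && val ~ /server\.pem$/)
            warn(key " still points at the test certificate generated at install")
        if (key == "ca_file" && val ~ /\/ca\.pem$/)
            warn("ca_file still points at the test CA generated at install")
        if (key == "private_key_password" && val == "whatever")
            warn("private_key_password is still the placeholder from the default config; set the passphrase of the institution key")
        if (key == "virtual_server" && sect == "ttls" && val != "eduroam-inner-tunnel")
            warn("ttls virtual_server = " val "; this guide requires eduroam-inner-tunnel")
        if (key == "virtual_server" && sect == "peap" && val != "eduroam-inner-tunnel")
            print "NOTE: peap virtual_server = " val "; set eduroam-inner-tunnel if PEAP is enabled as a secondary method"
    }
    END { exit (warns > 0) ? 1 : 0 }
    ' "$1"
}

# Constructed sample eap file following the changes shown in this guide.
make_sample_eap() {
    cat > "$1" <<'EOF'
eap {
#        default_eap_type = md5
        default_eap_type = ttls
        timer_expire = 60
        tls-config tls-common {
                private_key_password = whatever
#               private_key_file = ${certdir}/server.pem
                private_key_file = ${certdir}/institucija.ac.rs.key
#               certificate_file = ${certdir}/server.pem
                certificate_file = ${certdir}/institucija.ac.rs.crt
#               ca_file = ${cadir}/ca.pem
                ca_file = ${cadir}/GEANT_OV_RSA_CA_4.crt
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
#               tls_min_version = "1.2"
                tls_min_version = "1.0"
                tls_max_version = "1.2"
                cache {
                        enable = no
#                       lifetime = 24 # hours
                }
                ocsp {
                        enable = no
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                use_tunneled_reply = no
#               virtual_server = "inner-tunnel"
                virtual_server = "eduroam-inner-tunnel"
        }
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                virtual_server = "inner-tunnel"
        }
}
EOF
}
```

After editing, run audit_eap /usr/local/etc/raddb/mods-available/eap; it checks only these settings, so still run radiusd -XC to have the server parse the whole configuration.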

Once the configuration of the eap module is finished, change into the subdirectory /usr/local/etc/raddb/mods-enabled and create a soft link to the eap module from the subdirectory /usr/local/etc/raddb/mods-available:

cd ../mods-enabled/
ln -s ../mods-available/eap

ldap module

The next step is configuring the FreeRADIUS server to authenticate users through the ldap module.

  • Change into the subdirectory /usr/local/etc/raddb/mods-available:
cd /usr/local/etc/raddb/mods-available
  • Make a backup copy of the ldap file.
cp ldap ldap_default
  • Edit the ldap file.
vim ldap

The procedure below configures the ldap module with a single connector. If more connectors need to be configured, follow the instructions for configuring one and then continue with the following steps.

You need to:

  • Comment out the line ldap { and add the line ldap konektor{ below it, where konektor is replaced by the name of the LDAP connector:
ldap konektor{
  • Specify the LDAP server: if the LDAP database is on this same VM, the line server = 'localhost' stays; if the LDAP database is on another server (ldap.institucija.ac.rs), comment out the line server = 'localhost' and add below it a line that specifies either the domain name or the IP address of the remote machine:
        server = 'ldap.institucija.ac.rs'
  • Give the DN of the account used for integrating with the LDAP database. Below the line #identity = 'cn=admin,dc=example,dc=org' add the line:
        identity = 'cn=admin,dc=institucija,dc=local'
  • Give the password of the account used for integrating with the LDAP database (e.g. mojaLozinka123). Below the line #password = mypass add the line:
        password = mojaLozinka123
  • Specify the part of the LDAP database that holds the accounts being authenticated (e.g. ou=People,dc=test1,dc=institucija,dc=local). Comment out the line base_dn = 'dc=example,dc=org' and then add the following line below it:
        base_dn = 'ou=People,dc=test1,dc=institucija,dc=local'
  • Within the update subsection, make the following changes:

Below the line control:Password-With-Header += 'userPassword' and above the line control: += 'radiusControlAttribute' add these lines:

                control:Stripped-User-Name      := 'uid'

                reply:AMRES-Attribute-sn        := 'sn'
                reply:AMRES-Attribute-gn        := 'givenName'
                reply:AMRES-Attribute-uid       := 'uid'
                reply:AMRES-Attribute-cn        := 'cn'
                reply:AMRES-Attribute-mail      += 'mail'
                reply:AMRES-Attribute-o         := 'o'
                reply:AMRES-Attribute-entitlement   += 'eduPersonEntitlement'
                reply:AMRES-Attribute-displayName   := 'displayName'
                reply:AMRES-Attribute-Affiliation   := 'rsEduPersonAffiliation'
                reply:AMRES-Attribute-StaffCategory   := 'rsEduPersonStaffCategory'
                reply:Class                     := 'rsEduPersonPrimaryAffiliation'

Note: the attributes (data types) sn, givenName, cn, mail, o, eduPersonEntitlement, displayName, rsEduPersonAffiliation, rsEduPersonStaffCategory and rsEduPersonPrimaryAffiliation are used for the AMRES VPN service and the iAMRES Federation.

The ldap file with all the required changes:

#ldap {
ldap konektor{
        server = 'localhost'
#       identity = 'cn=admin,dc=example,dc=org'
        identity = 'cn=admin,dc=institucija,dc=local'
#       password = mypass
        password = mojaLozinka123
        base_dn = 'ou=People,dc=test1,dc=institucija,dc=local'
        sasl {

        }
        update {
                control:Password-With-Header    += 'userPassword'
                control:Stripped-User-Name      := 'uid'

                reply:AMRES-Attribute-sn        := 'sn'
                reply:AMRES-Attribute-gn        := 'givenName'
                reply:AMRES-Attribute-uid       := 'uid'
                reply:AMRES-Attribute-cn        := 'cn'
                reply:AMRES-Attribute-mail      += 'mail'
                reply:AMRES-Attribute-o         := 'o'
                reply:AMRES-Attribute-entitlement   += 'eduPersonEntitlement'
                reply:AMRES-Attribute-displayName   := 'displayName'
                reply:AMRES-Attribute-Affiliation   := 'rsEduPersonAffiliation'
                reply:AMRES-Attribute-StaffCategory   := 'rsEduPersonStaffCategory'
                reply:Class                     := 'rsEduPersonPrimaryAffiliation'

                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        user_dn = "LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }

        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }

        profile {
        }

        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'


                template {

                }

                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }


        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"

                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }

                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }

                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        options {

                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        tls {

        }


        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}

If several LDAP connectors need to be defined, copy the entire contents of the file given above below the already configured first ldap connector and change all the required parameters that are marked in colour.

When copying parts of the configuration into the configuration files you can use the nano editor, because the vim editor recognises the comment marker in one part of the configuration and repeats that marker on all subsequent lines of the pasted configuration.

nano ldap
The ldap file with two configured LDAP connectors (konektor1 and konektor2):

#ldap {
ldap konektor1{
        server = 'localhost'
#       identity = 'cn=admin,dc=example,dc=org'
        identity = 'cn=admin,dc=institucija,dc=local'
#       password = mypass
        password = mojaLozinka123
        base_dn = 'ou=People,dc=test1,dc=institucija,dc=local'
        sasl {

        }
        update {
                control:Password-With-Header    += 'userPassword'
                control:Stripped-User-Name      := 'uid'

                reply:AMRES-Attribute-sn        := 'sn'
                reply:AMRES-Attribute-gn        := 'givenName'
                reply:AMRES-Attribute-uid       := 'uid'
                reply:AMRES-Attribute-cn        := 'cn'
                reply:AMRES-Attribute-mail      += 'mail'
                reply:AMRES-Attribute-o         := 'o'
                reply:AMRES-Attribute-entitlement   += 'eduPersonEntitlement'
                reply:AMRES-Attribute-displayName   := 'displayName'
                reply:AMRES-Attribute-Affiliation   := 'rsEduPersonAffiliation'
                reply:AMRES-Attribute-StaffCategory   := 'rsEduPersonStaffCategory'
                reply:Class                     := 'rsEduPersonPrimaryAffiliation'

                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        user_dn = "LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }

        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }

        profile {
        }

        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'


                template {

                }

                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }


        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"

                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }

                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }

                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        options {

                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        tls {

        }


        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}

ldap konektor2{
        server = 'localhost'
#       identity = 'cn=admin,dc=example,dc=org'
        identity = 'cn=admin,dc=institucija,dc=local'
#       password = mypass
        password = mojaLozinka123
        base_dn = 'ou=People,dc=test2,dc=institucija,dc=local'
        sasl {

        }
        update {
                control:Password-With-Header    += 'userPassword'
                control:Stripped-User-Name      := 'uid'

                reply:AMRES-Attribute-sn        := 'sn'
                reply:AMRES-Attribute-gn        := 'givenName'
                reply:AMRES-Attribute-uid       := 'uid'
                reply:AMRES-Attribute-cn        := 'cn'
                reply:AMRES-Attribute-mail      += 'mail'
                reply:AMRES-Attribute-o         := 'o'
                reply:AMRES-Attribute-entitlement   += 'eduPersonEntitlement'
                reply:AMRES-Attribute-displayName   := 'displayName'
                reply:AMRES-Attribute-Affiliation   := 'rsEduPersonAffiliation'
                reply:AMRES-Attribute-StaffCategory   := 'rsEduPersonStaffCategory'
                reply:Class                     := 'rsEduPersonPrimaryAffiliation'

                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        user_dn = "LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }

        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }

        profile {
        }

        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'


                template {

                }

                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }


        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"

                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }

                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }

                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        options {

                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        tls {

        }


        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}

When the ldap module configuration is complete, change to the subdirectory /usr/local/etc/raddb/mods-enabled and create a soft link to the ldap module from the subdirectory /usr/local/etc/raddb/mods-available:

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/ldap

The dictionary file

The procedure for configuring the dictionary file follows.

  • Change to the subdirectory /usr/local/etc/raddb/
cd /usr/local/etc/raddb/
  • Edit the dictionary file.
vim dictionary

Add the following lines at the end of the file:

VENDOR          AMRES           11067

BEGIN-VENDOR AMRES

ATTRIBUTE       AMRES-Attribute-sn           1       string
ATTRIBUTE       AMRES-Attribute-gn           2       string
ATTRIBUTE       AMRES-Attribute-uid          3       string
ATTRIBUTE       AMRES-Attribute-cn           4       string
ATTRIBUTE       AMRES-Attribute-mail         5       string
ATTRIBUTE       AMRES-Attribute-eduid        6       string
ATTRIBUTE       AMRES-Attribute-o            6       string
ATTRIBUTE       AMRES-Attribute-entitlement  7       string
ATTRIBUTE       AMRES-Attribute-displayName  8       string
ATTRIBUTE       AMRES-Attribute-Affiliation  9       string
ATTRIBUTE       AMRES-Attribute-StaffCategory   10      string
ATTRIBUTE       AMRES-Attribute-UniqueCode   11      string
ATTRIBUTE       AMRES-Attribute-LocalNumber  12      string

END-VENDOR AMRES

Save the changes to the dictionary file.

The policy.d directory

In the new version of FreeRADIUS the installation process creates the directory /usr/local/etc/raddb/policy.d.
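The dictionary fragment above defines the AMRES vendor-specific attributes by number, and those numbers have to be unique within the vendor; note that the listing assigns number 6 to both AMRES-Attribute-eduid and AMRES-Attribute-o. The Python script below is an example added to this guide (it is not code from FreeRADIUS or from the original document): it parses a fragment in the dictionary format shown and reports duplicate numbers, duplicate names, unknown data types and unbalanced BEGIN-VENDOR/END-VENDOR lines. DICTIONARY_FRAGMENT is copied from the listing above; the function names and checks are this example's own. Which of the two attributes should keep number 6 has to be confirmed with AMRES, which a check like this cannot decide.

```python
"""Offline sanity check for a FreeRADIUS dictionary fragment.

Added example for this guide; not code from the FreeRADIUS project or from
the original document. DICTIONARY_FRAGMENT is copied from the listing above;
the helper names and checks are this example's own.
"""
from collections import defaultdict

DICTIONARY_FRAGMENT = """\
VENDOR          AMRES           11067

BEGIN-VENDOR AMRES

ATTRIBUTE       AMRES-Attribute-sn           1       string
ATTRIBUTE       AMRES-Attribute-gn           2       string
ATTRIBUTE       AMRES-Attribute-uid          3       string
ATTRIBUTE       AMRES-Attribute-cn           4       string
ATTRIBUTE       AMRES-Attribute-mail         5       string
ATTRIBUTE       AMRES-Attribute-eduid        6       string
ATTRIBUTE       AMRES-Attribute-o            6       string
ATTRIBUTE       AMRES-Attribute-entitlement  7       string
ATTRIBUTE       AMRES-Attribute-displayName  8       string
ATTRIBUTE       AMRES-Attribute-Affiliation  9       string
ATTRIBUTE       AMRES-Attribute-StaffCategory   10      string
ATTRIBUTE       AMRES-Attribute-UniqueCode   11      string
ATTRIBUTE       AMRES-Attribute-LocalNumber  12      string

END-VENDOR AMRES
"""

# Data types FreeRADIUS 3 accepts on ATTRIBUTE lines (the commonly used ones).
KNOWN_TYPES = {
    "string", "octets", "integer", "integer64", "date", "ipaddr", "ipv6addr",
    "ipv4prefix", "ipv6prefix", "byte", "short", "ether", "tlv", "abinary",
}


def parse_dictionary(text):
    """Return (vendors, attributes, problems) for a dictionary fragment.

    vendors maps vendor name -> vendor id; attributes is a list of
    (name, number, type, vendor_or_None) in file order.
    """
    vendors, attributes, problems = {}, [], []
    current_vendor = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        try:
            if keyword == "VENDOR" and len(fields) >= 3:
                vendors[fields[1]] = int(fields[2])
            elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
                if fields[1] not in vendors:
                    problems.append(f"line {lineno}: BEGIN-VENDOR {fields[1]} before its VENDOR line")
                current_vendor = fields[1]
            elif keyword == "END-VENDOR" and len(fields) >= 2:
                if fields[1] != current_vendor:
                    problems.append(f"line {lineno}: END-VENDOR {fields[1]} does not match BEGIN-VENDOR {current_vendor}")
                current_vendor = None
            elif keyword == "ATTRIBUTE" and len(fields) >= 4:
                attributes.append((fields[1], int(fields[2]), fields[3], current_vendor))
            else:
                problems.append(f"line {lineno}: unrecognised line: {line}")
        except ValueError:
            problems.append(f"line {lineno}: non-numeric id: {line}")
    if current_vendor is not None:
        problems.append(f"BEGIN-VENDOR {current_vendor} without END-VENDOR")
    return vendors, attributes, problems


def check_dictionary(text):
    """List the problems that would show up at 'radiusd -X' or later on the wire."""
    vendors, attributes, problems = parse_dictionary(text)
    by_number = defaultdict(list)
    seen_names = set()
    for name, number, atype, vendor in attributes:
        if name in seen_names:
            problems.append(f"attribute name {name} defined twice")
        seen_names.add(name)
        if atype not in KNOWN_TYPES:
            problems.append(f"{name}: unknown data type {atype}")
        # A VENDOR line without format=... uses one-byte type and length
        # fields, so vendor attribute numbers must fit in 1..255.
        if vendor is not None and not 1 <= number <= 255:
            problems.append(f"{name}: number {number} outside 1..255 for vendor {vendor}")
        by_number[(vendor, number)].append(name)
    for (vendor, number), names in by_number.items():
        if len(names) > 1:
            # Two names on one number: a received attribute with this number
            # can be mapped to only one of them.
            problems.append(f"vendor {vendor}: number {number} is used by {', '.join(names)}")
    return problems


if __name__ == "__main__":
    for problem in check_dictionary(DICTIONARY_FRAGMENT):
        print(problem)
```

Run as a file, the script prints one line for the fragment above, naming the two attributes that share number 6; a clean fragment produces no output.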

Configuring the CUI attribute

Editing the cui file

If a security incident occurs in the eduroam service, in most cases the Resource Provider can find only the user's anonymous identity (anonymous@idp.ac.rs) in its logs. In that case, until the user in question is identified in the Identity Provider's database, the Resource Provider can only block the entire domain of the problematic user. This problem is solved by using the CUI attribute.

CUI (Chargeable User Identity) is a unique identifier of each eduroam user; it is formed by the Identity Provider and sent to the Resource Provider.

If authentication succeeds, the Identity Provider forms the CUI attribute by computing an MD5 hash over the user's UID, the Operator-Name attribute from the request and, optionally, a key (cui_hash_key in this example). This value is returned to the Resource Provider in the Access-Accept message. Note that the CUI value will differ for the same user when they use eduroam resources at different Resource Providers.

cd /usr/local/etc/raddb/policy.d
vim cui

The file with the change applied is shown below.

  • 1: in the line (cui_hash_key = "L03ink@123!"), replace the part L03ink@123! with a password of your choice.
cui_hash_key = "L03ink@123!"

cui_require_operator_name = "no"

cui.authorize {
        if ("%{client:add_cui}" == 'yes') {
                update request {
                        &Chargeable-User-Identity := 0x00
                }
        }
}

cui.pre-proxy {
        if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
                update proxy-request {
                        &Chargeable-User-Identity = 0x00
                }
        }
}

cui.post-auth {
        if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \
            (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
                update reply {
                        &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
                }
        }

        if (&reply:Chargeable-User-Identity) {
                update {
                        &reply:User-Name := &request:User-Name
                }
                cuisql
        }
}


cui-inner.post-auth {
        if (&outer.request:Chargeable-User-Identity && \
            (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
                update reply {
                        &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
                }
        }
}

cui.accounting {
        if (!&Chargeable-User-Identity) {
                update request {
                        &Chargeable-User-Identity := "%{cuisql:\
                                SELECT cui FROM cui \
                                WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
                                AND callingstationid = '%{Calling-Station-Id}' \
                                AND username = '%{User-Name}'}"
                }
        }

        if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
                cuisql
        }
}
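The value that cui.post-auth and cui-inner.post-auth above write into Chargeable-User-Identity is the expansion %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}. The Python below is an example added to this guide (not code from FreeRADIUS or from the original document) that reproduces that expansion and the issuing conditions of cui-inner.post-auth, so the properties of the identifier can be checked offline. The key, user names and Operator-Name values are constructed, and the function names are this example's own.

```python
"""CUI derivation as performed by the cui policy above.

Added example for this guide; not code from FreeRADIUS or from the original
document. It mirrors the unlang expansion
    %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}
in Python. All keys, user names and realms below are constructed samples.
"""
import hashlib


def cui_value(user_name, operator_name, hash_key):
    """Return the CUI string the policy would put into the Access-Accept.

    operator_name=None stands for a request without Operator-Name: the
    %{%{Operator-Name}:-} expansion then yields the empty string. The key is
    prepended outside tolower, so only user name and Operator-Name are
    lower-cased.
    """
    material = hash_key + (user_name + (operator_name or "")).lower()
    # %{sha1:...} in FreeRADIUS 3 expands to the lower-case hex digest.
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def cui_issued(cui_requested, operator_name, require_operator_name="no"):
    """Mirror the conditions of cui-inner.post-auth.

    The Resource Provider must have asked for a CUI (Chargeable-User-Identity
    = 0x00 in the outer request) and, when cui_require_operator_name is
    'yes', must also have sent Operator-Name. The cui file above sets it to
    'no', so a CUI is issued even without Operator-Name.
    """
    if not cui_requested:
        return False
    return bool(operator_name) or require_operator_name != "yes"


def cui_table(user_name, hash_key, operator_names):
    """CUI per Resource Provider for one user (None = no Operator-Name sent)."""
    return {op: cui_value(user_name, op, hash_key) for op in operator_names}


if __name__ == "__main__":
    KEY = "constructed-example-key"        # stands in for cui_hash_key
    USER = "pperic@institucija.ac.rs"      # inner (real) identity, constructed
    # Operator-Name is namespace id '1' (REALM) followed by the SP realm (RFC 5580).
    for op, value in cui_table(USER, KEY, ["1sp-one.example.org", "1sp-two.example.org", None]).items():
        print(f"{str(op):24} -> {value}")
```

Two consequences of the policy follow directly from the formula: the same user gets a different CUI at every Resource Provider that sends Operator-Name, but with cui_require_operator_name = "no" a Resource Provider that omits Operator-Name still receives a CUI, and that value is the same at every such provider; and changing cui_hash_key changes every CUI, so a block that a Resource Provider placed on an old value no longer matches the same user.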

Creating the eduroam_cui_log file

vim /usr/local/etc/raddb/mods-available/eduroam_cui_log
linelog cui_inner_log {
        filename = ${logdir}/cui_inner_log
        format = ""
        reference = "%{%{reply:Packet-Type}:-format}"
        Access-Accept ="Access-Accept: %t USER=%{User-Name} IdP=%{tolower:%{Realm}} MAC=%{outer.request:Calling-Station-Id} AP=%{outer.request:Called-Station-Id} RP=%{outer.request:Operator-Name}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
        Access-Reject ="Access-Reject: %t USER=%{User-Name} IdP=%{tolower:%{Realm}} MAC=%{outer.request:Calling-Station-Id} AP=%{outer.request:Called-Station-Id} RP=%{outer.request:Operator-Name}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
}

When the eduroam_cui_log module has been created, change to the subdirectory /usr/local/etc/raddb/mods-enabled and create a soft link to the eduroam_cui_log module from the subdirectory /usr/local/etc/raddb/mods-available:

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/eduroam_cui_log
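A Resource Provider that reports an incident can quote only the CUI it saw; the cui_inner_log lines produced by the module above are what lets the Identity Provider map that value back to the inner user name and the MAC and AP involved. The Python below is an example added to this guide (not code from FreeRADIUS or from the original document): it parses lines in the Access-Accept/Access-Reject format of the linelog module above and groups successful sessions by CUI. The log lines, user names, MAC addresses, Operator-Names and the CUI string are constructed; "Local User" is what the format emits when neither reply nor outer.reply carried a CUI, and %t is FreeRADIUS's ctime-style timestamp.

```python
"""Parse cui_inner_log lines and map a reported CUI back to the local user.

Added example for this guide; not code from FreeRADIUS or from the original
document. The line layout follows the Access-Accept / Access-Reject formats
of the linelog module above. Every log line, name, MAC address and CUI value
below is constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<packet>Access-Accept|Access-Reject): "
    r"(?P<time>.{24}) "                      # %t, e.g. 'Mon Mar  6 09:12:41 2023'
    r"USER=(?P<user>\S*) IdP=(?P<idp>\S*) MAC=(?P<mac>\S*) AP=(?P<ap>\S*) "
    r"RP=(?P<rp>.*?)#CUI=(?P<cui>.*?)#RESULT=(?P<result>OK|FAIL)#$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
Access-Accept: Mon Mar  6 09:12:41 2023 USER=pperic@institucija.ac.rs IdP=institucija.ac.rs MAC=aa-bb-cc-11-22-33 AP=00-11-22-33-44-55:eduroam RP=1sp-one.example.org#CUI=0123456789abcdef0123456789abcdef01234567#RESULT=OK#
Access-Reject: Mon Mar  6 09:13:02 2023 USER=mmarkovic@institucija.ac.rs IdP=institucija.ac.rs MAC=aa-bb-cc-44-55-66 AP=00-11-22-33-44-55:eduroam RP=1sp-one.example.org#CUI=#RESULT=FAIL#
Access-Accept: Mon Mar  6 10:40:17 2023 USER=pperic@institucija.ac.rs IdP=institucija.ac.rs MAC=aa-bb-cc-77-88-99 AP=00-11-22-33-44-56:eduroam RP=1sp-one.example.org#CUI=0123456789abcdef0123456789abcdef01234567#RESULT=OK#
Access-Accept: Mon Mar  6 11:02:55 2023 USER=jjovanovic@institucija.ac.rs IdP=institucija.ac.rs MAC=aa-bb-cc-aa-bb-cc AP=00-11-22-33-44-55:eduroam RP=#CUI=Local User#RESULT=OK#
this line is not in the expected format
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every well-formed line; malformed lines are counted, not dropped silently."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
        else:
            records.append(rec)
    return records, malformed


def sessions_for_cui(records, cui):
    """Group successful sessions that carried the given CUI by inner user name.

    This is the lookup the IdP runs when a Resource Provider reports a CUI
    from an incident: it yields the local user plus the MACs, APs and
    Operator-Names seen with that value.
    """
    found = defaultdict(list)
    for rec in records:
        if rec["result"] == "OK" and rec["cui"] == cui:
            found[rec["user"]].append((rec["time"], rec["mac"], rec["ap"], rec["rp"]))
    return dict(found)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed")
    for user, sessions in sessions_for_cui(recs, "0123456789abcdef0123456789abcdef01234567").items():
        for when, mac, ap, rp in sessions:
            print(f"{user}: {when} MAC={mac} AP={ap} RP={rp}")
```

Only Access-Accept lines are considered, because a rejected request never carried a CUI into the Access-Accept; a lookup for the literal "Local User" string returns the sessions where no CUI was issued at all, which is worth noticing when a Resource Provider claims it received one.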

Configuring the dynamic-vlan service

In the post-auth section of the eduroam-inner-tunnel file, the VLAN into which requests on the network are placed can also be defined if needed. In that section, uncomment or add the parameter:

dynamic-vlan
This parameter calls a policy that is defined in the /usr/local/etc/raddb/policy.d/ directory; it is recommended to add it to the cui file:

dynamic-vlan.post-auth {

    if (request:User-Name =~ /^((.)+)@institucija\.ac\.rs$/ && reply:rsEduPersonStaffCategory != 'administrativno osoblje') {
        if (reply:Class == 'zaposleni' && (outer.request:Calling-Station-Id =~ /^10-xx-xx.+$/ || outer.request:Calling-Station-Id =~ /^60-xx-xx.+$/ || outer.request:Calling-Station-Id =~ /^88-xx-xx.+$/ || outer.request:Calling-Station-Id =~ /^a0-xx-xx.+$/)) {
            # All four MAC-prefix alternatives are grouped in one pair of parentheses so that the Class check applies to each of them;
            # a prefix match on its own must not be enough to place a user in the VLAN.
            # outer.request was added to the last "if". This attribute is not copied into the request from the inner tunnel.
            # Another solution would be to set "copy_request_to_tunnel = yes" in the ttls section of the eap file.
            if (outer.request:NAS-IP-Address == 147.91.x.x || outer.request:NAS-IP-Address == 147.91.x.x || outer.request:NAS-IP-Address == 147.91.x.x) {
                update outer.reply {
                    Tunnel-Type:1 := "VLAN",
                    Tunnel-Medium-Type:1 := "IEEE-802",
                    Tunnel-Private-Group-ID:1 := "255"
                }
            }
        }
    }

}

If other individual cases also need to be handled, this can be done in one of the following ways in the post-auth section of the eduroam-inner-tunnel file, above the cui_inner and cui_inner_log parameters. Examples are given below:

if (request:User-Name == 'user@institucija.ac.rs' && reply:rsEduPersonStaffCategory != 'administrativno osoblje') {
    update outer.reply {
        Tunnel-Type:1 := "VLAN",
        Tunnel-Medium-Type:1 := "IEEE-802",
        Tunnel-Private-Group-ID:1 := "252"
    }
}


if (request:User-Name =~ /^((.)+)@institucija\.ac\.rs$/) {
    if (reply:Class == 'gost' && (outer.request:NAS-IP-Address == 147.91.x.x || outer.request:NAS-IP-Address == 147.91.x.x || outer.request:NAS-IP-Address == 147.91.x.x)) {
        update outer.reply {
            Tunnel-Type:1 := "VLAN",
            Tunnel-Medium-Type:1 := "IEEE-802",
            Tunnel-Private-Group-ID:1 := "252"
        }
    }
}


if (request:User-Name == 'user@institucija.ac.rs' && outer.request:Calling-Station-Id == 'xx-xx-xx-xx-xx-xx') {
    update outer.reply {
        Tunnel-Type:1 := "VLAN",
        Tunnel-Medium-Type:1 := "IEEE-802",
        Tunnel-Private-Group-ID:1 := "255"
    }
}

Procedure when changing the RADIUS server configuration

Checking RADIUS process activity

ps aux | grep radiusd

Before any change to the RADIUS server configuration, or when a problem in its operation is detected, first stop the RADIUS process if it is running.

killall radiusd

You can then make the configuration changes and investigate any problem in the operation of the RADIUS server.

To verify the configuration, it is recommended to first start the RADIUS process in debug mode, with the command radiusd -X

Debug mode should be used only when configuration changes are being made or when a user has a problem connecting to eduroam, because in debug mode passwords are displayed in clear text.

radiusd -X

If the configuration is free of errors, the following is printed on the screen:

.
.
.
Listening on auth address * port 1812 bound to server eduroam
Listening on acct address * port 1813 bound to server eduroam
Listening on auth address :: port 1812 bound to server eduroam
Listening on acct address :: port 1813 bound to server eduroam
Listening on auth address 127.0.0.1 port 18120 bound to server eduroam-inner-tunnel
Listening on proxy address * port xxxxx
Listening on proxy address :: port xxxxx
Ready to process requests

The RADIUS process in debug mode is stopped with CTRL+C

The RADIUS process in standard mode is started with the command radiusd

radiusd

If the following warning appears when the radiusd process starts, a file on the LDAP server needs to be changed:

TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.

Go to /etc/openldap/ and edit the file ldap.conf:

vim /etc/openldap/ldap.conf

To avoid the warning when starting the radiusd process, add the following line at the end of ldap.conf:

TLS_MOZNSS_COMPATIBILITY off

Restart the slapd process:

systemctl restart slapd

Log review

cd /usr/local/var/log/radius/
tail -f radius.log

Checking the FreeRADIUS package version

radiusd -v