Installation of a radius server for eduroam SP & IdP First step is to prepare the server. We suppose you already have a CentOS 7 server installed with configured network. Install ntp, and enable it as a daemon to run on startup: yum -y install ntp systemctl start ntpd systemctl enable ntpd Then install freeradius and some utilities we'll need later: yum -y install epel-release yum -y install freeradius freeradius-utils net-tools bind-utils Then update the system and reboot yum -y update reboot Now, let's start the configuration. Configure the radius daemon: cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.old > /etc/raddb/radiusd.conf vi /etc/raddb/radiusd.conf Copy and paste this config file to radiusd.conf ---------------## BEGIN ##---------------------------------------------- prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${localstatedir}/lib/radiusd libdir = /usr/lib64/freeradius pidfile = ${run_dir}/${name}.pid correct_escapes = true max_request_time = 30 cleanup_delay = 5 max_requests = 16384 hostname_lookups = no log { destination = files colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad security { user = radiusd group = radiusd allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 auto_limit_acct = no } modules { $INCLUDE mods-enabled/ } instantiate { } policy 
{ $INCLUDE policy.d/ } $INCLUDE sites-enabled/ -------------------## END ##------------------------------------------------ Next, modify the clients.conf file, which defines the RADIUS clients (your wireless controller and the federation-level servers) that are allowed to send requests to this server, each with its own shared secret. vi /etc/raddb/clients.conf ---------------## BEGIN ##--------------------------- client localhost { ipaddr = 127.0.0.1 secret = testing123 } client eduroam_flr_server_1 { ipaddr = 196.200.131.17 secret = yourpasswordhere nastype = 'eduroam_flr' } # As above, only uncomment if there are two federation level servers #client eduroam_flr_server_2 { # ipaddr = # secret = # nastype = 'eduroam_flr' #} # Replace vv.zzz.dd.xx by your controller's IP address client wireless-controller { ipaddr = vv.zzz.dd.xx secret = passwordhere2 } ----------------## END ##---------------------------------- You can copy and paste the file above and modify it accordingly. Replace each placeholder secret (testing123, yourpasswordhere, passwordhere2) with a long, unique value, and keep them consistent: the secret you give eduroam_flr_server_1 here must be the same one used for that home_server in proxy.conf below, and the localhost secret is the one used by radtest at the end of this guide. Then modify the proxy.conf file, which defines the home servers and realms that requests are proxied to. vi /etc/raddb/proxy.conf -----------------## BEGIN ##------------------------- home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth+acct secret = testing123 response_window = 20 zombie_period = 40 revive_interval = 60 status_check = status-server check_interval = 30 num_answers_to_alive = 3 } # Please modify this with your university's domain realm university.ac.ma { type = radius authhost = LOCAL accthost = LOCAL # nostrip } realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL # nostrip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL # nostrip } home_server eduroam_flr_server_1 { type = auth+acct ipaddr = 196.200.131.17 port = 1812 secret = passwordhere response_window = 20 zombie_period = 40 revive_interval = 60 status_check = status-server revive_interval = 60 status_check = status-server check_interval = 30 num_answers_to_alive = 3 } # Only uncomment if there are two FLRS #home_server eduroam_flr_server_2 { # ipaddr = # secret = # status_check = status-server # response_window 
= 5 # check_interval = 10 # check_timeout = 5 #} home_server_pool eduroam_flr_pool { type = keyed-balance home_server = eduroam_flr_server_1 # Only uncomment if there are two FLRS # home_server = eduroam_flr_server_2 } realm "~.+$" { auth_pool = eduroam_flr_pool nostrip } -----------------## END ##------------------------------- You can copy and paste the file above and modify it accordingly. Note that the last realm, "~.+$", is a catch-all: any realm not listed before it is proxied to the federation-level pool, and the secret set for home_server eduroam_flr_server_1 must match the one given for that client in clients.conf. Next, configure the eap and ldap modules for authentication. For eap, you'll need the server certificate, its private key, and the certificate of the CA that issued it. Place these certs in the folder /etc/raddb/certs, then modify the eap conf file accordingly. vi /etc/raddb/mods-available/eap ----------------## BEGIN ##------------------------------- eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { certificate_file = ${certdir}/radius_university_ac_ma.crt private_key_file = ${certdir}/radius-university.key # If your private key has a password uncomment the following line and put it there # private_key_password = whatever ca_file = ${cadir}/DigiCertCA.crt # If your AP drops packets towards the client, try reducing this. fragment_size = 1024 # When issuing client certificates embed the OCSP URL in the # certificate if you want to be able to revoke them later. ocsp { enable = yes override_cert_url = no use_nonce = yes } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } ------------------## END ##---------------------------- You can copy and paste the file above and modify it accordingly. Make the private key file readable only by the radiusd user (for example owner radiusd, mode 0600); if you uncomment private_key_password, that password is stored in cleartext in this file, so restrict the permissions of the eap file in the same way. 
Verify that the eap module is linked into mods-enabled (this is usually the default). If it isn't, run the command: "cd /etc/raddb; ln -s mods-available/eap mods-enabled/" For ldap, you'll need to install the module, then configure it according to your OpenLDAP/AD server. yum install freeradius-ldap vi /etc/raddb/mods-available/ldap -----------------## BEGIN ##----------------------------- ldap { server = 'ldap.university.ac.ma' identity = 'cn=manager,dc=university,dc=ac,dc=ma' password = yourpasswordhere base_dn= 'ou=people,dc=university,dc=ac,dc=ma' sasl { } update { control:Password-With-Header += 'userPassword' control:Stripped-User-Name := 'uid' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' membership_attribute = 'memberOf' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { # Set this to 'yes' to use TLS encrypted connections # start_tls = yes # ca_file = ${certdir}/cacert.pem # ca_path = ${certdir} # certificate_file = /path/to/radius.crt # private_key_file = /path/to/radius.key # random_file = /dev/urandom # require_cert = 'demand' } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} 
spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } -----------------## END ##------------------------------------- You can copy and paste the file above and modify it accordingly. Two points to check: the bind password (password =) is stored in cleartext in this file, so keep the file readable only by the radiusd user; and unless the LDAP server runs on the same host, enable the tls section (start_tls = yes with a ca_file) so that the bind password and the user passwords read into Password-With-Header are not sent over the network unencrypted. Then create a soft link to mods-enabled: cd /etc/raddb/mods-enabled ln -s ../mods-available/ldap ldap chown -ch radiusd:radiusd ldap The last part is to configure the virtual servers ("sites") that radius will serve. In our case, those are inner-tunnel -which is there by default- and eduroam. We will unlink the default site and add our eduroam site to sites-enabled. First, configure the inner-tunnel for ldap authentication: vi /etc/raddb/sites-enabled/inner-tunnel -----------## BEGIN ##------------------------ server inner-tunnel { listen { type = auth ipaddr = 127.0.0.1 port = 18120 # Used for testing only. Requests proxied internally. } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } # # Read the 'users' file files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } session { } post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject reply_log update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } ------------## END ##------------------------------------------ You can copy and paste the file above. The final step is to create our eduroam site. Remove the default site from the enabled sites. 
cd /etc/raddb unlink sites-enabled/default Link your newly created eduroam site to sites-enabled, and modify it according to the template provided below: touch sites-available/eduroam cd /etc/raddb/sites-enabled/ ln -s ../sites-available/eduroam eduroam chown -ch radiusd:radiusd eduroam vi /etc/raddb/sites-available/eduroam --------------## BEGIN ##------------------------------------ # The domain users will add to their username to have their credentials # routed to your institution. You will also need to register this # and your RADIUS server addresses with your NRO. operator_name = "university.ac.ma" # The VLAN to assign eduroam visitors #eduroam_default_guest_vlan = "17" # The VLAN to assign your students/staff #eduroam_default_local_vlan = "14" server eduroam { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { preprocess filter_username auth_log suffix eap { ok = return updated = return } files ldap expiration logintime pap } pre-proxy { #attr_filter.pre-proxy #linelog_send_proxy_request } authenticate { Auth-Type PAP { pap ldap } Auth-Type CHAP { chap ldap } Auth-Type MS-CHAP { mschap #ldap } Auth-Type LDAP { ldap } eap } accounting { # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # Update the wtmp file # # If you don't use "radlast", you can delete this line. unix # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. 
radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { reply_log exec #update reply { # Tunnel-Type := VLAN # Tunnel-Medium-Type := IEEE-802 #} #if (&control:Proxy-To-Realm) { # update reply { # Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan} # } #} #else { # update reply { # Tunnel-Private-Group-ID = ${eduroam_default_local_vlan} # } #} # We're sending a response to one of OUR network devices for one of # OUR users so provide it with the real user-identity. if (&session-state:Stripped-User-Name) { update reply { User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}" } } #linelog_send_accept Post-Auth-Type REJECT { attr_filter.access_reject # linelog_send_reject } } post-proxy { #attr_filter.post-proxy eap #linelog_recv_proxy_response } } ------------## END ##---------------------------------------- You can copy paste the file above and modify accordingly. That's it. To test your installation, open a new session and run the command: radiusd -X On your other session, try the following: radtest testaccount@university.ac.ma testaccoundpassword localhost 1812 testing123 testaccount@university.ac.ma: email account testaccoundpassword: password for the email account localhost: server you're connecting to (localhost in our case) 1812: radius port number of the server testing123: password to connect to the server (defined in clients.conf) radtest testaccount@university.ac.ma testaccoundpassword localhost 1812 testing123 It should return something like this: Sent Access-Request Id 4 from 0.0.0.0:40063 to 127.0.0.1:1812 length 86 User-Name = "testaccount@university.ac.ma" User-Password = "testaccoundpassword" NAS-IP-Address = 196.200.131.9 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "testaccoundpassword" Received Access-Accept Id 4 from 127.0.0.1:1812 to 0.0.0.0:0 length 36 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" If all goes well, *close the radius -X 
session*. Note that the -X debug output shown above prints the test password in cleartext, so do not save it to a file or paste it anywhere. Then start the radius service and enable it on startup: systemctl enable radiusd systemctl start radiusd