Changes between Version 79 and Version 80 of WikiStart

Timestamp:

Jul 31, 2013, 4:40:07 PM (11 years ago)

Author:

walter

Comment:

freeradius gedeelte opschonen

WikiStart

@@ -840 +840 @@
 De rol van deze machine is het centraal afhandelen/doorzetten van het radius verkeer van verschillende eduroam AP's uit het wireless Leiden netwerk, daarnaast functioneert deze machine als internet gateway/concentrator van het verkeer van diezelfde eduroam AP's. De verbinding(en) tussen de eduroam AP's en deze centrale machine worden met openvpn tunnels over het Wireless Leiden netwerk tot stand gebracht. Als hardware gebruiken we een via-epia m met twee bedraade netwerk interfaces. De eerste netwerk interface is gekoppeld aan de gateway waarvan het externe ip gewhitelist moet zijn voor contact met de eduroam Surf Foundation radius proxy. De tweede netwerk interface hangt aan de Wireless Leiden infrastructuur. De plaatsing van deze machine komt het meest tot z'n recht op een locatie waar al het eduroam gerelateerde internetverkeer een daarvoor aangewezen internet verbinding van een educatieve i.s.p. (Surfnet) in kan. De surfnet aansluiting van Universiteit Leiden in de Pieterskerk is daarvoor uitstekend geschikt en geoorloofd! Na de installatie van het OS FREEBSD/DEBIAN, word de benodigde software freeradius, isc-dhcp-server, openvpn en syslog-ng geladen en geconfigureerd. Tenslotte moet er een nat/gateway met bijbehorende firewall rules worden opgezet en heeft het pakket openvpn keys/certificates nodig zie 3 certnode van deze handleiding!
 
-==== 2.1a Install & configure FreeBSD 8.3 ====
+==== 2.1 Install & configure FreeBSD 8.3 ====
 TODO:Ligt een kant en klare FREEBSD 8.3 disk klaar hoe verder te configureren?
 
-==== 2.1b Install & configure debian 7 wheezy ====
+==== 2.2a Install & configure debian 7 wheezy ====
 Voor het OS is debian 7 wheezy i386 gekozen, dit omdat de VIA-EPIA-m geen 5/686 cmov cpu instructieset ondersteunt! De definitieve setup zal op ubuntu 12.04 lts server of freebsd draaien. Met een minimale install inclusief "SSH server" en "standaard tools" word deze debian 7 installatie later uitgebouwd en geconfigureerd. Installeer eerst debian op betreffende machine, download hiervoor de cd/usb image, plaats deze op usbstick en start de installatie. Opmerking, onthoud dat de machine tijdens de installatie en daarna toegang tot internet nodig heeft om alle pakketten te installeren en dus de configuratie te voltooien!
 
@@ -908 +908 @@
         netmask 255.255.255.0 #! bigger subnet for more clients/AP's? <---
 }}}
+
+Continue setting up isc-dhcp-server. Besides editing the conf file, the service also needs to be removed from its default boot routine because it starts to early before its openvpn interface is online!
+
+#example code# /etc/dhcp/dhcpd.conf
+{{{
+option domain-name "eduroam.org";
+option domain-name-servers 8.8.8.8; #! since no local dns server is running on this machine specify a correct one! <---
+default-lease-time 600;
+max-lease-time 7200;
+#subnet 192.168.4.0 netmask 255.255.255.0 {
+#       range 192.168.4.100 192.168.4.150;
+#       option routers 192.168.4.1;
+
+#ap's different lease
+class "ubntaps" {
+        match if (substring (hardware, 1, 3) = DC:9F:DB);
+}
+
+class "eduroamusers" {
+        match if not (substring (hardware, 1, 3) = DC:9F:DB);
+}
+
+subnet 192.168.4.0 netmask 255.255.255.0 {
+        option routers 192.168.4.1;
+
+pool {
+        allow members of "ubntaps";
+        range 192.168.4.3 192.168.4.66;
+}
+
+pool {
+        allow members of "eduroamusers";
+        range 192.168.4.150 192.168.4.250;
+}
+
+}
+
+
+}
+}}}
+
+Remove isc-dhcp-server from its normal startup instance!
+{{{
+update-rc.d isc-dhcp-server disable
+}}}
+
+Continue setting up openvpn. Remember that the openvpn server needs:'openvpn.conf', 'up.sh' (script that will initiate the isc-dhcp-server as soon as the openvpn tap0 interface is available) and offcourse server-certificate files (created in part 3.1 of this howto)!
+
+#example code# /etc/openvpn/openvpn.conf
+{{{
+port 1194 
+proto tcp #udp 
+dev tap0
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/eduradprox.crt #!check name <---
+key /etc/openvpn/eduradprox.key #!check name <---
+dh /etc/openvpn/dh1024.pem
+server-bridge 192.168.3.1 255.255.255.0 192.168.3.100 192.168.3.150 #! still not understood? <---
+mode server
+persist-key
+persist-tun
+verb 4
+log /var/log/openvpn.log
+script-security 2 #! Allows isc-dhcp-server as external program to be started by up.sh <---
+up /etc/openvpn/up.sh
+#duplicate-cn #! allowing this lowers security<---
+status /var/db/openvpn-status.log
+keepalive 10 180
+}}}
+
+#example code# /etc/openvpn/up.sh
+{{{
+#!/bin/sh
+ifup tap0 >/dev/null 2>&1 #allow-hotplug takes care of this?
+#/sbin/ifconfig $1 192.168.4.1/24 up | exit 0
+/bin/sleep 7
+service isc-dhcp-server restart >/dev/null 2>&1
+#/sbin/ifconfig bridge0 addm $1 | exit 0
+}}}
+
+Flag the up.sh script as executable other wise openvpn cannot run!
+{{{
+chmod +x /etc/openvpn/up.sh
+}}}
+
+
+Copy the following server/eduradprox files made on the certnode /etc/openvpn/ to the openvpn server directory.
+{{{
+cp eduradprox.key eduradprox.crt ca.crt dh1024.pem /etc/openvpn/
+}}}
+
+Setup syslog-ng, this will sort remote log files by hostname and day!
+
+#example code# /etc/syslog-ng/conf.d/00load-remote.conf
+{{{
+source s_net { udp(); };
+destination df_remote { file("/var/log/remote-log/AP$HOST/$DAY$MONTH$YEAR.log" owner(root) group(adm) perm(0600) create_dirs(yes) dir_perm(0700)); };
+log { source(s_net); destination(df_remote); };
+}}}
+
+To allow nat/routing and function as a local gateway/concentrator for the tunneld traffic from eduroam accesspoints (openvpn clients) the following config must be set every boot.
+{{{
+## add the following firewall masquerade code "quick and dirty" at the end of the rc.local file before exit0!
+nano /etc/rc.local
+}}}
+
+#example code# /etc/rc.local
+{{{
+
+#enable forwarding at ip level
+echo "1" > /proc/sys/net/ipv4/ip_forward
+
+#enable nat/routing from eth0
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+#enable nat/routing to eth0 directly
+/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+
+#enable nat/routing to tap0 openvpn
+/sbin/iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
+
+#before exit 0
+}}}
+
+TODO firewall rules Lokaal netwerk nog afschermen!!! zodat eduroam alleen internet op kan en niet netwerk van anywi/katzy/radiusverkeer, wellicht bepaalde porten filteren eduroamcookbook?
+
+==== 2.2b Freeradius ====
 
 Continue setting up freeradius. See following 5 example config files for eduroam SP + idP setup.
@@ -1206 +1335 @@
 }}}
 
-===== 2.1bb Freeradius TTLS/PEAP certificates =====
-
-During install of freeradius, certificates are probably auto generated see "/etc/freeradius/certs" folder. These are needed for the eduroam idP part to allow local authentication of the users we created with a "@wleiden.net" realm. However these certificates are made with a common/default credentials like "Freeradius CA etc" but they can also be customized "Wireless Leiden CA department et " by editing the *.cnf (ca, client, server)files and running the ./bootstrap command. See /usr/share/doc/freeradius/examples/certs/. Probably there is still some parameter in one of the *.cnf file that is common between the ca client and server, therefor it also writes the private key into the public certificate? 
-
-* Bootstrap will probably not run for a second time so move/delete all other files excepts these: bootstrap ca.cnf client.cnf README server.cnf xpextensions. 
-* For editing/customizing the *.cnf files make sure the "server.cnf" and "client.cnf" have a different "commonname" at the end of their files otherwise database TXTDB 2 error. 
-* Warning the *.pem file we will deploy among users needs to be stripped of bag attributes and PRIVATEKEY!!!!
-
- *Mac/Linux 
-The "server.pem" file is the one that needs to be distributed/deployed among the eduroam users to correctly setup their supplicants for safely logging in, for Mac and Linux. For Mac it works, only validating the origin of the certificate !ITSELF! gives a warning (red* mark), since we didn't use/bought a known verified root CA so Mac OSX cannot Validate the "WirelessLeiden CA department" with the certificates it already has from verizon/thawte/etc. We can buy a certificate or we need to supply our own ROOT CA in our case "ca.pem" file. Than the Mac operating systems thinks everything is fine and the red mark about a certificate from a possible unknown provider will be gone. After importing this "root" "ca.pem" it can be easily converted by Mac OSX to "ca.cer" to be usable by Windows XP-8, since windows systems only allows Root (dutch=basis) certificates "ca.cer" to match its radius supplicant instead of "server.pem".
-
- *Windows
-In Windows double click the ca.cer file and import it into the ROOT store! Than you will be able to select it in the PEAP / supplicant option when you setup the eduroam window in network settings! Freeradius by default creates a ca.der file which can be renamed to cer to be used by windows. If Freeradius/certs/ folder also contains a ca.cer it can be automatically be pushed to windows clients for installing!
-
-Convert a DER file (.crt .cer .der) to PEM
-openssl x509 -inform der -in certificate.cer -out certificate.pem
-
-Convert a PEM file to DER
-openssl x509 -outform der -in certificate.pem -out certificate.der
+===== 2.2c Freeradius TTLS/PEAP certificates =====
+
+During install of freeradius, certificates are probably auto generated see "/etc/freeradius/certs" folder. These files are needed for the eduroam idP part to allow safe local authentication via ssl/ttls of the local users we created with a "@wleiden.net" realm. However these certificates are made with common/default credentials like "Freeradius CA etc" but they must be replaced by a certificates supplied from a official Root Certificate Authority Verisign/Comodo/etc to function in a enterprise environment. For testing purposes they can also be generated and customized for instance "Wireless Leiden CA department" by editing the *.cnf (ca, client, server)files and running the ./bootstrap command, see /usr/share/doc/freeradius/examples/certs/.
 
 {{{
@@ -1246 +1359 @@
 }}}
 
-Continue setting up isc-dhcp-server. Besides editing the conf file, the service also needs to be removed from its default boot routine because it starts to early before its openvpn interface is online!
-
-#example code# /etc/dhcp/dhcpd.conf
-{{{
-option domain-name "eduroam.org";
-option domain-name-servers 8.8.8.8; #! since no local dns server is running on this machine specify a correct one! <---
-default-lease-time 600;
-max-lease-time 7200;
-#subnet 192.168.4.0 netmask 255.255.255.0 {
-#       range 192.168.4.100 192.168.4.150;
-#       option routers 192.168.4.1;
-
-#ap's different lease
-class "ubntaps" {
-        match if (substring (hardware, 1, 3) = DC:9F:DB);
-}
-
-class "eduroamusers" {
-        match if not (substring (hardware, 1, 3) = DC:9F:DB);
-}
-
-subnet 192.168.4.0 netmask 255.255.255.0 {
-        option routers 192.168.4.1;
-
-pool {
-        allow members of "ubntaps";
-        range 192.168.4.3 192.168.4.66;
-}
-
-pool {
-        allow members of "eduroamusers";
-        range 192.168.4.150 192.168.4.250;
-}
-
-}
-
-
-}
-}}}
-
-Remove isc-dhcp-server from its normal startup instance!
-{{{
-update-rc.d isc-dhcp-server disable
-}}}
-
-Continue setting up openvpn. Remember that the openvpn server needs:'openvpn.conf', 'up.sh' (script that will initiate the isc-dhcp-server as soon as the openvpn tap0 interface is available) and offcourse server-certificate files (created in part 3.1 of this howto)!
-
-#example code# /etc/openvpn/openvpn.conf
-{{{
-port 1194 
-proto tcp #udp 
-dev tap0
-ca /etc/openvpn/ca.crt
-cert /etc/openvpn/eduradprox.crt #!check name <---
-key /etc/openvpn/eduradprox.key #!check name <---
-dh /etc/openvpn/dh1024.pem
-server-bridge 192.168.3.1 255.255.255.0 192.168.3.100 192.168.3.150 #! still not understood? <---
-mode server
-persist-key
-persist-tun
-verb 4
-log /var/log/openvpn.log
-script-security 2 #! Allows isc-dhcp-server as external program to be started by up.sh <---
-up /etc/openvpn/up.sh
-#duplicate-cn #! allowing this lowers security<---
-status /var/db/openvpn-status.log
-keepalive 10 180
-}}}
-
-#example code# /etc/openvpn/up.sh
-{{{
-#!/bin/sh
-ifup tap0 >/dev/null 2>&1 #allow-hotplug takes care of this?
-#/sbin/ifconfig $1 192.168.4.1/24 up | exit 0
-/bin/sleep 7
-service isc-dhcp-server restart >/dev/null 2>&1
-#/sbin/ifconfig bridge0 addm $1 | exit 0
-}}}
-
-Flag the up.sh script as executable other wise openvpn cannot run!
-{{{
-chmod +x /etc/openvpn/up.sh
-}}}
-
-
-Copy the following server/eduradprox files made on the certnode /etc/openvpn/ to the openvpn server directory.
-{{{
-cp eduradprox.key eduradprox.crt ca.crt dh1024.pem /etc/openvpn/
-}}}
-
-Setup syslog-ng, this will sort remote log files by hostname and day!
-
-#example code# /etc/syslog-ng/conf.d/00load-remote.conf
-{{{
-source s_net { udp(); };
-destination df_remote { file("/var/log/remote-log/AP$HOST/$DAY$MONTH$YEAR.log" owner(root) group(adm) perm(0600) create_dirs(yes) dir_perm(0700)); };
-log { source(s_net); destination(df_remote); };
-}}}
-
-To allow nat/routing and function as a local gateway/concentrator for the tunneld traffic from eduroam accesspoints (openvpn clients) the following config must be set every boot.
-{{{
-## add the following firewall masquerade code "quick and dirty" at the end of the rc.local file before exit0!
-nano /etc/rc.local
-}}}
-
-#example code# /etc/rc.local
-{{{
-
-#enable forwarding at ip level
-echo "1" > /proc/sys/net/ipv4/ip_forward
-
-#enable nat/routing from eth0
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-#enable nat/routing to eth0 directly
-/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
-
-#enable nat/routing to tap0 openvpn
-/sbin/iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
-
-#before exit 0
-}}}
-
-TODO firewall rules Lokaal netwerk nog afschermen!!! zodat eduroam alleen internet op kan en niet netwerk van anywi/katzy/radiusverkeer, wellicht bepaalde porten filteren eduroamcookbook?
+* Bootstrap will probably not run for a second time so move/delete all other files excepts these: bootstrap ca.cnf client.cnf README server.cnf xpextensions. 
+* For editing/customizing the *.cnf files make sure the "server.cnf" and "client.cnf" have a different "commonname" at the end of their files otherwise database TXTDB 2 error. 
+* Security Warning the *.pem file we will deploy among users needs to be stripped of bag attributes and PRIVATEKEY!!!!
+* server.pem must be in der format so that the certificate can be pushed to a windows machine?
+
+The "server.pem" file is the one that needs to be distributed/deployed among the eduroam users to correctly setup their supplicants for safely logging in, for Mac and Linux. Windows systems only allows Root (dutch=basis) certificates "ca.cer" to be matched against the "server.pem" supplied from the radius server supplicant instead of "server.pem" directly. Therefor windows users need the ca.cer file instead of the server.cer/der te be installed, freeradius can also push the certificate so it can be installed upon first authentication! 
+
+In Windows double click the ca.cer file and import it into the ROOT store! Than you will be able to select it in the PEAP / supplicant option when you setup the eduroam window in network settings! Freeradius by default creates a ca.der file which can be renamed to cer to be used by windows. If Freeradius/certs/ folder also contains a ca.cer it can be automatically be pushed to windows clients for installing or change the pem into der of server.pem?
+
+{{{
+#Convert a DER file (.crt .cer .der) to PEM
+openssl x509 -inform der -in certificate.cer -out certificate.pem
+
+#Convert a PEM file to DER
+openssl x509 -outform der -in certificate.pem -out certificate.der
+}}}
 
 === 3 certnode & easy-rsa ===