
...

A continuación se muestra el contenido de estos ficheros.

clients.conf

El "shortname" sólo aparece en el fichero log. No tiene otra significación.

...

client 127.0.0.1

...

client wlan-switch: definición de los clientes de la home organización. Podría ser un Switch o los Access Points (AP).

client rediris_flrs: definición del servidor RADIUS de RedIRIS. La contraseña se acuerda con RedIRIS.

...

 {
  ipaddr = 127.0.0.1
  netmask = 32
  secret = CHANGE ME
  require_message_authenticator = no

...


  shortname = loopback

...


  nastype = other

...


}

...



client wlan-switch {

...


  ipaddr = IP Address wlan switch

...


  netmask = 32

...


  secret = CHANGE ME

...


  require_message_authenticator = no

...


  nastype = other

...


  shortname =

...

client rediris_flrs1 {
ipaddr = IP Address Servidor RADIUS RedIRIS
netmask = 32
secret = CHANGE ME
require_message_authenticator = no
shortname = rediris_flrs1
nastype = other
}

 wlan-switch
}

client rediris_flrs1 {
  ipaddr = IP Address Servidor RADIUS RedIRIS
  netmask = 32
  secret = CHANGE ME
  require_message_authenticator = no
  shortname = rediris_flrs1
  nastype = other
}

client rediris_flrs2 {
  ipaddr = IP Address Servidor RADIUS RedIRIS
  netmask = 32
  secret = CHANGE ME
  require_message_authenticator = no
  shortname = rediris_flrs2
  nastype = other
}
  • El "shortname" sólo aparece en el fichero log. No tiene otra significación.
  • client 127.0.0.1 se usa para troubleshooting. Sin esta entrada no se puede ejecutar el comando #radtestá desde el mismo servidor.
  • client wlan-switch: definición de los clientes de la home organización. Podría ser un Switch o los Access Points (AP).
  • client rediris_flrs: definición de los servidores RADIUS de RedIRIS. La contraseña se acuerda con RedIRIS.
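Review bot: Every client entry, including the two RedIRIS proxy servers rediris_flrs1 and rediris_flrs2, sets `require_message_authenticator = no`; for the upstream servers this should be `require_message_authenticator = yes`, because without the Message-Authenticator attribute an Access-Request is not authenticated at all (only the password attribute is obfuscated), and since eduroam traffic is EAP, whose packets must already carry that attribute, requiring it costs nothing. Keeping `no` on the `127.0.0.1` entry for radtest is reasonable; for the switch/AP entry it depends on whether the NAS adds the attribute, which is worth stating in the bullet list. The `secret = CHANGE ME` placeholders are fine for a template, but the bullets should add that each secret must be long and random and that clients.conf has to be readable only by the `freerad` user, since the secrets sit in it in clear.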

eap.conf

Definiciones relacionadas con el Extended Authentification Protocol (EAP).
Para (T)TLS hay que configurar el certificado del servidor.

eap {

...


  default_eap_type = tls

...


  timer_expire = 60

...


  ignore_unknown_eap_types = no

...


  cisco_accounting_username_bug = no

...


  max_sessions = 2048

...



  tls {

...


    certdir = ${confdir}/certs

...


    cadir = ${confdir}/certs

...


    private_key_password = CHANGE ME

...


    private_key_file = ${certdir}/server_crypt.key

...


    certificate_file = ${certdir}/server.pem

...


    CA_file = ${cadir}/ca_bundle.pem

...


    dh_file = ${certdir}/dh

...


    random_file = ${certdir}/random

...


    cipher_list = "DEFAULT"

...


    include_length = yes

...


    check_crl = no

...


    copy_request_to_tunnel = no

...


    use_tunneled_reply = no

...

}

...


  }

  ttls {
    default_eap_type = mschapv2

...


    copy_request_to_tunnel = no

...


    use_tunneled_reply = yes

...


  }

...


}
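Review bot: The `tls {}` block stores the key passphrase in clear (`private_key_password = CHANGE ME` for `${certdir}/server_crypt.key`), and the page says nothing about file permissions; a sentence that eap.conf and the certs directory must be readable only by the `freerad` user would close that gap. With `default_eap_type = tls` the server offers EAP-TLS first, yet `check_crl = no` means a revoked client certificate would still be accepted; if EAP-TLS users with client certificates are expected, `check_crl = yes` with a CRL in `${cadir}` should be documented, otherwise the text should say EAP-TLS is only the initial offer and TTLS is the method in use. `cipher_list = "DEFAULT"` leaves the suite choice entirely to the OpenSSL build, which is worth a remark for readers hardening the server. The introductory text calls EAP the "Extended Authentification Protocol"; it is the Extensible Authentication Protocol.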

proxy.conf

proxy server {

...


  default_fallback = yes

...


}

...



home_server rediris_flrs1 {

...


  type = auth+acct

...


  ipaddr = IP Address Servidor RADIUS RedIRIS

...


  port = 1812

...


  secret = CHANGE ME

...


  response_window = 20

...


  zombie_period = 40

...


  revive_interval = 60

...


  status_check = status-server

...


  check_interval = 30

...


  num_answers_to_alive = 3

...


}

...



home_server_pool EDUROAM-FTLR {

...


  type = fail-over

...


  home_server = rediris_flrs1

...


}

...



realm DOMINIO.ORG {

...


  nostrip

...


}

...



realm LOCAL {

...


  nostrip

...


}

...



realm

...

realm DEFAULT {
pool = EDUROAM-FTLR
nostrip
}

users

...

 NULL {
  nostrip
}

realm DEFAULT {
  pool = EDUROAM-FTLR
  nostrip
}
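Review bot: `default_fallback = yes` in `proxy server {}` hands a request whose home servers are all marked dead to the DEFAULT realm, but `realm DEFAULT` itself points at the same `EDUROAM-FTLR` pool, so the fallback has nothing to fall back to; either `default_fallback = no` (reject cleanly when RedIRIS is unreachable) or a DEFAULT realm that is handled locally, and the page should say which behaviour is intended. The pool lists only `home_server = rediris_flrs1` while clients.conf defines rediris_flrs2 too; if the second `home_server` block is in the collapsed part, a sentence noting that `type = fail-over` only helps when both are listed in the pool would help. `realm NULL { nostrip }` keeps bare usernames local and `nostrip` on DEFAULT forwards the full outer identity upstream, which is right for eduroam, but neither is explained in the text.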


users

Aquí se configura un usuario básico de pruebas de RedIRIS (que rechazará la conexión) pero confirmará que el servidor responde.

radius-test@DOMINIO.ORG Auth-Type := Reject
Reply-Message = "RADIUS OK"

radiusd.conf

prefix = /usr/local

...


exec_prefix = ${prefix}

...


sysconfdir = ${prefix}/etc

...


localstatedir = ${prefix}/var

...


sbindir = ${exec_prefix}/sbin

...


logdir = ${localstatedir}/log/radius

...


raddbdir = ${sysconfdir}/raddb

...


radacctdir = ${logdir}/radacct

...



name = radiusd

...



confdir = ${raddbdir}

...


run_dir = ${localstatedir}/run/radiusd

...



db_dir = ${raddbdir}

...



libdir = ${exec_prefix}/lib

...



pidfile = ${run_dir}/${name}.pid

...



user = freerad

...


group = freerad

...



max_request_time = 30

...



cleanup_delay = 5

...



max_requests = 1024

...



listen {

...


type = auth

...


ipaddr = *

...


port = 1812

...


}

...



hostname_lookups = no

...



allow_core_dumps = no

...



regular_expressions = yes

...


extended_expressions = yes

...



log {

...


destination = files

...


file = ${logdir}/radius.log

...


syslog_facility = daemon

...


stripped_names = no

...


auth = no

...


auth_badpass = no

...


auth_goodpass = no

...


}

...



checkrad = ${sbindir}/checkrad

...



security {

...


max_attributes = 200

...


reject_delay = 1

...


status_server = yes

...


}

...



proxy_requests = yes

...


$INCLUDE proxy.conf

...


$INCLUDE clients.conf

...



thread pool {

...


start_servers = 5

...


max_servers = 32

...


min_spare_servers = 3

...


max_spare_servers = 10

...


max_requests_per_server = 0

...


}

...



modules {

...


$INCLUDE ${confdir}/modules/

...


$INCLUDE eap.conf

...


$INCLUDE sql.conf

...


$INCLUDE sql/mysql/counter.conf

...


}

...



instantiate {

...


exec

...


expr

...


expiration

...


logintime

...


}

...



$INCLUDE policy.conf

...


$INCLUDE sites-enabled/
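Review bot: The `log {}` block sets `auth = no`, so no per-authentication Accept/Reject line is written to `${logdir}/radius.log`; for an eduroam server that log is what ties an incident to a user and a NAS, so `auth = yes` is the more defensible setting, while `auth_badpass = no` and `auth_goodpass = no` must stay as they are because they would put passwords into the log. `listen { ipaddr = * port = 1812 }` binds every interface, which is acceptable only because clients.conf restricts who may send requests; a sentence saying so would stop readers from treating it as open. The `$INCLUDE sql.conf` and `$INCLUDE sql/mysql/counter.conf` lines under `modules {}` pull in SQL configuration the page never describes; if SQL is not used in this setup they could be dropped, otherwise the page should say what sql.conf must contain.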

modules/ldap

En este ejemplo se incluye el uso del atributo "mail" como identificador y también, comentado, un uso más adaptado al esquema "eduPerson".

...

  1. server = "ldaps://LDAP-SERVER.DOMINIO.ORG"
  2. port = 636
    identity="cn=CHANGE ME,dc=DOMINIO,dc=ORG"
    password="CHANGE ME"
    basedn = "ou=CHANGE ME,dc=DOMINIO,dc=ORG"
    filter = "(mail=%{User-Name})"
  3. filter = "(eduPersonPrincipalName=%{User-Name})"
    base_filter = ""
    access_attr = "mail"
  4. access_attr = "eduPersonPrincipalName"
    password_attribute = "userPassword"
    groupname_attribute = ""
    groupmembership_filter = ""
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    }
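Review bot: `password_attribute = "userPassword"` together with pap's `auto_header = yes` lets PAP verify hashed passwords, but the ttls block in eap.conf selects `default_eap_type = mschapv2`, and MS-CHAPv2 cannot be verified from a salted or one-way hashed userPassword, only from a cleartext or NT-hash value; the guide should either state that requirement on the directory or make the inner method `pap`, which is what the userPassword plus auto_header setup actually supports. The bind `identity` and `password` are stored in clear here, so modules/ldap should be readable only by the `freerad` user, and the bind account should have read access to userPassword only for the accounts it authenticates. The `1.`–`4.` prefixes look like list-numbering artifacts; the text says the eduPerson variant (the second `filter` and `access_attr` lines) is commented out, so those two lines should show a leading `#`, and the opening `ldap {` line is missing from the listing.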

modules/pap

El parámetro "auto_header" es necesario para que discrimine de forma automática si las contraseñas se almacenan en el LDAP usando algún tipo de hash y "sepa" seleccionar el adecuado.

pap {
auto_header = yes
}

sites-available/eduroam

Reemplaza "DOMINIO.ORG" por tu dominio.

...