# /opt/eduroam/radiusd.conf
# Complete FreeRADIUS 3.2.7 configuration for eduroam
# Minimal single-file configuration
# Let's keep everything in /opt/eduroam (assigned to confdir parameter).
# The eduroam has two local domains:
# 1) username@eduroam.camk.edu.pl
# 2) username@camk.bartycka18
# Everything with different domains should be proxied to ${nask_address} and use the password "${nask_secret}"
#
# If the user is identified, assign a vlan
#
# The user of @eduroam.camk.edu.pl and @camk.bartycka18 should have a
# copy of ca.pem and use it to verify the requests
# The user should use Protected EAP (PEAP) and MSCHAPv2 for authentication.
#
# Layout: global paths first, then server-wide settings, then the
# "security" section.  All later sections (threads, logging, listeners,
# clients, modules, proxy, policies, virtual servers) follow below.

##########################
# Global Configuration
##########################
# Base paths.  Everything under ${confdir} is this deployment's own data;
# ${tlsdir} holds the server certificate, key and CA.
prefix = /usr
sbindir = /usr/bin
localstatedir = /var
logdir = ${localstatedir}/log/radius
radacctdir = ${logdir}/radacct
confdir = /opt/eduroam
tlsdir = ${confdir}/ssl
run_dir = /run

# Character sets for safe usernames
# NOTE(review): read as commented out in the source; re-enable on its own
# line if it was meant to be active.
### safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:"

# Server name
name = radiusd

# Include secrets (passwords, keys): ${AP_secret}, ${nask_address},
# ${nask_secret} and ${server_rsa_password} are referenced further down.
# Keep that file readable only by the account radiusd runs as.
$INCLUDE ${confdir}/secrets.conf

##########################
# Server Configuration
##########################
server_signature = no
# commented out deprecated option: allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# commented out deprecated option: log_stripped_names = no
# commented out deprecated option: log_auth = yes
# commented out deprecated option: log_auth_badpass = no
# commented out deprecated option: log_auth_goodpass = no
# NOTE(review): the next five items are 2.x-era options; 3.2 is believed to
# ignore them — confirm against the shipped radiusd.conf and drop if so.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# seconds before a request is abandoned
max_request_time = 30
# seconds a finished request is kept to answer duplicates
cleanup_delay = 5
# also used as eap max_sessions below
max_requests = 16384
pidfile = ${run_dir}/radiusd.pid
checkrad = ${sbindir}/checkrad
debug_level = 0

##########################
# Security
##########################
# NOTE(review): no "user"/"group" is set here, so radiusd keeps whatever
# privileges it was started with.  Setting them to an unprivileged account
# (and making ${confdir}, ${logdir} and ${tlsdir} readable by it) is the
# usual hardening step — confirm what account exists on this host.
security {
    allow_core_dumps = no
    ### max_attributes = 200
    # seconds to hold an Access-Reject, slows password guessing
    reject_delay = 1
    # answer Status-Server probes (NASK uses them, see home_server below)
    status_server = yes
    allow_vulnerable_openssl = no
}
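##########################
# Thread Pool
##########################
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}

##########################
# Logging
##########################
log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    # auth/auth_badpass/auth_goodpass stay off: no usernames or passwords
    # land in radius.log
    auth = no
    auth_badpass = no
    auth_goodpass = no
    msg_denied = "You are already logged in - access denied"
}

##########################
# Listening Sockets
##########################
# Both sockets bind every interface; which peers may talk to them is
# limited by the client block below.
listen {
    type = auth
    ipaddr = *
    port = 1812
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
    server = default
}
listen {
    type = acct
    ipaddr = *
    port = 1813
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
    server = default
}

##########################
# RADIUS Clients (Access Points)
##########################
client local_APs {
    ipaddr = 192.168.18.0/24
    secret = ${AP_secret}
    shortname = "bartycka18_APs"
    # every Access-Request from the APs must carry a valid
    # Message-Authenticator
    require_message_authenticator = true
    nas_type = other
}

##########################
# Modules
##########################
modules {
    # Always module - for unconditional actions
    always reject {
        rcode = reject
    }
    always fail {
        rcode = fail
    }
    always ok {
        rcode = ok
    }
    always handled {
        rcode = handled
    }
    always invalid {
        rcode = invalid
    }
    always userlock {
        rcode = userlock
    }
    always notfound {
        rcode = notfound
    }
    always noop {
        rcode = noop
    }
    always updated {
        rcode = updated
    }

    # Files module for user authentication
    files {
        filename = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
    }

    # Realm module for parsing @domain.com
    # Used by "preacct" and by the inner tunnel; the outer authorize section
    # does the same split by hand in the check_realm_and_proxy policy.
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    # Preprocess module
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascent_hack = no
        ascent_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
    }

    # Detail logging for accounting
    detail {
        filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
        header = "%t"
        permissions = 0600
        locking = no
        escape_filenames = no
        log_packet_header = no
    }

    # EAP module for 802.1X authentication
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        # TLS configuration for EAP-TLS, PEAP, EAP-TTLS
        tls-config tls-common {
            certificate_file = ${tlsdir}/server.pem
            private_key_file = ${tlsdir}/server.key
            ca_file = ${tlsdir}/ca.pem
            private_key_password = ${server_rsa_password}
            ca_path = ${tlsdir}
            cipher_list = "DEFAULT"
            cipher_server_preference = no
            # TLS 1.0/1.1 are deprecated (RFC 8996) and OpenSSL 3 refuses
            # them at its default security level; 1.2 is also the 3.2
            # default.  1.2 is kept as the maximum for PEAP client
            # compatibility.
            tls_min_version = "1.2"
            tls_max_version = "1.2"
            ecdh_curve = "prime256v1"
            cache {
                enable = no
                lifetime = 24
                max_entries = 255
            }
            verify {
                skip_if_ocsp_ok = no
            }
            ocsp {
                enable = no
                override_cert_url = yes
                url = "http://127.0.0.1/ocsp/"
                use_nonce = yes
                timeout = 0
                softfail = no
            }
        }

        # NOTE(review): the header says PEAP/MSCHAPv2 only; the tls, ttls
        # and md5 sub-sections below enable EAP-TLS, EAP-TTLS and EAP-MD5
        # as well.  Remove the ones that are not wanted.

        # EAP-TLS
        tls {
            tls = tls-common
        }

        # EAP-TTLS
        ttls {
            tls = tls-common
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }

        # EAP-PEAP
        peap {
            tls = tls-common
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            # proxy_tunneled_request_as_eap = yes
            virtual_server = "inner-tunnel"
        }

        # EAP-MSCHAPv2
        mschapv2 {
            send_errors = yes
        }

        # EAP-MD5
        md5 {
        }
    }

    # Unix password checking (if needed)
    # Not referenced by any section below.
    unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
        radwtmp = ${logdir}/radwtmp
    }

    # Attribute manipulation
    # NOTE(review): attr_filter.post-proxy is defined but never called; the
    # post-proxy sections below only run eap, so attributes in replies from
    # NASK reach the APs unfiltered (assign_vlan does override Tunnel-*).
    attr_filter attr_filter.post-proxy {
        filename = ${confdir}/attrs
    }
    attr_filter attr_filter.access_reject {
        filename = ${confdir}/attrs.access_reject
        key = %{User-Name}
    }
    attr_filter attr_filter.access_challenge {
        filename = ${confdir}/attrs.access_challenge
        key = %{User-Name}
    }
    attr_filter attr_filter.accounting_response {
        filename = ${confdir}/attrs.accounting_response
        key = %{User-Name}
    }

    # Expression evaluation module (useful for conditions)
    expr {
    }

    # Expiration module (for account expiration)
    expiration {
    }

    # Login time restrictions
    logintime {
    }

    # Commenting the module out, I don't think it would be needed
    #
    # Exec module (for running external programs)
    # exec {
    #     wait = no
    #     program = "/bin/echo %{User-Name}"
    #     input_pairs = no
    #     output_pairs = no
    #     packet_type = ""
    #     shell_escape = yes
    # }

    # Needed by eap for the inner MSCHAPv2 exchange
    mschap {
    }
}

##########################
# Instantiate Modules
##########################
instantiate {
    expr
    expiration
    logintime
}

##########################
# Proxy Configuration
##########################
proxy server {
    default_fallback = no
}

# Upstream eduroam server (NASK)
# NOTE(review): 3.2.5+ also accepts require_message_authenticator on a
# home_server entry — confirm and consider setting it here as well.
home_server eduroam_nask {
    type = auth+acct
    ipaddr = ${nask_address}
    port = 1812
    secret = ${nask_secret}
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    max_outstanding = 65536
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
    }
}

# Pool for remote eduroam authentication
home_server_pool eduroam_remote {
    type = fail-over
    home_server = eduroam_nask
}

# Realm configuration for proxying
# Exact realm names are matched before the regex one, so the two local
# realms never hit the catch-all.  "nostrip" keeps the full user@realm in
# User-Name.
realm LOCAL {
}
realm "~.+$" {
    pool = eduroam_remote
    nostrip
}
realm eduroam.camk.edu.pl {
    nostrip
}
realm camk.bartycka18 {
    nostrip
}

##########################
# Policy Configuration
##########################
policy {
    # VLAN assignment policy
    # NOTE(review): the final "else" also puts proxied (visitor) and
    # realm-less users on VLAN 1003 — confirm that is intended.
    assign_vlan {
        if (&Realm == "eduroam.camk.edu.pl") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "1003"
            }
        }
        elsif (&Realm == "camk.bartycka18") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                # Both VLAN-s are 1003 but it will change one day
                Tunnel-Private-Group-Id := "1003"
            }
        }
        else {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "1003"
            }
        }
    }

    # Check if user should be proxied to remote server
    # Splits user@realm by hand and sets control:Proxy-To-Realm only for
    # realms that are neither of the two local ones.
    check_realm_and_proxy {
        if (&User-Name =~ /^([^@]+)@(.+)$/) {
            update request {
                Stripped-User-Name := "%{1}"
                Realm := "%{2}"
            }
        }
        # Local realms - don't proxy
        if (&Realm == "eduroam.camk.edu.pl") {
            noop
        }
        elsif (&Realm == "camk.bartycka18") {
            noop
        }
        # All other realms should be proxied.  The "elsif (&Realm)" guard
        # keeps a username without "@" (Realm never set) from getting an
        # empty Proxy-To-Realm; such requests are handled locally.
        elsif (&Realm) {
            update control {
                Proxy-To-Realm := "%{Realm}"
            }
        }
    }

    # Remove reply message if EAP is in use
    remove_reply_message_if_eap {
        if (&reply:EAP-Message) {
            update reply {
                Reply-Message !* ANY
            }
        }
    }
}

##########################
# Virtual Servers
##########################
# Main server
server default {
    authorize {
        # Basic request preprocessing
        preprocess
        # Parse realm from username suffix
        # Check realm and set up proxying if needed
        check_realm_and_proxy
        if (&control:Proxy-To-Realm) {
            # Foreign realm: nothing to look up locally.  rlm_eap returns
            # noop when Proxy-To-Realm is set, so the request must not fall
            # through to the "reject" below or it would never be forwarded.
            ok
        }
        else {
            # If this is a local realm, check local users file (once)
            files
            eap {
                ok = return
                updated = return
            }
            # Only EAP (PEAP/MSCHAPv2) is accepted for local users
            reject
        }
    }
    authenticate {
        # EAP authentication
        Auth-Type EAP {
            eap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    preacct {
        preprocess
        suffix
    }
    accounting {
        detail
    }
    post-auth {
        # Assign VLAN after successful authentication
        assign_vlan
        # Handle EAP post-auth
        if (&reply:EAP-Message) {
            eap
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

# Inner tunnel server for PEAP/TTLS
server inner-tunnel {
    authorize {
        suffix
        # Update inner tunnel identity: the inner request is never proxied
        update control {
            &Proxy-To-Realm := LOCAL
        }
        # Check local users for inner authentication
        files
        eap {
            ok = return
        }
    }
    authenticate {
        Auth-Type EAP {
            eap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}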