Setting up a RADIUS at your space

The steps

  1. Apply for a realm
  2. Install Debian on a (virtual) machine
  3. Set up FreeRADIUS
  4. Test authentications
  5. Configure your access points
  6. Open up the RADIUS server to the internet
  7. Instruct your users

Apply for a realm

You can apply for a realm by sending an e-mail to apply@spacefed.net. You will need to prove that you are on the board of your local hackerspace, so we will only reply to realm-admin@yourrealm.tld. Also send us the public IPv4 address of your home server; we will make sure your realm gets added to Spacenet and generate a secret for the communication between the RADIUS servers. We will also give you an account on the test realm to test authentications. Make sure that you remain reachable at this address once the realm is live, as root servers and delegations may need updating from time to time.

If you wish to apply for a top level delegation for your country, you must sign up at least 5 hackerspaces in your country and establish a website where the hackerspaces in your country can apply for realms in your delegated space.

Install Debian on a (virtual) machine

The specifics fall outside the scope of this document. If you need help with this, consider using a hosted SSO package, which we will start supplying.

Setting up FreeRADIUS

The basics

FreeRADIUS works both as an authentication server and as an authentication proxy. On top of RADIUS, several EAP methods are implemented, and these are what should be used. To support Windows clients natively it is beneficial to support at least PEAPv0/EAP-MSCHAPv2. I'd really like to see an EAP-Kerberos method added to the clients, but until then, use EAP-TTLS or PEAPv0 with MS-CHAPv2 password authentication. If you don't mind the administrative burden of setting up a CA and using client certificates, that is also possible; just specify it in the tls block in eap.conf.

When doing PAP or MSCHAPv1 authentication it is important to install the server.pem from the FreeRADIUS certs directory as a trusted CA on the clients, so that they verify the server certificate; otherwise a man-in-the-middle attack is possible.

The conffiles

Overview

You need the following configuration files. We also recommend setting up an OpenLDAP server, as you are going to need it for SAML and most likely for Kerberos later as well. These configuration files assume an OpenLDAP server; if you expressly do not want this, replace 'ldap' with 'files' in the configuration files.

eap.conf

This file configures the local EAP types and certificates.
# -*- text -*-
eap {
        default_eap_type = ttls
        timer_expire     = 60    
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096

        tls {   
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs

                private_key_password = 
                private_key_file = ${certdir}/server.key
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                CA_path = ${cadir}
        }       
        ttls {  
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }       
        peap {  
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

sites-enabled/default

This file configures the initial unencrypted RADIUS session. It is important to reject requests without a realm; otherwise the user could run into trouble at another realm.
# -*- text -*-
authorize {
        preprocess

        suffix
        if (Realm == NULL) {
                update reply {
                      Reply-Message := "Please specify a realm to authenticate with."
                }
                reject
        }

        eap
}

authenticate {
        eap
}


preacct {
        preprocess
        acct_unique
        suffix

}

accounting {
        detail
        radutmp
        exec
        attr_filter.accounting_response
}


session {
        radutmp
}

sites-enabled/inner-tunnel

This file configures the authentication inside the EAP tunnel; it only handles your own realm.
# -*- text -*-
server inner-tunnel {
        listen {
                ipaddr = 127.0.0.1
                port = 18120
                type = auth
        }
        authorize {
                suffix
                if (Realm != "your-realm.tld") {
                        reject
                }
                pap
                mschap
                eap
                ldap

                expiration
                logintime

        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
                ldap
        }
        session {
                radutmp
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
}

proxy.conf

This file configures which realms are handled locally and which are proxied to the root nodes.
# -*- text -*-

proxy server {
        default_fallback = no

}

home_server nlnode1.spacefed.net {
        type = auth+acct
        ipaddr = 192.42.117.138
        port = 1812
        secret = YOUR_SUPPLIED_SECRET
        require_message_authenticator = yes
        response_window = 5
        zombie_period = 60
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
}

home_server_pool root_pool {
        type = client-balance

        # The members of the root delegation pool
        home_server = nlnode1.spacefed.net
        # home_server = ...


}

# Your realm should be local
realm your-realm.tld {
}

# These realms should always be handled locally
realm LOCAL {
}
realm NULL {
}

realm DEFAULT {
        nostrip
        auth_pool       = root_pool
}

clients.conf

This file configures all inbound connections, including those to the root nodes.
# -*- text -*-
client localhost {
        ipaddr = 127.0.0.1
        secret          = CHOOSE_YOUR_OWN
        require_message_authenticator = no
        nastype     = other
}
client nlnode1.spacefed.net {
        secret          = YOUR_SUPPLIED_SECRET
        shortname       = nlnode1
}
client 1.2.3.4 {
        secret          = CHOOSE_YOUR_OWN
        shortname       = my_access_point
}

modules/ldap

This file contains the LDAP connection and filter settings. Enable TLS in the tls block (start_tls and the certificate paths) if your LDAP server does not run on localhost, so that the bind password and the lookups are not sent in the clear.
# -*- text -*-
ldap {
        server = "127.0.0.1"
        identity = "cn=user_with_read_access,dc=your-realm,dc=tld"
        password = YOUR_SECRET
        basedn = "dc=your-realm,dc=tld"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 5 
        timeout = 4 
        timelimit = 3 
        net_timeout = 1 
        tls {
                start_tls = no
                # cacertfile = /path/to/cacert.pem
                # cacertdir  = /path/to/ca/dir/
                # certfile   = /path/to/radius.crt
                # keyfile    = /path/to/radius.key
                # randfile   = /dev/urandom
        }   
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

Opening up the radius to the internet

Make sure you open UDP and TCP ports 1812 and 1813 (authentication and accounting) to the internet. Open them for every client configured in clients.conf, including the root nodes.
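The firewall step above, as an added example that is not part of the original page: a POSIX shell script that reads the client addresses out of clients.conf and emits nftables rules which accept the RADIUS ports only from those sources and drop them for everyone else. The table and chain names (inet filter input), the nftables syntax and the embedded sample clients.conf are assumptions made for this example; it goes slightly beyond the page's wording by adding the final drop rules.

```shell
#!/bin/sh
# Added example, not the page's own code. Builds a host-firewall allow-list for
# the RADIUS ports from clients.conf. Assumes nftables with a table "inet filter"
# and a chain "input" (placeholder names); the sample config below is constructed.

# Print one source address per top-level client block. FreeRADIUS takes the
# address from the block name ("client 1.2.3.4 {") unless an ipaddr = line
# inside the block overrides it. Hostnames are printed as-is.
radius_client_addrs() {
    awk '
        { sub(/[ \t]*#.*$/, "") }                 # drop comments
        NF == 0 { next }                          # skip blank lines
        /^[ \t]*client[ \t]/ && depth == 0 { name = $2; sub(/\{$/, "", name); addr = name }
        /^[ \t]*ipaddr[ \t]*=/ && depth == 1 { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); addr = v }
        /\{[ \t]*$/ { depth++ }
        /^[ \t]*\}/ { depth--; if (depth == 0 && name != "") { print addr; name = "" } }
    ' "$1"
}

# True when the argument looks like a dotted IPv4 address or prefix.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit nft commands: accept auth+acct (UDP/TCP 1812,1813) from each configured
# client, then drop the same ports from any other source.
radius_nft_rules() {
    radius_client_addrs "$1" | while read -r a; do
        if is_ipv4 "$a"; then
            echo "add rule inet filter input ip saddr $a udp dport { 1812, 1813 } accept"
            echo "add rule inet filter input ip saddr $a tcp dport { 1812, 1813 } accept"
        else
            echo "# resolve '$a' and add it by address (firewalls match addresses, not names)"
        fi
    done
    echo "add rule inet filter input udp dport { 1812, 1813 } drop"
    echo "add rule inet filter input tcp dport { 1812, 1813 } drop"
}

# Constructed sample mirroring the clients.conf shown on this page.
sample_clients_conf() {
    cat <<'EOF'
client localhost {
        ipaddr = 127.0.0.1
        secret          = CHOOSE_YOUR_OWN
        require_message_authenticator = no
        nastype     = other
}
client nlnode1.spacefed.net {
        secret          = YOUR_SUPPLIED_SECRET
        shortname       = nlnode1
}
client 1.2.3.4 {
        secret          = CHOOSE_YOUR_OWN
        shortname       = my_access_point
}
EOF
}

conf=$(mktemp)
sample_clients_conf > "$conf"
radius_nft_rules "$conf"
rm -f "$conf"
```

Clients defined by hostname (the root node here) get a comment instead of a rule; take the root node's address from the home_server block in proxy.conf and add it explicitly. Review the output before feeding it to nft -f.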

Testing authentications

It is convenient to use the eapol_test utility (part of wpa_supplicant) to test authentications against the local RADIUS server, using the secret configured for localhost in clients.conf.

You can use it like:
./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN

The auth.conf should contain something like:

network={
        ssid="spacenet"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="username@your-realm.tld"
        anonymous_identity="anonymous@your-realm.tld"
        password="MY_SUPER_SECRET_PASSWORD"
        phase2="auth=EAP-MSCHAPv2"
}
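The test procedure above, as an added example rather than anything from the original page: a small POSIX shell harness that writes the auth.conf for eapol_test, runs it with the localhost secret, and checks the verdict against what the configuration should produce (a user of your realm succeeds, a user without a realm is rejected by the default site). It adds one line the page's auth.conf does not have, ca_cert, so that the test client validates the server certificate the way your users' devices should. eapol_test being on PATH, the RADIUS_SECRET variable, the CA path, the test identities and the passwords are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes eapol_test on PATH, the RADIUS
# server on 127.0.0.1:1812 (eapol_test's default), the localhost secret from
# clients.conf in RADIUS_SECRET, and placeholder identities/passwords/CA path.

# Write a wpa_supplicant-style network block for eapol_test.
# $1 = output file, $2 = identity, $3 = anonymous (outer) identity,
# $4 = password, $5 = CA file to validate the server cert (empty = no validation)
write_eapol_conf() {
    out=$1; ident=$2; anon=$3; pass=$4; ca=$5
    {
        echo 'network={'
        echo '        ssid="spacenet"'
        echo '        key_mgmt=WPA-EAP'
        echo '        eap=PEAP'
        printf '        identity="%s"\n' "$ident"
        printf '        anonymous_identity="%s"\n' "$anon"
        printf '        password="%s"\n' "$pass"
        echo '        phase2="auth=EAP-MSCHAPv2"'
        if [ -n "$ca" ]; then
            printf '        ca_cert="%s"\n' "$ca"   # reject servers not signed by our CA
        fi
        echo '}'
    } > "$out"
}

# Classify an eapol_test transcript: the tool prints SUCCESS or FAILURE as its
# final verdict (and exits non-zero on failure).
classify_eapol_output() {
    if grep -q '^SUCCESS' "$1"; then echo SUCCESS
    elif grep -q '^FAILURE' "$1"; then echo FAILURE
    else echo UNKNOWN
    fi
}

# Run one case and compare the verdict with the expectation.
# $1 = case name, $2 = expected verdict, $3.. = write_eapol_conf arguments 2..5
run_case() {
    name=$1; expected=$2; shift 2
    conf=$(mktemp); log=$(mktemp)
    write_eapol_conf "$conf" "$@"
    eapol_test -c "$conf" -s "$RADIUS_SECRET" > "$log" 2>&1 || true
    got=$(classify_eapol_output "$log")
    rm -f "$conf" "$log"
    if [ "$got" = "$expected" ]; then
        echo "ok   $name: $got"
    else
        echo "FAIL $name: expected $expected, got $got"
        return 1
    fi
}

# Only runs where eapol_test is installed; values below are placeholders.
if command -v eapol_test >/dev/null 2>&1; then
    : "${RADIUS_SECRET:=CHOOSE_YOUR_OWN}"
    CA=/etc/freeradius/certs/ca.pem    # placeholder: the CA you hand to your users
    PW='MY_SUPER_SECRET_PASSWORD'      # placeholder
    run_case local-user SUCCESS testuser@your-realm.tld anonymous@your-realm.tld "$PW" "$CA"
    run_case no-realm   FAILURE testuser anonymous "$PW" "$CA"
    run_case wrong-pass FAILURE testuser@your-realm.tld anonymous@your-realm.tld wrong "$CA"
fi
```

The no-realm case exercises the reject in sites-enabled/default: the outer identity carries no realm, so the server must answer with a reject rather than forwarding the request. If that case reports SUCCESS, the realm check is not in effect.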

Configure your access points

Set up your access points to use WPA2 Enterprise and point them to the IP address of the RADIUS server, using the secret you configured for them in clients.conf.

Instruct your users

Instruct your users how to set up WPA2 Enterprise; it is not hard, but there are a few rules: