[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 4 commits: Rework Samba configuration to match 'standalone server' role and to ease freeRADIUS setup
Wolfgang Schweer
gitlab at salsa.debian.org
Tue Jan 12 09:44:41 GMT 2021
Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
cb3b436f by Wolfgang Schweer at 2021-01-12T00:03:01+01:00
Rework Samba configuration to match 'standalone server' role and to ease freeRADIUS setup
etc/samba/smb-debian-edu.conf: Use TJENER instead of SKOLELINUX as workgroup
name to match the Samba server 'standalone' role; this way TJENER will be used
as domain name for freeRADIUS automatically. As an additional benefit the
wbinfo command is working to check users.
Move the 'ntlm auth' entry from share/debian-edu-config/smb.conf.edu-site
to etc/samba/smb-debian-edu.conf (and enable it) to avoid a possible
pitfall in case manual adjustment is forgotten.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
7ab86cf3 by Wolfgang Schweer at 2021-01-12T00:10:54+01:00
Improve the share/debian-edu-config/tools/setup-freeradius-server tool
Configure EAP-TTLS/PAP authentication (via Kerberos) in addition to PEAP-MSCHAPV2
to provide EAP methods for various end user devices.
Keep all configuration adjustments inside the tool to itself so that it can be
used standalone.
Add/improve inline documentation.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
4bac1b20 by Wolfgang Schweer at 2021-01-12T00:14:10+01:00
Drop files previously needed for freeRADIUS configuration
All configuration is now done modifying related files directly instead of using
share/debian-edu-config/freeradius-* template files.
Adjust Makefile and debian/debian-edu-config.postinst accordingly.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
8bd91908 by Wolfgang Schweer at 2021-01-12T00:19:38+01:00
Add changelog entries for last commits
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
10 changed files:
- Makefile
- debian/changelog
- debian/debian-edu-config.postinst
- etc/samba/smb-debian-edu.conf
- − share/debian-edu-config/freeradius-authorize
- − share/debian-edu-config/freeradius-clients.conf
- − share/debian-edu-config/freeradius-eap.conf
- − share/debian-edu-config/freeradius-mschap.conf
- share/debian-edu-config/smb.conf.edu-site
- share/debian-edu-config/tools/setup-freeradius-server
Changes:
=====================================
Makefile
=====================================
@@ -336,10 +336,6 @@ install: install-testsuite
share/debian-edu-config/debian-edu.ldapscripts.passwd \
share/debian-edu-config/debian-edu-timesyncd.conf \
share/debian-edu-config/passwords_stub.dat \
- share/debian-edu-config/freeradius-authorize \
- share/debian-edu-config/freeradius-clients.conf \
- share/debian-edu-config/freeradius-eap.conf \
- share/debian-edu-config/freeradius-mschap.conf \
share/debian-edu-config/gosa.conf.template \
share/debian-edu-config/lightdm-gtk-greeter.conf \
share/debian-edu-config/sudo-ldap.conf \
=====================================
debian/changelog
=====================================
@@ -1,3 +1,24 @@
+debian-edu-config (2.11.44) UNRELEASED; urgency=medium
+
+ * Improve freeRADIUS server setup:
+ - etc/samba/smb-debian-edu.conf: Use TJENER instead of SKOLELINUX as
+ workgroup name to match the Samba server 'standalone' role; this way
+ TJENER will be used as domain name for freeRADIUS automatically. As an
+ additional benefit the wbinfo command is working to check users.
+ - Move the 'ntlm auth' entry from share/debian-edu-config/smb.conf.edu-site
+ to etc/samba/smb-debian-edu.conf (and enable it) to avoid a possible
+ pitfall in case manual adjustment is forgotten.
+ - share/debian-edu-config/tools/setup-freeradius-server:
+ + Configure EAP-TTLS/PAP authentication (via Kerberos) in addition to
+ PEAP-MSCHAPV2 to provide EAP methods for various end user devices.
+ + Keep all configuration adjustments inside the tool to itself so that it
+ can be used standalone.
+ + Add/improve inline documentation.
+ - Drop no longer needed files (share/debian-edu-config/freeradius-*), adjust
+ Makefile and debian/debian-edu-config.postinst accordingly.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Fri, 08 Jan 2021 17:49:20 +0100
+
debian-edu-config (2.11.43) unstable; urgency=medium
[ Wolfgang Schweer ]
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -218,6 +218,13 @@ configure)
if dpkg --compare-versions "$2" le "2.11.42" ; then
rm -rf /usr/lib/systemd/cups.service.d
fi
+ # Remove no longer used freeradius setup template files.
+ if dpkg --compare-versions "$2" le "2.11.44" ; then
+ rm -rf /usr/share/debian-edu-config/freeradius-eap.conf
+ rm -rf /usr/share/debian-edu-config/freeradius-mschap.conf
+ rm -rf /usr/share/debian-edu-config/freeradius-authorize
+ rm -rf /usr/share/debian-edu-config/freeradius-clients.conf
+ fi
;;
esac
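Review bot: the four paths in the new block are regular files, so `rm -f` is enough; `rm -rf` is only needed for the directory removed in the cups.service.d block just above it. It is also worth checking whether the block is needed at all: the files were shipped by the package (this push drops them from the Makefile install list), and dpkg removes files that disappear from a package's file list on upgrade, so the explicit removal only matters for copies that could exist outside package ownership. If it stays, comparing against `2.11.43` (the last version that shipped them) states the intent more precisely than `le "2.11.44"`.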
=====================================
etc/samba/smb-debian-edu.conf
=====================================
@@ -4,7 +4,7 @@
# Wolfgang Schweer <wschweer at arcor.de>
# First edited: 2020-10-21
-# Last edited: 2020-10-27
+# Last edited: 2021-01-08
# NOTE: Don't edit this file. If you want to change settings, copy
# /usr/share/debian-edu-config/smb.conf.edu-site to the /etc/samba dir.
@@ -58,7 +58,7 @@
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
- workgroup = SKOLELINUX
+ workgroup = TJENER
netbios name = tjener
#### Networking ####
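Review bot: the workgroup rename is what makes winbind report TJENER as the domain prefix (the commit message relies on this for freeRADIUS and for `wbinfo`), but nothing in the file says so; a one-line comment next to `workgroup = TJENER` stating that the value is tied to the standalone role and must not be changed independently of the freeRADIUS setup would keep a site admin from reverting it to SKOLELINUX through smb.conf.edu-site. Only the `Last edited` date above records that the file changed.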
@@ -126,6 +126,15 @@
printcap name = /dev/null
disable spoolss = yes
+############ Debian Edu specific freeRADIUS ############
+
+# The ntlm auth entry is needed for freeRADIUS with PEAP-MSCHAPv2; the related
+# /etc/freeradius/3.0/mods-available/mschap file must contain this long line:
+# ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
+# --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
+# --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ ntlm auth = mschapv2-and-ntlmv2-only
+
############ Misc ############
# Using the following line enables you to customise your configuration
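Review bot: the comment block reproduces the exact `ntlm_auth = ...` line that /etc/freeradius/3.0/mods-available/mschap must contain, and a copy in smb.conf will silently drift from whatever setup-freeradius-server actually writes; point at the tool as the authoritative source instead of duplicating the line here. The chosen value `ntlm auth = mschapv2-and-ntlmv2-only` is the right one for this purpose, since it lets ntlm_auth answer freeRADIUS's `--allow-mschapv2` requests while still refusing plain NTLMv1, and the comment would be more useful if it said that rather than only "is needed".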
=====================================
share/debian-edu-config/freeradius-authorize deleted
=====================================
@@ -1,212 +0,0 @@
-#
-# Configuration file for the rlm_files module.
-# Please see rlm_files(5) manpage for more information.
-#
-# This file contains authentication security and configuration
-# information for each user. Accounting requests are NOT processed
-# through this file. Instead, see 'accounting', in this directory.
-#
-# The first field is the user's name and can be up to
-# 253 characters in length. This is followed (on the same line) with
-# the list of authentication requirements for that user. This can
-# include password, comm server name, comm server port number, protocol
-# type (perhaps set by the "hints" file), and huntgroup name (set by
-# the "huntgroups" file).
-#
-# If you are not sure why a particular reply is being sent by the
-# server, then run the server in debugging mode (radiusd -X), and
-# you will see which entries in this file are matched.
-#
-# When an authentication request is received from the comm server,
-# these values are tested. Only the first match is used unless the
-# "Fall-Through" variable is set to "Yes".
-#
-# A special user named "DEFAULT" matches on all usernames.
-# You can have several DEFAULT entries. All entries are processed
-# in the order they appear in this file. The first entry that
-# matches the login-request will stop processing unless you use
-# the Fall-Through variable.
-#
-# Indented (with the tab character) lines following the first
-# line indicate the configuration values to be passed back to
-# the comm server to allow the initiation of a user session.
-# This can include things like the PPP configuration values
-# or the host to log the user onto.
-#
-# You can include another `users' file with `$INCLUDE users.other'
-
-#
-# For a list of RADIUS attributes, and links to their definitions,
-# see: http://www.freeradius.org/rfc/attributes.html
-#
-# Entries below this point are examples included in the server for
-# educational purposes. They may be deleted from the deployed
-# configuration without impacting the operation of the server.
-#
-
-#
-# Deny access for a specific user. Note that this entry MUST
-# be before any other 'Auth-Type' attribute which results in the user
-# being authenticated.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#lameuser Auth-Type := Reject
-# Reply-Message = "Your account has been disabled."
-
-#
-# Deny access for a group of users.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#DEFAULT Group == "disabled", Auth-Type := Reject
-# Reply-Message = "Your account has been disabled."
-#
-
-############## Debian Edu specific example #########################
-# Uncomment next two lines to only allow LDAP group 'teachers'.
-#DEFAULT Group != "teachers", Auth-Type := Reject
-# Reply-Message = "Accessing wireless network is not allowed."
-####################################################################
-
-#
-# This is a complete entry for "steve". Note that there is no Fall-Through
-# entry so that no DEFAULT entry will be used, and the user will NOT
-# get any attributes in addition to the ones listed here.
-#
-#steve Cleartext-Password := "testing"
-# Service-Type = Framed-User,
-# Framed-Protocol = PPP,
-# Framed-IP-Address = 172.16.3.33,
-# Framed-IP-Netmask = 255.255.255.0,
-# Framed-Routing = Broadcast-Listen,
-# Framed-Filter-Id = "std.ppp",
-# Framed-MTU = 1500,
-# Framed-Compression = Van-Jacobsen-TCP-IP
-
-#
-# The canonical testing user which is in most of the
-# examples.
-#
-#bob Cleartext-Password := "hello"
-# Reply-Message := "Hello, %{User-Name}"
-#
-
-#
-# This is an entry for a user with a space in their name.
-# Note the double quotes surrounding the name. If you have
-# users with spaces in their names, you must also change
-# the "filter_username" policy to allow spaces.
-#
-# See raddb/policy.d/filter, filter_username {} section.
-#
-#"John Doe" Cleartext-Password := "hello"
-# Reply-Message = "Hello, %{User-Name}"
-
-#
-# Dial user back and telnet to the default host for that port
-#
-#Deg Cleartext-Password := "ge55ged"
-# Service-Type = Callback-Login-User,
-# Login-IP-Host = 0.0.0.0,
-# Callback-Number = "9,5551212",
-# Login-Service = Telnet,
-# Login-TCP-Port = Telnet
-
-#
-# Another complete entry. After the user "dialbk" has logged in, the
-# connection will be broken and the user will be dialed back after which
-# he will get a connection to the host "timeshare1".
-#
-#dialbk Cleartext-Password := "callme"
-# Service-Type = Callback-Login-User,
-# Login-IP-Host = timeshare1,
-# Login-Service = PortMaster,
-# Callback-Number = "9,1-800-555-1212"
-
-#
-# user "swilson" will only get a static IP number if he logs in with
-# a framed protocol on a terminal server in Alphen (see the huntgroups file).
-#
-# Note that by setting "Fall-Through", other attributes will be added from
-# the following DEFAULT entries
-#
-#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
-# Framed-IP-Address = 192.0.2.65,
-# Fall-Through = Yes
-
-#
-# If the user logs in as 'username.shell', then authenticate them
-# using the default method, give them shell access, and stop processing
-# the rest of the file.
-#
-#DEFAULT Suffix == ".shell"
-# Service-Type = Login-User,
-# Login-Service = Telnet,
-# Login-IP-Host = your.shell.machine
-
-
-#
-# The rest of this file contains the several DEFAULT entries.
-# DEFAULT entries match with all login names.
-# Note that DEFAULT entries can also Fall-Through (see first entry).
-# A name-value pair from a DEFAULT entry will _NEVER_ override
-# an already existing name-value pair.
-#
-
-# Sample defaults for all framed connections.
-#
-#DEFAULT Service-Type == Framed-User
-# Framed-IP-Address = 255.255.255.254,
-# Framed-MTU = 576,
-# Service-Type = Framed-User,
-# Fall-Through = Yes
-
-#
-# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
-# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
-# by the terminal server in which case there may not be a "P" suffix.
-# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
-#
-DEFAULT Framed-Protocol == PPP
- Framed-Protocol = PPP,
- Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
-#
-DEFAULT Hint == "CSLIP"
- Framed-Protocol = SLIP,
- Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for SLIP: dynamic IP address, SLIP mode.
-#
-DEFAULT Hint == "SLIP"
- Framed-Protocol = SLIP
-
-#
-# Last default: rlogin to our main server.
-#
-#DEFAULT
-# Service-Type = Login-User,
-# Login-Service = Rlogin,
-# Login-IP-Host = shellbox.ispdomain.com
-
-# #
-# # Last default: shell on the local terminal server.
-# #
-# DEFAULT
-# Service-Type = Administrative-User
-
-
-# On no match, the user is denied access.
-
-
-#########################################################
-# You should add test accounts to the TOP of this file! #
-# See the example user "bob" above. #
-#########################################################
-
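Review bot: the deleted template carried the only Debian Edu specific content in this file, the commented `DEFAULT Group != "teachers", Auth-Type := Reject` example for limiting wireless access to one LDAP group. The commit message says configuration is now done by editing the live files directly, so confirm that this example (or an equivalent hint) survives in the inline documentation of setup-freeradius-server; otherwise the group-restriction option disappears from the shipped docs.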
=====================================
share/debian-edu-config/freeradius-clients.conf deleted
=====================================
@@ -1,276 +0,0 @@
-# -*- text -*-
-##
-## clients.conf -- client configuration directives
-##
-## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $
-
-#######################################################################
-#
-# Define RADIUS clients (usually a NAS, Access Point, etc.).
-
-#
-# Defines a RADIUS client.
-#
-# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
-# to allow testing of the server after an initial installation. If you
-# are not going to be permitting RADIUS queries from localhost, we suggest
-# that you delete, or comment out, this entry.
-#
-#
-
-#
-# Each client has a "short name" that is used to distinguish it from
-# other clients.
-#
-# In version 1.x, the string after the word "client" was the IP
-# address of the client. In 2.0, the IP address is configured via
-# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
-# format is still accepted.
-#
-client localhost {
- # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
- # a client.
- #
- # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
- # notation '/<mask>' to specify ranges.
- #
- # ipaddr will accept domain names e.g. example.org resolving
- # them via DNS.
- #
- # If both A and AAAA records are found, A records will be
- # used in preference to AAAA.
- ipaddr = 127.0.0.1
-
- # Same as ipaddr but allows v4 addresses only. Requires A
- # record for domain names.
-# ipv4addr = * # any. 127.0.0.1 == localhost
-
- # Same as ipaddr but allows v6 addresses only. Requires AAAA
- # record for domain names.
-# ipv6addr = :: # any. ::1 == localhost
-
- #
- # A note on DNS: We STRONGLY recommend using IP addresses
- # rather than host names. Using host names means that the
- # server will do DNS lookups when it starts, making it
- # dependent on DNS. i.e. If anything goes wrong with DNS,
- # the server won't start!
- #
- # The server also looks up the IP address from DNS once, and
- # only once, when it starts. If the DNS record is later
- # updated, the server WILL NOT see that update.
- #
-
- #
- # The transport protocol.
- #
- # If unspecified, defaults to "udp", which is the traditional
- # RADIUS transport. It may also be "tcp", in which case the
- # server will accept connections from this client ONLY over TCP.
- #
- proto = *
-
- #
- # The shared secret use to "encrypt" and "sign" packets between
- # the NAS and FreeRADIUS. You MUST change this secret from the
- # default, otherwise it's not a secret any more!
- #
- # The secret can be any string, up to 8k characters in length.
- #
- # Control codes can be entered vi octal encoding,
- # e.g. "\101\102" == "AB"
- # Quotation marks can be entered by escaping them,
- # e.g. "foo\"bar"
- #
- # A note on security: The security of the RADIUS protocol
- # depends COMPLETELY on this secret! We recommend using a
- # shared secret that is composed of:
- #
- # upper case letters
- # lower case letters
- # numbers
- #
- # And is at LEAST 8 characters long, preferably 16 characters in
- # length. The secret MUST be random, and should not be words,
- # phrase, or anything else that is recognisable.
- #
- # The default secret below is only for testing, and should
- # not be used in any real environment.
- #
- secret = testing123
-
- #
- # Old-style clients do not send a Message-Authenticator
- # in an Access-Request. RFC 5080 suggests that all clients
- # SHOULD include it in an Access-Request. The configuration
- # item below allows the server to require it. If a client
- # is required to include a Message-Authenticator and it does
- # not, then the packet will be silently discarded.
- #
- # allowed values: yes, no
- require_message_authenticator = no
-
- #
- # The short name is used as an alias for the fully qualified
- # domain name, or the IP address.
- #
- # It is accepted for compatibility with 1.x, but it is no
- # longer necessary in >= 2.0
- #
-# shortname = localhost
-
- #
- # the following three fields are optional, but may be used by
- # checkrad.pl for simultaneous use checks
- #
-
- #
- # The nas_type tells 'checkrad.pl' which NAS-specific method to
- # use to query the NAS for simultaneous use.
- #
- # Permitted NAS types are:
- #
- # cisco
- # computone
- # livingston
- # juniper
- # max40xx
- # multitech
- # netserver
- # pathras
- # patton
- # portslave
- # tc
- # usrhiper
- # other # for all other types
-
- #
- nas_type = other # localhost isn't usually a NAS...
-
- #
- # The following two configurations are for future use.
- # The 'naspasswd' file is currently used to store the NAS
- # login name and password, which is used by checkrad.pl
- # when querying the NAS for simultaneous use.
- #
-# login = !root
-# password = someadminpas
-
- #
- # As of 2.0, clients can also be tied to a virtual server.
- # This is done by setting the "virtual_server" configuration
- # item, as in the example below.
- #
-# virtual_server = home1
-
- #
- # A pointer to the "home_server_pool" OR a "home_server"
- # section that contains the CoA configuration for this
- # client. For an example of a coa home server or pool,
- # see raddb/sites-available/originate-coa
-# coa_server = coa
-
- #
- # Response window for proxied packets. If non-zero,
- # then the lower of (home, client) response_window
- # will be used.
- #
- # i.e. it can be used to lower the response_window
- # packets from one client to a home server. It cannot
- # be used to raise the response_window.
- #
-# response_window = 10.0
-
- #
- # Connection limiting for clients using "proto = tcp".
- #
- # This section is ignored for clients sending UDP traffic
- #
- limit {
- #
- # Limit the number of simultaneous TCP connections from a client
- #
- # The default is 16.
- # Setting this to 0 means "no limit"
- max_connections = 16
-
- # The per-socket "max_requests" option does not exist.
-
- #
- # The lifetime, in seconds, of a TCP connection. After
- # this lifetime, the connection will be closed.
- #
- # Setting this to 0 means "forever".
- lifetime = 0
-
- #
- # The idle timeout, in seconds, of a TCP connection.
- # If no packets have been received over the connection for
- # this time, the connection will be closed.
- #
- # Setting this to 0 means "no timeout".
- #
- # We STRONGLY RECOMMEND that you set an idle timeout.
- #
- idle_timeout = 30
- }
-}
-
-# IPv6 Client
-client localhost_ipv6 {
- ipv6addr = ::1
- secret = testing123
-}
-
-# All IPv6 Site-local clients
-#client sitelocal_ipv6 {
-# ipv6addr = fe80::/16
-# secret = testing123
-#}
-
-#client example.org {
-# ipaddr = radius.example.org
-# secret = testing123
-#}
-
-#
-# You can now specify one secret for a network of clients.
-# When a client request comes in, the BEST match is chosen.
-# i.e. The entry from the smallest possible network.
-#
-#client private-network-1 {
-# ipaddr = 192.0.2.0/24
-# secret = testing123-1
-#}
-
-#client private-network-2 {
-# ipaddr = 198.51.100.0/24
-# secret = testing123-2
-#}
-
-########################## Debian Edu #################################
-# This takes effect for APs connected to the backbone network that have
-# been configured to use the same secret.
-client backbone-net {
- ipaddr = 10.0.0.0/8
- secret = edu-backbone
-}
-#######################################################################
-
-#
-# Per-socket client lists. The configuration entries are exactly
-# the same as above, but they are nested inside of a section.
-#
-# You can have as many per-socket client lists as you have "listen"
-# sections, or you can re-use a list among multiple "listen" sections.
-#
-# Un-comment this section, and edit a "listen" section to add:
-# "clients = per_socket_clients". That IP address/port combination
-# will then accept ONLY the clients listed in this section.
-#
-#clients per_socket_clients {
-# client socket_client {
-# ipaddr = 192.0.2.4
-# secret = testing123
-# }
-#}
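Review bot: the removed `client backbone-net` block bound one fixed shared secret (`secret = edu-backbone`) to the entire `10.0.0.0/8` range, which any device on the backbone could present as an access point. Since clients.conf is now edited in place by setup-freeradius-server, check that the tool generates or prompts for a site-specific secret and narrows the client range rather than reinstating this well-known default, and that the upstream `secret = testing123` localhost entries are not carried over unchanged either.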
=====================================
share/debian-edu-config/freeradius-eap.conf deleted
=====================================
@@ -1,978 +0,0 @@
-# -*- text -*-
-##
-## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
-##
-## $Id: a89a783663588017b12bcc076362e728261ba8f2 $
-
-#######################################################################
-#
-# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
-# is smart enough to figure this out on its own. The most
-# common side effect of setting 'Auth-Type := EAP' is that the
-# users then cannot use ANY other authentication method.
-#
-eap {
- # Invoke the default supported EAP type when
- # EAP-Identity response is received.
- #
- # The incoming EAP messages DO NOT specify which EAP
- # type they will be using, so it MUST be set here.
- #
- # For now, only one default EAP type may be used at a time.
- #
- # If the EAP-Type attribute is set by another module,
- # then that EAP type takes precedence over the
- # default type configured here.
- #
- default_eap_type = md5
-
- # A list is maintained to correlate EAP-Response
- # packets with EAP-Request packets. After a
- # configurable length of time, entries in the list
- # expire, and are deleted.
- #
- timer_expire = 60
-
- # There are many EAP types, but the server has support
- # for only a limited subset. If the server receives
- # a request for an EAP type it does not support, then
- # it normally rejects the request. By setting this
- # configuration to "yes", you can tell the server to
- # instead keep processing the request. Another module
- # MUST then be configured to proxy the request to
- # another RADIUS server which supports that EAP type.
- #
- # If another module is NOT configured to handle the
- # request, then the request will still end up being
- # rejected.
- #
- ignore_unknown_eap_types = no
-
- # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
- # a User-Name attribute in an Access-Accept, it copies one
- # more byte than it should.
- #
- # We can work around it by configurably adding an extra
- # zero byte.
- #
- cisco_accounting_username_bug = no
-
- # Help prevent DoS attacks by limiting the number of
- # sessions that the server is tracking. For simplicity,
- # this is taken from the "max_requests" directive in
- # radiusd.conf.
- #
- max_sessions = ${max_requests}
-
-
- ############################################################
- #
- # Supported EAP-types
- #
-
-
- # EAP-MD5
- #
- # We do NOT recommend using EAP-MD5 authentication
- # for wireless connections. It is insecure, and does
- # not provide for dynamic WEP keys.
- #
- md5 {
- }
-
-
- # EAP-pwd -- secure password-based authentication
- #
- #pwd {
- # group = 19
-
- # server_id = theserver at example.com
-
- # This has the same meaning as for TLS.
- #
- # fragment_size = 1020
-
- # The virtual server which determines the
- # "known good" password for the user.
- # Note that unlike TLS, only the "authorize"
- # section is processed. EAP-PWD requests can be
- # distinguished by having a User-Name, but
- # no User-Password, CHAP-Password, EAP-Message, etc.
- #
- # virtual_server = "inner-tunnel"
- #}
-
-
- # Cisco LEAP
- #
- # We do not recommend using LEAP in new deployments. See:
- # http://www.securiteam.com/tools/5TP012ACKE.html
- #
- # Cisco LEAP uses the MS-CHAP algorithm (but not
- # the MS-CHAP attributes) to perform it's authentication.
- #
- # As a result, LEAP *requires* access to the plain-text
- # User-Password, or the NT-Password attributes.
- # 'System' authentication is impossible with LEAP.
- #
- leap {
- }
-
-
- # EAP-GTC -- Generic Token Card
- #
- # Currently, this is only permitted inside of EAP-TTLS,
- # or EAP-PEAP. The module "challenges" the user with
- # text, and the response from the user is taken to be
- # the User-Password.
- #
- # Proxying the tunneled EAP-GTC session is a bad idea,
- # the users password will go over the wire in plain-text,
- # for anyone to see.
- #
- gtc {
- # The default challenge, which many clients
- # ignore..
- #
- # challenge = "Password: "
-
- # The plain-text response which comes back
- # is put into a User-Password attribute,
- # and passed to another module for
- # authentication. This allows the EAP-GTC
- # response to be checked against plain-text,
- # or crypt'd passwords.
- #
- # If you say "Local" instead of "PAP", then
- # the module will look for a User-Password
- # configured for the request, and do the
- # authentication itself.
- #
- auth_type = PAP
- }
-
-
- # Common TLS configuration for TLS-based EAP types
- # ------------------------------------------------
- #
- # See raddb/certs/README for additional comments
- # on certificates.
- #
- # If OpenSSL was not found at the time the server was
- # built, the "tls", "ttls", and "peap" sections will
- # be ignored.
- #
- # If you do not currently have certificates signed by
- # a trusted CA you may use the 'snakeoil' certificates.
- # Included with the server in raddb/certs.
- #
- # If these certificates have not been auto-generated:
- # cd raddb/certs
- # make
- #
- # These test certificates SHOULD NOT be used in a normal
- # deployment. They are created only to make it easier
- # to install the server, and to perform some simple
- # tests with EAP-TLS, TTLS, or PEAP.
- #
- # Note that you should NOT use a globally known CA here!
- # e.g. using a Verisign cert as a "known CA" means that
- # ANYONE who has a certificate signed by them can
- # authenticate via EAP-TLS! This is likely not what you want.
- #
- tls-config tls-common {
- private_key_password = whatever
- private_key_file = /etc/freeradius/3.0/certs/server.key
-
- # If Private key & Certificate are located in
- # the same file, then private_key_file &
- # certificate_file must contain the same file
- # name.
- #
- # If ca_file (below) is not used, then the
- # certificate_file below SHOULD also include all of
- # the intermediate CA certificates used to sign the
- # server certificate, but NOT the root CA.
- #
- # Including the ROOT CA certificate is not useful and
- # merely inflates the exchanged data volume during
- # the TLS negotiation.
- #
- # This file should contain the server certificate,
- # followed by intermediate certificates, in order.
- # i.e. If we have a server certificate signed by CA1,
- # which is signed by CA2, which is signed by a root
- # CA, then the "certificate_file" should contain
- # server.pem, followed by CA1.pem, followed by
- # CA2.pem.
- #
- # When using "ca_file" or "ca_dir", the
- # "certificate_file" should contain only
- # "server.pem". And then you may (or may not) need
- # to set "auto_chain", depending on your version of
- # OpenSSL.
- #
- # In short, SSL / TLS certificates are complex.
- # There are many versions of software, each of which
- # behave slightly differently. It is impossible to
- # give advice which will work everywhere. Instead,
- # we give general guidelines.
- #
- certificate_file = /etc/freeradius/3.0/certs/server.crt
-
- # Trusted Root CA list
- #
- # This file can contain multiple CA certificates.
- # ALL of the CA's in this list will be trusted to
- # issue client certificates for authentication.
- #
- # In general, you should use self-signed
- # certificates for 802.1x (EAP) authentication.
- # In that case, this CA file should contain
- # *one* CA certificate.
- #
- ca_file = /etc/freeradius/3.0/certs/ca.pem
- # OpenSSL will automatically create certificate chains,
- # unless we tell it to not do that. The problem is that
- # it sometimes gets the chains right from a certificate
- # signature view, but wrong from the clients view.
- #
- # When setting "auto_chain = no", the server certificate
- # file MUST include the full certificate chain.
- #
- # auto_chain = yes
-
- # If OpenSSL supports TLS-PSK, then we can use a
- # fixed PSK identity and (hex) password. As of
- # 3.0.18, these can be used at the same time as the
- # certificate configuration, but only for TLS 1.0
- # through 1.2.
- #
- # If PSK and certificates are configured at the same
- # time for TLS 1.3, then the server will warn you,
- # and will disable TLS 1.3, as it will not work.
- #
- # The work around is to have two modules (or for
- # RadSec, two listen sections). One will have PSK
- # configured, and the other will have certificates
- # configured.
- #
- # psk_identity = "test"
- # psk_hexphrase = "036363823"
-
- # Dynamic queries for the PSK. If TLS-PSK is used,
- # and psk_query is set, then you MUST NOT use
- # psk_identity or psk_hexphrase.
- #
- # Instead, use a dynamic expansion similar to the one
- # below. It keys off of TLS-PSK-Identity. It should
- # return a of string no more than 512 hex characters.
- # That string will be converted to binary, and will
- # be used as the dynamic PSK hexphrase.
- #
- # Note that this query is just an example. You will
- # need to customize it for your installation.
- #
- # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
-
- # For DH cipher suites to work, you have to
- # run OpenSSL to create the DH file first:
- #
- # openssl dhparam -out certs/dh 2048
- #
- dh_file = ${certdir}/dh
-
- # If your system doesn't have /dev/urandom,
- # you will need to create this file, and
- # periodically change its contents.
- #
- # For security reasons, FreeRADIUS doesn't
- # write to files in its configuration
- # directory.
- #
- # random_file = /dev/urandom
-
- # This can never exceed the size of a RADIUS
- # packet (4096 bytes), and is preferably half
- # that, to accommodate other attributes in
- # RADIUS packet. On most APs the MAX packet
- # length is configured between 1500 - 1600
- # In these cases, fragment size should be
- # 1024 or less.
- #
- # fragment_size = 1024
-
- # include_length is a flag which is
- # by default set to yes If set to
- # yes, Total Length of the message is
- # included in EVERY packet we send.
- # If set to no, Total Length of the
- # message is included ONLY in the
- # First packet of a fragment series.
- #
- # include_length = yes
-
-
- # Check the Certificate Revocation List
- #
- # 1) Copy CA certificates and CRLs to same directory.
- # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
- # 'c_rehash' is OpenSSL's command.
- # 3) uncomment the lines below.
- # 5) Restart radiusd
- # check_crl = yes
-
- # Check if intermediate CAs have been revoked.
- # check_all_crl = yes
-
- ca_path = ${cadir}
-
- # Accept an expired Certificate Revocation List
- #
- # allow_expired_crl = no
-
- # If check_cert_issuer is set, the value will
- # be checked against the DN of the issuer in
- # the client certificate. If the values do not
- # match, the certificate verification will fail,
- # rejecting the user.
- #
- # This check can be done more generally by checking
- # the value of the TLS-Client-Cert-Issuer attribute.
- # This check can be done via any mechanism you
- # choose.
- #
- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # This check is done only if the previous
- # "check_cert_issuer" is not set, or if
- # the check succeeds.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Common-Name attribute. This check
- # can be done via any mechanism you choose.
- #
- # check_cert_cn = %{User-Name}
-
- # Set this option to specify the allowed
- # TLS cipher suites. The format is listed
- # in "man 1 ciphers".
- #
- # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
- #
- cipher_list = "DEFAULT"
-
- # If enabled, OpenSSL will use server cipher list
- # (possibly defined by cipher_list option above)
- # for choosing right cipher suite rather than
- # using client-specified list which is OpenSSl default
- # behavior. Setting this to "yes" means that OpenSSL
- # will choose the servers ciphers, even if they do not
- # best match what the client sends.
- #
- # TLS negotiation is usually good, but can be imperfect.
- # This setting allows administrators to "fine tune" it
- # if necessary.
- #
- cipher_server_preference = no
-
- # You can selectively disable TLS versions for
- # compatability with old client devices.
- #
- # If your system has OpenSSL 1.1.0 or greater, do NOT
- # use these. Instead, set tls_min_version and
- # tls_max_version.
- #
- # disable_tlsv1_2 = no
- disable_tlsv1_1 = yes
- disable_tlsv1 = yes
-
- # Set min / max TLS version. Mainly for Debian
- # "trusty", which disables older versions of TLS, and
- # requires the application to manually enable them.
- #
- # If you are running Debian trusty, you should set
- # these options, otherwise older clients will not be
- # able to connect.
- #
- # Allowed values are "1.0", "1.1", "1.2", and "1.3".
- #
- # Note that the server WILL NOT permit negotiation of
- # TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT
- # finished. It is therefore impossible for the server
- # to negotiate EAP-TLS correctly with TLS 1.3.
- #
- # The values must be in quotes.
- #
- tls_min_version = "1.2"
- tls_max_version = "1.2"
-
- # Elliptical cryptography configuration
- #
- # Only for OpenSSL >= 0.9.8.f
- #
- ecdh_curve = "prime256v1"
-
- # Session resumption / fast reauthentication
- # cache.
- #
- # The cache contains the following information:
- #
- # session Id - unique identifier, managed by SSL
- # User-Name - from the Access-Accept
- # Stripped-User-Name - from the Access-Request
- # Cached-Session-Policy - from the Access-Accept
- #
- # See also the "store" subsection below for
- # additional attributes which can be cached.
- #
- # The "Cached-Session-Policy" is the name of a
- # policy which should be applied to the cached
- # session. This policy can be used to assign
- # VLANs, IP addresses, etc. It serves as a useful
- # way to re-apply the policy from the original
- # Access-Accept to the subsequent Access-Accept
- # for the cached session.
- #
- # On session resumption, these attributes are
- # copied from the cache, and placed into the
- # reply list.
- #
- # You probably also want "use_tunneled_reply = yes"
- # when using fast session resumption.
- #
- # You can check if a session has been resumed by
- # looking for the existence of the EAP-Session-Resumed
- # attribute. Note that this attribute will *only*
- # exist in the "post-auth" section.
- #
- # CAVEATS: The cache is stored and reloaded BEFORE
- # the "post-auth" section is run. This limitation
- # makes caching more difficult than it should be. In
- # practice, it means that the first authentication
- # session must set the reply attributes before the
- # post-auth section is run.
- #
- # When the session is resumed, the attributes are
- # restored and placed into the session-state list.
- #
- cache {
- # Enable it. The default is "no". Deleting the entire "cache"
- # subsection also disables caching.
- #
- # As of version 3.0.14, the session cache requires the use
- # of the "name" and "persist_dir" configuration items, below.
- #
- # The internal OpenSSL session cache has been permanently
- # disabled.
- #
- # You can disallow resumption for a particular user by adding the
- # following attribute to the control item list:
- #
- # Allow-Session-Resumption = No
- #
- # If "enable = no" below, you CANNOT enable resumption for just one
- # user by setting the above attribute to "yes".
- #
- enable = no
-
- # Lifetime of the cached entries, in hours. The sessions will be
- # deleted/invalidated after this time.
- #
- lifetime = 24 # hours
-
- # Internal "name" of the session cache. Used to
- # distinguish which TLS context sessions belong to.
- #
- # The server will generate a random value if unset.
- # This will change across server restart so you MUST
- # set the "name" if you want to persist sessions (see
- # below).
- #
- # name = "EAP module"
-
- # Simple directory-based storage of sessions.
- # Two files per session will be written, the SSL
- # state and the cached VPs. This will persist session
- # across server restarts.
- #
- # The default directory is ${logdir}, for historical
- # reasons. You should ${db_dir} instead. And check
- # the value of db_dir in the main radiusd.conf file.
- # It should not point to ${raddb}
- #
- # The server will need write perms, and the directory
- # should be secured from anyone else. You might want
- # a script to remove old files from here periodically:
- #
- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
- #
- # This feature REQUIRES "name" option be set above.
- #
- # persist_dir = "${logdir}/tlscache"
-
- #
- # As of 3.0.20, it is possible to partially
- # control which attributes exist in the
- # session cache. This subsection lists
- # attributes which are taken from the reply,
- # and saved to the on-disk cache. When the
- # session is resumed, these attributes are
- # added to the "session-state" list. The
- # default configuration will then take care
- # of copying them to the reply.
- #
- store {
- Tunnel-Private-Group-Id
- }
- }
-
- # As of version 2.1.10, client certificates can be
- # validated via an external command. This allows
- # dynamic CRLs or OCSP to be used.
- #
- # This configuration is commented out in the
- # default configuration. Uncomment it, and configure
- # the correct paths below to enable it.
- #
- # If OCSP checking is enabled, and the OCSP checks fail,
- # the verify section is not run.
- #
- # If OCSP checking is disabled, the verify section is
- # run on successful certificate validation.
- #
- verify {
- # If the OCSP checks succeed, the verify section
- # is run to allow additional checks.
- #
- # If you want to skip verify on OCSP success,
- # uncomment this configuration item, and set it
- # to "yes".
- #
- # skip_if_ocsp_ok = no
-
- # A temporary directory where the client
- # certificates are stored. This directory
- # MUST be owned by the UID of the server,
- # and MUST not be accessible by any other
- # users. When the server starts, it will do
- # "chmod go-rwx" on the directory, for
- # security reasons. The directory MUST
- # exist when the server starts.
- #
- # You should also delete all of the files
- # in the directory when the server starts.
- #
- # tmpdir = /tmp/radiusd
-
- # The command used to verify the client cert.
- # We recommend using the OpenSSL command-line
- # tool.
- #
- # The ${..ca_path} text is a reference to
- # the ca_path variable defined above.
- #
- # The %{TLS-Client-Cert-Filename} is the name
- # of the temporary file containing the cert
- # in PEM format. This file is automatically
- # deleted by the server when the command
- # returns.
- #
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
- }
-
- # OCSP Configuration
- #
- # Certificates can be verified against an OCSP
- # Responder. This makes it possible to immediately
- # revoke certificates without the distribution of
- # new Certificate Revocation Lists (CRLs).
- #
- ocsp {
- # Enable it. The default is "no".
- # Deleting the entire "ocsp" subsection
- # also disables ocsp checking
- #
- enable = no
-
- # The OCSP Responder URL can be automatically
- # extracted from the certificate in question.
- # To override the OCSP Responder URL set
- # "override_cert_url = yes".
- #
- override_cert_url = yes
-
- # If the OCSP Responder address is not extracted from
- # the certificate, the URL can be defined here.
- #
- url = "http://127.0.0.1/ocsp/"
-
- # If the OCSP Responder can not cope with nonce
- # in the request, then it can be disabled here.
- #
- # For security reasons, disabling this option
- # is not recommended as nonce protects against
- # replay attacks.
- #
- # Note that Microsoft AD Certificate Services OCSP
- # Responder does not enable nonce by default. It is
- # more secure to enable nonce on the responder than
- # to disable it in the query here.
- # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
- #
- # use_nonce = yes
-
- # Number of seconds before giving up waiting
- # for OCSP response. 0 uses system default.
- #
- # timeout = 0
-
- # Normally an error in querying the OCSP
- # responder (no response from server, server did
- # not understand the request, etc) will result in
- # a validation failure.
- #
- # To treat these errors as 'soft' failures and
- # still accept the certificate, enable this
- # option.
- #
- # Warning: this may enable clients with revoked
- # certificates to connect if the OCSP responder
- # is not available. Use with caution.
- #
- # softfail = no
- }
- }
-
-
- # EAP-TLS
- #
- # As of Version 3.0, the TLS configuration for TLS-based
- # EAP types is above in the "tls-config" section.
- #
- tls {
- # Point to the common TLS configuration
- #
- tls = tls-common
-
- # As part of checking a client certificate, the EAP-TLS
- # sets some attributes such as TLS-Client-Cert-Common-Name. This
- # virtual server has access to these attributes, and can
- # be used to accept or reject the request.
- #
- # virtual_server = check-eap-tls
- }
-
-
- # EAP-TTLS -- Tunneled TLS
- #
- # The TTLS module implements the EAP-TTLS protocol,
- # which can be described as EAP inside of Diameter,
- # inside of TLS, inside of EAP, inside of RADIUS...
- #
- # Surprisingly, it works quite well.
- #
- ttls {
- # Which tls-config section the TLS negotiation parameters
- # are in - see EAP-TLS above for an explanation.
- #
- # In the case that an old configuration from FreeRADIUS
- # v2.x is being used, all the options of the tls-config
- # section may also appear instead in the 'tls' section
- # above. If that is done, the tls= option here (and in
- # tls above) MUST be commented out.
- #
- tls = tls-common
-
- # The tunneled EAP session needs a default EAP type
- # which is separate from the one for the non-tunneled
- # EAP module. Inside of the TTLS tunnel, we recommend
- # using EAP-MD5. If the request does not contain an
- # EAP conversation, then this configuration entry is
- # ignored.
- #
- default_eap_type = md5
-
- # The tunneled authentication request does not usually
- # contain useful attributes like 'Calling-Station-Id',
- # etc. These attributes are outside of the tunnel,
- # and normally unavailable to the tunneled
- # authentication request.
- #
- # By setting this configuration entry to 'yes',
- # any attribute which is NOT in the tunneled
- # authentication request, but which IS available
- # outside of the tunnel, is copied to the tunneled
- # request.
- #
- # allowed values: {no, yes}
- #
- copy_request_to_tunnel = no
-
- # As of version 3.0.5, this configuration item
- # is deprecated. Instead, you should use
- #
- # update outer.session-state {
- # ...
- # }
- #
- # This will cache attributes for the final Access-Accept.
- #
- # The reply attributes sent to the NAS are usually
- # based on the name of the user 'outside' of the
- # tunnel (usually 'anonymous'). If you want to send
- # the reply attributes based on the user name inside
- # of the tunnel, then set this configuration entry to
- # 'yes', and the reply to the NAS will be taken from
- # the reply to the tunneled request.
- #
- # allowed values: {no, yes}
- #
- use_tunneled_reply = no
-
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # A virtual server MUST be specified.
- #
- virtual_server = "inner-tunnel"
-
- # This has the same meaning, and overwrites, the
- # same field in the "tls" configuration, above.
- # The default value here is "yes".
- #
- # include_length = yes
-
- # Unlike EAP-TLS, EAP-TTLS does not require a client
- # certificate. However, you can require one by setting the
- # following option. You can also override this option by
- # setting
- #
- # EAP-TLS-Require-Client-Cert = Yes
- #
- # in the control items for a request.
- #
- # Note that the majority of supplicants do not support using a
- # client certificate with EAP-TTLS, so this option is unlikely
- # to be usable for most people.
- #
- # require_client_cert = yes
- }
-
-
- # EAP-PEAP
- #
-
- ##################################################
- #
- # !!!!! WARNINGS for Windows compatibility !!!!!
- #
- ##################################################
- #
- # If you see the server send an Access-Challenge,
- # and the client never sends another Access-Request,
- # then
- #
- # STOP!
- #
- # The server certificate has to have special OID's
- # in it, or else the Microsoft clients will silently
- # fail. See the "scripts/xpextensions" file for
- # details, and the following page:
- #
- # https://support.microsoft.com/en-us/help/814394/
- #
- # If is still doesn't work, and you're using Samba,
- # you may be encountering a Samba bug. See:
- #
- # https://bugzilla.samba.org/show_bug.cgi?id=6563
- #
- # Note that we do not necessarily agree with their
- # explanation... but the fix does appear to work.
- #
- ##################################################
-
- # The tunneled EAP session needs a default EAP type
- # which is separate from the one for the non-tunneled
- # EAP module. Inside of the TLS/PEAP tunnel, we
- # recommend using EAP-MS-CHAPv2.
- #
- peap {
- # Which tls-config section the TLS negotiation parameters
- # are in - see EAP-TLS above for an explanation.
- #
- # In the case that an old configuration from FreeRADIUS
- # v2.x is being used, all the options of the tls-config
- # section may also appear instead in the 'tls' section
- # above. If that is done, the tls= option here (and in
- # tls above) MUST be commented out.
- #
- tls = tls-common
-
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- # PEAP tunnel, we recommend using MS-CHAPv2,
- # as that is the default type supported by
- # Windows clients.
- #
- default_eap_type = mschapv2
-
- # The PEAP module also has these configuration
- # items, which are the same as for TTLS.
- #
- copy_request_to_tunnel = no
-
- # As of version 3.0.5, this configuration item
- # is deprecated. Instead, you should use
- #
- # update outer.session-state {
- # ...
- # }
- #
- # This will cache attributes for the final Access-Accept.
- #
- use_tunneled_reply = no
-
- # When the tunneled session is proxied, the
- # home server may not understand EAP-MSCHAP-V2.
- # Set this entry to "no" to proxy the tunneled
- # EAP-MSCHAP-V2 as normal MSCHAPv2.
- #
- # proxy_tunneled_request_as_eap = yes
-
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # A virtual server MUST be specified.
- #
- virtual_server = "inner-tunnel"
-
- # This option enables support for MS-SoH
- # see doc/SoH.txt for more info.
- # It is disabled by default.
- #
- # soh = yes
-
- # The SoH reply will be turned into a request which
- # can be sent to a specific virtual server:
- #
- # soh_virtual_server = "soh-server"
-
- # Unlike EAP-TLS, PEAP does not require a client certificate.
- # However, you can require one by setting the following
- # option. You can also override this option by setting
- #
- # EAP-TLS-Require-Client-Cert = Yes
- #
- # in the control items for a request.
- #
- # Note that the majority of supplicants do not support using a
- # client certificate with PEAP, so this option is unlikely to
- # be usable for most people.
- #
- # require_client_cert = yes
- }
-
-
- # EAP-MSCHAPv2
- #
- # Note that it is the EAP MS-CHAPv2 sub-module, not
- # the main 'mschap' module.
- #
- # Note also that in order for this sub-module to work,
- # the main 'mschap' module MUST ALSO be configured.
- #
- # This module is the *Microsoft* implementation of MS-CHAPv2
- # in EAP. There is another (incompatible) implementation
- # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
- # currently support.
- #
- mschapv2 {
- # Prior to version 2.1.11, the module never
- # sent the MS-CHAP-Error message to the
- # client. This worked, but it had issues
- # when the cached password was wrong. The
- # server *should* send "E=691 R=0" to the
- # client, which tells it to prompt the user
- # for a new password.
- #
- # The default is to behave as in 2.1.10 and
- # earlier, which is known to work. If you
- # set "send_error = yes", then the error
- # message will be sent back to the client.
- # This *may* help some clients work better,
- # but *may* also cause other clients to stop
- # working.
- #
- # send_error = no
-
- # Server identifier to send back in the challenge.
- # This should generally be the host name of the
- # RADIUS server. Or, some information to uniquely
- # identify it.
- #
- # identity = "FreeRADIUS"
- }
-
-
- # EAP-FAST
- #
- # The FAST module implements the EAP-FAST protocol
- #
- #fast {
- # Point to the common TLS configuration
- #
- # tls = tls-common
-
- # If 'cipher_list' is set here, it will over-ride the
- # 'cipher_list' configuration from the 'tls-common'
- # configuration. The EAP-FAST module has it's own
- # over-ride for 'cipher_list' because the
- # specifications mandata a different set of ciphers
- # than are used by the other EAP methods.
- #
- # cipher_list though must include "ADH" for anonymous provisioning.
- # This is not as straight forward as appending "ADH" alongside
- # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
- # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
- #
- # Note - for OpenSSL 1.1.0 and above you may need
- # to add ":@SECLEVEL=0"
- #
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
-
- # PAC lifetime in seconds (default: seven days)
- #
- # pac_lifetime = 604800
-
- # Authority ID of the server
- #
- # If you are running a cluster of RADIUS servers, you should make
- # the value chosen here (and for "pac_opaque_key") the same on all
- # your RADIUS servers. This value should be unique to your
- # installation. We suggest using a domain name.
- #
- # authority_identity = "1234"
-
- # PAC Opaque encryption key (must be exactly 32 bytes in size)
- #
- # This value MUST be secret, and MUST be generated using
- # a secure method, such as via 'openssl rand -hex 32'
- #
- # pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
-
- # Same as for TTLS, PEAP, etc.
- #
- # virtual_server = inner-tunnel
- #}
-}
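Review bot: Deleting this template drops the TLS hardening it carried (`disable_tlsv1_1 = yes`, `disable_tlsv1 = yes`, `tls_min_version = "1.2"` / `tls_max_version = "1.2"`, plus `cache { enable = no }` and `ocsp { enable = no }`), and the replacement sed edits in setup-freeradius-server only touch `copy_request_to_tunnel` and `use_tunneled_reply` in mods-available/eap. Whether TLS 1.0/1.1 stay disabled now depends entirely on the packaged eap file; please either verify that in the tool (grep for `tls_min_version` before proceeding) or add a sed line that pins the minimum version, and mention in the commit message that the packaged defaults are being relied on for everything else in this file.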
=====================================
share/debian-edu-config/freeradius-mschap.conf deleted
=====================================
@@ -1,255 +0,0 @@
-# -*- text -*-
-#
-# $Id: 2fbc9278e39516c4fc2e8119d2a5be35858f1e33 $
-
-#
-# Microsoft CHAP authentication
-#
-# This module supports MS-CHAP and MS-CHAPv2 authentication.
-# It also enforces the SMB-Account-Ctrl attribute.
-#
-mschap {
- #
- # If you are using /etc/smbpasswd, see the 'passwd'
- # module for an example of how to use /etc/smbpasswd
- #
-
- #
- # If use_mppe is not set to no mschap, will
- # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
- # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
- #
-# use_mppe = no
-
- #
- # If MPPE is enabled, require_encryption makes
- # encryption moderate
- #
-# require_encryption = yes
-
- #
- # require_strong always requires 128 bit key
- # encryption
- #
-# require_strong = yes
-
- #
- # This module can perform authentication itself, OR
- # use a Windows Domain Controller. This configuration
- # directive tells the module to call the ntlm_auth
- # program, which will do the authentication, and return
- # the NT-Key. Note that you MUST have "winbindd" and
- # "nmbd" running on the local machine for ntlm_auth
- # to work. See the ntlm_auth program documentation
- # for details.
- #
- # If ntlm_auth is configured below, then the mschap
- # module will call ntlm_auth for every MS-CHAP
- # authentication request. If there is a cleartext
- # or NT hashed password available, you can set
- # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
- # and the mschap module will do the authentication itself,
- # without calling ntlm_auth.
- #
- # Be VERY careful when editing the following line!
- #
- # You can also try setting the user name as:
- #
- # ... --username=%{mschap:User-Name} ...
- #
- # In that case, the mschap module will look at the User-Name
- # attribute, and do prefix/suffix checks in order to obtain
- # the "best" user name for the request.
- #
- # For Samba 4, you should also set the "ntlm auth" parameter
- # in the Samba configuration:
- #
- # ntlm auth = yes
- #
- # or
- #
- # ntlm auth = mschapv2-and-ntlmv2-only
- #
- # This will let Samba 4 accept the MS-CHAP authentication
- # method that is needed by FreeRADIUS.
- #
- # Depending on the Samba version, you may also need to add:
- #
- # --allow-mschapv2
- #
- # to the command-line parameters.
- #
- ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --domain=TJENER --request-nt-key \
- --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
- --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
-
- #
- # The default is to wait 10 seconds for ntlm_auth to
- # complete. This is a long time, and if it's taking that
- # long then you likely have other problems in your domain.
- # The length of time can be decreased with the following
- # option, which can save clients waiting if your ntlm_auth
- # usually finishes quicker. Range 1 to 10 seconds.
- #
-# ntlm_auth_timeout = 10
-
- #
- # An alternative to using ntlm_auth is to connect to the
- # winbind daemon directly for authentication. This option
- # is likely to be faster and may be useful on busy systems,
- # but is less well tested.
- #
- # Using this option requires libwbclient from Samba 4.2.1
- # or later to be installed. Make sure that ntlm_auth above is
- # commented out.
- #
-# winbind_username = "%{mschap:User-Name}"
-# winbind_domain = "%{mschap:NT-Domain}"
-
- #
- # When using single sign-on with a winbind connection and the
- # client uses a different casing for the username than the
- # casing is according to the backend, reauth may fail because
- # of some Windows internals. This switch tries to find the
- # user in the correct casing in the backend, and retry
- # authentication with that username.
- #
-# winbind_retry_with_normalised_username = no
-
- #
- # Information for the winbind connection pool. The configuration
- # items below are the same for all modules which use the new
- # connection pool.
- #
- pool {
- #
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # winbind daemon being available.
- #
- start = ${thread[pool].start_servers}
-
- #
- # Minimum number of connections to keep open
- #
- min = ${thread[pool].min_spare_servers}
-
- #
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- #
- max = ${thread[pool].max_servers}
-
- #
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- #
- spare = ${thread[pool].max_spare_servers}
-
- #
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- #
- uses = 0
-
- #
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- #
- retry_delay = 30
-
- #
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- #
- lifetime = 86400
-
- #
- # The pool is checked for free connections every
- # "cleanup_interval". If there are free connections,
- # then one of them is closed.
- #
- cleanup_interval = 300
-
- #
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- #
- idle_timeout = 600
-
- #
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- #
- }
-
- passchange {
- #
- # This support MS-CHAPv2 (not v1) password change
- # requests. See doc/mschap.rst for more IMPORTANT
- # information.
- #
- # Samba/ntlm_auth - if you are using ntlm_auth to
- # validate passwords, you will need to use ntlm_auth
- # to change passwords. Uncomment the three lines
- # below, and change the path to ntlm_auth.
- #
-# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
-# ntlm_auth_username = "username: %{mschap:User-Name}"
-# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
-
- #
- # To implement a local password change, you need to
- # supply a string which is then expanded, so that the
- # password can be placed somewhere. e.g. passed to a
- # script (exec), or written to SQL (UPDATE/INSERT).
- # We give both examples here, but only one will be
- # used.
- #
-# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
- #
-# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
- }
-
- #
- # For Apple Server, when running on the same machine as
- # Open Directory. It has no effect on other systems.
- #
-# use_open_directory = yes
-
- #
- # On failure, set (or not) the MS-CHAP error code saying
- # "retries allowed".
- #
-# allow_retry = yes
-
- #
- # An optional retry message.
- #
-# retry_msg = "Re-enter (or reset) the password"
-}
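Review bot: The `ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --domain=TJENER --request-nt-key ..."` line removed here is only partly reproduced by the three mschap sed edits in setup-freeradius-server: `--allow-mschapv2` is inserted after `nt-key`, but `--domain=TJENER` is not, so the tool now relies on the Samba workgroup change from the first commit for the NT domain. That dependency should be stated in a comment next to the sed lines, since someone running the tool standalone against a different smb.conf will otherwise get failing MS-CHAPv2 authentications with no hint why. The `s#nt-key#nt-key --allow-mschapv2#` substitution should also be guarded (e.g. only apply when the line does not already contain `--allow-mschapv2`), otherwise a packaged mschap file that already carries the flag, or a second run of the tool, ends up with the option twice.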
=====================================
share/debian-edu-config/smb.conf.edu-site
=====================================
@@ -13,13 +13,6 @@
# The template file needs to be generated, see 'man net' for details.
; usershare template share = template
-# Uncomment the next entry for Freeradius 3 to accept PEAP-MSCHAPv2; the file
-# /etc/freeradius/3.0/mods-available/mschap needs this long line:
-# ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --domain=TJENER --request-nt-key \
-# --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
-# --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
-; ntlm auth = mschapv2-and-ntlmv2-only
-
[homes]
# Uncomment if home directories should be writable.
; writable = yes
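Review bot: This removes the only pointer in smb.conf.edu-site to the `ntlm auth = mschapv2-and-ntlmv2-only` requirement; the commit message says the entry now lives, enabled, in etc/samba/smb-debian-edu.conf, but that hunk is not part of this change set as shown. A one-line comment such as `; 'ntlm auth' for freeRADIUS is set in /etc/samba/smb-debian-edu.conf` would stop admins who edit the site file from re-adding the setting by hand, and the stale instruction to paste the long ntlm_auth line into mods-available/mschap is rightly gone now that the tool performs that edit.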
=====================================
share/debian-edu-config/tools/setup-freeradius-server
=====================================
@@ -1,47 +1,122 @@
#!/bin/sh
#
-# This script is called from cf3/cf.freeradius in case both freeradius and
-# winbind packages are installed, but can also be run standalone.
+# Setup freeRADIUS 3 for both EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
#
-# schweer, 2020-12-25
+# Wolfgang Schweer <wschweer at arcor.de>
+# First edited: 2020-12-25
+# Last edited: 2021-01-11
set -e
DIRNAME="/etc/freeradius/3.0/certs"
-PASSWORD="$(pwgen -1)"
-if [ ! -d $DIRNAME ] ; then
-echo "-----------------------------------------------------------------------------"
+# Warn if freeRADIUS has already been configured.
+if [ -f $DIRNAME/ca.der ]; then
+echo "-------------------------------------------------------------------------"
echo ""
- echo "Please install the freeradius and winbind packages, i.e. run:"
- echo "apt update && apt install winbind freeradius -qy"
+ echo "The freeRADIUS server seems to have been configured already, exiting."
echo ""
-echo "-----------------------------------------------------------------------------"
+ echo "If 100% sure freeRADIUS should be configured from scratch again, run:"
+ echo ""
+ echo "rm -rf /etc/freeradius"
+ echo "apt purge freeradius* -yq"
+ echo "apt install freeradius freeradius-krb5 -yq"
+ echo "Then run this tool again."
+ echo ""
+echo "-------------------------------------------------------------------------"
exit 0
fi
-/sbin/usermod -a -G winbindd_priv freerad
-
-cd $DIRNAME
+# Check execute permission.
+if [ ! -d $DIRNAME ] && [ $(id -u) > 0 ]; then
+ echo "Please run $0 as root or use sudo, exiting."
+ exit 0
+fi
-if [ -f ca.der ]; then
-echo "-----------------------------------------------------------------------------"
- echo ""
- echo "The freeRADIUS server seems to have been configured already, exiting."
+# Check if required packages are installed.
+if [ ! -d $DIRNAME ] ; then
+ echo "---------------------------------------------------------------------------------------"
echo ""
- echo "To start freeRADIUS configuration from scratch again, run:"
+ echo "Make sure the winbind, freeradius and freeradius-krb5 packages are installed, i.e. run:"
+ echo "apt update && apt install winbind freeradius freeradius-krb5 -qy"
echo ""
- echo "apt purge freeradius-config winbind -yq"
- echo "rm -rf /etc/freeradius"
- echo "apt install winbind freeradius -yq"
- echo "Then run this tool again."
- echo ""
-echo "-----------------------------------------------------------------------------"
+ echo "---------------------------------------------------------------------------------------"
+ exit 0
+fi
+
+# Only run on a main server (kdadmin.local and /etc/debian-edu/www are required).
+if test -r /etc/debian-edu/config ; then
+ . /etc/debian-edu/config
+fi
+if ! echo "$PROFILE" | grep -q Main-Server ; then
+ echo "It only makes sense to run $0 on a main server, exiting."
exit 0
fi
+cd $DIRNAME
+
+# Kerberos principal and keytab setup-
+if [ ! -f /etc/krb5.keytab.radius ] ; then
+ kadmin.local ank -randkey radius/tjener.intern at INTERN
+ kadmin.local ktadd -k /etc/krb5.keytab.radius radius/tjener.intern at INTERN
+ chown freerad:freerad /etc/krb5.keytab.radius
+fi
+
+# Configure freeRADIUS EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
+echo "" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "#--------------------- Debian Edu specific example -------------------------" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "# Uncomment the next two lines to only allow LDAP group 'teachers'." >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "#DEFAULT Group != \"teachers\", Auth-Type := Reject" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "# Reply-Message = \"Accessing wireless network is not allowed.\"" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "#---------------------------------------------------------------------------" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "# Please don't add anything below the next line!" >> /etc/freeradius/3.0/mods-config/files/authorize
+echo "DEFAULT Auth-Type = Kerberos" >> /etc/freeradius/3.0/mods-config/files/authorize
+
+sed -i '/copy_request/ s/no/yes/' /etc/freeradius/3.0/mods-available/eap
+sed -i '/use_tunneled/ s/no/yes/' /etc/freeradius/3.0/mods-available/eap
+
+sed -i '/keytab/ s#${localstatedir}/lib/radiusd/keytab#/etc/krb5.keytab.radius#' /etc/freeradius/3.0/mods-available/krb5
+sed -i '/service/ s#name_of_principle#radius/tjener.intern#' /etc/freeradius/3.0/mods-available/krb5
+
+sed -i '/request-nt-key/ s#/path/to/ntlm_auth#/usr/bin/ntlm_auth#' /etc/freeradius/3.0/mods-available/mschap
+sed -i '/request-nt-key/ s/#/ /' /etc/freeradius/3.0/mods-available/mschap
+sed -i '/request-nt-key/ s#nt-key#nt-key --allow-mschapv2#' /etc/freeradius/3.0/mods-available/mschap
+
+sed -i '/pam/ a\
+ \
+ #\
+ # Kerberos Authentication\
+ Auth-Type Kerberos {\
+ krb5\
+ }' /etc/freeradius/3.0/sites-available/default
+
+sed -i '/pam/ a\
+ \
+ #\
+ # Kerberos Authentication\
+ Auth-Type Kerberos {\
+ krb5\
+ }' /etc/freeradius/3.0/sites-available/inner-tunnel
+
+# Enable Kerberos module.
+cd /etc/freeradius/3.0/mods-enabled
+
+if [ ! -f krb5 ] ; then
+ ln -s ../mods-available/krb5 krb5
+fi
+
+cd -
+
+# Allow the freerad user to read the Winbind reply and the certificate key file.
+/sbin/usermod -a -G winbindd_priv freerad
+/sbin/usermod -a -G ssl-cert freerad
+
service freeradius stop
+
+# Generate freeRADIUS specific CA and server certificates and make them available.
chmod +x bootstrap
+PASSWORD="$(pwgen -1)"
for i in *.cnf xpextensions ; do
sed -i "s#whatever#$PASSWORD#g" $i
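Review bot: nothing in this hunk guards the configuration edits against a second run. The `echo ... >> /etc/freeradius/3.0/mods-config/files/authorize` lines (including the closing `DEFAULT Auth-Type = Kerberos`) and the two `sed -i '/pam/ a\ ... Auth-Type Kerberos { krb5 }'` inserts into sites-available/default and sites-available/inner-tunnel are repeated on every invocation, while the keytab block and the mods-enabled symlink are already idempotent. A grep guard such as `grep -q 'DEFAULT Auth-Type = Kerberos' /etc/freeradius/3.0/mods-config/files/authorize || { ... }` (and the same for `Auth-Type Kerberos {` in the two site files) would make the tool safe to rerun. The `/pam/` address is also broad: every line in the site file that contains that string gets a copy of the Kerberos block, so anchoring on the exact commented-out `pam` line rather than on any line containing it is safer. Smaller points: the comment "kdadmin.local" should read "kadmin.local", and "Kerberos principal and keytab setup-" has a stray trailing hyphen; `pwgen` is used further down (`PASSWORD="$(pwgen -1)"`) but is not covered by the package check, which only mentions winbind, freeradius and freeradius-krb5; both early exits (`exit 0` after the missing-package message and after the "only makes sense to run on a main server" message) report a failure condition with a success status, so `exit 1` seems more appropriate unless a zero exit is deliberately wanted for the postinst caller; and after `chown freerad:freerad /etc/krb5.keytab.radius` an explicit `chmod 600` would make the keytab's mode independent of how kadmin.local created it.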
@@ -51,7 +126,7 @@ for i in *.cnf xpextensions ; do
sed -i 's#user at example.org#user at postoffice.intern#g' $i
sed -i 's#example.org/example#intern/intern#g' $i
sed -i 's#example.com/example#intern/intern#g' $i
- sed -i 's#Example S#Debian Edu freeRADIU S#g' $i
+ sed -i 's#Example S#Debian Edu freeRADIUS S#g' $i
sed -i 's#Example C#Debian Edu freeRADIUS C#g' $i
sed -i 's#*example.com#*intern#g' $i
sed -i 's#radius.example.com#freeradius.intern#g' $i
@@ -59,15 +134,19 @@ for i in *.cnf xpextensions ; do
sed -i 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' $i
done
-cp /usr/share/debian-edu-config/freeradius-eap.conf ../mods-available/eap
sed -i "s#whatever#$PASSWORD#g" ../mods-available/eap
-cp /usr/share/debian-edu-config/freeradius-mschap.conf ../mods-available/mschap
-cp /usr/share/debian-edu-config/freeradius-authorize ../mods-config/files/authorize
-cp /usr/share/debian-edu-config/freeradius-clients.conf ../clients.conf
+sed -i 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' ../mods-available/eap
+sed -i 's#ssl-cert-snakeoil.key#freeradius-server.key#' ../mods-available/eap
+sed -i 's#ca-certificates.crt#freeradius-ca.crt#' ../mods-available/eap
./bootstrap
-chmod 644 dh server.crt server.key ca.pem ca.der
+chmod 644 dh server.crt server.pem ca.pem ca.der
+chmod 640 server.key
+cp ca.pem /etc/ssl/certs/freeradius-ca.crt
+cp server.crt /etc/ssl/certs/freeradius-server.crt
+cp server.key /etc/ssl/private/freeradius-server.key
+chown root:ssl-cert /etc/ssl/private/freeradius-server.key
if [ -d /etc/debian-edu/www/ ] ; then
cp ca.der /etc/debian-edu/www/freeradius-ca.der
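Review bot: the private keys are the thing to check in this hunk. `chmod 640 server.key` and the `cp` plus `chown root:ssl-cert` into /etc/ssl/private are fine, but the source copies in the certs directory are only removed by the `make clean` that follows, and in my copy of the certs Makefile shipped with FreeRADIUS 3.0 the `clean` target only deletes the client artefacts (`client.*`, `*old`, `*~`); `ca.key` and `server.key` stay behind in the certs directory. Please verify what `make clean` removes on the installed version, and either move `ca.key` to a root-only location (it is needed to issue a new server certificate under the same CA later) or run the `destroycerts` target once the needed files have been copied out. Since every end user device is told to trust freeradius-ca.crt, anyone who obtains `ca.key` can mint a server certificate that supplicants accept, which is exactly what an evil-twin access point needs to collect PEAP/MS-CHAPv2 challenge responses or EAP-TTLS/PAP plaintext passwords. Minor: `cp server.key /etc/ssl/private/freeradius-server.key` only yields mode 640 on a fresh copy; if the target already exists from a previous run, `cp` keeps the existing file's mode, so a `chmod 640` on the destination after the `chown` would be more robust.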
@@ -75,22 +154,25 @@ if [ -d /etc/debian-edu/www/ ] ; then
cp ca.pem /etc/debian-edu/www/freeradius-ca.crt
fi
+# Cleanup the certs dir.
make clean
chmod -x bootstrap
+# Start the configured freeRADIUS service and give some feedback.
service freeradius start
-echo "-----------------------------------------------------------------------------"
+echo "------------------------------------------------------------------------------------"
echo "The freeRADIUS server has been configured."
echo ""
echo "Both CRT and DER encoded freeRADIUS CA certificates are available for download:"
-echo "https://www.intern/freeradius-ca.crt (for end user devices running Linux) and"
-echo "https://www.intern/freeradius-ca.der (others like Android, iOS, iPadOS and Windows)."
+echo "https://www.intern/freeradius-ca.pem (for end user devices running Linux)."
+echo "https://www.intern/freeradius-ca.crt (Linux, Android and Windows)."
+echo "https://www.intern/freeradius-ca.der (macOS, iOS, iPadOS and Windows)."
echo ""
echo "For simple site-specific configuration adjustments, see"
-echo "/etc/freeradius/3.0/users"
-echo "/etc/freeradius/3.0/huntgroups"
-echo "/etc/freeradius/3.0/clients.conf"
+echo "/etc/freeradius/3.0/users [allow/deny wireless using LDAP groups]"
+echo "/etc/freeradius/3.0/huntgroups [combine access points (APs) into dedicated groups]"
+echo "/etc/freeradius/3.0/clients.conf [enable/disable APs via shared secret]"
echo ""
-echo "-----------------------------------------------------------------------------"
+echo "------------------------------------------------------------------------------------"
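Review bot: `service freeradius start` is followed unconditionally by "The freeRADIUS server has been configured.", so a daemon that fails to come up because one of the sed edits did not match (a changed placeholder in mods-available/krb5 or mods-available/eap would do it) is still reported as success. Running `freeradius -C` to check the configuration before the start, or testing the exit status of the start, and exiting non-zero with a clear message otherwise would catch that. The download list also advertises https://www.intern/freeradius-ca.pem, but the only copies into /etc/debian-edu/www/ visible in this diff are `ca.der` as freeradius-ca.der and `ca.pem` as freeradius-ca.crt; either add a `cp ca.pem /etc/debian-edu/www/freeradius-ca.pem` or drop that line from the message.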
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/69a555c5debf79220f88cd982af893f80c56ced5...8bd91908614a54f2d75dd1adbb74bf2a9c61959b