==== Für Admins: Konfiguration von VLAN's in easyroam ====
=== Ausgangslage ===
Selbstverständlich lassen sich auch VLAN's in easyroam konfigurieren. Ausgangskonfiguration ist eine typische RadSec Anbindung eines eduroam IdP's in easyroam am Beispiel des radsecproxy:
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5
####### local WLAN stuff ####
client wlan_controllser {
host
type udp
secret for_your_eyes_only
}
########## PKI stuff ####
tls eduroamPKI {
CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
###### Federationserver stuff ###
server tld1 {
host 193.174.75.134
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld2 {
host 193.174.75.138
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld3 {
host 194.95.245.98
certificatenamecheck off
statusServer on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
##### Realm stuff ###
realm * {
server tld1
server tld2
server tld3
}
=== Alle in ein VLAN ===
Besteht nun die Aufgabe darin, alle eduroam/easyroam Nutzende in ein VLAN zu leiten, kann die Konfiguration wie folgt aussehen:
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5
####### local WLAN stuff ####
client wlan_controllser {
host
type udp
secret for_your_eyes_only
}
###### VLAN staff #####
rewrite addVLAN {
removeAttribute 64
removeAttribute 65
removeAttribute 81
addAttribute 64:13
addAttribute 65:6
addAttribute 81:'64'
}
###### PKI stuff ####
tls eduroamPKI {
CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
####### Federationsserver stuff ####
server tld1 {
host 193.174.75.134
certificatenamecheck off
statusserver on
tls eduroamPKI
rewriteIN addVLAN
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld2 {
host 193.174.75.138
certificatenamecheck off
statusserver on
tls eduroamPKI
rewriteIN addVLAN
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld3 {
host 194.95.245.98
certificatenamecheck off
statusServer on
tls eduroamPKI
rewriteIn addVLAN
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
###### realm stuff #####
realm * {
server tld1
server tld2
server tld3
}
=== Institutseigene Nutzende in privilegierte VLAN's ===
Besteht die Aufgabe darin die eigenen easyroam Nutzenden in ein privilegiertes VLAN zu leiten, wird eine zusätzliche radsecproxy Instanz benötigt und die angepasste
die angepasste Ausgangskonfiguration:
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5
####### local WLAN stuff ####
client wlan_controllser {
host
type udp
secret for_your_eyes_only
}
#### local loop server ####
server localloop {
host 127.0.0.1
type udp
port 21812
secret for_your_eyes_only
}
########## PKI stuff ####
tls eduroamPKI {
CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
###### Federationserver stuff ###
server tld1 {
host 193.174.75.134
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld2 {
host 193.174.75.138
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld3 {
host 194.95.245.98
certificatenamecheck off
statusServer on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
##### Realm stuff ###
realm /@easyroam(-pca)?$/ {
server localloop
}
realm * {
server tld1
server tld2
server tld3
}
Der neu hinzukommende radsecproxy:
/etc/radsec/radsecproxy_add_vlan.conf
listenUDP *:21812
LogDestination file:///var/log/rsp2.log
LoopPrevention on
LogThreadId on
LogLevel 5
rewrite addVLAN {
removeAttribute 64
removeAttribute 65
removeAttribute 81
addAttribute 64:13
addAttribute 65:6
addAttribute 81:'64'
}
tls eduroamPKI {
CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io.pem
CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io-key.pem
}
###### VLAN stuff #####
client localloop {
host 127.0.0.1
rewriteOUT addVLAN
type udp
secret for_your_eyes_only
}
###### PKI stuff ####
tls eduroamPKI {
CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
####### Federationsserver stuff ####
server tld1 {
host 193.174.75.134
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld2 {
host 193.174.75.138
certificatenamecheck off
statusserver on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server tld3 {
host 194.95.245.98
certificatenamecheck off
statusServer on
tls eduroamPKI
type tls
matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
###### realm stuff #####
realm realm /@easyroam(-pca)?$/ {
server tld1
server tld2
server tld3
}
/usr/local/sbin/radsecproxy -c /etc/radsec/radsecproxy.conf -f
/etc/radsec# /usr/local/sbin/radsecproxy -c /etc/radsec/radsecproxy_add_vlan.conf -f
=== Der Test ===
Mit eapol_test lässt sich belegen, dass die Attribute für VLAN's korrekt dem Access-Accept Paket hinzugefügt werden.
RADIUS message: code=1 (Access-Request) identifier=10 length=172
Attribute 1 (User-Name) length=41
Value: '6174679189648274680@easyroam-pca.dfn.de'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '01-02-03-04-05-06'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 027600060d00
Attribute 24 (State) length=18
Value: b612453ebf644846e972f432c6e1f044
Attribute 80 (Message-Authenticator) length=18
Value: 55db7a5260c3d9bdb57ffed6fb60d00c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 213 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
Attribute 26 (Vendor-Specific) length=58
Value: 000001371134f24cb208f259170dece11267dd832f5db022cc25ecccf43ab0bba337542e791cb499a1e7f54de5aeed4b12e7096322364985
Attribute 26 (Vendor-Specific) length=58
Value: 000001371034f8f94f60008d191dacb6130ab970e33ac8d930b08a3e2fcdd799cfec4b28a4995f67f2f4b72cbf8fb30fc16f970c57280e52
Attribute 79 (EAP-Message) length=6
Value: 03760004
Attribute 80 (Message-Authenticator) length=18
Value: 7a76d76bdbeb97df7f971b0498d6f03d
Attribute 12 (Framed-MTU) length=6
Value: 1014
Attribute 18 (Reply-Message) length=30
Value: 'authenticated using TLS 1.3!'
Attribute 64 (Tunnel-Type) length=6
Value: 0000000d
Attribute 65 (Tunnel-Medium-Type) length=6
Value: 00000006
Attribute 81 (Tunnel-Private-Group-Id) length=5
Value: 363427
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
=== Der vereitelte Missbrauch ====
Denkbar wäre mit einem gültigen easyroam Pseudozertifikat und einer gefälschten äußeren Identität die VLAN - Konfiguration auszutricksen.
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=9 length=518
Attribute 1 (User-Name) length=53
Value: '6090495638272782046@easyroam-pca.institute-realm.de'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '01-02-03-04-05-06'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=255
Value: 02d101520d005f71c34fcce8e12d54e2b13ac0c6b105cfde03a036f179bc575630c657a14c8cb3bceb87e09320e04cf09cc52a9bbe9ca83cd0dd111664565e6193f0178fe19086921f3edcfd67a69c31de8d168f5ecd14eb51832bf55ab082b0d3db6a9555a9ba1103fbe1c3ff88697f3d436dcff49b54d92896e9d9a5d184cbaca0698f8744e94fa1c800129e268904b70546f45962b2290c06d34b0ad85ee37743bd02feda080a200328997e84e713256ce5ce64bb04a611c744829ad2b5f5bf8e6a36bf21f0efd1489ef2841013554982e9ae447f31cf7eb0acb17c71f2298c009e9676013b0705c757dd8705af23f008d2571c66eefd08f336a433
Attribute 79 (EAP-Message) length=87
Value: 0d318a30b3ca7daa1c4e36170303004583ff81e5939f69e193ab8eb441c5596a33a8c21418616d3617c15cc00afaf421739c11bc1771ee8548b945907904e7e2a396b84df50ce7e5c64a12feebd330741c9d90c52e
Attribute 24 (State) length=18
Value: 2168c43f29b9c9eafd8c90d2473fe380
Attribute 80 (Message-Authenticator) length=18
Value: 80e122ef58f88e4963afead78911076b
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 186 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=9 length=186
Attribute 79 (EAP-Message) length=6
Value: 04d10004
Attribute 80 (Message-Authenticator) length=18
Value: 1738d193c2cf0bba54fb9f5f3cf07647
Attribute 18 (Reply-Message) length=142
Value: 'Certificate CN 6174679189648274680@easyroam-pca.dfn.de does not match specified value (6090495638272782046@easyroam-pca.institute-realm.de)!'
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 1.01 sec
=== Kombinieren ===
Die angeführten Beispiele lassen sich beliebig kombinieren. Zu beachten ist jedoch, dass lokale Loops konfiguriert werden können. Externe Loops, die den eduroam Betrieb gefährden könnten, sind ausgeschlossen, da unsere Server in der Regel mit einem Reject oder Accept antworten. In den Beispielen werden zwei Uplinks zu den Föderationsservern etabliert. Es ist aber auch möglich mit einem Beinchen zu den Föderationsservern VLAN's für die eigenen easyroam Nutzenden zu konfigurieren. Auch gezielt, easyroam Nutzende (extern/interne) in privilegierte VLAN's zu leiten, ist möglich. Das entscheidet jedoch lokal jeder Admin selbst.