Für Admins: Konfiguration von VLAN's in easyroam
Ausgangslage
Selbstverständlich lassen sich auch VLAN's in easyroam konfigurieren. Ausgangskonfiguration ist eine typische RadSec Anbindung eines eduroam SP's in easyroam am Beispiel des radsecproxy:
ListenUDP *:1812 ListenUDP *:1813 LogDestination file:///var/log/rsp1.log LoopPrevention on LogThreadId on LogLevel 5 ####### local WLAN stuff #### client wlan_controllser { host <ip-addr> type udp secret for_your_eyes_only } ########## PKI stuff #### tls eduroamPKI { CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem ###### Federationserver stuff ### server tld1 { host 193.174.75.134 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld2 { host 193.174.75.138 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld3 { host 194.95.245.98 certificatenamecheck off statusServer on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } ##### Realm stuff ### realm * { server tld1 server tld2 server tld3 }
Alle in ein VLAN
Besteht nun die Aufgabe darin, alle eduroam/easyroam Nutzende in ein VLAN zu leiten, kann die Konfiguration wie folgt aussehen:
ListenUDP *:1812 ListenUDP *:1813 LogDestination file:///var/log/rsp1.log LoopPrevention on LogThreadId on LogLevel 5 ####### local WLAN stuff #### client wlan_controllser { host <ip-addr> type udp secret for_your_eyes_only } ###### VLAN staff ##### rewrite addVLAN { removeAttribute 64 removeAttribute 65 removeAttribute 81 addAttribute 64:13 addAttribute 65:6 addAttribute 81:'64 } ###### PKI stuff #### tls eduroamPKI { CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem ####### Federationsserver stuff #### server tld1 { host 193.174.75.134 certificatenamecheck off statusserver on tls eduroamPKI rewriteIN addVLAN type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld2 { host 193.174.75.138 certificatenamecheck off statusserver on tls eduroamPKI rewriteIN addVLAN type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld3 { host 194.95.245.98 certificatenamecheck off statusServer on tls eduroamPKI rewriteIn addVLAN type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } ###### realm stuff ##### realm * { server tld1 server tld2 server tld3 }
Institutseigene Nutzende in privilegierte VLAN's
Besteht die Aufgabe darin die eigenen easyroam Nutzenden in ein privilegiertes VLAN zu leiten, wird eine zusätzliche radsecproxy Instanz benötigt und die angepasste die angepasste Ausgangskonfiguration:
ListenUDP *:1812 ListenUDP *:1813 LogDestination file:///var/log/rsp1.log LoopPrevention on LogThreadId on LogLevel 5 ####### local WLAN stuff #### client wlan_controllser { host <ip-addr> type udp secret for_your_eyes_only } #### local loop server #### server localloop { host 127.0.0.1 type udp port 21812 secret for_your_eyes_only } ########## PKI stuff #### tls eduroamPKI { CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem ###### Federationserver stuff ### server tld1 { host 193.174.75.134 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld2 { host 193.174.75.138 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld3 { host 194.95.245.98 certificatenamecheck off statusServer on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } ##### Realm stuff ### realm /@easyroam(-pca)?<instistut-realm>$/ { server localloop } realm * { server tld1 server tld2 server tld3 }
Der neu hinzukommende radsecproxy:
listenUDP *:21812 LogDestination file:///var/log/rsp2.log LoopPrevention on LogThreadId on LogLevel 5 rewrite addVLAN { removeAttribute 64 removeAttribute 65 removeAttribute 81 addAttribute 64:13 addAttribute 65:6 addAttribute 81:'64 } tls eduroamPKI { CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io.pem CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io-key.pem } ###### VLAN stuff ##### client localloop { host 127.0.0.1 rewriteOUT addVLAN type udp secret for_your_eyes_only } ###### PKI stuff #### tls eduroamPKI { CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem ####### Federationsserver stuff #### server tld1 { host 193.174.75.134 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld2 { host 193.174.75.138 certificatenamecheck off statusserver on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } server tld3 { host 194.95.245.98 certificatenamecheck off statusServer on tls eduroamPKI type tls matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/ } ###### realm stuff ##### realm realm /@easyroam(-pca)?<instituts-realm>$/ { server tld1 server tld2 server tld3 }
Der Test
Mit eapol_test lässt sich belegen, dass die Attribute für VLAN's korrekt dem Access-Accept Paket hinzugefügt werden.
RADIUS message: code=1 (Access-Request) identifier=10 length=172 Attribute 1 (User-Name) length=41 Value: '6174679189648274680@easyroam-pca.dfn.de' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '01-02-03-04-05-06' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 027600060d00 Attribute 24 (State) length=18 Value: b612453ebf644846e972f432c6e1f044 Attribute 80 (Message-Authenticator) length=18 Value: 55db7a5260c3d9bdb57ffed6fb60d00c Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 213 bytes from RADIUS server Received RADIUS message RADIUS message: code=2 (Access-Accept) identifier=10 length=213 Attribute 26 (Vendor-Specific) length=58 Value: 000001371134f24cb208f259170dece11267dd832f5db022cc25ecccf43ab0bba337542e791cb499a1e7f54de5aeed4b12e7096322364985 Attribute 26 (Vendor-Specific) length=58 Value: 000001371034f8f94f60008d191dacb6130ab970e33ac8d930b08a3e2fcdd799cfec4b28a4995f67f2f4b72cbf8fb30fc16f970c57280e52 Attribute 79 (EAP-Message) length=6 Value: 03760004 Attribute 80 (Message-Authenticator) length=18 Value: 7a76d76bdbeb97df7f971b0498d6f03d Attribute 12 (Framed-MTU) length=6 Value: 1014 Attribute 18 (Reply-Message) length=30 Value: 'authenticated using TLS 1.3!' Attribute 64 (Tunnel-Type) length=6 Value: 0000000d Attribute 65 (Tunnel-Medium-Type) length=6 Value: 00000006 Attribute 81 (Tunnel-Private-Group-Id) length=5 Value: 363427 STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
Der vereitelte Missbrauch
Denkbar wäre mit einem gültigen easyroam Pseudozertifikat und einer gefälschten äußeren Identität die VLAN - Konfiguration auszutricksen.
Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=9 length=518 Attribute 1 (User-Name) length=53 Value: '6090495638272782046@easyroam-pca.institute-realm.de' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '01-02-03-04-05-06' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=255 Value: 02d101520d005f71c34fcce8e12d54e2b13ac0c6b105cfde03a036f179bc575630c657a14c8cb3bceb87e09320e04cf09cc52a9bbe9ca83cd0dd111664565e6193f0178fe19086921f3edcfd67a69c31de8d168f5ecd14eb51832bf55ab082b0d3db6a9555a9ba1103fbe1c3ff88697f3d436dcff49b54d92896e9d9a5d184cbaca0698f8744e94fa1c800129e268904b70546f45962b2290c06d34b0ad85ee37743bd02feda080a200328997e84e713256ce5ce64bb04a611c744829ad2b5f5bf8e6a36bf21f0efd1489ef2841013554982e9ae447f31cf7eb0acb17c71f2298c009e9676013b0705c757dd8705af23f008d2571c66eefd08f336a433 Attribute 79 (EAP-Message) length=87 Value: 0d318a30b3ca7daa1c4e36170303004583ff81e5939f69e193ab8eb441c5596a33a8c21418616d3617c15cc00afaf421739c11bc1771ee8548b945907904e7e2a396b84df50ce7e5c64a12feebd330741c9d90c52e Attribute 24 (State) length=18 Value: 2168c43f29b9c9eafd8c90d2473fe380 Attribute 80 (Message-Authenticator) length=18 Value: 80e122ef58f88e4963afead78911076b Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 186 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=9 length=186 Attribute 79 (EAP-Message) length=6 Value: 04d10004 Attribute 80 (Message-Authenticator) length=18 Value: 1738d193c2cf0bba54fb9f5f3cf07647 Attribute 18 (Reply-Message) length=142 Value: 'Certificate CN 6174679189648274680@easyroam-pca.dfn.de does not match specified value (6090495638272782046@easyroam-pca.institute-realm.de)!' STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 1.01 sec
Kombinieren
Die angeführten Beispiele lassen sich beliebig kombinieren. Zu beachten ist jedoch, dass lokale Loops konfiguriert werden können. Externe Loops, die den eduroam Betrieb gefährden könnten, sind ausgeschlossen, da unsere Server in der Regel mit einem Reject oder Accept antworten. In den Beispielen werden zwei Uplinks zu den Föderationsservern etabliert. Es ist aber auch möglich mit einem Beinchen zu den Föderationsservern VLAN's für die eigenen easyroam Nutzenden zu konfigurieren. Auch gezielt, easyroam Nutzende (extern/interne) in privilegierte VLAN's zu leiten, ist möglich. Das entscheidet jedoch lokal jeder Admin selbst.