Starting point

Of course, VLANs can also be configured with easyroam. The starting configuration is a typical RadSec connection of an eduroam SP to easyroam, shown here using radsecproxy:

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### local WLAN stuff ####

client wlan_controller {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}
########## PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

###### Federationserver stuff ###

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
##### Realm stuff ###

realm * {
 server tld1
 server tld2
 server tld3
}

Everyone into one VLAN

If the task is to put all eduroam/easyroam users into one VLAN, the configuration can look like this:

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### local WLAN stuff ####

client wlan_controller {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}

###### VLAN stuff #####

rewrite addVLAN {
 removeAttribute        64
 removeAttribute        65
 removeAttribute        81
 addAttribute           64:13
 addAttribute           65:6
 addAttribute           81:'64
}


###### PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

####### Federationsserver stuff ####

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        rewriteIN addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        rewriteIN addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        rewriteIn addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####

realm * {
 server tld1
 server tld2
 server tld3
}
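As an added example that is not part of this page's configuration or of radsecproxy itself, the following Python models what the addVLAN rewrite does to an Access-Accept coming back from the federation. It assumes, as the radsecproxy manual describes rewrites, that the removeAttribute lines of a block are applied before its addAttribute lines, and it takes the Tunnel-Private-Group-Id the block is meant to send to be the VLAN ID "64" (an assumption). The input is a constructed Access-Accept in which a remote home IdP already sent Tunnel attributes of its own; the point of the three removeAttribute lines is that such an upstream VLAN assignment never reaches the local WLAN controller, which would otherwise receive two sets and decide on its own which one to honour.

```python
# Added example: a model of radsecproxy's addVLAN rewrite, not radsecproxy code.
# Assumption: the removeAttribute lines of a rewrite block are applied before
# its addAttribute lines, as the radsecproxy manual describes.

TUNNEL_TYPE = 64              # RFC 2868: value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868: value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID, carried as a string
REPLY_MESSAGE = 18


class Rewrite:
    """One 'rewrite' block: attribute types to strip and (type, value) pairs to add."""

    def __init__(self, remove, add):
        self.remove = set(remove)
        self.add = list(add)

    def apply(self, attrs):
        # 1. every instance of a removed type is dropped, wherever it sits
        kept = [(t, v) for t, v in attrs if t not in self.remove]
        # 2. the configured attributes are appended once each, in config order
        return kept + self.add


# The addVLAN block from the configuration above. The group ID "64" is an
# assumption about what the block is meant to send.
ADD_VLAN = Rewrite(
    remove=[TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID],
    add=[(TUNNEL_TYPE, 13), (TUNNEL_MEDIUM_TYPE, 6), (TUNNEL_PRIVATE_GROUP_ID, "64")],
)

# Constructed Access-Accept as a remote home IdP might return it through the
# federation: it carries its *own* VLAN assignment ("staff"), which means
# nothing on the local network and must not reach the local controller.
HOME_IDP_ACCEPT = [
    (REPLY_MESSAGE, "authenticated using TLS 1.3!"),
    (TUNNEL_TYPE, 13),
    (TUNNEL_MEDIUM_TYPE, 6),
    (TUNNEL_PRIVATE_GROUP_ID, "staff"),
]


def vlan_of(attrs):
    """All VLAN IDs a NAS would find in this attribute list, in order."""
    return [v for t, v in attrs if t == TUNNEL_PRIVATE_GROUP_ID]


def add_only(attrs):
    """What the controller would get if the removeAttribute lines were left out."""
    return list(attrs) + ADD_VLAN.add


if __name__ == "__main__":
    print("with removeAttribute:", vlan_of(ADD_VLAN.apply(HOME_IDP_ACCEPT)))  # ['64']
    print("addAttribute only:   ", vlan_of(add_only(HOME_IDP_ACCEPT)))        # ['staff', '64']
```

The same model applies unchanged to rewriteIn on a server block (the Access-Accept arriving from the federation) and to rewriteOut on a client block (the Access-Accept leaving towards the controller); only the point in the proxy where the block is applied differs.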

The institution's own users into privileged VLANs

If the task is to put your own easyroam users into a privileged VLAN, an additional radsecproxy instance is needed, together with this adapted starting configuration:

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### local WLAN stuff ####

client wlan_controller {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}

#### local loop server ####

server localloop {
       host  127.0.0.1
       type udp
       port 21812
       secret for_your_eyes_only
}
########## PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

###### Federationserver stuff ###

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

##### Realm stuff ###

realm /@easyroam(-pca)?<instituts-realm>$/ {
        server localloop
}

realm * {
 server tld1
 server tld2
 server tld3
}

The newly added radsecproxy:

ListenUDP               *:21812

LogDestination         file:///var/log/rsp2.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

rewrite addVLAN {
 removeAttribute        64
 removeAttribute        65
 removeAttribute        81
 addAttribute           64:13
 addAttribute           65:6
 addAttribute           81:'64
}

###### VLAN stuff #####

client localloop {
 host 127.0.0.1
 rewriteOUT addVLAN
 type udp
 secret for_your_eyes_only
}

###### PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

####### Federationsserver stuff ####

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####

realm /@easyroam(-pca)?<instituts-realm>$/ {
 server tld1
 server tld2
 server tld3
}
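As an added example, not part of this page's configuration or of radsecproxy, the following Python reproduces the realm selection of the first radsecproxy instance for a handful of User-Names. It assumes radsecproxy's documented realm behaviour: realm blocks are tried in configuration order and the first match wins, a `/.../` realm is an extended, case-insensitive regular expression matched against the whole User-Name, and `realm *` matches everything. The `<instituts-realm>` placeholder is taken to stand for the institute domain written as regex text including its leading dot; here it is `\.institute-realm\.de`, the domain that appears in the eapol_test output of the abuse example, which shows why that spoofed outer identity is still routed into the local loop: the proxy sees only the realm, and it is the easyroam IdP's comparison of the certificate CN with the outer identity that produces the Reject. The second realm list shows what happens when the placeholder is filled in without the dot.

```python
import re

# Added example (not radsecproxy code): realm routing of the first proxy instance.
FEDERATION = ["tld1", "tld2", "tld3"]


def own_realm(escaped_domain):
    """The regex realm from the configuration above with <instituts-realm>
    filled in. escaped_domain is a constructed stand-in: the institute domain
    as regex text, e.g. r'\\.institute-realm\\.de'."""
    return r"@easyroam(-pca)?" + escaped_domain + r"$"


def realms_for(escaped_domain):
    """Realm list of the first radsecproxy instance, in configuration order."""
    return [
        (own_realm(escaped_domain), ["localloop"]),
        ("*", FEDERATION),  # the catch-all 'realm *'
    ]


def realm_matches(realm, user_name):
    """Assumed radsecproxy semantics: '*' matches every User-Name; a /regex/
    realm is matched case-insensitively against the whole User-Name (Python's
    re is close enough to POSIX ERE for these patterns)."""
    if realm == "*":
        return True
    return re.search(realm, user_name, re.IGNORECASE) is not None


def route(user_name, realms):
    """Server list of the first matching realm, or None when no realm matches."""
    for realm, servers in realms:
        if realm_matches(realm, user_name):
            return servers
    return None


# Placeholder filled in with the leading dot, as it has to be.
REALMS = realms_for(r"\.institute-realm\.de")
# Placeholder filled in without the dot: never matches the institute's real users.
REALMS_NO_DOT = realms_for(r"institute-realm\.de")

# User-Names taken from the eapol_test output on this page plus constructed
# edge cases, each with the route expected from REALMS.
CASES = [
    ("6174679189648274680@easyroam-pca.dfn.de", FEDERATION),                # foreign user
    ("6090495638272782046@easyroam-pca.institute-realm.de", ["localloop"]), # own realm, or a spoofed outer identity
    ("user@easyroam.institute-realm.de", ["localloop"]),                     # the -pca part is optional
    ("USER@EASYROAM-PCA.INSTITUTE-REALM.DE", ["localloop"]),                 # case-insensitive
    ("user@easyroam-pca.institute-realm.de.example.net", FEDERATION),       # the '$' anchor keeps suffixes out
    ("user@easyroam-pcainstitute-realm.de", FEDERATION),                    # the dot matters
]


def all_cases_route_as_expected():
    """True when every case in CASES is routed as listed."""
    return all(route(name, REALMS) == expected for name, expected in CASES)


if __name__ == "__main__":
    for name, _ in CASES:
        print(f"{name:55s} -> {route(name, REALMS)}")
    print("all as expected:", all_cases_route_as_expected())
```

Whatever is routed to localloop ends up in the privileged VLAN, so the realm expression, and in particular its `$` anchor and the escaped dots, deserves the same scrutiny as the VLAN itself.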

The test

With eapol_test it can be shown that the VLAN attributes are correctly added to the Access-Accept packet.

RADIUS message: code=1 (Access-Request) identifier=10 length=172
   Attribute 1 (User-Name) length=41
      Value: '6174679189648274680@easyroam-pca.dfn.de'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '01-02-03-04-05-06'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 027600060d00
   Attribute 24 (State) length=18
      Value: b612453ebf644846e972f432c6e1f044
   Attribute 80 (Message-Authenticator) length=18
      Value: 55db7a5260c3d9bdb57ffed6fb60d00c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 213 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371134f24cb208f259170dece11267dd832f5db022cc25ecccf43ab0bba337542e791cb499a1e7f54de5aeed4b12e7096322364985
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371034f8f94f60008d191dacb6130ab970e33ac8d930b08a3e2fcdd799cfec4b28a4995f67f2f4b72cbf8fb30fc16f970c57280e52
   Attribute 79 (EAP-Message) length=6
      Value: 03760004
   Attribute 80 (Message-Authenticator) length=18
      Value: 7a76d76bdbeb97df7f971b0498d6f03d
   Attribute 12 (Framed-MTU) length=6
      Value: 1014
   Attribute 18 (Reply-Message) length=30
      Value: 'authenticated using TLS 1.3!'
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=5
      Value: 363427
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
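As an added example (not part of this page or of eapol_test), the following Python parses the attribute dump that eapol_test prints and decodes the three Tunnel attributes according to RFC 2868, including the tag octet handling: Tunnel-Type and Tunnel-Medium-Type carry one tag octet followed by a 3-octet integer, and Tunnel-Private-Group-Id carries a tag octet only if its first octet is 0x1F or below. The Access-Accept dump is the one above with the unrelated attributes left out; the Access-Reject dump is constructed after the abuse example further down and exercises the negative path. The group ID is returned as decoded text so it can be compared with the VLAN name or ID the controller expects; for the capture on this page the octets 36 34 27 decode to the three-character string `64'`.

```python
import re

# Added example: decoder for eapol_test attribute dumps, not eapol_test code.

# Access-Accept as printed by eapol_test above (values copied from the page;
# attributes that do not matter for the VLAN assignment were left out).
ACCEPT_DUMP = """\
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
   Attribute 18 (Reply-Message) length=30
      Value: 'authenticated using TLS 1.3!'
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=5
      Value: 363427
"""

# Constructed Access-Reject in the same format, as in the abuse example.
REJECT_DUMP = """\
RADIUS message: code=3 (Access-Reject) identifier=9 length=186
   Attribute 18 (Reply-Message) length=142
      Value: 'Certificate CN does not match specified value'
"""

CODE_RE = re.compile(r"^RADIUS message: code=(\d+)")
ATTR_RE = re.compile(r"^\s+Attribute (\d+) \(([^)]*)\) length=(\d+)$")
VALUE_RE = re.compile(r"^\s+Value: (.*)$")


def parse_dump(text):
    """Return (code, [(type, name, value_text)]) from an eapol_test message dump."""
    code, attrs, pending = None, [], None
    for line in text.splitlines():
        m = CODE_RE.match(line)
        if m:
            code = int(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = VALUE_RE.match(line)
        if m and pending is not None:
            attrs.append((pending[0], pending[1], m.group(1)))
            pending = None
    return code, attrs


def tagged_int(hexval):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    raw = bytes.fromhex(hexval)
    if len(raw) != 4:
        raise ValueError("tagged integer attribute must be 4 octets long")
    return raw[0], int.from_bytes(raw[1:], "big")


def tagged_string(hexval):
    """RFC 2868 tagged string: the first octet is a tag only if it is <= 0x1F;
    otherwise it is part of the string and the attribute counts as untagged (0)."""
    raw = bytes.fromhex(hexval)
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("latin-1")
    return 0, raw.decode("latin-1")


def vlan_assignment(text):
    """Decode the VLAN assignment of an Access-Accept. Returns None for any other
    RADIUS code or when one of the three Tunnel attributes is missing."""
    code, attrs = parse_dump(text)
    if code != 2:
        return None
    found = {}
    for typ, _name, val in attrs:
        if typ == 64:
            found["tag64"], found["tunnel_type"] = tagged_int(val)
        elif typ == 65:
            found["tag65"], found["medium_type"] = tagged_int(val)
        elif typ == 81:
            found["tag81"], found["group_id"] = tagged_string(val)
    if not {"tunnel_type", "medium_type", "group_id"} <= set(found):
        return None
    return {
        "is_vlan": found["tunnel_type"] == 13 and found["medium_type"] == 6,
        "group_id": found["group_id"],
        # RFC 2868 groups the three attributes by tag; they belong together only if the tags agree
        "tags_agree": found["tag64"] == found["tag65"] == found["tag81"],
    }


if __name__ == "__main__":
    print(vlan_assignment(ACCEPT_DUMP))  # {'is_vlan': True, 'group_id': "64'", 'tags_agree': True}
    print(vlan_assignment(REJECT_DUMP))  # None
```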

The thwarted abuse

One could imagine tricking the VLAN configuration with a valid easyroam pseudo-certificate and a forged outer identity.

Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=9 length=518
   Attribute 1 (User-Name) length=53
      Value: '6090495638272782046@easyroam-pca.institute-realm.de'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '01-02-03-04-05-06'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=255
      Value: (omitted)
   Attribute 79 (EAP-Message) length=87
      Value: 0d318a30b3ca7daa1c4e36170303004583ff81e5939f69e193ab8eb441c5596a33a8c21418616d3617c15cc00afaf421739c11bc1771ee8548b945907904e7e2a396b84df50ce7e5c64a12feebd330741c9d90c52e
   Attribute 24 (State) length=18
      Value: 2168c43f29b9c9eafd8c90d2473fe380
   Attribute 80 (Message-Authenticator) length=18
      Value: 80e122ef58f88e4963afead78911076b
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 186 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=9 length=186
   Attribute 79 (EAP-Message) length=6
      Value: 04d10004
   Attribute 80 (Message-Authenticator) length=18
      Value: 1738d193c2cf0bba54fb9f5f3cf07647
   Attribute 18 (Reply-Message) length=142
      Value: 'Certificate CN 6174679189648274680@easyroam-pca.dfn.de does not match specified value (6090495638272782046@easyroam-pca.institute-realm.de)!'
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 1.01 sec

Combining

The examples given can be combined as desired. Note, however, that local loops can be configured. External loops that could endanger eduroam operation are ruled out, since our servers generally answer with a Reject or an Accept. In the examples, two uplinks to the federation servers are established. It is, however, also possible to configure VLANs for your own easyroam users with a single leg to the federation servers. Selectively routing easyroam users (external or internal) into privileged VLANs is also possible. That, however, is for each admin to decide locally.
