For admins: configuring VLANs in easyroam
Starting point
VLANs can of course also be configured in easyroam. The starting configuration is the typical RadSec connection of an eduroam IdP to easyroam, shown here using radsecproxy:
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5

####### local WLAN stuff ####
client wlan_controller {
    host <ip-addr>
    type udp
    secret for_your_eyes_only
}

########## PKI stuff ####
tls eduroamPKI {
    CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
    CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
    CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

###### federation server stuff ###
server tld1 {
    host 193.174.75.134
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld2 {
    host 193.174.75.138
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld3 {
    host 194.95.245.98
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

##### realm stuff ###
realm * {
    server tld1
    server tld2
    server tld3
}
Everyone into one VLAN
If the task is to put all eduroam/easyroam users into a single VLAN, the configuration can look like this (the rewrite is applied with rewriteIn on each federation server, i.e. to the Access-Accept coming back from that server):
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5

####### local WLAN stuff ####
client wlan_controller {
    host <ip-addr>
    type udp
    secret for_your_eyes_only
}

###### VLAN stuff #####
rewrite addVLAN {
    removeAttribute 64
    removeAttribute 65
    removeAttribute 81
    addAttribute 64:13
    addAttribute 65:6
    addAttribute 81:64
}

###### PKI stuff ####
tls eduroamPKI {
    CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
    CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
    CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

####### federation server stuff ####
server tld1 {
    host 193.174.75.134
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    rewriteIn addVLAN
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld2 {
    host 193.174.75.138
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    rewriteIn addVLAN
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld3 {
    host 194.95.245.98
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    rewriteIn addVLAN
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####
realm * {
    server tld1
    server tld2
    server tld3
}
The institution's own users into privileged VLANs
If the task is to put only the institution's own easyroam users into a privileged VLAN, a second radsecproxy instance is needed: the first instance forwards the institution's own realm over a local UDP loop to the second instance, which adds the VLAN attributes on the way back. The adapted starting configuration of the first instance:
/etc/radsec/radsecproxy.conf
ListenUDP *:1812
ListenUDP *:1813
LogDestination file:///var/log/rsp1.log
LoopPrevention on
LogThreadId on
LogLevel 5

####### local WLAN stuff ####
client wlan_controller {
    host <ip-addr>
    type udp
    secret for_your_eyes_only
}

#### local loop server (second radsecproxy instance) ####
server localloop {
    host 127.0.0.1
    type udp
    port 21812
    secret for_your_eyes_only
}

########## PKI stuff ####
tls eduroamPKI {
    CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
    CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
    CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem
}

###### federation server stuff ###
server tld1 {
    host 193.174.75.134
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld2 {
    host 193.174.75.138
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld3 {
    host 194.95.245.98
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

##### realm stuff ###
# the institution's own easyroam users go through the local loop (second instance)
realm /@easyroam(-pca)?<instituts-realm>$/ {
    server localloop
}

realm * {
    server tld1
    server tld2
    server tld3
}
/etc/radsec/radsecproxy_add_vlan.conf
ListenUDP *:21812
LogDestination file:///var/log/rsp2.log
LoopPrevention on
LogThreadId on
LogLevel 5

###### VLAN stuff #####
rewrite addVLAN {
    removeAttribute 64
    removeAttribute 65
    removeAttribute 81
    addAttribute 64:13
    addAttribute 65:6
    addAttribute 81:64
}

# the first instance is our only client; the rewrite is applied to replies sent back to it
client localloop {
    host 127.0.0.1
    rewriteOut addVLAN
    type udp
    secret for_your_eyes_only
}

###### PKI stuff ####
tls eduroamPKI {
    CACertificateFile /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
    CertificateFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io.pem
    CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io-key.pem
}

####### federation server stuff ####
server tld1 {
    host 193.174.75.134
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld2 {
    host 193.174.75.138
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

server tld3 {
    host 194.95.245.98
    certificateNameCheck off
    statusServer on
    tls eduroamPKI
    type tls
    matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####
realm /@easyroam(-pca)?<instituts-realm>$/ {
    server tld1
    server tld2
    server tld3
}
Both instances are then started, each with its own configuration file:
/usr/local/sbin/radsecproxy -c /etc/radsec/radsecproxy.conf -f
/usr/local/sbin/radsecproxy -c /etc/radsec/radsecproxy_add_vlan.conf -f
The test
With eapol_test it can be shown that the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are added to the Access-Accept packet:
RADIUS message: code=1 (Access-Request) identifier=10 length=172
   Attribute 1 (User-Name) length=41
      Value: '6174679189648274680@easyroam-pca.dfn.de'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '01-02-03-04-05-06'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 027600060d00
   Attribute 24 (State) length=18
      Value: b612453ebf644846e972f432c6e1f044
   Attribute 80 (Message-Authenticator) length=18
      Value: 55db7a5260c3d9bdb57ffed6fb60d00c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 213 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371134f24cb208f259170dece11267dd832f5db022cc25ecccf43ab0bba337542e791cb499a1e7f54de5aeed4b12e7096322364985
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371034f8f94f60008d191dacb6130ab970e33ac8d930b08a3e2fcdd799cfec4b28a4995f67f2f4b72cbf8fb30fc16f970c57280e52
   Attribute 79 (EAP-Message) length=6
      Value: 03760004
   Attribute 80 (Message-Authenticator) length=18
      Value: 7a76d76bdbeb97df7f971b0498d6f03d
   Attribute 12 (Framed-MTU) length=6
      Value: 1014
   Attribute 18 (Reply-Message) length=30
      Value: 'authenticated using TLS 1.3!'
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=5
      Value: 363427
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
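eapol_test prints the tunnel attributes as raw hex, so it is worth decoding them rather than trusting the eye. The following checker is an added example, not part of the original page or of radsecproxy: it parses the Access-Accept dump in eapol_test's layout, strips the RFC 2868 tag byte, and flags a Tunnel-Private-Group-Id that is not a bare VLAN number. Fed the values above, it decodes attribute 81 (363427) as the string "64'", i.e. the closing quote of addAttribute 81:'64' was sent on the wire, which is why the configurations on this page use addAttribute 81:64 without quotes.

```python
import re

# Constructed sample: the Access-Accept part of the eapol_test dump above,
# in eapol_test's own layout and with the page's attribute values unchanged.
ACCESS_ACCEPT = """\
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=5
      Value: 363427
"""

ATTR_RE = re.compile(r"Attribute (\d+) \([\w-]+\) length=\d+\s+Value: (\S+)")
TUNNEL_TYPE_VLAN = 13   # RFC 2868 Tunnel-Type VLAN, set by addAttribute 64:13
TUNNEL_MEDIUM_802 = 6   # RFC 2868 Tunnel-Medium-Type IEEE 802, addAttribute 65:6


def parse_attributes(dump):
    """Map attribute number -> list of raw Value strings found in the dump."""
    attrs = {}
    for num, value in ATTR_RE.findall(dump):
        attrs.setdefault(int(num), []).append(value)
    return attrs


def strip_tag(raw_hex):
    """Drop the optional RFC 2868 Tag byte (0x00..0x1F) of a tunnel attribute."""
    data = bytes.fromhex(raw_hex)
    return data[1:] if data and data[0] <= 0x1F else data


def decode_vlan(dump):
    """Decode attributes 64/65/81 and list anything a switch or WLC would reject."""
    attrs = parse_attributes(dump)
    missing = [a for a in (64, 65, 81) if a not in attrs]
    if missing:
        raise ValueError(f"Access-Accept lacks tunnel attribute(s) {missing}")
    tunnel_type = int.from_bytes(strip_tag(attrs[64][0]), "big")
    medium = int.from_bytes(strip_tag(attrs[65][0]), "big")
    vlan = strip_tag(attrs[81][0]).decode("ascii", "replace")
    problems = []
    if tunnel_type != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type {tunnel_type} is not VLAN (13)")
    if medium != TUNNEL_MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type {medium} is not IEEE 802 (6)")
    if not vlan.isdigit():
        # 363427 decodes to "64'": the quote from addAttribute 81:'64' went on the wire
        problems.append(f"Tunnel-Private-Group-Id {vlan!r} is not a bare VLAN number")
    return {"tunnel_type": tunnel_type, "medium": medium, "vlan": vlan,
            "problems": problems}
```

Run it against the dump of your own test to confirm that decode_vlan reports an empty problems list before rolling the configuration out.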