Dies ist eine alte Version des Dokuments!

Für Admins: Konfiguration von VLAN's in easyroam

Ausgangslage

Selbstverständlich lassen sich auch VLAN's in easyroam konfigurieren. Ausgangskonfiguration ist typische RadSec Anbindung eines eduroam IdP's in easyroam am Beispiel des radsecproxy: 

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### lokal WLAN stuff ####

client wlan_controllser {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}
########## PKI stuff ####
tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem

###### Federationserver stuff ###

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
##### Realm stuff ###

realm * {
 server tld1
 server tld2
 server tld3
}

Alle in ein VLAN

Besteht nun die Aufgabe darin, alle eduroam/easyroam Nutzende in ein VLAN zu leiten, kann die Konfiguration wie folgt aussehen: 

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### lokal WLAN stuff ####

client wlan_controllser {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}

###### VLAN staff #####

rewrite addVLAN {
 removeAttribute        64
 removeAttribute        65
 removeAttribute        81
 addAttribute           64:13
 addAttribute           65:6
 addAttribute           81:'64'
}


###### PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem

####### Federationsserver stuff ####

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        rewriteIN addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        rewriteIN addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        rewriteIn addVLAN
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####

realm * {
 server tld1
 server tld2
 server tld3
}

Institutseigene Nutzende in privilegierte VLAN's

Besteht die Aufgabe darin die eigenen easyroam Nutzenden in ein privilegiertes VLAN zu leiten, wird eine zusätzliche radsecproxy Instanz benötigt und die angepasste die angepasste Ausgangskonfiguration: 

ListenUDP               *:1812
ListenUDP               *:1813

LogDestination         file:///var/log/rsp1.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

####### lokal WLAN stuff ####

client wlan_controllser {
     host <ip-addr>
     type udp 
     secret for_your_eyes_only
}

#### local loop server ####

server localloop {
       host  127.0.0.1
       type udp
       port 21812
       secret for_your_eyes_only
}
########## PKI stuff ####

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem

###### Federationserver stuff ###

server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

##### Realm stuff ###

realm /@easyroam(-pca)?<instistut-realm>$/ {
        server localhost-add-vlan
}

realm * {
 server tld1
 server tld2
 server tld3
}
listenUDP               *:21812

LogDestination         file:///var/log/rsp2.log
LoopPrevention         on
LogThreadId            on
LogLevel                5

rewrite addVLAN {
 removeAttribute        64
 removeAttribute        65
 removeAttribute        81
 addAttribute           64:13
 addAttribute           65:6
 addAttribute           81:'64'
}

tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca-io.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-io-key.pem
}

###### VLAN stuff #####

client localloop {
 host 127.0.0.1
 rewriteOUT addVLAN
 type udp
 secret for_your_eyes_only
}

###### PKI stuff ####
tls eduroamPKI {
        CACertificateFile  /etc/radsec/certs/eduroam-ca/eduroam-root-ca.pem
        CertificateFile    /etc/radsec/certs/eduroam-ca/eduroam-ca.pem
        CertificateKeyFile /etc/radsec/certs/eduroam-ca/eduroam-ca-key.pem

####### Federationsserver stuff ####
server  tld1 {
        host  193.174.75.134
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld2 {
        host  193.174.75.138
        certificatenamecheck off
        statusserver on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}
server  tld3 {
        host  194.95.245.98
        certificatenamecheck off
        statusServer on
        tls eduroamPKI
        type tls
        matchCertificateAttribute SubjectAltName:DNS:/^(tld(1|2|3)\.eduroam\.de)$/
}

###### realm stuff #####
realm realm /@easyroam(-pca)?<instituts-realm>$/ {
 server tld1
 server tld2
 server tld3
}

Der Test

Mit eapol_test lässt sich belegen, dass die Attribute für VLAN's korrekt im Access-Accept Paket hinzugefügt werden. 

RADIUS message: code=1 (Access-Request) identifier=10 length=172
   Attribute 1 (User-Name) length=41
      Value: '6174679189648274680@easyroam-pca.dfn.de'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '01-02-03-04-05-06'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 027600060d00
   Attribute 24 (State) length=18
      Value: b612453ebf644846e972f432c6e1f044
   Attribute 80 (Message-Authenticator) length=18
      Value: 55db7a5260c3d9bdb57ffed6fb60d00c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 213 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=10 length=213
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371134f24cb208f259170dece11267dd832f5db022cc25ecccf43ab0bba337542e791cb499a1e7f54de5aeed4b12e7096322364985
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371034f8f94f60008d191dacb6130ab970e33ac8d930b08a3e2fcdd799cfec4b28a4995f67f2f4b72cbf8fb30fc16f970c57280e52
   Attribute 79 (EAP-Message) length=6
      Value: 03760004
   Attribute 80 (Message-Authenticator) length=18
      Value: 7a76d76bdbeb97df7f971b0498d6f03d
   Attribute 12 (Framed-MTU) length=6
      Value: 1014
   Attribute 18 (Reply-Message) length=30
      Value: 'authenticated using TLS 1.3!'
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=5
      Value: 363427
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 0.01 sec

Der vereitelte Missbrauch

Denkbar wäre mit einem gültigen easyroam Pseudozertifikat und einer gefälschten äußeren Identität die VLAN - Konfiguration auszutricksen. 

RADIUS message: code=1 (Access-Request) identifier=9 length=512
   Attribute 1 (User-Name) length=47
      Value: '6090495638272782046@easyroam-pca.hs-bremen.de'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '01-02-03-04-05-06'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=255
      Value: 025301520d001cc745f566f6e1db7da12a54b3a704752605db18a5feadfc6b712a5752cc55fa4d30b1ea6939e554c125abad9baa021de89084170a4a5329ff921de081d66f5e723f40218b2bf02d920861f0d8a58d5eee192a15b9efe30b4e88c088a164820e39defa4d4932f378c63c5ff6dd81aa9dc1e99074d5b0b55e4610f43921f9b87635e0b25d459932e487b4b1922c72908c61446426322e045572d1c4993055af0d6cf6802c8f309a1f9a8938569c55c7d56c342a2db8d62f476fa0bd675b1b1fb11bed8fa250d74b784fcce6c08926661c5ebbdeacf9efed92fd93754b7609b7b21031139b1d009a4a283eca43c4eea2834194e3be0106a0
   Attribute 79 (EAP-Message) length=87
      Value: 658b2a75e1a604eba14b471703030045a45488cbd0bb4f384f3eac28b508c5570cda191777a1f52e441777b7157b9523f79460c14a6b36ac0a822e8d87c06987e9c544ec042d800bd89d6d4e4316f503fe9ffb4993
   Attribute 24 (State) length=18
      Value: dc601456d433191b4f47ced99740beb9
   Attribute 80 (Message-Authenticator) length=18
      Value: 4da1f1ff96885d12ffcedd294abf0d28
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 180 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=9 length=180
   Attribute 79 (EAP-Message) length=6
      Value: 04530004
   Attribute 80 (Message-Authenticator) length=18
      Value: e41108844ff36ce95446be4533ebc58a
   Attribute 18 (Reply-Message) length=136
      Value: 'Certificate CN 6174679189648274680@easyroam-pca.dfn.de does not match specified value (6090495638272782046@easyroam-pca.hs-bremen.de)!'
STA 01:02:03:04:05:06: Received RADIUS packet matched with a pending request, round trip time 1.01 sec

Kombinieren

Die angeführten Beispiele lassen sich beliebig kombinieren. In den Beispielen werden zwei Uplinks zu den Föderationsservern etabliert. Es ist aber auch möglich mit einem Beinchen zu den Föderationsservern VLAN's für die eigenen easyroam Nutzenden zu konfigurieren. Auch gezielt, easyroam Nutzende (extern/interne) in privilegierte VLAN's zu leiten, ist möglich. Das entscheidet jedoch lokal jeder Admin selbst.

  • Zuletzt geändert: vor 10 Monaten