...
Here we replicate the relevant parts of the installation configuration already present on server.lastschl.av as a starting point.
Base virtual machine preparation
...
Added a second Ethernet adapter in settings, attached to "Bridged adapter", and re-initialized its MAC address
Increased the allocated CPUs to 2
The host computer has two network interfaces, one connected to a network uplink and another connected to a couple of wifi routers. Each VirtualBox virtual interface is bridged to a different physical adapter. The network configuration is now as follows (interface name seen in guest OS - Adapter name in VirtualBox settings - Adapter "Attached to" setting in VirtualBox settings - Physical interface bridged to):
- enp0s3 - Adapter 1 - Bridged adapter - physical interface connected to uplink
- enp0s8 - Adapter 2 - Bridged adapter - physical interface connected to wifi routers
Booted the VM, logged in to the GUI, connected using DHCP with network manager
In terminal:

```sh
rm /etc/apt/apt.conf.d/02proxy
apt-get update
apt-get upgrade
```
...
```text
root@debian9-base:~# cat /etc/dnsmasq.conf | grep -v "^#" | grep -v "^$"
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
root@debian9-base:~# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq {
    rotate 731
    daily
    nomissingok
    notifempty
    delaycompress
    compress
    dateext
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
root@debian9-base:~# cat /etc/hostname
server.test.av
root@debian9-base:~# cat /etc/hosts
127.0.0.1       localhost
192.168.9.1     test.av
192.168.9.1     server.test.av server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
New stuff
Now that we have a working setup similar to the production one, we will modify it to implement the new solution.
Download the latest version of the attached shwl_add_shwl_del_sl_pmu archive and extract it somewhere convenient.
...
Modify /etc/freeradius/3.0/sites-available/default and comment out the following lines (see the comments included in the code block):

```text
# All the listen sections except the IPv4 version with "type = auth"
listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
}
listen {
    type = auth
    ipv6addr = ::   # any.  ::1 == localhost
    port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
listen {
    ipv6addr = ::
    port = 0
    type = acct
    limit {
    }
}

# In the authorize section:
chap
mschap
digest
files
-ldap
pap

# In the authenticate section:
Auth-Type PAP {
    pap
}
Auth-Type CHAP {
    chap
}
Auth-Type MS-CHAP {
    mschap
}
mschap
digest
```
...
Modify /etc/logrotate.d/freeradius, changing the following options as shown (the 'dateext' option needs to be added):

```text
rotate 732
nomissingok
dateext # Needs to be added
```
```sh
rm /var/log/freeradius/radius.log
rm /var/log/freeradius/radwtmp
chmod o-rwx /var/log/freeradius
chown freerad:freerad /var/log/freeradius
chmod o-rwx /etc/freeradius
```
...
It has been observed that radius.log is created with world-readable permissions when the package is installed; deleting it causes FreeRADIUS to re-create it, and the re-created file has more restrictive permissions. /etc/freeradius also ships with the executable (search) bit set for all users, which makes sensitive information inside it easier to expose as world-readable whenever the permissions of an individual file are not restrictive enough (as was, by default, the case with the file containing the encryption passwords for the SSL certificates). No information could be found online on whether there is a good reason for the executable bit being set, so it was decided that it is safer to remove it.
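As an added check, not part of the original page or of the shwl_add_shwl_del_sl_pmu archive, the following POSIX shell script reports what users outside the owning user and group can still reach under a directory tree, i.e. exactly the conditions the chmod o-rwx steps above remove from /etc/freeradius and /var/log/freeradius; it is worth re-running after package upgrades.

```sh
#!/bin/sh
# Added example, not part of the original page: report what users outside the
# owning user/group can still reach under a directory tree. These are exactly
# the conditions the chmod o-rwx steps above remove from /etc/freeradius and
# /var/log/freeradius. Exit status = number of findings (0 means clean).

# Regular files readable by "other" (mode bit 0004), one path per line.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Directories searchable by "other" (mode bit 0001), one path per line.
# A searchable directory lets any local user open a file inside it by name,
# so one lax file mode (as with the certificate password file) exposes it.
other_searchable_dirs() {
    find "$1" -type d -perm -001 2>/dev/null | sort
}

# Number of lines printed by a command (0 for empty output).
count_lines() {
    n=$("$@" | wc -l)
    echo $((n + 0))
}

# audit_other_access DIR... : print each finding, then a total; the total is
# also the return value (the shell caps it at 255; the printed line is exact).
audit_other_access() {
    total=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "SKIP (not a directory): $d"
            continue
        fi
        world_readable_files "$d" | sed 's/^/WORLD-READABLE FILE: /'
        other_searchable_dirs "$d" | sed 's/^/OTHER-SEARCHABLE DIR: /'
        f=$(count_lines world_readable_files "$d")
        s=$(count_lines other_searchable_dirs "$d")
        total=$((total + f + s))
    done
    echo "findings: $total"
    return "$total"
}

# When run directly with directory arguments, audit them, e.g.
#   sh audit_other_access.sh /etc/freeradius /var/log/freeradius
if [ "$#" -gt 0 ]; then
    audit_other_access "$@"
fi
```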
Certificates
Modify /etc/freeradius/3.0/certs/server.cnf and set the following settings:

```ini
...
[ req ]
...
input_password = password  # Replace with an actual password
output_password = password # Replace with an actual password, should be same as input_password
...
[certificate_authority]
countryName = IN
stateOrProvinceName = Tamil Nadu
localityName = Auroville
organizationName = Test
emailAddress = admin@test.av
commonName = "Test Certificate Authority"
...
```
...
```ini
...
[ CA_default ]
...
crlDistributionPoints = URI:http://server.test.av/test_ca.crl

[ req ]
...
input_password = password  # Replace with an actual password
output_password = password # Replace with an actual password, should be same as input_password

[server]
countryName = IN
stateOrProvinceName = Tamil Nadu
localityName = Auroville
organizationName = Test
emailAddress = admin@test.av
commonName = "Test Server Certificate"

[v3_ca]
...
crlDistributionPoints = URI:http://server.test.av/test_ca.crl
...
```
```sh
cd /etc/freeradius/3.0/certs
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* # This step is probably not needed '@@@'
make ca.pem
make ca.der
make server.pem
make server.csr
chown freerad:freerad *
chmod o-rwx *
rm bootstrap
rm passwords.mk
# Delete all other files in the folder except: server.cnf, ca.cnf, xpextensions, Makefile, README, dh, ca.pem, server.pem, server.key
```
...
```text
private_key_password = password # Replace password with the password chosen previously '@@@' same or different?
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem
```
...
```text
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "freerad"
password = ""
radius_db = "radius"
logfile = ${logdir}/sqllog.sql # @@@ Do we need this?
```
Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel and find the following line under the authorize, post-auth and Post-Auth-Type REJECT sections:
...
Prerequisites from the steps above: sudo, the FreeRADIUS Python module / script_launcher.py script, Shorewall, FreeRADIUS MySQL
...
```text
*/1 * * * * /usr/local/sbin/shwl_del.sh # '@@@' figure out optimal interval
```
...
```sh
....
# Settings
cfg_shwl_zone="wifi1"                   # Shorewall dynamic zone to which client devices' IP addresses need to be added
# '@@@' figure out a few optimal intervals
cfg_shwl_retry_delay=2                  # Number of seconds to wait, in case of failure in adding IP to shorewall dynamic zone, before attempting second time
cfg_file_location="/var/local/shwl_add" # Folder where runtime information will be stored
cfg_file_location_owner_user="freerad"  # User by which above folder should be owned
cfg_file_location_owner_group="freerad" # Group by which above folder should be owned
cfg_ip_srch_iface="enp0s8"              # Network interface on which to scan for devices
cfg_ip_srch_initial_delay=0.75          # How many seconds to wait before first attempt at scanning
cfg_ip_srch_retry_delay=4               # How many seconds to wait in between further attempts at scanning
cfg_ip_srch_max_attempts=50             # Maximum number of attempts at scanning before giving up
cfg_mysql_user="freerad"                # MySQL username
cfg_mysql_db="shwl_add_shwl_del_pmu"    # MySQL database name where to log events
cfg_mysql_log_table="event_log"         # Table in MySQL database where to log events
....
```
...
```sh
....
# Settings
cfg_ip_match_pattern="192.168."         # Pattern to match all IP addresses that might be in the shorewall dynamic zone
# '@@@' figure out a few optimal intervals
cfg_session_expiry_timeout=3660         # Session duration (should be slightly longer than Session-Timeout attribute specified in FreeRADIUS)
cfg_shwl_zone="wifi1"                   # Shorewall dynamic zone containing clients' IP addresses
cfg_file_location="/var/local/shwl_add" # Folder where runtime information is stored
cfg_file_location_owner_user="freerad"  # User by which above folder should be owned
cfg_file_location_owner_group="freerad" # Group by which above folder should be owned
cfg_mysql_user="freerad"                # MySQL username
cfg_mysql_db="shwl_add_shwl_del_pmu"    # MySQL database name where to log events
cfg_mysql_log_table="event_log"         # Table in MySQL database where to log events
....
```
...