Installation
Replication of production setup
Here, we replicate the relevant configuration already present on server.lastschl.av as a starting point. The test virtual machine will have two network interfaces, one serving as uplink on a 192.168.10.0/24 network (IP 192.168.10.52), and one to connect to the wifi routers/clients on a 192.168.9.0/24 network (IP 192.168.9.1). The FQDN will be server.test.av.
Base virtual machine preparation
Imported Last School's Debian9 VM template "Debian9-base.ova" into VirtualBox as Debian9-base_8021x, re-initializing all MAC addresses. The description for this virtual machine template is:
...
Installed my ssh public key in root's .ssh/authorized_keys file.
Installation of relevant services:
Shorewall (based on LASTSCHL-207):
...
root@debian9-base:~# cat /etc/dnsmasq.conf | grep -v "^#" | grep -v "^$"
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
root@debian9-base:~# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq {
    rotate 731
    daily
    nomissingok
    notifempty
    delaycompress
    compress
    dateext
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
root@debian9-base:~# cat /etc/hostname
server.test.av
root@debian9-base:~# cat /etc/hosts
127.0.0.1 localhost
192.168.9.1 test.av
192.168.9.1 server.test.av server

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
New stuff
Now that we have a working setup similar to the production one, we will modify it to implement the new solution.
Download the latest version of the attached shwl_add_shwl_del_sl_pmu archive and extract it somewhere convenient.
Shorewall
Add to /etc/shorewall/hosts:
...
# At the top of the file:
?SECTION ALL
# Allow the server and NASes to talk RADIUS and HTTP (web interface)
ACCEPT wifi:192.168.9.2,192.168.9.3,192.168.9.4 $FW tcp - 80
ACCEPT $FW wifi:192.168.9.2,192.168.9.3,192.168.9.4 tcp 80 -
ACCEPT wifi:192.168.9.2,192.168.9.3,192.168.9.4 $FW udp 1812 -
ACCEPT $FW wifi:192.168.9.2,192.168.9.3,192.168.9.4 udp - 1812
# But, reject anything else to and from any other device part of the 192.168.9.0/24 network that is not part of any dynamic zone
REJECT wifi all - - -
REJECT all wifi - - -
?SECTION NEW
# At the end of the file:
ACCEPT:INFO(uid) wifi:192.168.9.2,192.168.9.3,192.168.9.4 $FW udp 1812
FreeRADIUS
apt-get install freeradius
systemctl enable freeradius.service
...
It has been observed that radius.log is created world-readable when the package is installed; deleting it makes FreeRADIUS re-create it, and the re-created file has more restrictive permissions. /etc/freeradius also comes with the execute (traverse) bit set for all users, which makes it easier for sensitive information inside it to end up world-readable whenever an individual file's permissions are not restrictive enough (as was, by default, the case with the file containing the encryption passwords for the SSL certificates). No information could be found on whether there is a good reason for the execute bit being set, so it was decided that removing it is the safer option.
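The two findings above (a world-traversable configuration directory and a world-readable secrets file inside it) are easy to check for mechanically. The following is an added example, not code from the original page: it audits a directory tree for "other" read and traverse bits and strips them. The demo tree it builds is a constructed stand-in for /etc/freeradius/3.0 (a temporary directory with a file named like FreeRADIUS's certs/passwords.mk), not the real installation.

```python
import os
import stat
import tempfile

# Bits that make a file readable, or a directory traversable, by "other".
WORLD_READ = stat.S_IROTH
WORLD_EXEC = stat.S_IXOTH


def audit_permissions(root):
    """Walk `root` and report what an unprivileged local user could reach.

    Returns two sorted lists of (path, mode as octal string):
      loose_dirs  - directories with the "other" execute (traverse) bit
      loose_files - regular files with the "other" read bit
    Symlinks and special files are skipped, so a link pointing outside
    `root` is neither followed nor reported.
    """
    loose_dirs = []
    loose_files = []
    for dirpath, dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & WORLD_EXEC:
            loose_dirs.append((dirpath, "%04o" % mode))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & WORLD_READ:
                loose_files.append((path, "%04o" % mode))
    return sorted(loose_dirs), sorted(loose_files)


def tighten_permissions(root):
    """Strip every "other" bit (rwx) from directories and regular files
    under `root`, the equivalent of `chmod -R o-rwx`. Returns the number
    of entries whose mode actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(path)
            if not (stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode)):
                continue
            mode = stat.S_IMODE(st.st_mode)
            new_mode = mode & ~stat.S_IRWXO
            if new_mode != mode:
                os.chmod(path, new_mode)
                changed += 1
    return changed


def build_demo_tree():
    """Constructed stand-in for /etc/freeradius/3.0 (NOT the real directory):
    the config dir and its certs subdir are world-traversable and the
    certificate password file is world-readable, mirroring the situation
    described above. radiusd.conf is left at 0640 as a control."""
    root = tempfile.mkdtemp(prefix="freeradius-demo-")
    os.chmod(root, 0o755)
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    os.chmod(certs, 0o755)
    pw_file = os.path.join(certs, "passwords.mk")
    with open(pw_file, "w") as fh:
        fh.write("PASSWORD_SERVER = demo-only\n")  # constructed content
    os.chmod(pw_file, 0o644)
    conf = os.path.join(root, "radiusd.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(conf, 0o640)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("before:", audit_permissions(demo))
    print("changed:", tighten_permissions(demo))
    print("after:", audit_permissions(demo))
```

Run against the real tree as root (`audit_permissions("/etc/freeradius/3.0")`) to list what is exposed before deciding what to tighten; `tighten_permissions` is deliberately blunt and should be applied only after reviewing that list.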
Certificates
Modify /etc/freeradius/3.0/certs/server.cnf, set the following settings:
...
private_key_password = password # Replace password with the password chosen previously '@@@' same or different?
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem
MySQL
apt-get install mysql-server freeradius-mysql
mysql -uroot
CREATE DATABASE radius;
exit
mysql -uroot radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
...
In the authorize section, comment it out.
Python module / script_launcher.py script
apt-get install libpython2.7-dev # It is not fully sure whether this package is needed
cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/python python
...
copy_request_to_tunnel = yes
Place the script_launcher.py script from the shwl_add_shwl_del_sl_pmu archive at /etc/freeradius/3.0/mods-config/python/script_launcher.py
chown freerad:freerad /etc/freeradius/3.0/mods-config/python/script_launcher.py
chmod 640 /etc/freeradius/3.0/mods-config/python/script_launcher.py
sudo
apt-get install sudo
...
freerad ALL=(root:root) NOPASSWD:/sbin/shorewall,/usr/bin/arp-scan
shwl_add / shwl_del scripts
Prerequisites from above steps: sudo, FreeRADIUS python module / script_launcher.py script, shorewall, FreeRADIUS MySQL
...
....
# Settings
cfg_ip_match_pattern="192.168." # Pattern to match all IP addresses that might be in the shorewall dynamic zone
cfg_session_expiry_timeout=3660 # Session duration (should be slightly longer than Session-Timeout attribute specified in FreeRADIUS)
cfg_shwl_zone="wifi1" # Shorewall dynamic zone containing clients' IP addresses
cfg_file_location="/var/local/shwl_add" # Folder where runtime information is stored
cfg_file_location_owner_user="freerad" # User by which above folder should be owned
cfg_file_location_owner_group="freerad" # Group by which above folder should be owned
cfg_mysql_user="freerad" # MySQL username
cfg_mysql_db="shwl_add_shwl_del_pmu" # MySQL database name where to log events
cfg_mysql_log_table="event_log" # Table in MySQL database where to log events
....
MySQL
mysql -uroot
CREATE DATABASE shwl_add_shwl_del_pmu;
GRANT ALL on shwl_add_shwl_del_pmu.event_log TO 'freerad'@'localhost';
exit
mysql -uroot shwl_add_shwl_del_pmu < shwl_add_shwl_del_pmu.sql # Replace shwl_add_shwl_del_pmu.sql with the full path of the shwl_add_shwl_del_pmu.sql file extracted from the shwl_add_shwl_del_sl_pmu archive
pam_to_mysql_update.sh script
Prerequisites from above: sudo, FreeRADIUS MySQL, shwl_add / shwl_del scripts MySQL
...