Introduction
Components involved
Installation
Replication of production setup
Here, we replicate the relevant parts of the present installation as a starting point.
Imported ~/Documents/Debian9-base.ova as Debian9-base_8021x, re-initializing all MAC addresses
Added eth adapter 2, re-init MAC
CPU, increase to 2
added eth1 mac address to server DHCP config, 192.168.10.52
server shwl add 52
Booted, disconnected eth2 because of errors
Logged in to GUI, connected DHCP
apt-get update
apt-get upgrade
reboot VM
rm 02proxy
set better ls and root passwords
installed ssh pub key in root
| Code Block |
|---|
apt-get install shorewall
apt-get install ipset
mv /etc/shorewall{,-orig}
mkdir /etc/shorewall
root@server.lastschl:~# scp /etc/shorewall/* root@192.168.10.52:/etc/shorewall/
#commented all entries related to loc and vpn zones (including dynamic zone man) in all files
#removed all MAC addresses of wifi clients
|
| Code Block |
|---|
cp -r shorewall{,-remove-loc-vpn-man-wifimac}
updated interface names in interfaces, masq
cp -r shorewall{,-updated-interfaces}
/etc/default/shorewall startup=1
removed postfix, proxy rules (did not update config backups)
added shorewall rules _apt |
| Code Block |
|---|
systemctl enable shorewall.service
systemctl disable network-manager.service
systemctl disable NetworkManager.service
root@server.lastschl:~# scp /etc/network/interfaces 192.168.10.52:/etc/network/
updated interface names, removed loc interface, and updated net ip
unlink /etc/resolv.conf
echo nameserver 192.168.10.1 > /etc/resolv.conf |
| Code Block |
|---|
root@server.lastschl:~# scp /etc/rsyslog.d/40-shorewall.conf 192.168.10.52:/etc/rsyslog.d/
root@server.lastschl:~# scp /etc/logrotate.d/shorewall 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.d/rsyslog 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.conf 192.168.10.52:/etc/
mkdir /etc/ltsp
root@server.lastschl:~# scp /etc/ltsp/dhcpd.conf 192.168.10.52:/etc/ltsp/
root@server.lastschl:~# scp /etc/dhcp/dhcpd.conf 192.168.10.52:/etc/dhcp/
apt-get install isc-dhcp-server
/etc/default/isc-dhcp-server
removed 10 network from dhcp
lastschl.av to test.av
removed MAC reservations |
Configure DNS (based on LASTSCHL-211):
| Code Block |
|---|
apt-get install dnsmasq
touch /var/log/dnsmasq
chmod 640 /var/log/dnsmasqSet in /etc/dnsmasq.conf |
| Code Block |
|---|
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
|
/etc/logrotate.d/dnsmasq| Code Block |
|---|
/var/log/dnsmasq
{
rotate 730
daily
nomissingok
notifempty
delaycompress
compress
dateext
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
} |
/etc/hostname
| Code Block |
|---|
debian9-base.test.av |
/etc/hosts
| Code Block |
|---|
127.0.0.1 localhost
192.168.9.1 test.av
192.168.9.1 server.test.av server
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters |
packages: shorewall
New stuff
FreeRADIUS
packages: freeradius
Modified /etc/freeradius/3.0/mods-available/eap:
commented the following:
| Code Block |
|---|
....
# md5 {
# }
....
# leap {
# }
....
# gtc {
# # The default challenge, which many clients
# # ignore..
# #challenge = "Password: "
#
# # The plain-text response which comes back
# # is put into a User-Password attribute,
# # and passed to another module for
# # authentication. This allows the EAP-GTC
# # response to be checked against plain-text,
# # or crypt'd passwords.
# #
# # If you say "Local" instead of "PAP", then
# # the module will look for a User-Password
# # configured for the request, and do the
# # authentication itself.
# #
# auth_type = PAP
# }
....
# tls {
# # Point to the common TLS configuration
# tls = tls-common
#
# #
# # As part of checking a client certificate, the EAP-TLS
# # sets some attributes such as TLS-Client-Cert-CN. This
# # virtual server has access to these attributes, and can
# # be used to accept or reject the request.
# #
# # virtual_server = check-eap-tls
# }
.... |
modified the 'default_eap_type' directive under section 'eap' to be:
| Code Block |
|---|
default_eap_type = peap |
and the 'default_eap_type' directive under section 'ttls' to be:
| Code Block |
|---|
default_eap_type = mschapv2 |
Modify /etc/freeradius/3.0/clients.conf, comment the 'client localhost' and 'client localhost_ipv6' section and add a few of these blocks at the end, one for each wifi router:
| Code Block |
|---|
client test1 { # Replace test1 with a name for the router
ipaddr = 192.168.9.2 # Replace with IP of the router
secret = password # Replace with an actual password
} |
Certificates
as freerad?
Modified "@@@"
as freerad ("@@@" right way to do it?):
| Code Block |
|---|
cd /etc/freeradius/3.0/certs
make |
Modify /etc/freeradius/3.0/mods-available/eap, modify the following directives under section 'tls-config tls-common' to be:
| Code Block |
|---|
private_key_password = password # Replace password with the password chosen previously
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem |
MySQL
Python module / script_launcher.py script
| Code Block |
|---|
cd /etc/freeradius/3.0/
ln -s mods-available/python mods-enabled/ |
Put the following in it:
| Code Block | ||
|---|---|---|
| ||
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
module = script_launcher # @#$dy
python_path = ${modconfdir}/${.:name}:/usr/lib/python2.7 # @#$dy
mod_post_auth = ${.module} # @#$dy
func_post_auth = post_auth # @#$dy
}
|
Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel:
| Code Block | ||
|---|---|---|
| ||
...
# Add this line just after 'sql' in the 'post-auth' section
python
... |
Modify /etc/freeradius/3.0/mods-available/eap, modified the 'copy_request_to_tunnel' directive under both sections 'peap' and 'ttls' to be:
| Code Block |
|---|
copy_request_to_tunnel = yes |
Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py
Shorewall
sudo
packages: sudo
shwl_add / shwl_del scripts
packages: arp-scan
| Code Block |
|---|
apt-get install arp-scan
# Install the scripts in /usr/local/sbin/, and configure settings in each of them
chown root:freerad /usr/local/sbin/shwl_*
chmod 750 /usr/local/sbin/shwl_* |
Add the following line to freerad's crontab
| Code Block |
|---|
*/1 * * * * /usr/local/sbin/shwl_del.sh # @#$dy # @@@ figure out optimal interval |
MySQL
pam_to_mysql_update.sh script
Pre-requisites from above steps: sudo, shwl_add / shwl_del scripts MySQL config, FreeRADIUS MySQL config
| Code Block |
|---|
apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Put the script in here, and configure MySQL settings inside
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd
|
Add the following line at the end of /etc/pam.d/common-auth or as may be appropriate to the PAM configuration of the system:
| Code Block | ||
|---|---|---|
| ||
...
auth required pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/ |
Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:
...
| title | /etc/pam.d/common-password |
|---|
...
Child page description:
Overview - Description of the solution and documentation of custom scripts
Installation - Instructions on installing, and attachment containing scripts