Blue Light
Space shortcuts
Child pages
  • Installation

Versions Compared

Old Version 5

changes.mady.by.user Dyuman

Saved on

compared with

New Version Current

changes.mady.by.user Dyuman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Here, we replicate the relevant configuration already present on server.lastschl.av as a starting point. The test virtual machine will have two network interfaces, one serving as uplink on a 192.168.10.0/24 network (IP 192.168.10.52), and one to connect to the wifi routersNASes/clients supplicants on a 192.168.9.0/24 network (IP 192.168.9.1). The FQDN will be server.test.av.

...

The host computer has two network interfaces, one connected to a network uplink and another connected to a couple of wifi routersNASes. Each VirtualBox virtual interface is bridged to a different physical adapter. Network configuration is now as follows (interface name seen in guest OS - Adapter name in VirtualBox settings - Adapter "Attached to" setting in VirtualBox settings - Physical interface bridged to):

...

enp0s8 - Adapter 2 - Bridged adapter - physical interface connected to wifi routersNASes

Booted the VM, logged in to the GUI, connected using DHCP with network manager

...

Code Block
root@debian9-base:/etc/shorewall# for i in `ls`; do echo "========= $i ========="; cat $i | grep -v "^#" | grep -v "^$"; echo "========= $i ========="; echo ""; done
========= hosts =========
========= hosts =========

========= interfaces =========
net     enp0s3         detect      tcpflags,dhcp,nosmurfs,routefilter,logmartians
wifi	enp0s8		   detect	   tcpflags,nosmurfs,routefilter,logmartians
========= interfaces =========

========= masq =========
enp0s3					   192.168.9.0/24
========= masq =========

========= policy =========
$FW		net		REJECT		INFO(uid)
$FW		wifi	ACCEPT		INFO(uid)
wifi	all		REJECT
net		all		DROP		INFO
all		all		REJECT		info
========= policy =========

========= routestopped =========
========= routestopped =========

========= rules =========
Invalid(DROP)		 net			 all
ACCEPT:INFO(uid)     net             $FW             			$FW			tcp     22
ACCEPT:INFO(uid)     net             $FW             			$FW			udp     123
ACCEPT:INFO(uid)     net	     		 $FW	     		 icmp
ACCEPT:INFO(uid)     $FW			net			tcp     465,587,995,993
ACCEPT:INFO(uid)        net$FW			net			udp             tcp     465,587,995,99353,123
ACCEPT:INFO(uid)     $FW			net			icmp
ACCEPT:INFO(uid)     $FW			net			tcp      -  net          -   udp     53,123
ACCEPT:INFO(uid)     $FW	  -   	 net	     	 icmp
ACCEPT:INFO(uid)     $FW-             net  root
ACCEPT:INFO(uid)           tcp$FW			net			udp      -            -               -               -               root
ACCEPT:INFO(uid)     $FW             net       			net			icmp      udp     -            -               -               -               root
ACCEPT:INFO(uid)     $FW			net			tcp     -        net    -         icmp    -  -          -     -          -     _apt
ACCEPT:INFO(uid)     $FW			net			udp     -            -   root
ACCEPT:INFO(uid)     $FW       -      net         -    tcp     -      _apt
ACCEPT:INFO(uid)      -$FW			net			icmp    -            -               -               _apt
ACCEPT:INFO(uid)-     $FW          _apt
========= rules  net             udp     -            -               -               - =========

========= shorewall.conf =========
....
STARTUP_ENABLED=Yes
....
IP_FORWARDING=On
....
========= shorewall.conf =========

========= zones =========
fw			firewall
net			ipv4
wifi		ipv4
========= zones =========

In /etc/default/shorewall, set

Code Block
startup=1
Code Block
root@debian9-base:~# cat /etc/rsyslog.d/40-shorewall.conf 
:msg, contains, "Shorewall:" /var/log/shorewall
& stop

root@debian9-base:~# cat /etc/logrotate.d/shorewall 
/var/log/shorewall-init.log {
    weekly
    rotate 108
    compress
    nomissingok
    create 0640 root adm
}

/var/log/shorewall
{
	rotate 731
	daily
	nomissingok
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
              _apt
ACCEPT:INFO(uid)     $FW             net             icmp    -            -               -               -               _apt
========= rules =========

========= shorewall.conf =========
....
STARTUP_ENABLED=Yes
....
IP_FORWARDING=On
....
========= shorewall.conf =========

========= zones =========
fw			firewall
net			ipv4
wifi		ipv4
========= zones =========

In /etc/default/shorewall, set

Code Block
startup=1
Code Block
endscript
}
root@debian9-base:~# cat /etc/logrotate.d/rsyslog 
/var/log/syslog
/var/log/auth.log
{
	rotate 731
	daily
	dateext
	nomissingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}

root@debian9-base:~# cat /etc/rsyslog.d/40-shorewalllogrotate.conf 
:msg, contains, "Shorewall:" /var/log/shorewall
& stop

root@debian9-base:~# cat /etc/logrotate.d/shorewall 
/var/log/shorewall-init.log {
    weekly
    rotate 108
    compress
    nomissingok
    create 0640 root adm
}

/var/log/shorewall
{
	rotate 731
	daily
	nomissingok
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
        endscript
}
root@debian9-base:~# cat /etc/logrotate.d/rsyslog 
/var/log/syslog
/var/log/auth.log
{
	rotate 731
	daily
	dateext
	nomissingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}

root@debian9-base:~# cat /etc/logrotate.conf 
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    nomissingok
    monthly
    create 0664 root utmp
    rotate 24
}

/var/log/btmp {
    nomissingok
    monthly
    create 0660 root utmp
    rotate 24
}

# system-specific logs may be configured here
Code Block
systemctl enable shorewall.service

 

Configure network and DHCP (based on LASTSCHL-212):

Code Block
systemctl disable network-manager.service
systemctl disable NetworkManager.service
unlink /etc/resolv.conf
echo nameserver 192.168.10.1 > /etc/resolv.conf
mkdir /etc/ltsp
Code Block
root@debian9-base:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The external interface
auto enp0s3
iface enp0s3 inet static
address 192.168.10.52
network 192.168.10.0
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.1
  
# The wifi interface
auto enp0s8
iface enp0s8 inet static
address 192.168.9.1
netmask 255.255.255.0
broadcast 192.168.9.255
 
root@debian9-base:~# cat /etc/dhcp/dhcpd# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    nomissingok
    monthly
    create 0664 root utmp
    rotate 24
}

/var/log/btmp {
    nomissingok
    monthly
    create 0660 root utmp
    rotate 24
}
# system-specific logs may be configured here
Code Block
systemctl enable shorewall.service

 

Configure network and DHCP (based on LASTSCHL-212):

Code Block
systemctl disable network-manager.service
systemctl disable NetworkManager.service
unlink /etc/resolv.conf
echo nameserver 192.168.10.1 > /etc/resolv.conf
mkdir /etc/ltsp
Code Block
root@debian9-base:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The external interface
auto enp0s3
iface enp0s3 inet static
address 192.168.10.52
network 192.168.10.0
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.1
  
# The wifi interface
auto enp0s8
iface enp0s8 inet static
address 192.168.9.1
netmask 255.255.255.0
broadcast 192.168.9.255
 
root@debian9-base:~# cat /etc/dhcp/dhcpd.conf | grep -v "^#" | grep -v "^$"
# Some of the following lines are there by default and are probably not required
ddns-update-style none;
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
include "/etc/ltsp/dhcpd.conf";
 
root@debian9-base:~# cat /etc/ltsp/dhcpd.conf 
#
# Default LTSP dhcpd.conf config file.
#

authoritative;

subnet 192.168.9.0 netmask 255.255.255.0 {
    range 192.168.9.40 192.168.9.250;
    option domain-name "test.av";
    option domain-name-servers 192.168.9.1;
    option broadcast-address 192.168.9.255;
    option routers 192.168.9.1;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/amd64";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/amd64/pxelinux.0";
    } else {
		filename "/ltsp/amd64/nbi.img";
	}
}
Code Block
apt-get install isc-dhcp-server

In /etc/default/isc-dhcp-server, set:

Code Block
INTERFACESv4="enp0s8"

 

 

Configure DNS (based on LASTSCHL-211):

Code Block
apt-get install dnsmasq
touch /var/log/dnsmasq
chmod 640 /var/log/dnsmasq
Code Block
root@debian9-base:~# cat /etc/dnsmasq.conf | grep -v "^#" | grep -v "^$"
# Some of the following lines are there by default and are probably not required
ddns-update-style none;
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
include "/etc/ltsp/dhcpd.conf";
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
 
root@debian9-base:~# cat /etc/ltsp/dhcpd.conf 
#
# Default LTSP dhcpd.conf config file.
#

authoritative;

subnet 192.168.9.0 netmask 255.255.255.0 {
    range 192.168.9.40 192.168.9.250;
    option domain-name "test.av";
    option domain-name-servers 192.168.9.1;
    option broadcast-address 192.168.9.255;
    option routers 192.168.9.1;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/amd64";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/amd64/pxelinux.0";
    } else {
        filename "/ltsp/amd64/nbi.img";
    }

}
Code Block
apt-get install isc-dhcp-server

In /etc/default/isc-dhcp-server, set:

Code Block
INTERFACESv4="enp0s8"

 

 

Configure DNS (based on LASTSCHL-211):

Code Block
apt-get install dnsmasq
touch /var/log/dnsmasq
chmod 640 /var/log/dnsmasq
Code Block
root@debian9-base:~# cat /etc/dnsmasq.conf | grep -v "^#" | grep -v "^$"
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
 
root@debian9-base:~# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq
{
	rotate 731
	daily
	nomissingok	
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}
 
root@debian9-base:~# cat /etc/hostname
server.test.av
 
root@debian9-base:~# cat /etc/hosts
127.0.0.1	localhost

192.168.9.1	test.av
192.168.9.1	server.test.av	server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

New stuff

Now that we have a working setup similar to the production one, we will modify it to implement the new solution.

Download the latest version of the attached shwl_add_shwl_del_sl_pmu archive and extract it somewhere convenient.

Shorewall

Add to /etc/shorewall/hosts:

Code Block
wifi1 enp0s8:dynamic

...

Code Block
# Just after: wifi		all		REJECT
# Added:
wifi1		net		ACCEPT		INFO
wifi1		$FW		ACCEPT		INFO(uid)
$FW		wifi1		ACCEPT		INFO(uid)
# Before: net		all		DROP		INFO

...

Code Block
....
wifi1:wifi ipv4 dynamic_shared

In /etc/shorewall/shorewall.conf set:

Code Block
SAVE_IPSETS=Yes

Add to /etc/shorewall/rules (replace IP addresses with actual IP address of wifi routers):

Code Block
 
# At the top of the file:
?SECTION ALL
# Allow the server and NASes to talk RADIUS and HTTP (web interface)
ACCEPTlogrotate.d/dnsmasq
/var/log/dnsmasq
{
	rotate 731
	daily
	nomissingok	
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}
 
root@debian9-base:~# cat /etc/hostname
server.test.av
 
root@debian9-base:~# cat /etc/hosts
127.0.0.1	localhost

192.168.9.1	test.av
192.168.9.1	server.test.av	server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

New stuff

Now that we have a working setup similar to the production one, we will modify it to implement the new solution.

Download the latest version of the attached shwl_add_shwl_del_sl_pmu archive and extract it somewhere.

Shorewall

Add to /etc/shorewall/hosts:

Code Block
wifi1 enp0s8:dynamic


Modify /etc/shorewall/policy:

Code Block
# Just after: wifi		all		REJECT
# Added:
wifi1		net		ACCEPT		INFO
wifi1		$FW		ACCEPT		INFO(uid)
$FW			wifi1	ACCEPT		INFO(uid)
# Before: net		all		DROP		INFO


Add to /etc/shorewall/zones:

Code Block
....
wifi1:wifi ipv4 dynamic_shared

In /etc/shorewall/shorewall.conf set:

Code Block
SAVE_IPSETS=Yes

Add to /etc/shorewall/rules (replace IP addresses with actual IP address of NASes):

Code Block
 
# At the top of the file:
?SECTION ALL
# Allow the server and NASes to talk RADIUS and HTTP (web interface)
ACCEPT          wifi:192.168.9.2,192.168.9.3,192.168.9.4                $FW                                             tcp     -       80
ACCEPT          $FW                                                     wifi:192.168.9.2,192.168.9.3,192.168.9.4        tcp     80   $FW   -
ACCEPT          wifi:192.168.9.2,192.168.9.3,192.168.9.4                $FW                    tcp      -       80
ACCEPT          $FW  udp     1812    -
ACCEPT          $FW                                wifi:192.168.9.2,192.168.9.3,192.168.9.4        tcp     80      -
ACCEPT          wifi:192.168.9.2,192.168.9.3,192.168.9.4        udp     -       $FW1812
# But, reject anything else to and from any other device part of the 192.168.9.0/24 network that is not part of any dynamic zone
REJECT          wifi            udp     1812    -
ACCEPT          $FW                     all                                wifi:192.168.9.2,192.168.9.3,192.168.9.4        udp     -       1812
#- But, reject anything else to and from any other device part of the 192.168.9.0/24 network that is not part of any dynamic zone -
REJECT          wifiall                                                    all wifi                                            -       -       -
REJECT       
?SECTION NEW
 
# At the end of the file:
ACCEPT:INFO(uid)   all     wifi:192.168.9.2,192.168.9.3,192.168.9.4        $FW             udp            1812

 

FreeRADIUS

Code Block
apt-get install freeradius
systemctl enable freeradius.service

 

Modify /etc/freeradius/3.0/mods-available/eap:

comment the following:

Code Block
....
#       md5 {
#       }
....
#   wifi    leap {
#       }
....
#       gtc {
#               #  The default challenge, which many clients
#  -       -      # -

?SECTION NEW
 
# At the end of the file:
ACCEPT:INFO(uid) ignore..
#               #challenge = wifi:192.168.9.2,192.168.9.3,192.168.9.4"Password: "
#
#        $FW       #  The plain-text response which udpcomes back
#   1812

 

FreeRADIUS

Code Block
apt-get install freeradius
systemctl enable freeradius.service

 

Modify /etc/freeradius/3.0/mods-available/eap:

comment the following:

Code Block
....
#       md5 {
#  is put into a User-Password }
....
#attribute,
#        leap {
       #  and passed to another module }for
....
##       	#  authentication.  This allows gtcthe {EAP-GTC
#               #  Theresponse defaultto challenge,be whichchecked many clientsagainst plain-text,
#               #   ignore.or crypt'd passwords.
#               #challenge = "Password: "
#
#               #  The plain-text response which comes backIf you say "Local" instead of "PAP", then
#       	#  the module will    #  is put into look for a User-Password attribute,
#               #  andconfigured for passedthe torequest, anotherand moduledo forthe
#       	#   authentication.  This allows the EAP-GTC
#  authentication itself.
#            #  response to be checked against plain-text, #
#               #auth_type  or crypt'd passwords.= PAP
#       }
....
#       tls #{
#               # Point Ifto youthe saycommon "Local" instead of "PAP", then
#TLS configuration
#          	#  the module will looktls for= a User-Passwordtls-common
#
#       	#
#        #  configured for the request, and do the
# As part of checking a client certificate, the EAP-TLS
#      #  authentication itself.
#      # sets some attributes such as    #TLS-Client-Cert-CN. This
#               auth_type# =virtual PAP
#server has access to these attributes, and }can
....
#       tls {
#       # be used to accept or reject the request.
# Point  to the common TLS configuration	#
#       #        tlsvirtual_server = check-eap-tls-common
#
#       	#
#               # As part of checking a client certificate, the EAP-TLS
#               # sets some attributes such as TLS-Client-Cert-CN. This
#}
....

modify the 'default_eap_type' directive under section 'eap' to be:

Code Block
default_eap_type = peap

and the 'default_eap_type' directive under section 'ttls' to be:

Code Block
default_eap_type = mschapv2

Modify /etc/freeradius/3.0/sites-available/default, comment the following lines (see comments included in the code block):

Code Block
# All the listen sections except the IPv4 version with "type = auth"
listen {
	ipaddr = *
	port = 0
	type = acct
	limit {
	}
}
listen {
	type = auth
	ipv6addr = ::	# any.  ::1 == localhost
	port = 0
	limit {
	      max_connections = 16
	      lifetime = 0
	      idle_timeout # virtual server has access to these attributes, and can
#               # be used to accept or reject the request.
#       	#
#       #       virtual_server = check-eap-tls
#       }
....

modify the 'default_eap_type' directive under section 'eap' to be:

Code Block
default_eap_type = peap

and the 'default_eap_type' directive under section 'ttls' to be:

Code Block
default_eap_type = mschapv2

Modify /etc/freeradius/3.0/sites-available/default, comment the following lines (see comments included in the code block):

Code Block
# All the listen sections except the IPv4 version with "type = auth"
listen {
	ipaddr = *
	port = 0
	type = acct
	limit {
	}
}
listen {
	type = auth
	ipv6addr = ::	# any.  ::1 == localhost
	port = 0
	limit {
	      max_connections = 16
	      lifetime = 0
	      idle_timeout = 30
	}
}
listen {
	ipv6addr = ::
	port = 0
	type = acct
	limit {
	}= 30
	}
}
listen {
	ipv6addr = ::
	port = 0
	type = acct
	limit {
	}
}
# In the authorize section:
chap
mschap
digest
files
-ldap
pap
# In the authenticate section:
Auth-Type PAP {
		pap
}
Auth-Type CHAP {
		chap
}
Auth-Type MS-CHAP {
		mschap
}
mschap
digest

Uncomment the following line in the 'authorize' section:

Code Block
auth_log

Add the following line at the end of the 'post-auth' section and at the beginning of the Post-Auth-Type REJECT section:

Code Block
reply_log

Add the following section just below the Post-Auth-Type REJECT section:

Code Block
Post-Auth-Type CHALLENGE {
        reply_log
}

Add the following in the post-auth section, just before the Post-Auth-Type REJECT section:

Code Block
update reply {
             Session-Timeout := 3600
             Termination-Action := 1
}

Modify /etc/freeradius/3.0/sites-available/inner-tunnel, comment the following lines:

Code Block
# The whole listen section
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
# In the authorize section:
chap
mschap
digest
files
-ldap
pap
# In the authenticate section:
Auth-Type PAP {
		pap
}
Auth-Type CHAP {
		chap
}
Auth-Type MS-CHAP {
		mschap
}
mschap
digest

Uncomment Add the following line after 'filter_username' and before 'suffix' in the 'authorize' section:

...

Add the following line at the end of the 'post-auth' section and at the beginning of the Post-Auth-Type REJECT section:

Code Block
reply_log

...

 
Add the following in the post-auth section , just before below the Post-Auth-Type REJECT section:
 Code Block
update replyPost-Auth-Type CHALLENGE {
             Session-Timeout := 3600
             Termination-Action := 1
reply_log
}
 
Modify /etc/freeradius/3.0/sites-available/inner-tunnel, comment the following linesradiusd.conf, set (in the 'log' section):
 Code Block
# The whole listen section
listen {
       ipaddr = 127.0.0.1
       port = 18120auth = yes
Modify /etc/freeradius/3.0/clients.conf, comment the 'client localhost' and 'client localhost_ipv6' section and add (replace with actual IP addresses of NASes):
 Code Block
client wifi-ap1 {
       ipaddr = 192.168.9.2
       typesecret = auth
}
password # InReplace with thean authorizeactual section:password
chap}
mschap
files
-ldap
# In the authenticate section:
Auth-Type PAP {
		pap
}
Auth-Type CHAP {
		chap
}
Auth-Type MS-CHAP {
		mschap
}
Add the following line after 'filter_username' and before 'suffix' in the 'authorize' section:
 Code Block
auth_log
Add the following line at the end of the 'post-auth' section and at the beginning of the Post-Auth-Type REJECT section:
 Code Block
reply_log
 
Modify /etc/freeradius/3.0/radiusd.conf, set (in the 'log' section):
 Code Block
auth = yes
 
Modify /etc/freeradius/3.0/clients.conf, comment the 'client localhost' and 'client localhost_ipv6' section and add (replace with actual IP addresses of wifi routers):
 Code Block
client wifi-ap1 {
       ipaddr = 192.168.9.2
       secret = password # Replace with an actual password
}
 
client wifi-ap2 {
       ipaddr = 192.168.9.3
       secret = password # Replace with an actual password
}

client wifi-ap3 {
       ipaddr = 192.168.9.4
       secret  
client wifi-ap2 {
       ipaddr = 192.168.9.3
       secret = password # Replace with an actual password
}

client wifi-ap3 {
       ipaddr = 192.168.9.4
       secret = password # Replace with an actual password
}
Modify /etc/logrotate.d/freeradius, modify the following options as follows ('dateext' option needs to be added):
 Code Block
rotate 732
nomissingok
dateext
 Code Block
rm /var/log/freeradius/radius.log
rm /var/log/freeradius/radwtmp
chmod o-rwx /var/log/freeradius
chown freerad:freerad /var/log/freeradius
chmod o-rwx /etc/freeradius
It has been observed that radius.log comes with world-readable permissions upon installation of the package, deleting it causes FreeRADIUS to re-create it, and it gets re-created with more secure permissions. /etc/freeradius also comes with the executable bit set for all users, which makes it easier for sensitive information contained within to be world-readable in case the permissions of an individual file are not set restrictive enough (as was, by default, the case with the file containing the encryption passwords for the certificates). Could not find any information on the net on whether there is a good reason for the executable bit being set, so, decided it is safer to remove it.

Certificates
Modify /etc/freeradius/3.0/certs/server.cnf, set the following settings:
 Code Block
...
[ CA_default ]
...
default_days            = 732
...
[ req ]
...
input_password	= password # Replace with an actual password
output_password	= password # Replace with an actual password
}
Modify /etc/logrotate.d/freeradius, modify the following options as follows ('dateext' option needs to be added):
 Code Block
rotate 732
nomissingok
dateext
 Code Block
rm /var/log/freeradius/radius.log
rm /var/log/freeradius/radwtmp
chmod o-rwx /var/log/freeradius
chown freerad:freerad /var/log/freeradius
chmod o-rwx /etc/freeradius
It has been observed that radius.log comes with world-readable permissions upon installation of the package, deleting it causes FreeRADIUS to re-create it, and it gets re-created with more secure permissions. /etc/freeradius also comes with the executable bit set for all users, which makes it easier for sensitive information contained within to be world-readable in case the permissions of an individual file are not set restrictive enough (as was, by default, the case with the file containing the encryption passwords for the SSL certificates). Could not find any information on the net on whether there is a good reason for the executable bit being set, so, decided it is safer to remove it.
...
, should be same as input_password
...

[certificate_authority]
countryName	= IN
stateOrProvinceName	= Tamil Nadu
localityName	= Auroville
organizationName	= Test
emailAddress	= admin@test.av
commonName	= "Test Certificate Authority"
...
Modify /etc/freeradius/3.0/certs/server.cnf, set the following settings:
...
/ca.cnf, set the following settings:
 Code Block
...
[ CA_default ]
...
default_days            = 732
...
crlDistributionPoints	= URI:http://server.test.av/test_ca.crl # This URL will not actually be implemented at the moment, but choose a URL where it is possible to in future make the file available

[ req ]
...
input_password	= password # Replace with an actual password, different from the one in server.cnf
output_password	= password # Replace with an actual password, should be same as input_password
...

[certificate_authorityserver]
countryName	= IN
stateOrProvinceName	= Tamil Nadu
localityName	= Auroville
organizationName	= Test
emailAddress	= admin@test.av
commonName	= "Test Certificate Authority"Test Server Certificate"
 
[v3_ca]
...
crlDistributionPoints	= URI:http://server.test.av/test_ca.crl
...
Modify Modify /etc/freeradius/3.0/certs/ca.cnfxpextensions, set the following settings:
 Code Block
...
[ CAxpclient_default ext]
...
default_days            = 732
...
crlDistributionPoints	crlDistributionPoints = URI:http://server.test.av/test_ca.crl

[ req ]
...
input_password	= password # ReplaceThis withURL anwill actual password
output_password	= password # Replace with an actual password, should be same as input_password

[server]
countryName	= IN
stateOrProvinceName	= Tamil Nadu
localityName	= Auroville
organizationName	= Test
emailAddress	= admin@test.av
commonName	= "Test Server Certificate"
 
[v3_canot actually be implemented at the moment, but choose a URL where it is possible to in future make the file available
...
 
[ xpserver_ext]
...
crlDistributionPoints	 = URI:http://server.test.av/test_ca.crl # This URL will not actually be implemented at the moment, but choose a URL where it is possible to in future make the file available
...
 Code Block
cd /etc/freeradius/3.0/certs
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* # This step is probably not needed, 
make ca.pem
make ca.der
make server.pem
make server.csr
chown freerad:freerad *
chmod o-rwx *
rm bootstrap
rm passwords.mk
# Delete all other files in the folder except: server.cnf, ca.cnf, xpextensions, Makefile, README, dh, ca.pem, server.pem, server.key
...
 Code Block
private_key_password = password # Replace password with the password chosen previously '@@@' same or different?in server.cnf
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem
...
It is sufficient to use standard utilities such as 'passwd', the password will be updated in the MySQL database as well. Tested with 'passwd' and User Accounts applet in GNOMESee the 'pam_to_mysql_update.sh' section in the 'Overview' page for utilities with which this has been tested. In case prompted with "Current password:" (exactly as written here) it is sufficient to ignore and press enter. Commands that expire or disable a user's system user account (or password) without deleting it (such as passwd -l) will not cause the credentials in the MySQL database to be disabled, thus it is necessary to take care (perhaps with a site specific lock user script) to also invalidate the same.
...
 Code Block
mysql -uroot
	use radius;
	DELETE FROM radcheck WHERE username='user';
exit
deluser user

WiFi 
...
access point (NAS) configuration
Settings to be configured
...
  • SSID - SSID of choice
  • Network security type: WPA2 Enterprise
  • WPA type: Set to either Auto or WPA2
  • WPA encryption: Set to either Auto or AES
  • RADIUS server IP - 192.168.9.1
  • RADIUS server port - 1812
  • RADIUS server secret/password - Password chosen in clients.conf for this particular NAS
  • WPS - Disable (a good NAS should disable it automatically when choosing WPA2 enterprise security, but good to make sure)
  • Secure password - Choose a secure password for accessing the NAS web (or other) interface. It is important as it controls access to the wireless security settings, and the web (or other) interface is reachable by supplicants connected to the network.
  • Clients isolation - If enabled, prevents connected supplicants from talking to each other/seeing each other's traffic. Can improve security if there is either only one NAS installed or each NAS is in a separate broadcast domain (and there is no other device connected, e.g. through wired network, in the same broadcast domain), at the expense of not allowing connected supplicants to communicate directly with each other (e.g. SSH into each other, etc.)
  • IP address - IP address needs to match IP mentioned in clients.conf
  • Disable DHCP server
  • Some models: Reauthentication period - Specify to something equal to or greater than the Session-Timeout specified in /etc/freeradius/3.0/sites-available/default. Some NASes interpret 0 as disabling re-authentication, and might then also ignore any value mentioned by the FreeRADIUS Session-Timeout / Termination-Action attributes/ Termination-Action attributes.
  • Some models: WPA2/RSN preauthentication - It is suggested to try and disable this feature in case issues are encountered such as mentioned in the "General information" page under Misc. Information point 9.
  • Some models: WPA2/RSN preauthentication '@@@'Some models: Operation mode - Some NASes have an Operation mode setting, which pre-sets/locks some settings to defaults that are appropriate for different kinds of uses, e.g. "DSL Router", "Wireless Router", "Wireless Access Point". This varies by model, but usually something like "Wireless Access Point" is a good first choice, if available, alternatively "Wireless Router"
TP-Link Archer C20 v4 00000004
In this model, the "Reauthentication period" setting is not available, but the router does honor the timeout specified by the RADIUS server. Operation mode can be set to "Access Point". All other settings should be set as mentioned above. This is a dual band router and some settings need to be set in two places, once for each SSID.
TP-Link TD-W8968 V4 0x00000001
In this model, the "Reauthentication period" setting is available as "Network Re-auth Interval", and the router also does honor the timeout specified by the RADIUS server, and follows whichever is smaller. Setting the setting to zero causes the feature to be disabled and the timeout specified by the RADIUS server to also be ignored. Operation mode can be set to "Wireless Router Mode". All other settings should be set as mentioned above.
TP-Link TL-WR740N v4 00000000
In this model, the "Reauthentication period" setting is not available, and the router does not honor the timeout specified by the RADIUS server. The hostapd daemon running on this router supports the feature and works in a similar way as in the above TP-Link TD-W8968 V4, but no option to configure it is available in the web interface, and hostapd is run with this setting set to 0. Judging by the hostapd source code of this (very old) version of hostapd, it is believed (but not tested) that this means, once authenticated, the router might allow the supplicant to continue being part of the network for up to twelve hours without querying the RADIUS server again. A fix is possible to make hostapd run with its default setting of 3600 seconds, but is out of the scope of this wiki page. '@@@'RSN with its default setting of 3600 seconds, but is out of the scope of this wiki page. After applying the fix, and introducing this router in the network with the above two listed models, the issue mentioned in the "General information" page under Misc. Information point 9 was encountered sometimes. The RSN preauthentication option is also not available in the web interface, but it is believed to be possible to disable RSN pre-authentication with a similar fix. No operation mode setting is available. All other settings should be set as mentioned above.
Supplicant configuration
Linux
  1. Copy the ca.ca pem file generated during certificate generation onto the computer.
  2. Select the network's SSID from the list in Network Manager.
  3. When asked, enter the following information, then press connect:
    CA certificate: Browse and select the ca.ca pem file
    Identity: the username 
    Password: the password
    Inner authentication: MSCHAPv2 (not "MSCHAPv2 (not EAP)" )
    Leave all other fields as they are
Android
  1. Copy the ca.ca pem file generated during certificate generation onto the phone.
  2. Open the “Settings” app, go to “Wi-Fi” → “Advanced settings” → “Install certificates”.
  3. Select the ca.ca pem file.
  4. Assign it a name of choice
  5. Under “Certificate use” select “WiFi”
  6. Once again, open the “Settings” app, go to “Wi-Fi”, and select the network's SSID from the list.
  7. When asked, enter the following information, then press connect:
    CA certificate: Select the earlier chosen name when installing the ca.ca pem file
    Identity: the username 
    Password: the password
    Leave all other fields as they are
...
On Linux and Android supplicants it is required to install the ca.ca pem file generated during certificate generation in order to verify the RADIUS server's identity. In case the identity presented by the RADIUS server changes at any point, the supplicant fails to connect, and re-presents the user with the prompt for network credentials. It is possible to connect without installing the ca.ca pem file, but one needs to specify "No CA certificate required" or "Do not validate". In this case the supplicant will send credentials to any RADIUS server for that SSID without verifying its identity. It is possible to avoid sending the real user name in the unencrypted outer tunnel, by specifying a different value (normally 'anonymous') in the "Anonymous identity" field.
On Mac OS, iPhone and iPhone Windows 10 supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any reasonable warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust once againuser is extremely likely to press Trust/Connect once again (on Windows 10, the message also advises the user to connect if they are in a location where said SSID is expected to be present). On Windows 10, in case the user does press Connect again, the supplicant stores both identities and thereon connects without further warning to any server presenting any of those identities, on Mac OS and iPhone this has not been tested. On Mac OS and Windows 10, it is also possible to copy the ca.ca pem file and install it , avoiding the prompt on first connect, on iPhonelike with the Linux supplicant, on  the  iPhone this was tested on, this did not have any effect. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) to configure the supplicant to not send the real user name in the unencrypted outer tunnel.
Windows 10 '@@@'
Sources
https://wiki.freeradius.org/guide/Basic-configuration-HOWTO
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu
https://wiki.freeradius.org/modules/Rlm_python
https://wiki.freeradius.org/config/Certificates
http://deployingradius.com/documents/configuration/certificates.html
http://deployingradius.com/documents/protocols/compatibility.html this did not seem to have any effect. On Windows 10, this does not change the behavior in case the server's identity changes, on Mac OS this has not been tested, presumably the same. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) on Mac OS and iPhone to configure the supplicant to not send the real user name in the unencrypted outer tunnel. On Windows 10 this is somewhat easier.