Introduction
Components involved
Installation
Replication of production setup
Here, we replicate the relevant parts of the present installation as a starting point.
Imported ~/Documents/Debian9-base.ova as Debian9-base_8021x, re-initializing all MAC addresses
Added eth adapter 2, re-init MAC
CPU, increase to 2
added eth1 mac address to server DHCP config, 192.168.10.52
server shwl add 52
Booted, disconnected eth2 because of errors
Logged in to GUI, connected DHCP
apt-get update
apt-get upgrade
reboot VM
rm 02proxy
set better ls and root passwords
installed ssh pub key in root
apt-get install shorewall
apt-get install ipset
mv /etc/shorewall{,-orig}
mkdir /etc/shorewall
root@server.lastschl:~# scp /etc/shorewall/* root@192.168.10.52:/etc/shorewall/
# commented all entries related to loc and vpn zones (including dynamic zone man) in all files
# removed all MAC addresses of wifi clients
cp -r shorewall{,-remove-loc-vpn-man-wifimac}
updated interface names in interfaces, masq
cp -r shorewall{,-updated-interfaces}
/etc/default/shorewall: startup=1
removed postfix, proxy rules (did not update config backups)
root@server.lastschl:~# scp /etc/rsyslog.d/40-shorewall.conf 192.168.10.52:/etc/rsyslog.d/
root@server.lastschl:~# scp /etc/logrotate.d/shorewall 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.d/rsyslog 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.conf 192.168.10.52:/etc/
systemctl enable shorewall.service
added shorewall rules _apt
Configure network and DHCP (based on LASTSCHL-212):
systemctl disable network-manager.service
systemctl disable NetworkManager.service
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The external interface
auto enp0s3
iface enp0s3 inet static
    address 192.168.10.52
    network 192.168.10.0
    netmask 255.255.255.0
    broadcast 192.168.10.255
    gateway 192.168.10.1

# The wifi interface
auto enp0s8
iface enp0s8 inet static
    address 192.168.9.1
    netmask 255.255.255.0
    broadcast 192.168.9.255
unlink /etc/resolv.conf
echo nameserver 192.168.10.1 > /etc/resolv.conf
mkdir /etc/ltsp
root@server.lastschl:~# scp /etc/dhcp/dhcpd.conf 192.168.10.52:/etc/dhcp/
/etc/ltsp/dhcpd.conf
#
# Default LTSP dhcpd.conf config file.
#

authoritative;

subnet 192.168.9.0 netmask 255.255.255.0 {
    range 192.168.9.40 192.168.9.250;
    option domain-name "test.av";
    option domain-name-servers 192.168.9.1;
    option broadcast-address 192.168.9.255;
    option routers 192.168.9.1;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/amd64";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/amd64/pxelinux.0";
    } else {
        filename "/ltsp/amd64/nbi.img";
    }
}
In /etc/default/isc-dhcp-server, set:
INTERFACESv4="enp0s8"
apt-get install isc-dhcp-server
Configure DNS (based on LASTSCHL-211):
apt-get install dnsmasq
touch /var/log/dnsmasq
chmod 640 /var/log/dnsmasq

Set in /etc/dnsmasq.conf:
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
/etc/logrotate.d/dnsmasq
/var/log/dnsmasq {
    rotate 730
    daily
    nomissingok
    notifempty
    delaycompress
    compress
    dateext
# dnsmasq writes this file itself (log-facility), so reloading rsyslog in a
# postrotate script would not make it reopen the log and it would keep writing
# to the rotated file. copytruncate keeps dnsmasq's open descriptor valid; the
# alternative is sending dnsmasq SIGUSR2 from postrotate, which makes it reopen.
    copytruncate
}
/etc/hostname
debian9-base.test.av
/etc/hosts
127.0.0.1       localhost
192.168.9.1     test.av
192.168.9.1     server.test.av server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
packages: shorewall
New stuff
FreeRADIUS
packages: freeradius
Modified /etc/freeradius/3.0/mods-available/eap:
commented out the following sections, leaving PEAP, TTLS and the inner MSCHAPv2 method as the only EAP types the server offers:
....
#	md5 {
#	}
....
#	leap {
#	}
....
#	gtc {
#		#  The default challenge, which many clients
#		#  ignore..
#		#challenge = "Password: "
#
#		#  The plain-text response which comes back
#		#  is put into a User-Password attribute,
#		#  and passed to another module for
#		#  authentication.  This allows the EAP-GTC
#		#  response to be checked against plain-text,
#		#  or crypt'd passwords.
#		#
#		#  If you say "Local" instead of "PAP", then
#		#  the module will look for a User-Password
#		#  configured for the request, and do the
#		#  authentication itself.
#		#
#		auth_type = PAP
#	}
....
#	tls {
#		# Point to the common TLS configuration
#		tls = tls-common
#
#		#
#		# As part of checking a client certificate, the EAP-TLS
#		# sets some attributes such as TLS-Client-Cert-CN. This
#		# virtual server has access to these attributes, and can
#		# be used to accept or reject the request.
#		#
#		# virtual_server = check-eap-tls
#	}
....
modified the 'default_eap_type' directive under section 'eap' to be:
default_eap_type = peap
and the 'default_eap_type' directive under section 'ttls' to be:
default_eap_type = mschapv2
Modify /etc/freeradius/3.0/clients.conf: comment out the 'client localhost' and 'client localhost_ipv6' sections and add one of the following blocks at the end for each wifi router. The shared secret is what authenticates the router to FreeRADIUS (it keys the Message-Authenticator check and the User-Password obfuscation), so give each router its own long random secret rather than a reused word; note that with the localhost client removed, radtest run on the server itself also needs a client entry of its own:
client test1 {                  # Replace test1 with a name for the router
	ipaddr = 192.168.9.2        # Replace with IP of the router
	secret = password           # Replace with an actual password
}
Certificates
as freerad?
Modified "@@@"
as freerad ("@@@" right way to do it?):
cd /etc/freeradius/3.0/certs
make
Modify /etc/freeradius/3.0/mods-available/eap, setting the following directives in the 'tls-config tls-common' section. The private_key_password must be the output_password that was set in certs/server.cnf before running make (the stock value is 'whatever'). The certificates make produces are self-signed test certificates, so the supplicants need ca.pem installed and server certificate validation switched on: a client that skips validation will hand its MSCHAPv2 response to any rogue access point that presents a certificate.
private_key_password = password    # Replace password with the password chosen previously
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem
MySQL
Python module / script_launcher.py script
cd /etc/freeradius/3.0/
ln -s mods-available/python mods-enabled/
Put the following in /etc/freeradius/3.0/mods-available/python (the symlink above enables it):
#
#  Make sure the PYTHONPATH environmental variable contains the
#  directory(s) for the modules listed below.
#
#  Uncomment any func_* which are included in your module. If
#  rlm_python is called for a section which does not have
#  a function defined, it will return NOOP.
#
python {
	module = script_launcher                                  # @#$dy
	python_path = ${modconfdir}/${.:name}:/usr/lib/python2.7  # @#$dy

	mod_post_auth = ${.module}                                # @#$dy
	func_post_auth = post_auth                                # @#$dy
}
Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel:
...
	# Add this line just after 'sql' in the 'post-auth' section
	python
...
Modify /etc/freeradius/3.0/mods-available/eap: under both the 'peap' and 'ttls' sections set the 'copy_request_to_tunnel' directive as below, so that outer-request attributes such as Calling-Station-Id (the client MAC) are visible to the inner-tunnel post-auth section where the python module runs:
copy_request_to_tunnel = yes
Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py
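The page does not reproduce script_launcher.py itself. The following is an added example of what such an rlm_python post-auth module looks like, written for this write-up rather than taken from the original project. It assumes that the add script lives at /usr/local/sbin/shwl_add.sh, takes the client MAC and user name as its two arguments, and may be run by freerad through sudo without a password (the sudo section below). The security-relevant part is that Calling-Station-Id and User-Name come from the request and are canonicalised and validated before they are handed to anything that touches the firewall, and the script is started with an argv list rather than through a shell:

```python
# script_launcher.py - example rlm_python post-auth module (added illustration,
# not the page's own script). Assumed: the path of shwl_add.sh, its "<mac> <user>"
# argument convention, and a passwordless sudo rule for freerad covering it.
from __future__ import print_function
import re
import subprocess

try:
    import radiusd                     # injected by rlm_python inside freeradius
except ImportError:                    # stand-alone import (tests, syntax checks)
    class radiusd(object):
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        L_INFO, L_ERR = 3, 4           # placeholder levels for the stub only

        @staticmethod
        def radlog(level, msg):
            print(msg)

SHWL_ADD = "/usr/local/sbin/shwl_add.sh"                 # assumed path of the add script
MAC_CHARS = re.compile(r"^[0-9A-Fa-f:.\-]{12,17}$")
USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def normalize_mac(raw):
    """Canonicalise the Calling-Station-Id forms NASes send (AA-BB-.., aa:bb:..,
    aabb.ccdd.eeff) to aa:bb:cc:dd:ee:ff; anything else yields None, so the
    script only ever receives a value of this exact shape."""
    if not raw or not MAC_CHARS.match(raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def attrs(p):
    """rlm_python passes the request as a tuple of (name, value) string pairs."""
    return dict((name, value.strip('"')) for name, value in p)


def build_add_command(p):
    """Validate the attributes; return (argv, None) or (None, reason)."""
    a = attrs(p)
    mac = normalize_mac(a.get("Calling-Station-Id"))
    user = a.get("User-Name", "")
    if mac is None:
        return None, "missing or malformed Calling-Station-Id"
    if not USER_RE.match(user):
        return None, "User-Name contains characters not allowed here"
    return ["sudo", "-n", SHWL_ADD, mac, user], None


def post_auth(p):
    """Entry point named by func_post_auth in mods-available/python."""
    argv, reason = build_add_command(p)
    if argv is None:
        radiusd.radlog(radiusd.L_ERR, "script_launcher: %s, rejecting" % reason)
        return radiusd.RLM_MODULE_REJECT       # fail closed: no firewall entry, no access
    try:
        rc = subprocess.call(argv)             # argv list, no shell: nothing is re-parsed
    except OSError as exc:
        radiusd.radlog(radiusd.L_ERR, "script_launcher: cannot run %s: %s" % (SHWL_ADD, exc))
        return radiusd.RLM_MODULE_FAIL
    if rc != 0:
        radiusd.radlog(radiusd.L_ERR, "script_launcher: %s exited %d" % (SHWL_ADD, rc))
        return radiusd.RLM_MODULE_FAIL
    radiusd.radlog(radiusd.L_INFO, "script_launcher: opened firewall for %s (%s)" % (argv[3], argv[4]))
    return radiusd.RLM_MODULE_OK
```

subprocess.call blocks the FreeRADIUS worker thread until shwl_add returns, so the script should finish quickly or detach its slow part itself. The matching sudoers rule for freerad should name the exact script path and nothing broader, since the module is the only thing that should be able to open holes in the firewall.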
Shorewall
sudo
packages: sudo
shwl_add / shwl_del scripts
packages: arp-scan
apt-get install arp-scan
# Install the scripts in /usr/local/sbin/, and configure settings in each of them
chown root:freerad /usr/local/sbin/shwl_*
chmod 750 /usr/local/sbin/shwl_*
Add the following line to freerad's crontab
*/1 * * * * /usr/local/sbin/shwl_del.sh # @#$dy # @@@ figure out optimal interval
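The shwl scripts are not reproduced on this page either. The following is an added example, not the project's shwl_del.sh, of the expiry logic such a script can implement given the pieces listed above (arp-scan, a cron job run as freerad, sudo). Its design is assumed: shwl_add records every client it opened as an "ip mac user misses" line in a state file and adds the host to a Shorewall dynamic zone (called man here, as in the production config); this script arp-scans the wifi interface, closes the hole for any host that has stopped answering for a few consecutive scans, and closes immediately when an IP now answers from a different MAC, because the firewall rule is keyed on the IP while the authentication was keyed on the MAC. Paths, zone name, state-file format and the miss limit are all assumptions; the scan and state samples are constructed:

```python
# Expiry logic of an shwl_del-style script (added illustration; the page does not
# include the real shwl_del.sh). Assumed design: shwl_add records each opened
# client as "ip mac user misses" in STATE_FILE and adds it to dynamic zone ZONE.
from __future__ import print_function
import re
import subprocess

IFACE = "enp0s8"                         # wifi interface from /etc/network/interfaces
ZONE = "man"                             # assumed dynamic zone name (as in the production config)
STATE_FILE = "/var/lib/shwl/clients"     # assumed: maintained by shwl_add / shwl_del
MISS_LIMIT = 3                           # assumed: scans a host may miss (Wi-Fi power save) first

ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

# Constructed sample of what `arp-scan -I enp0s8 -l` prints; header/footer lines are skipped.
SAMPLE_SCAN = (
    "Interface: enp0s8, datalink type: EN10MB (Ethernet)\n"
    "Starting arp-scan 1.9 with 256 hosts\n"
    "192.168.9.45\t00:11:22:aa:bb:cc\tSome Vendor\n"
    "192.168.9.46\tde:ad:be:ef:00:01\t(Unknown)\n"
    "\n2 packets received by filter, 0 packets dropped by kernel\n"
)
# Constructed sample state: .46 was opened for bob's MAC but another MAC now holds
# that IP, .47 has already been missed twice, .48 is being missed for the first time.
SAMPLE_STATE = (
    "192.168.9.45 00:11:22:aa:bb:cc alice 0\n"
    "192.168.9.46 00:11:22:aa:bb:dd bob 0\n"
    "192.168.9.47 00:11:22:aa:bb:ee carol 2\n"
    "192.168.9.48 00:11:22:aa:bb:ff dave 0\n"
)


def parse_arp_scan(text):
    """Map IP -> lowercase MAC for every responding host in arp-scan output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            seen[m.group(1)] = m.group(2).lower()
    return seen


def parse_state(text):
    """Parse 'ip mac user misses' lines into (ip, mac, user, misses) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and not line.startswith("#"):
            entries.append((parts[0], parts[1].lower(), parts[2], int(parts[3])))
    return entries


def reconcile(entries, seen):
    """Return (keep, drop): keep is the new state, drop lists (ip, mac, user, reason)
    for holes to close. A changed MAC is closed at once (the IP may have been taken
    over through DHCP churn or spoofing); absent hosts get MISS_LIMIT scans first."""
    keep, drop = [], []
    for ip, mac, user, misses in entries:
        if seen.get(ip) == mac:
            keep.append((ip, mac, user, 0))
        elif ip in seen:
            drop.append((ip, mac, user, "mac-changed:" + seen[ip]))
        elif misses + 1 >= MISS_LIMIT:
            drop.append((ip, mac, user, "absent"))
        else:
            keep.append((ip, mac, user, misses + 1))
    return keep, drop


def delete_commands(drop):
    """argv lists that close each hole; they need root, hence sudo in main()."""
    return [["shorewall", "delete", "%s:%s" % (IFACE, ip), ZONE] for ip, _, _, _ in drop]


def demo():
    """Run the logic over the constructed samples; returns (keep, drop, commands)."""
    keep, drop = reconcile(parse_state(SAMPLE_STATE), parse_arp_scan(SAMPLE_SCAN))
    return keep, drop, delete_commands(drop)


def main():
    scan = subprocess.check_output(["sudo", "-n", "arp-scan", "-I", IFACE, "-l"]).decode("ascii", "replace")
    with open(STATE_FILE) as fh:
        entries = parse_state(fh.read())
    keep, drop = reconcile(entries, parse_arp_scan(scan))
    for argv, (ip, mac, user, reason) in zip(delete_commands(drop), drop):
        if subprocess.call(["sudo", "-n"] + argv) != 0:
            keep.append((ip, mac, user, MISS_LIMIT))   # retry next run rather than forget the hole
        else:
            print("closed %s (%s, %s): %s" % (ip, mac, user, reason))
    with open(STATE_FILE, "w") as fh:
        fh.writelines("%s %s %s %d\n" % entry for entry in keep)


if __name__ == "__main__":
    main()
```

Run from the freerad crontab every minute as on the page, the miss limit rather than the cron interval is what decides how long a departed client's hole stays open, which is the knob the "figure out optimal interval" note is really about; arp-scan needs raw sockets, so the sudoers rule for freerad has to cover it as well as shorewall delete.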
MySQL
pam_to_mysql_update.sh script
Pre-requisites from the steps above: sudo, the shwl_add / shwl_del scripts, the MySQL configuration and the FreeRADIUS MySQL configuration.
apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Put the script in here, and configure MySQL settings inside
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd
Add the following line at the end of /etc/pam.d/common-auth, or wherever fits the PAM configuration of the system. pam_script runs dir/pam_script_auth for this module type; because the line is 'required' with onerr=fail, a missing script or a non-zero exit fails every login, so keep a root session open while testing. Also check whether the installed libpam-script needs the expose=1 option before it exports PAM_AUTHTOK to the auth-phase script, as the sync cannot work without the password:

...
auth    required    pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/
Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:

...
password    required    pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/
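The page leaves out pam_to_mysql_update.sh itself. The reason the hook exists is worth spelling out: PEAP/TTLS-MSCHAPv2 can only be verified against an NT-Password (MD4 over the UTF-16LE password) or a cleartext password, never against the sha512crypt hash in /etc/shadow, so the only moment the server can produce the attribute is when PAM sees the password. The following is an added example, not the page's script, of what the hook has to compute: it reads PAM_USER and PAM_AUTHTOK as exported by pam_script, derives NT-Password, and replaces the user's password rows in the default FreeRADIUS radcheck table. MD4 is implemented inline because hashlib lacks it on OpenSSL 3 builds; the MySQL credentials file path and the MySQLdb driver are assumptions:

```python
# pam_to_mysql_update - example of the work the PAM hook has to do (added
# illustration, not the page's script). Assumed: MySQLdb as driver and a
# credentials file at /etc/pam_to_mysql_update.cnf readable only by root.
import binascii
import os
import re
import struct
import sys

_M = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data):
    """MD4 per RFC 1320 (hashlib.new('md4') fails without OpenSSL's legacy provider)."""
    msg = bytearray(data)
    bit_len = len(msg) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = A, B, C, D
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):          # each step rotates the four state words
                a = _lrot((a + fn(b, c, d) + X[k] + const) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & _M, (B + b) & _M, (C + c) & _M, (D + d) & _M
    return struct.pack("<4I", A, B, C, D)


def md4_hex(data):
    return binascii.hexlify(md4(data)).decode("ascii")


def nt_password(password):
    """NT-Password = MD4(UTF-16LE(password)) as 32 hex digits, the form rlm_mschap reads.
    Under Python 2 pass a unicode object for non-ASCII passwords."""
    return md4_hex(password.encode("utf-16le")).upper()


USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")     # plain Unix user names only


def radcheck_statements(user, password):
    """Parameterised statements (MySQLdb %s placeholders) replacing the user's password
    rows in radcheck. Stale Cleartext-/User-Password rows are removed too, so an old
    password cannot keep working beside the new NT-Password."""
    if not USER_RE.match(user):
        raise ValueError("refusing unexpected user name")
    return [
        ("DELETE FROM radcheck WHERE username = %s "
         "AND attribute IN ('NT-Password', 'Cleartext-Password', 'User-Password')", (user,)),
        ("INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, 'NT-Password', ':=', %s)",
         (user, nt_password(password))),
    ]


def main(environ=None):
    """Exit status is the PAM result: 0 passes, anything else fails the 'required' line."""
    env = os.environ if environ is None else environ
    user, token = env.get("PAM_USER", ""), env.get("PAM_AUTHTOK")
    if not token:
        return 0                                    # nothing to sync at this stage
    if not USER_RE.match(user):
        return 1
    try:
        import MySQLdb                              # imported late so the module loads without it
        conn = MySQLdb.connect(read_default_file="/etc/pam_to_mysql_update.cnf")
        try:
            cur = conn.cursor()
            for sql, params in radcheck_statements(user, token):
                cur.execute(sql, params)
            conn.commit()
        finally:
            conn.close()
    except Exception as exc:                        # never echo the token; only the error
        sys.stderr.write("pam_to_mysql_update: %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Two things follow from this for the deployment: the NT hash is unsalted and is password-equivalent for MSCHAPv2, so the radcheck table deserves the same protection as /etc/shadow (a dedicated MySQL account limited to that table, credentials in a root-only file), and a database outage will fail logins because of the 'required' line, which is the fail-closed behaviour the PAM configuration above chooses.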