Configuring Radiator for eduroam-US
Radiator is a robust commercial RADIUS server written by Open System Consultants. The Radiator server is used by the eduroam-US Top-Level server as well as the European TLRSs.
The Radiator configuration for an eduroam-US institution can be seen as four major components: the general configuration, the client configuration, the outer and inner handlers, and the default eduroam handler.
# Sample Radiator configuration of a US Institution called example.edu
LogDir /var/log/radius
DbDir /etc/radiator
LogFile %L/%Y/logfile.%y%m%d
PidFile %L/radiusd.pid
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 3
AuthPort 1812
AcctPort 1813
# Client handler for connection from US Top-Level
<Client [eduroam-US top level server(s)]>
    Secret <SECRET>
    Identifier eduroam
</Client>
The inner and outer tunnel handlers are the most complicated portions of the Radiator configuration for eduroam-US. The outer handler terminates the SSL tunnel and defines the inner authentication methods. This is where you configure your certificates and set some inner-tunnel specific settings. The AutoMPPEKeys directive instructs the server to pass the necessary key material back to your NAS.
# Outer Handler, forwards based on tunnel type, to above handlers for TTLS or PEAP
<Handler Client-Identifier=eduroam, Realm=/example\.edu$/i>
    <AuthBy FILE>
        # file containing the word "anonymous" w/o quotes on its own line
        Filename %D/dot1x_anon
        # your institution may not support both PEAP and TTLS but can
        EAPType TTLS, PEAP
        EAPAnonymous %0
        EAPTLS_CAFile /etc/pki/tls/certs/cacert.pem
        EAPTLS_CertificateFile /etc/pki/tls/certs/radius.example.edu.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/pki/tls/private/radius.example.edu.pem
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
    AcctLogFileName %L/%Y/eduroam_detail.%y%m%d
</Handler>
For each inner handler type (TTLS and/or PEAP) a separate tunnelled inner handler block is required. Within these blocks local authentication policies are handled, which may include authentication against LDAP, Active Directory (for PEAP handlers), local files, or another directory service supported by Radiator.
Below is an example of a PEAP handler. The only difference between a PEAP and a TTLS handler, in terms of the handler block, is that the TunnelledByPEAP directive is replaced by TunnelledByTTLS. The example below contains samples of NTLM (Active Directory) authentication, LDAP authentication, and authentication by a plaintext file (an easy way to create temporary or permanent test accounts).
<Handler Client-Identifier=eduroam, TunnelledByPEAP=1, Realm=/example\.edu$/i>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAcceptOrChallenge
        # For ActiveDirectory backed IdP's
        <AuthBy NTLM>
            Domain EXAMPLE
            UsernameMatchesWithoutRealm
            EAPType MSCHAP-V2
        </AuthBy>
        # For LDAP backed IdPs
        <AuthBy LDAP2>
            UseSSL
            SSLCAClientCert /etc/pki/tls/certs/ldap.example.edu.pem
            SSLCAClientKey /etc/pki/tls/private/ldap.example.edu.pem
            SSLCAFile /etc/pki/tls/cacert.pem
            Host ldap.example.edu
            BaseDN ou=People,dc=example,dc=edu
            ServerChecksPassword
            AuthAttrDef radiusReplyItem, GENERIC, reply
            HoldServerConnection
            Version 3
        </AuthBy>
        # For temporary test credentials (if necessary)
        <AuthBy FILE>
            Filename %D/eduroam_test_users
            EAPType MSCHAP-V2
        </AuthBy>
    </AuthBy>
    AcctLogFileName %L/%Y/eduroam_detail.%y%m%d
</Handler>
The final block is the default eduroam-US handler, which forwards non-institutional users to the Top-Level server. Just as above, the AutoMPPEKeys directive passes the necessary keying information to the appropriate NAS.
# Default Handler forwards to eduroam-US Top-Level
<Handler>
    <AuthBy RADIUS>
        Secret <SECRET>
        RetryTimeout 8
        Host [eduroam-US top level server(s)]
        AuthPort 1812
        AcctPort 1813
        AutoMPPEKeys
    </AuthBy>
</Handler>
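As an added check that is not part of this page or of Radiator itself, the following Python script parses a constructed sample in Radiator's block syntax and flags the points the sections above call out: a Trace level above 3 left on in production, a Realm regex that is not anchored with $, and an outer (TTLS/PEAP) or proxy (RADIUS) AuthBy without AutoMPPEKeys. The parser, the sample and the host name in it are assumptions of this example, not Radiator's own parser.

```python
import re

# Constructed sample (not the page's file): Trace is too high, the Realm regex
# is unanchored and the proxy AuthBy lacks AutoMPPEKeys.
SAMPLE = r"""Trace 5
<Handler Client-Identifier=eduroam, Realm=/example\.edu/i>
  <AuthBy FILE>
    EAPType TTLS, PEAP
    AutoMPPEKeys
  </AuthBy>
</Handler>
<Handler>
  <AuthBy RADIUS>
    Secret s3cret
    Host tlrs.example.net
  </AuthBy>
</Handler>
"""
TAG = re.compile(r"^<(/?)(\w+)\s*(.*?)\s*>$")   # <Block attrs> or </Block>

def parse(text):
    # Flat list of blocks {name, attrs, dirs}; a stack tracks nesting
    root = {"name": "global", "attrs": "", "dirs": {}}
    nodes, stack = [root], [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = TAG.match(line)
        if m and m.group(1):                 # closing tag
            stack.pop()
        elif m:                              # opening tag
            stack.append({"name": m.group(2), "attrs": m.group(3), "dirs": {}})
            nodes.append(stack[-1])
        else:                                # Directive [value]
            key, _, val = line.partition(" ")
            stack[-1]["dirs"][key] = val.strip()
    return nodes

def audit(text):
    out = []
    for n in parse(text):
        d, where = n["dirs"], f"{n['name']} {n['attrs']}".strip()
        if int(d.get("Trace", "0")) > 3:
            out.append(f"{where}: Trace above 3, debug level left on")
        m = re.search(r"Realm=/(.*?)/", n["attrs"])
        if m and not m.group(1).endswith("$"):
            out.append(f"{where}: Realm regex not anchored with $")
        eap = n["attrs"] == "RADIUS" or re.search("TTLS|PEAP", d.get("EAPType", ""))
        if n["name"] == "AuthBy" and eap and "AutoMPPEKeys" not in d:
            out.append(f"{where}: AutoMPPEKeys missing, NAS gets no key material")
    return out
```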
For complete documentation on configuration of Radiator please see their reference manual.