Configuring Radiator for eduroam-US

Radiator is a robust commercial RADIUS server written by Open System Consultants.  The Radiator server is used by the eduroam-US Top-Level server as well as the European TLRSs.

The Radiator configuration for an eduroam-US institution can be seen as four major components:  The general configuration, the client configuration, the outer and inner handlers, and the eduroam handler.

The general configuration sets up paths, logging details, and IPs/ports to bind the RADIUS server to:
	# Sample Radiator configuration of a US Institution called example.edu
	LogDir /var/log/radius
	DbDir /etc/radiator
	LogFile %L/%Y/logfile.%y%m%d
	PidFile %L/radiusd.pid
	
	# Use a low trace level in production systems. Increase
	# it to 4 or 5 for debugging, or use the -trace flag to radiusd
	Trace 3
	
	AuthPort 1812
	AcctPort 1813
	
The client configuration allows for incoming connections to the RADIUS server. At minimum an eduroam-US institution must handle connections from the eduroam-US Top-Level server(s). If your Radiator instance also handles other RADIUS responsibilities you will require client handlers for each those devices making requests:
	# Client handler for connection from US Top-Level
	<Client [eduroam-US top level server(s)]>
	  Secret <SECRET>
	  Identifier eduroam
	</Client>
	

The inner and outer-tunnel handlers are the most complicated portions of the Radiator configuration for eduroam-US.  The outer-handler terminates the SSL tunnel and defines inner-authentication methods.  This is where you configure your certificates and set some inner-tunnel specific settings.  The AutoMPPEKeys directive instructs the server to pass back necessary key material to your NAS. 

Please Note: The inner-tunnel handlers must be defined before the outer-handler in your Radiator configuration file because handlers are matched by order of definition in comparing the handler checklist.  Because the outer-handler is less specific it matches the more-specific inner-handler checklist as well and will mask the inner-handler.  See section 5.17 of the Radiator handbook for more details.
	# Outer Handler, forwards based on tunnel type, to above handlers for TTLS or PEAP
	<Handler Client-Identifier=eduroam, Realm=/example\.edu$/i>
	  <AuthBy FILE>
	
	    # file containing the word "anonymous" w/o quotes on its own line
	    Filename %D/dot1x_anon
	
	    # your institution may not support both PEAP and TTLS but can
	    EAPType TTLS, PEAP 
	    EAPAnonymous %0
	
	    EAPTLS_CAFile /etc/pki/tls/certs/cacert.pem
	    EAPTLS_CertificateFile /etc/pki/tls/certs/radius.example.edu.pem
	    EAPTLS_CertificateType PEM
	    EAPTLS_PrivateKeyFile /etc/pki/tls/private/radius.example.edu.pem
	    EAPTLS_PEAPVersion 0
	    EAPTTLS_NoAckRequired
	    AutoMPPEKeys
	  </AuthBy>
	
	  AcctLogFileName %L/%Y/eduroam_detail.%y%m%d
	</Handler>
	

For each inner-handler type (TTLS and/or PEAP) a separate tunneled inner-handler block is required.  Within these blocks local authentication policies are handled, which may include authentication against LDAP, Active Directory (for PEAP handlers), local files, or another directory service supported by Radiator.

Below is an example of a PEAP handler.  The only difference between a PEAP and TTLS handler in terms of the handler block is the TunnelledByPEAP directive is replaced by TunnelledByTTLS. In the below example we have samples of NTLM (Active Directory), LDAP authentication, and authentication by a plaintext file (this is an easy way to create temporary or permanent test accounts).

	<Handler Client-Identifier=eduroam, TunnelledByPEAP=1, Realm=/example\.edu$/i >
	  <AuthBy GROUP>
	    AuthByPolicy ContinueUntilAcceptOrChallenge
	 
	    # For ActiveDirectory backed IdP's
	    <AuthBy NTLM>
	      Domain EXAMPLE
	      UsernameMatchesWithoutRealm
	      EAPType MSCHAP-V2
	    </AuthBy>
	 
	    # For LDAP backed IdPs
	    <AuthBy LDAP2>
	      UseSSL
	      SSLCAClientCert /etc/pki/tls/certs/ldap.example.edu.pem
	      SSLCAClientKey /etc/pki/tls/private/ldap.example.edu.pem
	      SSLCAFile /etc/pki/tls/cacert.pem
	      Host ldap.example.edu
	      BaseDN ou=People,dc=example,dc=edu
	      ServerChecksPassword
	      AuthAttrDef radiusReplyItem, GENERIC, reply
	      HoldServerConnection
	      Version 3
	    </AuthBy>
	 
	    # For temporary test credentials (if necessary)
	    <AuthBy FILE>
	      Filename %D/eduroam_test_users
	      EAPType MSCHAP-V2
	    </AuthBy>
	 
	  </AuthBy>
	 
	  AcctLogFileName %L/%Y/eduroam_detail.%y%m%d
	</Handler> 

The final block is the default eduroam-US handler which passes non-institutional users to the Top-Level server.  Just as above the AutoMPPEKeys directive passes necessary keying information to the appropriate NAS.

	# Default Handler forwards to eduroam-US Top-Level
	<Handler>
	  <AuthBy RADIUS>
	    Secret <SECRET>
	    RetryTimeout 8
	    Host [eduroam-US top level server(s)]
	    AuthPort 1812
	    AcctPort 1813
	    AutoMPPEKeys
	  </AuthBy>
	</Handler>
	

For complete documentation on configuration of Radiator please see their reference manual.

AttachmentDateSize
File Example_Radiator_Institution.cfg10/27/10 12:26 pm2.59 KB