Versions Compared

Version Old Version 1 New Version Current
Changes made by

Stefan Paetow

Stefan Paetow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel

On this page you will find instructions on how to create a static

...

connection to a Moonshot

...

Create a new file in /etc/raddb/sites-available called mainidp_localdomain:

Code Block
title/etc/raddb/sites-available/mainidp_localdomain
linenumberstrue
home_server mainidp_localdomain_server1 {
    ipaddr = 192.168.213.24
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
 
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/mainidp_localdomain.pem
        certificate_file = ${certdir}/mainidp_localdomain.pem
        ca_file = ${cadir}/mainidp_ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
    }
}
 
home_server_pool mainidp_localdomain_authpool {
    home_server = mainidp_localdomain_server1
    home_server = ...
}
 
realm mainidp_realm {
    auth_pool = mainidp_localdomain_authpool
    nostrip
}
 
#  Invalid (but still valid for the time being) configuration
#realm mainidp_realm {
#    authhost = mainidp_localdomain_server1
#    secret = radsec
#    nostrip
#}

Link to the file in /etc/raddb/sites-enabled to enable it. 

Store a client certificate (client.pem) and the ca.pem from the identity provider in /etc/raddb/certs and call them mainidp_localdomain.pem and mainidp_ca.pem respectively.

Make sure they are readable by the radiusd group. 

Restart the server. 

...

Identity Provider (IdP) without the need to access the Trust Router infrastructure for realm information.

Contents

Table of Contents
maxLevel2

Info
titleExample configuration
In the example configuration information that follows, we shall refer to the organisation that owns the Moonshot IdP as Camford University and the IdP itself by its IP address, 192.168.213.24.
Numberedheadings

RadSec

Because this connection continues to use RadSec, we still have to request several files from Camford University, namely the Certificate Authority (CA) file for Camford (ca.pem), and the Client Certificate (client.pem) and private key (client.key) for use with their Moonshot IdP.

Preparing the certificates

If Camford University used our instructions , the Client Certificate and its private key are in the same file, client.pem

  1. If Camford University sent us three files, we'll create a combined file of the Client Certificate and its private key:

    bash

  2. Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END ENCRYPTED PRIVATE KEY-----".

Storing the certificates

Because the certificates are only used by FreeRADIUS, it is best if you store the certificates in FreeRADIUS' certs directory.

Be aware that running the make destroycerts command in the FreeRADIUS certs directory will also erase these certificates!

Rename the files from ca.pem and client.pem to an easily-recognisable name, such as camford_moonshot_ca.pem and camford_moonshot_client.pem.

Then make sure they are readable by members of the FreeRADIUS group.

bashOn Debian/UbuntubashOn RedHat/CentOS/Scientific Linux

FreeRADIUS configuration

In the FreeRADIUS configuration, we can define a single file that contains everything about the RadSec connection to the Moonshot IdP:

  1. Create a new file in the FreeRADIUS sites-available directory (/etc/raddb/sites-available on RedHat/CentOS/Scientific Linux, /etc/freeradius/sites-available on Debian/Ubuntu) called camford_moonshotidp with the below contents:

    sites-available/camford_moonshotidptrueCertificate paths

    If you stored the certificates for the Moonshot IdP somewhere else, you must adjust the private_key, certificate_file and ca_file entries with appropriate paths. The ${certdir} and ${ca_dir} directives refer to the FreeRADIUS certs directory. You should not need to change those directives.

  2. To enable this configuration, it needs to be linked into the FreeRADIUS sites-enabled directory:

    bashOn Debian/UbuntubashOn RedHat/CentOS/Scientific Linux


  3.  Restart FreeRADIUS

You should now try a test to check that the connection is functional.