Versions Compared

Version Old Version 9 New Version Current
Changes made by

Stefan Paetow

Alejandro Perez Mendez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel

On this page you will find instructions on how to set up a Trust Router APC on Debian 7 (Wheezy) using FreeRADIUS. It also installs and configures the Trust Router client.

Contents

Table of Contents
maxLevel2

Note
titleComplexity of Installation

Many of the steps outlined below are currently necessary, but we realise the install should be simpler. As the software matures and the packaging improves, we will to make this process easier with fewer manual steps required.


System Preparation

Install Debian 7

The first thing that is required is a Debian 7 machine - this can be physical or virtual.
Numberedheadings

Install

Debian 7 (Wheezy) via usual mechanism (e.g netboot CD, ISO in VMware/VirtualBox or

the

DVD image.
  • Choose the following server install options: "Debian desktop, SSH server, Standard system utilities”.
  • Create/choose a secure root password and an initial system user account.
  • Once installed, make sure you run an apt-get update and apt-get upgrade to ensure your system is fully up to date.
    • Tip

    We would recommend using LVM when disk partitioning to allow easier partition/disk expansion on a live system.

    Warning

    After install, you will want to secure/lockdown the server as best practice dictates - for both the server and any extra software installed. This is beyond the remit of this guide but there are many guides available, e.g. for securing Debian, and SSH servers.

    Configure Debian 7

    Next, there are a few Debian configuration options that need to be set in advance.

    Networking configuration

    For production deployments, it is recommended that the Moonshot APC be assigned a static IP address.

    For Debian networking information please refer to the Debian documentation: https://wiki.debian.org/NetworkConfiguration

    Firewall configuration

    The following ports are required to be accessible from the outside world, both in local firewall and in any external firewalls:

    • 2083/tcp (for RadSec connections to other Moonshot entities)
    • 12309/tcp (for Trust Router client connections - if using the Trust Router to broker trust relationships between entities)

    Add the Moonshot Repository

    Add the Moonshot Debian Wheezy repository to your system. To do this, run the following command (as root, or using sudo):

    bash

    Install the Moonshot GPG key:

    bash

    Update the apt cache with the new repository information:

    bash

    Install the Software

    We’re now ready to install the Moonshot software and its required dependencies. Install the software by running the following command:

    bash

    If you try to start FreeRADIUS at this point, it will not currently start successfully as the certificates it requires have not been generated - they are created in step 3.1 below.

     

    true

    Configure the Moonshot APC

    Next, we need to configure the Moonshot APC.

    Configure FreeRADIUS

    Certificates

    We need to get

    FreeRADIUS

    to create some private and public keys to use for its RadSec connections. Create and install the certificates by doing the following (as root).

    Change into the /etc/freeradius/certs directory

    bashEdit the certificate generation properties in client.cnf, server.cnf, and ca.cnf as following:In the ca.cnf file:
  • In the [ req ] section, add encrypt_key = no

  • In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

    • in the [ certificate_authority ] section, change all of the parameters to match those of your organisation. e.g.

    true

    In the server.cnf file:

  • In the [ req ] section, add encrypt_key = no
  • In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

    • in the [ server ] section, change all of the parameters to match those of your organisation. e.g.

    true

    In the client.cnf file:

  • In the [ req ] section, add encrypt_key = no
  • In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

    • in the [ client ] section, change all of the parameters to match those of your organisation. e.g.

    trueAll of the organisation parameters (countryName, localityName, etc) need to match in the three .cnf files but the commonName must be unique in each file)Clear out any old certificates in the directory

    bash

    Run the bootstrap script to generate the certificates

    bash

    Create a file that is the concatenation of the certificate and private key of the client.

    Create the file

    bash
  • Cerify that the client.pem file starts with "-----BEGIN CERTIFICATE-----".

    • Moonshot UI credential store

    We need to enable the freeradius user to use the Moonshot UI flatstore:

    bash

    RadSec

    Next we need to configure RadSec. We do this by creating a file at /etc/radsec.conf with the following:

    true

    Realm

    We next need to configure your realm in the FreeRADIUS server so that it knows not to send any requests for your own users off to another server.

    1. Configure your realm in /etc/freeradius/proxy.conf
      1. Open the file for editing and fine find the line “realm example.com {“

      2. Above this, add the following, where YOUR_REALM should be substituted for the realm you intend to use for your APC:

        true


    Channel Binding Support

    We next need to configure your FreeRADIUS server to support channel bindings.

    1. Open /etc/freeradius/sites-available/abfab-tls for editing:
      1. Scroll to the client default stanza at the bottom of the file

      2. Edit the stanza to match the below:


      3. If you have any other client definitions here, for example to distinguish between internal and external clients, also apply the change to them.

    EAP Type

    1. Set the EAP type in use by moonshot (EAP-TTLS) by editing /etc/freeradius/mods-enabled/eap. Find the first instance of default_eap_type = md5 and change it to TTLS, i.e.:

    Other EAP types should be supported (PEAP and MD5 have been tested).

     

    Resource Provider Authentication

    note

    This information is implementation-specific and will be discussed separately.

     

    1. .


    Returning the User-Name

    The APC must return the User-Name attribute in its RADIUS response.

    1. As root, find the post-auth section in the /etc/freeradius/sites-available/inner-tunnel file.

      1. Make sure the following files are uncommented:


      2. Save the file.

    Resource Provider Authentication

    All Resource Providers in the Trust Router network, including all IdPs and RP Proxies and the Trust Router itself, need to authenticate themselves to the APC using Moonshot. This means that for every service or organisation, you must provision a credential on the APC.

    In a production environment, we recommend you use a method of Resource Provider Authentication that integrates well with your chosen method of managing your Trust Router infrastructure.

    See for options to define credentials.

    We recommend using an automatic means to provision credential files, such as an online portal.

    Defining the APC credential

    During testing, we recommend to define credentials that your Resource Providers can use to authenticate to the APC. We will create a user with username "testapc" and password "testing".

    1. Open /etc/freeradius/users for editing and put the following at the top of the file:

      true


      The formatting of the stanza above is very important. There should be a line break before the Reply-Message.


    Provisioning the APC credential

    For the APC credential you defined in the previous step, create a :

    1. Set the <user> tag to the credential you defined in the previous step, e.g. testapc
    2. Set the <password> tag to its appropriate password. You may wish to base64-encode the password.
    3. Set the <realm> tag to YOUR_APC_REALM.
    4. You can leave the <services> tag out.

    5. You should set the <selection-rules> tag to:

      selection-rulestrue


    6. Define either of the two trust anchors as per the documentation.

      For simple test infrastructures, you may leave out the trust anchors, but it is not recommended.


    7. Save the file, then deploy it onto the Trust Router that you are connecting to this APC (see Section 3.2.2 of ).

    Configure the Trust Router connection

    The APC is fundamental to a Trust Router network, so the next step involves configuring the Trust Router client software and configuring its connection to a Trust Router.

    Set up the FreeRADIUS and Trust Router users

    We need to place the FreeRADIUS user and the Trust Router users into each other's groups to allow them to read each other's shared files.

    bash

    Configure TIDS

    The APC also runs the Temporary ID Server (TIDS).

    1. Open the /etc/default/trust_router file for editing. If necessary, create it.

      true


    Testing

    Now that we have the Moonshot IdP installed and configured, we're now ready to test!

    Tip

    At this point you probably want three consoles open on the server, so that you can manually run various components separately.

    Testing FreeRADIUS locally

    The first test is to check whether FreeRADIUS is working in its most basic manner.

    1. In window 1, run (as root user)

      bashtrue


    2. In window 2, run (as root user)

      bashtrue


      This uses the "radtest" utility which is used in the following way - radtest username password servername port shared-secret


    3. If this is working correctly you should see something like the following:

      In window 1 - FreeRADIUS server output


      In window 2 - radtest client output


    Testing the Trust Router connection

    To test the connection to Trust Router, we need to make sure the Temporary Identity Server (TIDS) software is running, then use the Temporary Identity Client (TIDC) software to simulate a connection to the Trust Router.

    Starting the Temporary Identity Server (TIDS)

    In window 3 (window 1 should still be still running the FreeRADIUS server and window 2 the radtest command), run the TIDS software:

    bashtrue

    testuser@YOURtestapc@YOUR-APC-REALM is the identity that the trust router will use when provisioning keys - this makes it easy to spot in your own log files.
    Specifying your server's IP and hostname may seem redundant (and for single server deployments, it is!). You'll need to set the hostname and IP arguments a little differently if you want to enable some more advanced configurations (such as load balancing and key sharing).

    This uses the "tids" binary which is used in the following way - tids [your-ip-address] trustrouter-gss-name] [your-hostname] [path-to-key-database]


    When using Network Address Translation (NAT) or a firewall, you must specify your external IP address.

     


    Run an APC authentication test

    At this point, you must configure your trust router to use testuser@YOURtestapc@YOUR-APC-REALM as authentication.

    1. The trust router configuration must be updated with the test user associated with your trust router's rp_realm filter lines.
    2. The trust router configuration must be updated with your new APC designated as the APC for your trust router.
    3. The trust router must have its Moonshot credential store updated with the test user and its password.
    4. The trust router must be restarted. At this point, the trust router will attempt to authenticate itself to the APC.
    5. In the FreeRADIUS console, you should see an Access-Accept response.
     


    Next Steps

    At this point, you now have a Moonshot APC that is working. Now for the next steps:

    Automatically start the software

    FreeRADIUS

    To automatically start FreeRADIUS, issue the following command (as root):

    true

    If this is working correctly, you should see FreeRADIUS running as a daemon process.

    TIDS

    To automatically start TIDS, issue the following command (as root):

    true

    If this is working correctly, you should see TIDS running as a daemon process.

    Configure a real source of Authentication

    Your FreeRADIUS server can currently only authenticate a single user - "testusertestapc". At this point, you will want to connect to your management database. The FreeRADIUS site has information and instructions for how to do this.

    ...