We need to configure the community and rp_realm appropriate for your Moonshot service, and the Trust Router that it will connect to.
Open /etc/raddb/mods-enabled/realm for editing. For the default Jisc Assent Trust Router this will look like the following:
    realm suffix {
        format = suffix
        delimiter = "@"
        default_community = "ov-apc.moonshot.ja.net"
        rp_realm = "Your service realm as registered in the Jisc Assent Portal"
        trust_router = "tr.moonshot.ja.net"
        rekey_enabled = yes
    }

    realm bangpath {
        format = prefix
        delimiter = "!"
        default_community = "ov-apc.moonshot.ja.net"
        rp_realm = "Your service realm as registered in the Jisc Assent Portal"
        trust_router = "tr.moonshot.ja.net"
        rekey_enabled = yes
    }
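A quick check to run on the edited file before restarting the server, added here as an example and not part of the original instructions or of Moonshot or FreeRADIUS. It flags a realm block that still carries the template's rp_realm text and values that differ between the two blocks; the realm service.example.org is a constructed sample, and the rule that both blocks should agree is an assumption drawn from the sample above.

```python
import re

# Placeholder text from the sample realm file above; it must be replaced.
PLACEHOLDER = "Your service realm as registered in the Jisc Assent Portal"
REQUIRED = ("default_community", "rp_realm", "trust_router")
BLOCKS = ("suffix", "bangpath")

def parse_realm_blocks(text):
    """Return {block_name: {key: value}} for each 'realm NAME { ... }' block."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching braces
    blocks = {}
    for name, body in re.findall(r"\brealm\s+(\S+)\s*\{([^}]*)\}", text):
        pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|\S+)', body)
        blocks[name] = {key: value.strip('"') for key, value in pairs}
    return blocks

def lint_realm_config(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_realm_blocks(text)
    findings = []
    for name in BLOCKS:
        if name not in blocks:
            findings.append(f"{name}: realm block missing")
            continue
        for key in REQUIRED:
            value = blocks[name].get(key, "")
            if not value:
                findings.append(f"{name}: {key} is not set")
            # Heuristic: a realm name never contains spaces, template text does.
            elif key == "rp_realm" and (value == PLACEHOLDER or " " in value):
                findings.append(f"{name}: rp_realm still holds placeholder text")
    # Assumption: both blocks should agree, as they do in the sample above.
    for key in REQUIRED:
        if len({blocks[n].get(key) for n in BLOCKS if n in blocks}) > 1:
            findings.append(f"{key}: differs between suffix and bangpath")
    return findings

def realm_block(name, fmt, delim, rp_realm):
    """Build one realm block in the layout of the sample above."""
    return (f'realm {name} {{\n format = {fmt}\n delimiter = "{delim}"\n'
            ' default_community = "ov-apc.moonshot.ja.net"\n'
            f' rp_realm = "{rp_realm}"\n'
            ' trust_router = "tr.moonshot.ja.net"\n rekey_enabled = yes\n}\n')

# Constructed sample: suffix block edited, bangpath block left as the template.
SAMPLE = (realm_block("suffix", "suffix", "@", "service.example.org")
          + realm_block("bangpath", "prefix", "!", PLACEHOLDER))

if __name__ == "__main__":
    print("\n".join(lint_realm_config(SAMPLE)) or "realm file looks consistent")
```

To check a real file, pass the contents of /etc/raddb/mods-enabled/realm to lint_realm_config() instead of SAMPLE.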
Camford University has a Moonshot service registered in the Jisc Assent Portal at the service realm of moonshot.camford.ac.uk, so its realm file would look like this:
At this point, the Moonshot service needs to be associated with a Trust Router. To do this, contact the operator of the Trust Router you wish to join for their specific instructions.
Once you have joined the Trust Router service, you will be issued with a Trust Router credential file in XML format.
Keep this credential file safe. It will usually be issued only once, and any subsequent request usually invalidates any previously issued credentials. This is a security precaution.
The instructions below are specific to the world's first Trust Router service, Jisc Assent, operated by Jisc in the United Kingdom:
You must import the issued credential file using the moonshot-webp command as the radiusd user:

    $ su - --shell=/bin/bash radiusd
    $ moonshot-webp -f [path to credential file]

Check that the credential has been correctly imported:

    $ ls -la /var/lib/radiusd/.local/share/moonshot-ui/identities.txt