Issue Pseudonymous Identifiers

In addition to supporting SAML assertions in a RADIUS attribute, Moonshot also supports three pseudonymous identifiers shipped in RADIUS attributes. For simple deployments where only one identifier is required, it can be more efficient not to send the SAML assertion at all and to rely solely on the pseudonymous identifier(s).

Moonshot defines three identifiers of varying scope:

  1. Moonshot-Host-TargetedId - A host-specific identifier that is unique on a per-host basis, e.g. a user logging into different hosts even at the same organisation with the same realm will generate different identifiers.
  2. Moonshot-Realm-TargetedId - A realm-specific identifier that will be unique on a per-realm basis, e.g. a user logging into different hosts at the same organisation with the same realm will generate the same identifier.
  3. Moonshot-TR-COI-TargetedId - A community of interest-specific identifier that will be unique per community of interest. A user logging into services belonging to different organisations in a specific community of interest will generate the same identifier.

This page contains a FreeRADIUS policy file generating all three identifiers that you can store in /etc/raddb/policy.d (/etc/freeradius/policy.d on Debian).

After changing the targeted_id_salt value in the file, call moonshot_host_tid, moonshot_realm_tid and moonshot_coi_tid from the post-auth section of your inner-tunnel server in FreeRADIUS to generate the corresponding attribute(s).

This file requires that the uuid package is installed on your platform.

FreeRADIUS 3.0.12 and later

In FreeRADIUS 3.0.12 and later, this functionality is included in the standard configuration but commented out.

To enable this functionality, uncomment the following three lines in the post-auth section of the sites-available/inner-tunnel file:

#	moonshot_host_tid
#	moonshot_realm_tid
#	moonshot_coi_tid

Updates to the moonshot-targeted-ids file

Be aware that FreeRADIUS 3.0.12 and 3.0.13 contain a weaker version of this functionality. We recommend refreshing the bundled moonshot-targeted-ids file with the version below.


FreeRADIUS 3.0.6 to 3.0.13 inclusive:

Porting configurations

FreeRADIUS configurations remain generally compatible between versions. When you upgrade FreeRADIUS to version 3.0.12 or later, be aware that moonshot-targeted-ids is now included in the standard distribution, and that this will change how your service behaves.

Save this code fragment as the moonshot-targeted-ids file in the policy.d/ directory of your FreeRADIUS installation (on RHEL/CentOS/SL it's /etc/raddb/policy.d, on Debian/Ubuntu it's /etc/freeradius/policy.d):

moonshot-targeted-ids
#
#  The following policies generate targeted IDs for ABFAB (Moonshot)
#
#  This policy requires that the UUID package is installed on your platform
#  and that this is called from the inner-tunnel
#
#  The following string attributes need to exist in the UKERNA dictionary
#  Moonshot-Host-TargetedId (138)
#  Moonshot-Realm-TargetedId (139)
#  Moonshot-TR-COI-TargetedId (140)
#
#  These attributes should also be listed in the attr_filter policies
#  post-proxy and pre-proxy when you use attribute filtering:
#       Moonshot-Host-TargetedId =* ANY,
#       Moonshot-Realm-TargetedId =* ANY,
#       Moonshot-TR-COI-TargetedId =* ANY,
#
#
#  targeted_id_salt definition
#  This salt serves the purpose of protecting targeted IDs against
#  dictionary attacks, therefore should be chosen as a "random"
#  string and kept secret.
#
#  If you use special characters %, { and }, escape them with a \ first
#
targeted_id_salt = 'changeme'

#
#  Moonshot namespaces
#  These namespaces are used for UUID generation.
#  They should not be changed by implementors
#
moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6'
moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6'
moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247'

#  This policy generates a host-specific targeted ID
#
moonshot_host_tid.post-auth {
	#  generate a UUID for Moonshot-Host-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
	if (&outer.request:GSS-Acceptor-Host-Name) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
			if (&outer.session-state:Moonshot-Host-TargetedId =~ /([\%\{\}]+)/) {
				update outer.session-state {
					Moonshot-Host-TargetedId !* ANY
					Module-Failure-Message = 'Invalid Moonshot-Host-TargetedId, check your targeted_id_salt!'
				}
				reject
			}
		}
	}
}
#  This policy generates a realm-specific targeted ID
#
moonshot_realm_tid.post-auth {
	#  generate a UUID for Moonshot-Realm-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
	if (&outer.request:GSS-Acceptor-Realm-Name) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
			if (&outer.session-state:Moonshot-Realm-TargetedId =~ /([\%\{\}]+)/) {
				update outer.session-state {
					Moonshot-Realm-TargetedId !* ANY
					Module-Failure-Message = 'Invalid Moonshot-Realm-TargetedId, check your targeted_id_salt!'
				}
				reject
			}
		}
	}
}
#  This policy generates a COI-specific targeted ID
#
moonshot_coi_tid.post-auth {
	#  generate a UUID for Moonshot-TR-COI-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
	if (&outer.request:Trust-Router-COI) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
			if (&outer.session-state:Moonshot-TR-COI-TargetedId =~ /([\%\{\}]+)/) {
				update outer.session-state {
					Moonshot-TR-COI-TargetedId !* ANY
					Module-Failure-Message = 'Invalid Moonshot-TR-COI-TargetedId, check your targeted_id_salt!'
				}
				reject
			}
		}
	}
}

Insert the following three lines into the post-auth section of the sites-available/inner-tunnel file after the ldap line:

	moonshot_host_tid
	moonshot_realm_tid
	moonshot_coi_tid

To ensure the contents of the session-state object in FreeRADIUS is transferred to the outgoing Access-Accept packet, check that the following lines exist at the top of the post-auth section in the sites-available/abfab-tr-idp file. If they do not exist, add them:

	update {
		&reply: += &session-state:
	}
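To see what the policy above computes for a given user before you deploy it, the following added Python example (not part of the policy file or of Moonshot) reproduces its xlat: an RFC 4122 version 5 UUID over the fixed namespace and the lowercased User-Name, the salt and the lowercased target, suffixed with the IdP realm. It also checks a candidate salt for the unescaped %, { and } characters that the policy's reject branch guards against. The user names, salts and host, realm and COI names used are constructed sample values.

```python
import uuid

# Namespaces from the moonshot-targeted-ids policy on this page (not to be changed)
HOST_NS = uuid.UUID("a574a04e-b7ff-4850-aa24-a8599c7de1c6")
REALM_NS = uuid.UUID("dea5f26d-a013-4444-977d-d09fc990d2e6")
COI_NS = uuid.UUID("145d7e7e-7d54-43ee-bbcb-3c6ad9428247")


def targeted_id(namespace, user_name, salt, target, idp_realm):
    """Mirror of the policy xlat:
    (uuid -v 5 [namespace] [username][salt][target])@[IdP realm name]
    User-Name, target and realm go through tolower as in the policy; the salt is
    used verbatim.  uuid.uuid5 is the same SHA-1 based RFC 4122 v5 construction
    that `uuid -v 5` runs, so equal inputs give the same value as the policy."""
    name = user_name.lower() + salt + target.lower()
    return f"{uuid.uuid5(namespace, name)}@{idp_realm.lower()}"


def host_tid(user_name, salt, acceptor_host, idp_realm):
    return targeted_id(HOST_NS, user_name, salt, acceptor_host, idp_realm)


def realm_tid(user_name, salt, acceptor_realm, idp_realm):
    return targeted_id(REALM_NS, user_name, salt, acceptor_realm, idp_realm)


def coi_tid(user_name, salt, coi, idp_realm):
    return targeted_id(COI_NS, user_name, salt, coi, idp_realm)


def salt_has_unescaped_xlat_chars(salt):
    """True if %, { or } appears without a preceding backslash.  Such a salt is
    interpreted by xlat expansion; the policy detects the leftover characters in
    the generated ID and rejects the request with a Module-Failure-Message."""
    escaped = False
    for ch in salt:
        if ch in "%{}" and not escaped:
            return True
        escaped = ch == "\\" and not escaped
    return False


if __name__ == "__main__":
    salt = "constructed-salt"  # stand-in for your own secret targeted_id_salt
    for host in ("login1.example.org", "login2.example.org"):
        print(host, host_tid("Alice", salt, host, "example.com"))
    print("realm", realm_tid("Alice", salt, "example.org", "example.com"))
    print("coi", coi_tid("Alice", salt, "research.example.net", "example.com"))
    print("bad salt?", salt_has_unescaped_xlat_chars("chang%{e}me"))
```

Running it shows the scoping rule from the list at the top of the page: the host ID changes between the two hosts while the realm and COI IDs do not, and changing the salt changes every ID.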

Testing

To test this functionality, run FreeRADIUS in debug mode and follow the instructions in the Troubleshooting local GSSAPI connections topic to initiate a Moonshot authentication request.

To switch FreeRADIUS to debug mode, run the following commands for your platform:

On Debian or Ubuntu
$ su - --shell=/bin/bash freerad
$ unset DISPLAY
$ /usr/sbin/freeradius -fxx -l stdout
On Redhat, CentOS or Scientific Linux
$ su - --shell=/bin/bash radiusd
$ unset DISPLAY
$ radiusd -fxx -l stdout

A successful test will show output similar to the following in the FreeRADIUS debug output:

FreeRADIUS debug output
(14) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 127.0.0.1:37755 length 0
(14)   MS-MPPE-Recv-Key = 0x4d791488748973762623708aec1644b4dcfd84e66ad081eb772570e0d46cd187
(14)   MS-MPPE-Send-Key = 0x4b95963b88d001563c46392523059fd60b674b6c60ed096df2492baa9b8acf99
(14)   EAP-Message = 0x03070004
(14)   Message-Authenticator = 0xb906d3aee95801d863c8d597d2e8ff92
(14)   Moonshot-Host-TargetedId = "0a12fe5a-998a-5020-89e4-ec4f6c856d68@example.com"
(14)   Moonshot-Realm-TargetedId = "1eb1a34b-4243-5e33-920e-212af366b597@example.com"
(14)   Moonshot-TR-COI-TargetedId = "e0f7494d-e349-5674-800c-bca041f1747a@example.com"
(14) Finished request