==== eduroam-TH Setup Workshop (2020-01-15) ====

1) Basic setup and testing
-----------------------------------------------------
1.1 Update the OS and install prerequisite packages
--
apt update
apt upgrade -y
apt install ntp -y
-----------------------------------------------------
1.2 Install FreeRADIUS and its requirements
--
apt install freeradius -y
apt install easy-rsa -y
apt install wget -y
-----------------------------------------------------
1.3 Install the RADIUS testing tool (eapol_test from the eapoltest package, plus the rad_eap_test wrapper script, which the tarball extracts into /etc/freeradius/3.0/tool)
--
apt install eapoltest -y
cd /etc/freeradius/3.0
wget http://www.rmuti.ac.th/user/prakai/p/2023-12-freeradius-test-tool.tar.gz
tar vxfz 2023-12-freeradius-test-tool.tar.gz
-----------------------------------------------------
1.4 Download the FreeRADIUS 3.0 merged configuration template
--
cd /etc/freeradius/3.0
wget http://www.rmuti.ac.th/user/prakai/p/2023-12-freeradius-3-ubuntu-eduroam.tar.gz
-----------------------------------------------------
1.5 Extract the FreeRADIUS 3.0 merged configuration template
--
tar vxfz 2023-12-freeradius-3-ubuntu-eduroam.tar.gz
(The archive is unpacked over the live configuration directory. List its contents first, and keep a copy of the stock /etc/freeradius/3.0 so you can diff what the template changed.)
-----------------------------------------------------
1.6 Edit the FreeRADIUS 3.0 main configuration file
--
cd /etc/freeradius/3.0
nano radiusd.conf
--------
# Change the following settings in radiusd.conf as shown below.
# proxy_requests = yes is what allows requests for foreign realms to be
# forwarded to the NRO; the *-eduroam.conf files hold the workshop's own
# realm and client definitions and are included next to the stock ones.

# PROXY CONFIGURATION
#
proxy_requests = yes
$INCLUDE proxy.conf
# eduroam
$INCLUDE proxy-eduroam.conf
...

# CLIENTS CONFIGURATION
#
$INCLUDE clients.conf
# eduroam
$INCLUDE clients-eduroam.conf
-----------------------------------------------------
1.7 Duplicate the configuration files for the Main-realm site and put them into use
--
cd /etc/freeradius/3.0
cp proxy-eduroam-main.conf proxy-eduroam.conf
cp clients-eduroam-main.conf clients-eduroam.conf
cp sites-available/eduroam-main sites-available/eduroam
-----------------------------------------------------
1.8 Edit proxy-eduroam.conf
--
cd /etc/freeradius/3.0
nano proxy-eduroam.conf
-----------------------------------------------------
1.9 Edit sites-available/eduroam
--
cd /etc/freeradius/3.0
nano sites-available/eduroam
-----------------------------------------------------
1.10 Disable the default sites and enable the new ones
--
cd /etc/freeradius/3.0/sites-enabled
rm -f default
rm -f inner-tunnel
ln -s ../sites-available/eduroam
ln -s ../sites-available/eduroam-inner-tunnel
ln -s ../sites-available/eduroam-status
cd ..
-----------------------------------------------------
1.11 Enable the modules eap-eduroam and files-eduroam
--
cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/eap-eduroam
ln -s ../mods-available/files-eduroam
cd ..
-----------------------------------------------------
1.12 Generate the certificate files
--
cd /etc/freeradius/3.0/certs
rm *
cp /usr/share/doc/freeradius/examples/certs/* .
nano ca.cnf
nano server.cnf
nano client.cnf
nano Makefile
--------
# In the Makefile, add -dsaparam to the dh target so the DH parameters
# are generated in seconds rather than many minutes:
dh:
	$(OPENSSL) dhparam -dsaparam -out dh $(DH_KEY_SIZE)
--------
./bootstrap
cd ..

Notes on this step:
- The example .cnf files ship with "whatever" as input_password/output_password and with placeholder names in their CA and server sections. Put in your institution's names, a deliberate validity period (default_days) and real key passwords. The password you set in server.cnf must match private_key_password in the eap module configuration (mods-available/eap-eduroam here), or the server will fail to load its key.
- -dsaparam produces DSA-style DH parameters, which are only safe when a fresh DH key is generated for every exchange. TLS does exactly that, so it is fine for this use; do not reuse the file anywhere a static DH key is involved.
- bootstrap creates a private CA (ca.pem) and a server certificate signed by it. Supplicants must be configured to trust that CA and to check the server name; a client that accepts any certificate will happily hand its MSCHAPv2 credentials to a rogue access point.
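Before handing the tree to the freerad user (1.13) and starting the server in debug mode, it is worth checking that the edits of steps 1.6 to 1.12 are consistent: a commented-out $INCLUDE, a dangling symlink in sites-enabled or an un-run bootstrap are the usual reasons freeradius -X refuses to start. The script below is an added example, not part of the workshop material. It assumes the stock bootstrap output names (ca.pem, server.pem, dh), the stock example key password "whatever", and the site and module names used in this handout; it takes the configuration directory as its only argument.

```sh
#!/bin/sh
# check_raddb: pre-flight check of the eduroam FreeRADIUS tree built in
# steps 1.6-1.12 (added example, not part of the workshop handout).
# Usage: check_raddb [/etc/freeradius/3.0]
# Prints one FAIL line per problem and returns the number of failures.
check_raddb() {
    raddb="${1:-/etc/freeradius/3.0}"
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # 1.6: proxy_requests and the four $INCLUDE lines must be present and
    # not commented out, otherwise nothing is ever forwarded to the NRO.
    for inc in proxy.conf proxy-eduroam.conf clients.conf clients-eduroam.conf; do
        if ! grep -Eq '^[[:space:]]*\$INCLUDE[[:space:]]+'"$inc"'[[:space:]]*$' "$raddb/radiusd.conf"; then
            fail "radiusd.conf does not \$INCLUDE $inc"
        fi
    done
    if ! grep -Eq '^[[:space:]]*proxy_requests[[:space:]]*=[[:space:]]*yes' "$raddb/radiusd.conf"; then
        fail "proxy_requests is not set to yes in radiusd.conf"
    fi

    # 1.10: the stock default and inner-tunnel sites must be gone.
    for old in default inner-tunnel; do
        if [ -e "$raddb/sites-enabled/$old" ]; then
            fail "sites-enabled/$old is still enabled"
        fi
    done

    # 1.10/1.11: every eduroam site and module must be a symlink that
    # resolves; a dangling link makes the server refuse to start.
    for want in sites-enabled/eduroam sites-enabled/eduroam-inner-tunnel \
                sites-enabled/eduroam-status \
                mods-enabled/eap-eduroam mods-enabled/files-eduroam; do
        if [ ! -L "$raddb/$want" ]; then
            fail "$want is not a symlink into ../sites-available or ../mods-available"
        elif [ ! -e "$raddb/$want" ]; then
            fail "$want is a dangling symlink"
        fi
    done

    # 1.12: bootstrap must have produced the CA, the server certificate and
    # the DH parameters that the eap module points at.
    for cert in ca.pem server.pem dh; do
        if [ ! -s "$raddb/certs/$cert" ]; then
            fail "certs/$cert is missing or empty (run ./bootstrap in certs/)"
        fi
    done

    # The example .cnf files ship with the key password "whatever"; it must
    # not survive into the production CA or server key.
    if grep -Eq '^[[:space:]]*(input|output)_password[[:space:]]*=[[:space:]]*whatever' \
            "$raddb/certs/server.cnf" 2>/dev/null; then
        fail "certs/server.cnf still uses the example key password 'whatever'"
    fi

    if [ "$fails" -eq 0 ]; then
        echo "OK: $raddb is consistent"
    fi
    return "$fails"
}
```

Run it as check_raddb /etc/freeradius/3.0 after step 1.12 and again after every later step that adds a module symlink (4.5, 5.6); a non-zero exit status is the number of problems found, so it can also gate a deployment script.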
-----------------------------------------------------
1.13 Change the file owner
--
chown -R freerad:freerad /etc/freeradius/3.0
(The server key under certs/ should be readable by freerad only; do not leave it world-readable.)
-----------------------------------------------------
1.14 Testing
--
Local user (eduroam@uxx.ac.th)
--
nano mods-config/files-eduroam/authorize
--------
eduroam Cleartext-Password := "TESTING-PASSWORD"
--------
This is a throw-away test account in the files module; remove it once the LDAP, MySQL or NPS back end is working.
--
SCREEN #1
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'eduroam@uxx.ac.th' -p 'TESTING-PASSWORD' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2

-S testing123 is the shared secret of the stock "localhost" client in clients.conf and is acceptable only for this loopback test; every access point and every NRO server you add to clients-eduroam.conf needs its own long, unique secret. A successful run ends with Access-Accept. A timeout instead of a reject usually means the shared secret is wrong or UDP/1812 is blocked, because FreeRADIUS drops a request whose Message-Authenticator does not verify rather than answering it.
-----------------------------------------------------
=====================================================
2) Join the NRO
-----------------------------------------------------
2.1 Edit radiusd.conf
--
cd /etc/freeradius/3.0
nano radiusd.conf
--------
# Verify that radiusd.conf contains the same block as in step 1.6:

# PROXY CONFIGURATION
#
proxy_requests = yes
$INCLUDE proxy.conf
# eduroam
$INCLUDE proxy-eduroam.conf

# CLIENTS CONFIGURATION
#
$INCLUDE clients.conf
# eduroam
$INCLUDE clients-eduroam.conf
-----------------------------------------------------
2.2 Edit proxy-eduroam.conf
--
cd /etc/freeradius/3.0
nano proxy-eduroam.conf
(Add the NRO servers as home servers and route realms other than your own to them; your own realm stays local.)
-----------------------------------------------------
2.3 Edit clients-eduroam.conf
--
cd /etc/freeradius/3.0
nano clients-eduroam.conf
(Add the NRO servers as clients, with the shared secret agreed with UniNet, so that requests they forward to you for your realm are accepted.)
-----------------------------------------------------
2.4 Testing with another institution
--
User (eduroam@uni.net.th); the password for this test account is obtained from UniNet
--
SCREEN #1 at local
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2 at local (your user at a foreign realm, forwarded through the NRO)
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'eduroam@uni.net.th' \
    -p 'AskToUniNet' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
SCREEN #3 at the other institution or UniNet (their server forwards your realm back to you through the NRO)
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'eduroam@uxx.ac.th' -p 'TESTING-PASSWORD' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
=====================================================
3) Connect a Sub realm
-----------------------------------------------------
3.1 Edit radiusd.conf
--
cd /etc/freeradius/3.0
nano radiusd.conf
--------
# Verify that radiusd.conf still contains the block from step 1.6:

# PROXY CONFIGURATION
#
proxy_requests = yes
$INCLUDE proxy.conf
# eduroam
$INCLUDE proxy-eduroam.conf

# CLIENTS CONFIGURATION
#
$INCLUDE clients.conf
# eduroam
$INCLUDE clients-eduroam.conf
-----------------------------------------------------
3.2 Edit proxy-eduroam.conf
--
cd /etc/freeradius/3.0
nano proxy-eduroam.conf
(Route the sub realm, abc.uxx.ac.th in this workshop, to the sub-realm institution's server.)
-----------------------------------------------------
3.3 Edit clients-eduroam.conf
--
cd /etc/freeradius/3.0
nano clients-eduroam.conf
(Add the sub-realm institution's server as a client with its own shared secret.)
-----------------------------------------------------
3.4 Testing with the institution's Sub realm
--
User (eduroam@abc.uxx.ac.th)
--
SCREEN #1 at local
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2 at local
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'eduroam@abc.uxx.ac.th' \
    -p 'TESTING-PASSWORD' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
SCREEN #3 at the institution of the Sub realm
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'eduroam@uxx.ac.th' -p 'TESTING-PASSWORD' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
=====================================================
4) Setup to use accounts on an LDAP server
-----------------------------------------------------
4.2 Install the FreeRADIUS LDAP module
--
apt install freeradius-ldap -y
-----------------------------------------------------
4.3 Edit sites-available/eduroam-inner-tunnel
--
cd /etc/freeradius/3.0
nano sites-available/eduroam-inner-tunnel
-----------------------------------------------------
4.4 Edit mods-available/ldap-eduroam
--
cd /etc/freeradius/3.0
nano mods-available/ldap-eduroam
-----------------------------------------------------
4.5 Enable the module named ldap-eduroam
--
cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap-eduroam
-----------------------------------------------------
4.6 Change the file owner
--
chown -R freerad:freerad /etc/freeradius/3.0
-----------------------------------------------------
4.7 Testing with a user account on the LDAP server (user@uxx.ac.th)
--
SCREEN #1 at local
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2 at local
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'user@uxx.ac.th' \
    -p 'Asdf1234' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
=====================================================
5) Setup to use accounts on a MySQL server
-----------------------------------------------------
5.2 Install the FreeRADIUS MySQL module
--
apt-get install freeradius-mysql -y
-----------------------------------------------------
5.3 Edit sites-available/eduroam-inner-tunnel
--
cd /etc/freeradius/3.0
nano sites-available/eduroam-inner-tunnel
-----------------------------------------------------
5.4 Edit mods-available/sql-eduroam
--
cd /etc/freeradius/3.0
nano mods-available/sql-eduroam
-----------------------------------------------------
5.5 Edit mods-config/sql/main/mysql/queries-eduroam.conf
--
cd /etc/freeradius/3.0
nano mods-config/sql/main/mysql/queries-eduroam.conf
-----------------------------------------------------
5.6 Enable the module named sql-eduroam
--
cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/sql-eduroam
-----------------------------------------------------
5.7 Change the file owner
--
chown -R freerad:freerad /etc/freeradius/3.0
-----------------------------------------------------
5.8 Testing with a user account on the MySQL server (user@uxx.ac.th)
--
SCREEN #1 at local
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2 at local
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'user@uxx.ac.th' \
    -p 'Asdf1234' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
=====================================================
6) Setup to use accounts on Microsoft NPS
-----------------------------------------------------
6.2 Create a self-signed certificate (using Windows PowerShell)
--
New-SelfSignedCertificate -DnsName eduroam.uxx.ac.th -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10)
(This certificate is what NPS presents inside PEAP. Because it is self-signed and valid for ten years, supplicants must be configured to trust exactly this certificate, for example through the eduroam CAT profile, rather than any certificate for that name.)
-----------------------------------------------------
6.6 Add a new domain suffix and change users' UPN using the script at
--
https://gallery.technet.microsoft.com/scriptcenter/Add-new-domain-suffix-and-9f42e43f
-----------------------------------------------------
6.7 Edit radiusd.conf
--
cd /etc/freeradius/3.0
nano radiusd.conf
-----------------------------------------------------
6.8 Edit proxy-eduroam.conf
--
cd /etc/freeradius/3.0
nano proxy-eduroam.conf
(Point your own realm at the NPS server as a home server; NPS in turn must list the FreeRADIUS host as a RADIUS client with the same shared secret.)
-----------------------------------------------------
6.9 Edit sites-available/eduroam (sites-enabled/eduroam is only the symlink to it)
--
cd /etc/freeradius/3.0
nano sites-available/eduroam
-----------------------------------------------------
6.10 Testing directly against Microsoft NPS (user@uxx.ac.th); 192.168.1.3 and XXXXXXXXXXXXXXXX stand for the NPS address and the shared secret configured on it
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 192.168.1.3 -P 1812 -S XXXXXXXXXXXXXXXX \
    -u 'user@uxx.ac.th' \
    -p 'Asdf1234' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
6.11 Testing with a user account on Microsoft NPS through FreeRADIUS (user@uxx.ac.th)
--
SCREEN #1 at local
--
systemctl stop freeradius.service
freeradius -X
-----------------------------------------------------
SCREEN #2 at local
--
cd /etc/freeradius/3.0/tool
./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 \
    -u 'user@uxx.ac.th' \
    -p 'Asdf1234' \
    -v -m IEEE8021X \
    -s eduroam -e PEAP -2 MSCHAPV2
-----------------------------------------------------
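Every section of this handout ends with the same rad_eap_test invocation against a different user, and each later step (NRO, sub realm, LDAP, MySQL, NPS) can silently break an earlier one. The script below is an added example, not part of the workshop material: it turns those scenarios into one regression run. It assumes the exit codes documented for rad_eap_test (0 Access-Accept, 1 Access-Reject, 2 timeout, anything else a tool error; check the copy in your tool/ directory), the stock localhost secret testing123, and the placeholder users and passwords from the handout, which you replace with your own.

```sh
#!/bin/sh
# eduroam_matrix: run the handout's rad_eap_test scenarios as one regression
# suite (added example, not part of the workshop handout).
# Assumed exit codes of rad_eap_test: 0 = Access-Accept, 1 = Access-Reject,
# 2 = timeout, anything else = tool error.
RAD_EAP_TEST="${RAD_EAP_TEST:-/etc/freeradius/3.0/tool/rad_eap_test}"
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"   # stock localhost secret; loopback only

# outcome: translate a rad_eap_test exit status into a word
outcome() {
    case "$1" in
        0) echo accept ;;
        1) echo reject ;;
        2) echo timeout ;;
        *) echo error ;;
    esac
}

# run_one USER PASSWORD: one PEAP/MSCHAPv2 attempt with the handout's flags
run_one() {
    if "$RAD_EAP_TEST" -H "$RADIUS_HOST" -P 1812 -S "$RADIUS_SECRET" \
            -u "$1" -p "$2" -m IEEE8021X -s eduroam -e PEAP -2 MSCHAPV2 >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    outcome "$rc"
}

# eduroam_matrix: reads "label|user|password|expected" lines on stdin,
# prints PASS/FAIL per line and returns the number of failures.
eduroam_matrix() {
    fails=0
    while IFS='|' read -r label user pass expect; do
        case "$label" in ''|'#'*) continue ;; esac
        got=$(run_one "$user" "$pass")
        if [ "$got" = "$expect" ]; then
            echo "PASS  $label  $user -> $got"
        else
            echo "FAIL  $label  $user -> $got (expected $expect)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# The scenarios of steps 1.14, 2.4, 3.4 and 4.7/5.8/6.11, plus a wrong
# password that must be rejected. Replace realms and passwords with your own.
if [ -x "$RAD_EAP_TEST" ]; then
    eduroam_matrix <<'EOF'
local-realm-1.14|eduroam@uxx.ac.th|TESTING-PASSWORD|accept
wrong-password|eduroam@uxx.ac.th|not-the-password|reject
nro-forward-2.4|eduroam@uni.net.th|AskToUniNet|accept
sub-realm-3.4|eduroam@abc.uxx.ac.th|TESTING-PASSWORD|accept
backend-user-4.7|user@uxx.ac.th|Asdf1234|accept
EOF
fi
```

The wrong-password line is the important negative check: if it ever reports accept, the inner tunnel is no longer authenticating against the back end. To repeat step 6.10 against NPS directly, run the script with RADIUS_HOST=192.168.1.3 and RADIUS_SECRET set to the secret configured on NPS. A timeout on the NRO or sub-realm lines, while the local line passes, points at the shared secret or firewall between you and that server rather than at your own configuration.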