...
- On RHEL platforms, run `yum update freeradius`
- On Debian platforms, run `apt-get install freeradius freeradius-config`
- Repeat the command for any other FreeRADIUS modules that you use in your installation, such as the LDAP, KRB5 and SQLite modules.
- Install the `freeradius-abfab` module; it will do much of the reconfiguration (such as enabling the sites and modules used by Moonshot, as well as creating and configuring users).
- Do not start the server.
...
Note |
---|
In the below instructions, /etc/raddb will be equivalent to /etc/freeradius on Debian platforms. |
- Check that the `/etc/raddb/sites-enabled/channel_bindings`, `/etc/raddb/sites-enabled/abfab-tr-idp`, and `/etc/raddb/sites-enabled/abfab-tls` symbolic links exist. If they do not, create them:

  ```bash
  $ cd /etc/raddb/sites-enabled
  $ ln -s ../sites-available/channel_bindings
  $ ln -s ../sites-available/abfab-tls
  $ ln -s ../sites-available/abfab-tr-idp
  ```
- Delete the `/etc/raddb/sites-enabled/chbind` and `/etc/raddb/sites-enabled/tls` symbolic links.
- Check that the `/etc/raddb/mods-enabled/abfab_psk_sql` symbolic link exists. If it does not, create it:

  ```bash
  $ cd /etc/raddb/mods-enabled
  $ ln -s ../mods-available/abfab_psk_sql
  ```
- Delete the `/etc/raddb/mods-enabled/psk` symbolic link.
- Open the file `/etc/sites-available/abfab-tr-idp` for editing and comment out the `psk_authorize` line in the `authorize` section.

  Note: This step will not be necessary once all sites have upgraded to the same minimum version of FreeRADIUS that supports channel bindings.
- On the Moonshot IdP only, transfer the SAML assertion (as created per the Issue SAML Assertions section) from the `post-auth` section in `/etc/raddb/sites-available/default` into the `post-auth` section of `/etc/raddb/sites-available/abfab-tr-idp` (or create a custom policy in `/etc/raddb/policy.d` that you can call from both `post-auth` sections). To see how to do this, visit the Hard-coded in the RADIUS Server page.
- Open the file `/etc/raddb/proxy.conf` for editing and check that the `proxy server` section contains the below keyword:

  ```
  dynamic = yes
  ```

  If it does not, either insert it at the top or the bottom of the section.
- Check that the `realm suffix` entries in `/etc/raddb/mods-available/realm` are as they were before the upgrade:

  ```
  realm suffix {
      format = suffix
      delimiter = "@"
      default_community = "apc.moonshot.ja.net"
      rp_realm = "hostname of your IdP as registered with the Janet Moonshot Community Portal"
      trust_router = "tr1.moonshot.ja.net"
  }
  ```
- Start the server. It should start OK and continue to function as normal.

Warning: On RHEL/CentOS/SL systems, please ensure that SELinux is switched into Permissive mode!
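The link and configuration checks from the steps above can be collected into one audit that is run before the server is started. This is an added example, not part of the original instructions: the function names are hypothetical, and it assumes `abfab-tr-idp` lives under `sites-available` inside the raddb directory.

```bash
#!/bin/sh
# Added example, not part of the Moonshot instructions. Function names are hypothetical.

# in_section FILE HEADER PATTERN: succeeds if an uncommented line matching
# PATTERN occurs inside the "HEADER { ... }" block of FILE.
in_section() {
    awk -v hdr="^[ \t]*$2[ \t]*[{]" -v pat="$3" '
        { line = $0; sub(/#.*/, "", line) }          # ignore comments
        !depth && line ~ hdr { inside = 1 }
        inside {
            if (line ~ pat) found = 1
            depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
            if (depth <= 0) { inside = 0; depth = 0 }
        }
        END { exit !found }' "$1" 2>/dev/null
}

# check_moonshot_upgrade RADDB: prints one FAIL line per deviation from the
# steps above and returns the number of deviations (0 = ready to start).
check_moonshot_upgrade() {
    raddb=${1:-/etc/raddb}; problems=0
    for link in sites-enabled/channel_bindings sites-enabled/abfab-tr-idp \
                sites-enabled/abfab-tls mods-enabled/abfab_psk_sql; do
        # -L: is a symlink; -e: its target exists (link is not dangling)
        if [ ! -L "$raddb/$link" ] || [ ! -e "$raddb/$link" ]; then
            echo "FAIL: $link missing or dangling"; problems=$((problems + 1))
        fi
    done
    for link in sites-enabled/chbind sites-enabled/tls mods-enabled/psk; do
        if [ -L "$raddb/$link" ] || [ -e "$raddb/$link" ]; then
            echo "FAIL: $link should have been deleted"; problems=$((problems + 1))
        fi
    done
    # Assumption: the site file is $raddb/sites-available/abfab-tr-idp
    if in_section "$raddb/sites-available/abfab-tr-idp" authorize '^[ \t]*psk_authorize'; then
        echo "FAIL: psk_authorize still active in authorize section"; problems=$((problems + 1))
    fi
    if ! in_section "$raddb/proxy.conf" 'proxy[ \t]+server' '^[ \t]*dynamic[ \t]*=[ \t]*yes'; then
        echo "FAIL: proxy server section lacks dynamic = yes"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed tree (not a real server) that holds only a proxy.conf.
demo=$(mktemp -d)
printf 'proxy server {\n\tdefault_fallback = no\n}\n' > "$demo/proxy.conf"
check_moonshot_upgrade "$demo" || echo "deviations found: $?"
rm -rf "$demo"
```

On a real installation, call `check_moonshot_upgrade /etc/raddb` (or `/etc/freeradius` on Debian) and start the server only when it prints nothing.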
...