Moonshot
Page tree

Versions Compared

Old Version 23

changes.mady.by.user Stefan Paetow

Saved on

compared with

New Version 24

changes.mady.by.user Stefan Paetow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. On RHEL platforms, run yum update freeradius
  2. On Debian platforms, run apt-get install freeradius freeradius-config
  3. Repeat the command for any other FreeRADIUS modules that you use in your installation, such as the LDAP, KRB5 and SQLite modules.
  4. Install the freeradius-abfab module; it will do much of the reconfiguration (such as enabling the sites and modules used by Moonshot, as well as creating and configuring users).
  5. Do not start the server.

...

Note
In the below instructions, /etc/raddb will be equivalent to /etc/freeradius on Debian platforms.

  1. Check that the /etc/raddb/sites-enabled/channel_bindings, /etc/raddb/sites-enabled/abfab-tr-idp, and /etc/raddb/sites-enabled/abfab-tls symbolic links exist. If they do not, create them:

    Code Block
    languagebash
    $ cd /etc/raddb/sites-enabled
$ ln -s ../sites-available/channel_bindings
$ ln -s ../sites-available/abfab-tls
$ ln -s ../sites-available/abfab-tr-idp
  2. Delete the /etc/raddb/sites-enabled/chbind and /etc/raddb/sites-enabled/tls symbolic links.

  3. Check that the /etc/raddb/mods-enabled/abfab_psk_sql symbolic link exists. If it does not, create it:

    Code Block
    languagebash
    $ cd /etc/raddb/sites-enabled
$ ln -s ../mods-available/abfab_psk_sql
  4. Delete the /etc/raddb/mods-enabled/psk symbolic link.

  5. Edit Open the file /etc/sites-available/abfab-tr-idp for editing and comment out the psk_authorize line in the authorize section.

    Note
    This step will not be necessary once all sites have upgraded to the same minimum version of FreeRADIUS that supports channel bindings.
  6. On the Moonshot IdP only, transfer the SAML assertion (as created per the Issue SAML Assertions section) from the post-auth section in /etc/raddb/sites-available/default into the post-auth section of /etc/raddb/sites-available/abfab-tr-idp, or create a custom policy in /etc/raddb/policy.d that you can call from both post-auth sections).Edit . To see how to do this, visit the Hard-coded in the RADIUS Server page.

  7. Open the file /etc/raddb/proxy.conf for editing and check that the the proxy server section contains the below keyword:

    Code Block
     dynamic = yes 

    If it does not, either insert it at the top or the bottom of the section.

  8. Check that the realm suffix entries in /etc/raddb/mods-available/realm are as they were before the upgrade:

    Code Block
    linenumberstrue
    realm suffix {
  format = suffix
  delimiter = "@"
  default_community = "apc.moonshot.ja.net"
  rp_realm = "hostname of your IdP as registered with the Janet Moonshot Community Portal"
  trust_router = "tr1.moonshot.ja.net"
}

  9. Start the server. It should start ok and continue to function as normal.

    Warning

    On RHEL/CentOS/SL systems, please ensure that SELinux is switched into Permissive mode!

...