...


RadSec

Because this connection continues to use RadSec, we still have to request several files from Camford University, namely the Certificate Authority (CA) file for Camford (ca.pem), and the Client Certificate (client.pem) and private key (client.key) for use with their Moonshot IdP.

Preparing the certificates

Note

If Camford University used our instructions to create an Identity Provider, the Client Certificate and its private key are already in the same file, client.pem, and step 1 below can be skipped.

  1. If Camford University sent us three files, we'll create a combined file of the Client Certificate and its private key:

    Code Block
    languagebash
    $ cat client.key >> client.pem
  2. Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END ENCRYPTED PRIVATE KEY-----" (an unencrypted key ends with "-----END PRIVATE KEY-----" or, in the older format, "-----END RSA PRIVATE KEY-----" instead). Also check that "-----END CERTIFICATE-----" and the key's "-----BEGIN ..." marker are on separate lines: if client.pem had no trailing newline, cat will have joined the two markers on one line and FreeRADIUS will not find the key.

Storing the certificates

Because the certificates are only used by FreeRADIUS, it is best if you store the certificates in FreeRADIUS' certs directory.

Warning
Be aware that running the make destroycerts command in the FreeRADIUS certs directory will also erase these certificates!

Rename the files from ca.pem and client.pem to an easily-recognisable name, such as camford_moonshot_ca.pem and camford_moonshot_client.pem.

Then make sure they are owned by the FreeRADIUS group and readable by it, and that the client file, which contains the private key, is not world-readable (cp creates the copies with the umask default, typically mode 0644).

Code Block
languagebash
titleOn Debian/Ubuntu
$ cp /tmp/camford/ca.pem /etc/freeradius/certs/camford_moonshot_ca.pem
$ cp /tmp/camford/client.pem /etc/freeradius/certs/camford_moonshot_client.pem
$ chgrp freerad /etc/freeradius/certs/camford_moonshot*.pem
$ chmod 640 /etc/freeradius/certs/camford_moonshot_client.pem
Code Block
languagebash
titleOn RedHat/CentOS/Scientific Linux
$ cp /tmp/camford/ca.pem /etc/raddb/certs/camford_moonshot_ca.pem
$ cp /tmp/camford/client.pem /etc/raddb/certs/camford_moonshot_client.pem
$ chgrp radiusd /etc/raddb/certs/camford_moonshot*.pem
$ chmod 640 /etc/raddb/certs/camford_moonshot_client.pem
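The two procedures above (combining the certificate and key, then storing the result for FreeRADIUS) as an added Python example; this is not code from the original page or from the FreeRADIUS or Moonshot projects. It does with the standard library what the shell steps do, plus the two checks the steps leave implicit: that the PEM markers really sit on separate lines, and that the installed file is group-readable but not world-readable. The `gid` parameter of `install_pem` is where the freerad/radiusd group id goes; the sample certificate and key are constructed placeholders, not real credentials.

```python
"""Combine client.pem and client.key the way the 'Preparing the certificates'
step does (`cat client.key >> client.pem`), validate the result as step 2
asks, and install it into FreeRADIUS' certs directory with the private key
kept out of reach of other users.  Added example for this page, not code
from the original page or from FreeRADIUS/Moonshot; standard library only."""
import base64
import os
import re

# A PEM block: BEGIN and END markers must each start a line, which is what
# OpenSSL's PEM reader (and therefore FreeRADIUS) requires.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n^-----END \1-----",
    re.MULTILINE | re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Skip the 'Proc-Type:'/'DEK-Info:' headers of legacy encrypted keys.
        b64 = "".join(ln.strip() for ln in body.splitlines()
                      if ln.strip() and ":" not in ln)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def combine(cert_pem, key_pem):
    """Same as `cat client.key >> client.pem`, but guarantees the newline
    between the two files so the END/BEGIN markers cannot run together."""
    if not cert_pem.endswith("\n"):
        cert_pem += "\n"
    return cert_pem + key_pem


def check_combined(text):
    """Step 2 of the page as code: the file must start with a CERTIFICATE
    block and end with a private key block.  Returns (ok, message)."""
    if "-----END CERTIFICATE----------BEGIN" in text:
        return False, ("END/BEGIN markers fused: client.pem had no trailing "
                       "newline before `cat`; the key would not be loaded")
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:            # binascii.Error is a ValueError
        return False, f"bad base64 in a PEM block: {exc}"
    if not blocks:
        return False, "no PEM blocks found"
    if not text.startswith("-----BEGIN CERTIFICATE-----"):
        return False, "file must start with -----BEGIN CERTIFICATE-----"
    if blocks[-1][0] not in KEY_LABELS:
        return False, f"file must end with a private key, got {blocks[-1][0]}"
    encrypted = (blocks[-1][0] == "ENCRYPTED PRIVATE KEY"
                 or "Proc-Type: 4,ENCRYPTED" in text)
    return True, "ok: private key is " + ("encrypted" if encrypted else "not encrypted")


def install_pem(text, dest, gid=None, mode=0o640):
    """Write the PEM with an explicit mode.  `cp` leaves the copy at the umask
    default (usually 0644), i.e. a world-readable private key; 0640 plus the
    freerad/radiusd group is what FreeRADIUS needs.  Returns the final mode."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(dest, mode)                  # os.open applies the umask; fix it
    if gid is not None:
        os.chown(dest, -1, gid)           # e.g. grp.getgrnam("freerad").gr_gid
    return oct(os.stat(dest).st_mode & 0o777)


def _pem(label, payload):
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed stand-ins: the base64 is not a real certificate or key.
SAMPLE_CERT = _pem("CERTIFICATE", b"constructed: not a real certificate")
SAMPLE_KEY = _pem("ENCRYPTED PRIVATE KEY", b"constructed: not a real key")
```

`check_combined(combine(SAMPLE_CERT, SAMPLE_KEY))` passes, while `check_combined(SAMPLE_CERT.rstrip("\n") + SAMPLE_KEY)` reports the fused markers that a plain `cat` produces when client.pem lacks its trailing newline. The DER payload is only base64-checked, not parsed; whether the key matches the certificate is still for `openssl` to decide.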

FreeRADIUS configuration

In the FreeRADIUS configuration, we can define a single file that contains everything about the RadSec connection to the Moonshot IdP:

  1. Create a new file in the FreeRADIUS sites-available directory (/etc/raddb/sites-available on RedHat/CentOS/Scientific Linux, /etc/freeradius/sites-available on Debian/Ubuntu) called camford_moonshotidp with the below contents:

    Code Block
    titlesites-available/camford_moonshotidp
    #  This is the actual Camford Moonshot IdP server
    #
    home_server camford_moonshotidp_server1 {
        ipaddr = 192.168.213.24
        port = 2083
        type = auth
        secret = radsec
        proto = tcp
        status_check = none
       
        tls {
            private_key_password = whatever
            private_key_file = ${certdir}/camford_moonshot_client.pem
            certificate_file = ${certdir}/camford_moonshot_client.pem
            ca_file = ${cadir}/camford_moonshot_ca.pem
            fragment_size = 8192
            ca_path = ${cadir}
            cipher_list = "DEFAULT"
            cache {
                enable = no
                lifetime = 24 # hours
                name = "camford-moonshotidp"
                persist_dir = ${logdir}/camford-moonshotidp
            }
            require_client_cert = yes
            verify {
            }
        }
    }
     
    #  FreeRADIUS supports server pools:
    #  Moonshot pools will only contain one server (the above home_server)
    #
    home_server_pool camford_moonshotidp_authpool {
        home_server = camford_moonshotidp_server1
    }
     
    #  The identity realm camford.ac.uk points to the server pool that
    #  will service requests for camford.ac.uk.
    #  That pool is the above home_server_pool
    #
    realm camford.ac.uk {
        auth_pool = camford_moonshotidp_authpool
        nostrip
    }
     
    Note
    titleCertificate paths

    If you stored the certificates for the Moonshot IdP somewhere else, you must adjust the private_key_file, certificate_file and ca_file entries with appropriate paths. The ${certdir} and ${cadir} directives refer to the FreeRADIUS certs directory; you should not need to change them. Also set private_key_password to the passphrase that protects the private key in camford_moonshot_client.pem: "whatever" is only the passphrase that FreeRADIUS' own certificate bootstrap (raddb/certs) uses, so keep it only if Camford's key really was created with it.

  2. To enable this configuration, it needs to be linked into the FreeRADIUS sites-enabled directory:

    Code Block
    languagebash
    titleOn Debian/Ubuntu
    $ cd /etc/freeradius/sites-enabled
    $ ln -s ../sites-available/camford_moonshotidp
    Code Block
    languagebash
    titleOn RedHat/CentOS/Scientific Linux
    $ cd /etc/raddb/sites-enabled
    $ ln -s ../sites-available/camford_moonshotidp


  3. Check the configuration for errors with radiusd -C (freeradius -C on Debian/Ubuntu), then restart FreeRADIUS.
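A check on the site file before the restart, as an added Python example that is not part of the original page or of FreeRADIUS: a minimal parser for FreeRADIUS' `section { key = value }` syntax, followed by a walk from the realm through the pool to the home_server and its tls section. The ${certdir}, ${cadir} and ${logdir} values in FR_VARS are assumed Red Hat defaults, and SAMPLE_SITE is an abridged copy of the page's own configuration. Its message about private_key_password is a warning rather than an error: "whatever" is the passphrase FreeRADIUS' own certificate bootstrap uses, so it may well be right, but it has to be the passphrase Camford actually set on client.key.

```python
"""Lint a sites-available file such as camford_moonshotidp before restarting
FreeRADIUS.  Added example for this page, not code from the original page or
from FreeRADIUS; it parses only the subset of FreeRADIUS syntax the page uses."""
import os
import re

# Assumed Red Hat defaults; Debian/Ubuntu use /etc/freeradius/certs and /var/log/freeradius.
FR_VARS = {"certdir": "/etc/raddb/certs", "cadir": "/etc/raddb/certs",
           "logdir": "/var/log/radius"}

def parse_fr_config(text):
    """Parse 'name [arg] { ... }' sections into nested dicts keyed by the full
    header ('home_server foo').  Values are strings with quotes stripped;
    bare words such as `nostrip` become True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            stack[-1][line] = True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def expand(value, variables):
    """Expand ${name} references as radiusd does for ${certdir} and friends."""
    return re.sub(r"\$\{(\w+)\}",
                  lambda m: variables.get(m.group(1), m.group(0)), value)

def lint_radsec_site(text, realm_name, variables=FR_VARS, exists=os.path.exists):
    """Follow realm -> home_server_pool -> home_server -> tls and return the
    problems found; an empty list means nothing obvious is wrong."""
    cfg, problems = parse_fr_config(text), []
    realm = cfg.get(f"realm {realm_name}")
    if realm is None:
        return [f"no 'realm {realm_name}' section"]
    pool = cfg.get(f"home_server_pool {realm.get('auth_pool')}")
    if pool is None:
        return [f"auth_pool {realm.get('auth_pool')} is not defined"]
    server = cfg.get(f"home_server {pool.get('home_server')}")
    if server is None:
        return [f"home_server {pool.get('home_server')} is not defined"]
    if (server.get("port"), server.get("proto")) != ("2083", "tcp"):
        problems.append("RadSec is TLS over TCP port 2083; check port and proto")
    if server.get("secret") != "radsec":
        problems.append("RFC 6614 fixes the RadSec shared secret to 'radsec'")
    tls = server.get("tls")
    if tls is None:
        problems.append("home_server has no tls section, so this is not RadSec")
        return problems
    for key in ("private_key_file", "certificate_file", "ca_file"):
        path = expand(tls.get(key, ""), variables)
        if not path or not exists(path):
            problems.append(f"{key}: {path or '(unset)'} does not exist")
    if tls.get("private_key_password") == "whatever":
        problems.append("private_key_password is 'whatever', FreeRADIUS' demo "
                        "passphrase; confirm it is the one Camford set on client.key")
    return problems

# Abridged copy of the page's sites-available/camford_moonshotidp.
SAMPLE_SITE = """\
home_server camford_moonshotidp_server1 {
    ipaddr = 192.168.213.24
    port = 2083
    secret = radsec
    proto = tcp
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/camford_moonshot_client.pem
        certificate_file = ${certdir}/camford_moonshot_client.pem
        ca_file = ${cadir}/camford_moonshot_ca.pem
        cache {
            enable = no
            lifetime = 24 # hours
        }
        verify {
        }
    }
}
home_server_pool camford_moonshotidp_authpool {
    home_server = camford_moonshotidp_server1
}
realm camford.ac.uk {
    auth_pool = camford_moonshotidp_authpool
    nostrip
}
"""
```

Run it against the real file with `lint_radsec_site(open("/etc/raddb/sites-available/camford_moonshotidp").read(), "camford.ac.uk")`; with the certificates installed as described above the only output is the private_key_password warning. The `exists` parameter is there so the check can be run on a copy of the file away from the server.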

You should now try a test to check that the connection is functional.

...