On this page you will find instructions on how to set up a Moonshot RP Proxy on RedHat, CentOS or Scientific Linux 7 using FreeRADIUS. It also covers installing and configuring the Trust Router client, for deployments that use the Trust Router infrastructure.



Install the Moonshot RP Proxy

We’re now ready to install the Moonshot software and its required dependencies. Install the software by running the following command:

Code Block
$ yum install moonshot-gss-eap moonshot-ui freeradius-abfab freeradius-utils trust_router dbus-x11

Configure the Moonshot RP Proxy

Next, we need to configure the Moonshot RP Proxy.

Configure FreeRADIUS


OpenSSL settings

Check the FreeRADIUS OpenSSL vulnerability check setting.


On start-up FreeRADIUS compares the version of the OpenSSL library it is linked against with a list of versions known to be vulnerable (CVE-2014-0160, "Heartbleed") and refuses to start if it finds a match. RedHat/CentOS/Scientific Linux backport security fixes without changing the library's version number, so a fully patched system can still look vulnerable to this version check. The setting below tells FreeRADIUS to accept the installed library for that one CVE only. Do not set it to yes, which disables the check for every CVE rather than the one the distribution has patched, and before overriding confirm from the openssl package changelog that the CVE-2014-0160 fix is actually present.

  1. Open /etc/raddb/radiusd.conf for editing:
    1. Search for the allow_vulnerable_openssl setting in the security { } section.
    2. Edit it like so:

      Code Block
              #allow_vulnerable_openssl = no
              allow_vulnerable_openssl = 'CVE-2014-0160'

Moonshot UI credential store

Allow the FreeRADIUS service account (radiusd) to use the Moonshot UI flat-file credential store by adding it to the flatstore users list (run this once; each run appends another line):

Code Block
$ echo "radiusd" >> /etc/moonshot/flatstore-users

Set up the FreeRADIUS and Trust Router users

To allow FreeRADIUS to read the key database used for dynamic realm support, the FreeRADIUS user and the Trust Router user need to be members of each other's groups, so that each can read the files the other shares:

Code Block
$ usermod -a -G radiusd trustrouter
$ usermod -a -G trustrouter radiusd


Next we need to configure RadSec (RADIUS over TLS). We do this by creating a file at /etc/radsec.conf with the following. The shared secret "radsec" is the fixed value RFC 6614 specifies for RadSec; it is the TLS client certificate in certfile/certkeyfile that actually authenticates this proxy, so the key must be readable only by the radiusd user. disable_hostname_check = yes means the server's certificate is validated only against the CA in cacertfile and not against the hostname it was connected to, so that CA file should contain only the CA you expect to issue the server certificates.

Code Block
realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/raddb/certs/ca.pem"
	certfile = "/etc/raddb/certs/client.pem"
	certkeyfile = "/etc/raddb/certs/client.key"
	disable_hostname_check = yes
	server {
		hostname = ""
		service = "2083"
		secret = "radsec"
	}
}
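The following is an added example, not part of the Moonshot or Jisc documentation, that audits two of the settings introduced above: the allow_vulnerable_openssl override in radiusd.conf and the RadSec client configuration in radsec.conf. It reports the three things a practitioner wants flagged before the proxy goes live: an override of yes (check disabled for every CVE instead of the one the distribution patches), a client private key readable by group or others, and disable_hostname_check = yes, which reduces server authentication to "any certificate signed by the CA in cacertfile". The function names and the temporary fixture files are assumptions made for the example; on a real host point the functions at /etc/raddb/radiusd.conf and /etc/radsec.conf.

```shell
#!/bin/sh
# Added pre-flight audit for the FreeRADIUS OpenSSL override and the RadSec
# client config (example code, not from the Moonshot/Jisc documentation).
# Function names and fixture paths below are assumptions for this example.

# Effective allow_vulnerable_openssl value inside the security { } section of
# radiusd.conf. Prints "no" (default, strict), "yes" (check disabled for all
# CVEs) or the CVE id the override is scoped to. The commented-out default
# line is ignored; the first uncommented assignment is reported.
openssl_override() {   # usage: openssl_override <radiusd.conf>
    awk -v sq="'" '
        /^[ \t]*security[ \t]*[{]/ { insec = 1; next }
        insec && /^[ \t]*[}]/      { insec = 0 }
        insec && /^[ \t]*allow_vulnerable_openssl[ \t]*=/ && val == "" {
            sub(/#.*/, "")            # drop a trailing comment
            sub(/^[^=]*=/, "")        # keep only the right-hand side
            gsub(/[ \t]/, "")         # strip blanks
            gsub("\"", ""); gsub(sq, "")   # strip either kind of quote
            val = $0
        }
        END { print (val == "" ? "no" : val) }
    ' "$1"
}

# Value of one key in radsec.conf, quotes removed (works for quoted paths and
# for bare values such as disable_hostname_check = yes).
radsec_value() {   # usage: radsec_value <radsec.conf> <key>
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            gsub("\"", "")
            print; exit
        }' "$1"
}

# The RadSec client key authenticates this proxy, so group/other bits must be
# clear. Prints "private", "exposed" or "missing".
key_privacy() {   # usage: key_privacy <radsec.conf>
    key=$(radsec_value "$1" certkeyfile)
    if [ ! -f "$key" ]; then echo missing; return 0; fi
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -eq 0 ]; then echo private; else echo exposed; fi
}

# "verified" when the server certificate is also checked against the hostname,
# "ca-only" when disable_hostname_check is on, as in the page's configuration.
hostname_verification() {   # usage: hostname_verification <radsec.conf>
    case "$(radsec_value "$1" disable_hostname_check)" in
        yes|true|1) echo ca-only ;;
        *)          echo verified ;;
    esac
}

audit() {   # usage: audit <radiusd.conf> <radsec.conf>
    printf 'allow_vulnerable_openssl : %s\n' "$(openssl_override "$1")"
    printf 'radsec client key        : %s\n' "$(key_privacy "$2")"
    printf 'radsec server hostname   : %s\n' "$(hostname_verification "$2")"
}

# --- constructed fixtures so the audit runs offline (not real host files) ---
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
cat >"$FIX/radiusd.conf" <<'EOF'
security {
	user = radiusd
	group = radiusd
	#allow_vulnerable_openssl = no
	allow_vulnerable_openssl = 'CVE-2014-0160'
}
EOF
cat >"$FIX/radiusd-disabled.conf" <<'EOF'
security {
	allow_vulnerable_openssl = yes
}
EOF
touch "$FIX/client.key"; chmod 600 "$FIX/client.key"
cat >"$FIX/radsec.conf" <<EOF
realm gss-eap {
    type = "TLS"
    cacertfile = "$FIX/ca.pem"
    certfile = "$FIX/client.pem"
    certkeyfile = "$FIX/client.key"
    disable_hostname_check = yes
    server {
        hostname = ""
        service = "2083"
        secret = "radsec"
    }
}
EOF

audit "$FIX/radiusd.conf" "$FIX/radsec.conf"
```

Run it as root on the proxy with the real paths after the configuration steps; "exposed" for the key or "yes" for the override is a finding to fix before enabling the service.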

Dynamic Realm support

We next need to tell your FreeRADIUS server to support dynamic lookup of realms.

  1. Open /etc/raddb/proxy.conf for editing:
    1. Towards the top of the file is a stanza beginning "proxy server {". Find this.
    2. Below this, add dynamic = yes, like so:

      Code Block
      proxy server {
              dynamic = yes

Channel Binding Support

We next need to configure your FreeRADIUS server to support channel bindings.

  1. Open /etc/raddb/sites-available/abfab-tls for editing:
    1. Scroll to the client default stanza at the bottom of the file
    2. Edit the stanza to match the below:

      Code Block
      client default {
              ipaddr =
              proto = tls
              gss_acceptor_realm_name = "your RP realm here"
              trust_router_coi =
      }


      For simple deployments, specify the same RP realm as in the rp_realm option in Section 4.1 below; this usually matches your IdP realm. For extended pilots or production environments, specify a realm value that will match all the hosts you will be connecting to your RP Proxy.

      Additionally, you must add a domain wildcard constraint in the Jisc Assent Portal that will match this realm value.

    3. If you have any other client definitions here, for example to distinguish between internal and external clients, also apply the change to them.

Configure the Trust Router Client

If you are going to connect your Moonshot RP Proxy to a Trust Router network, then the next step involves configuring the Trust Router client software and configuring its connection to a Trust Router.



Now that we have the Moonshot RP Proxy installed and configured, we're ready to test.


At this point you probably want two consoles open on the server, so that you can manually run various components separately.

Testing FreeRADIUS locally

The first test is to check whether FreeRADIUS is working in its most basic manner.

  1. In window 1, run (as the radiusd user)

    Code Block
    $ su --shell=/bin/bash radiusd
    $ unset DISPLAY
    $ radiusd -fxx -l stdout

  2. Check that no errors are output.

Testing the Trust Router connection

To test the connection to Trust Router, we need to make sure the Temporary Identity Server (TIDS) software is running, then use the Temporary Identity Client (TIDC) software to simulate a connection to the Trust Router.

Testing using the Temporary Identity Client (TIDC)

  1. In window 2, (as the radiusd user) run the tidc command:

    Code Block
    $ su - --shell=/bin/bash radiusd
    $ unset DISPLAY
    $ tidc [hostname-of-trust-router] [your rp-realm] [hostname-of-apc-server] [apc-name]


    This uses the tidc binary, which is invoked as: tidc [hostname-of-trust-router] [rp-realm] [hostname-of-apc-server] [apc-name]

  2. If the Trust Router connection was successful, you should see something like the following:

    Code Block
    In window 2 - TIDC output:
    TIDC Client:
    Server =, rp_realm =, target_realm =, community =
    connecting to host '' on port 12309
    CTRL-EVENT-EAP-STARTED EAP authentication started
    CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
    CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    tidc_fwd_request: Sending TID request:
    tr_msg_decode_tidresp(): Success! result = success.
    tr_msg_decode_servers(): Number of servers = 1.
    Response received! Realm =, Community =
    Client Key Generated (len = 256):

Next Steps

At this point, you now have a Moonshot RP Proxy that is working and registered with a Trust Router. Now for the next steps:

Automatically start the software


To start FreeRADIUS automatically at boot, issue the following command (as root, or via sudo as shown):

Code Block
$ sudo chkconfig radiusd on


Configure clients

The next step is to configure the Moonshot RP Proxy to talk to applications and services.