...
Next, you need to create a CAT profile for your users. With this done, you should be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may run into an OpenSSL/PHP mismatch, in which case the PKCS#12 is written with the wrong encryption algorithm and the profile installation fails on the client. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file carries its PKCS#7 encrypted data as pbeWithSHA1And40BitRC2-CBC with 2048 iterations; that is what openssl pkcs12 -info reports for the embedded PKCS#12 (on OpenSSL 3 add -legacy to read RC2-40 files at all). OpenSSL 3 writes PBES2 with AES-256-CBC and PBKDF2 by default, and a profile showing that instead of RC2-40 is typically the mismatch to look for, because several supplicants only import the legacy encoding.
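As an added example (not Let's WiFi or CAT code), the following stdlib-only Python performs the check described above on a .eap-config file: it pulls the base64 PKCS#12 out of the profile, walks its DER and reports every password-based-encryption AlgorithmIdentifier and iteration count, so a profile written with the legacy RC2-40 scheme can be told apart from one written with OpenSSL 3's PBES2 default without needing openssl -legacy on the box. It assumes the certificate sits in a ClientCertificate element with format="PKCS12" and encoding="base64"; the PFX skeleton built at the bottom is constructed test data without real key material.

```python
"""Report which PBE scheme protects the PKCS#12 embedded in a .eap-config.
Walks the PFX DER with a small decoder and lists known PBE AlgorithmIdentifiers.
The PFX built below is a constructed skeleton (no real key) used to exercise it."""
import base64
import re

PBE_OIDS = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",  # legacy PBES1, what working profiles use
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",                         # OpenSSL 3 default wrapper
    "1.2.840.113549.1.5.12": "PBKDF2",                        # PBES2's KDF, carries the iteration count
}

def _read_tlv(buf, pos):
    """Decode one definite-length DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _salt_iterations(params):
    """PBES1 and PBKDF2 params both open SEQUENCE { OCTET STRING salt, INTEGER count }."""
    if params[:1] != b"\x30":
        return None
    _, seq, _ = _read_tlv(params, 0)
    _, _, nxt = _read_tlv(seq, 0)
    tag, count, _ = _read_tlv(seq, nxt)
    return int.from_bytes(count, "big") if tag == 0x02 else None

def find_pbe_algorithms(der):
    """[(name, iterations)] for every known PBE AlgorithmIdentifier in the DER tree.
    Descends into constructed nodes and into OCTET STRINGs (the AuthenticatedSafe is
    DER wrapped in an OCTET STRING); salts and ciphertext just fail to parse and stop."""
    found = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            try:
                tag, val, pos = _read_tlv(buf, pos)
                if tag == 0x30 and val[:1] == b"\x06":  # SEQUENCE { OID, params } candidate
                    _, oid, after = _read_tlv(val, 0)
                    name = PBE_OIDS.get(_decode_oid(oid))
                    if name:
                        found.append((name, _salt_iterations(val[after:])))
            except IndexError:
                return
            if tag & 0x20 or tag == 0x04:
                walk(val)

    walk(der)
    return found

def pkcs12_from_eap_config(xml_text):
    """Assumed element: <ClientCertificate format="PKCS12" encoding="base64">."""
    m = re.search(r"<ClientCertificate[^>]*>([^<]+)</ClientCertificate>", xml_text)
    if not m:
        raise ValueError("no ClientCertificate element in profile")
    return base64.b64decode("".join(m.group(1).split()))

def uses_legacy_rc2_40(xml_text):
    """True when every PBE scheme in the profile's PKCS#12 is the RC2-40 one."""
    algs = find_pbe_algorithms(pkcs12_from_eap_config(xml_text))
    return bool(algs) and all(name == "pbeWithSHA1And40BitRC2-CBC" for name, _ in algs)

# ---- constructed sample data: PFX skeleton with one encryptedData SafeContents ----
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def make_pfx(pbe_oid, iterations):
    salt_iter = _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, iterations.to_bytes(2, "big")))
    if pbe_oid == "1.2.840.113549.1.5.13":  # PBES2 params: { PBKDF2 {salt, count}, AES-256-CBC {iv} }
        params = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.5.12") + salt_iter)
                      + _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + _tlv(0x04, b"\x02" * 16)))
    else:                                   # PBES1 params: { salt, count }
        params = salt_iter
    enc_info = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0x30, _oid(pbe_oid) + params)
                    + _tlv(0x80, b"\x03" * 32))  # [0] IMPLICIT encryptedContent, dummy bytes
    enc_data = _tlv(0x30, _oid("1.2.840.113549.1.7.6")
                    + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00") + enc_info)))
    auth_safe = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0xA0, _tlv(0x04, _tlv(0x30, enc_data))))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe)

def sample_eap_config(pfx):
    return ('<EAPIdentityProvider><ClientSideCredential><ClientCertificate format="PKCS12" '
            'encoding="base64">%s</ClientCertificate></ClientSideCredential></EAPIdentityProvider>'
            % base64.b64encode(pfx).decode())
```

On a real profile, read the file and call find_pbe_algorithms(pkcs12_from_eap_config(text)): a good profile yields one pbeWithSHA1And40BitRC2-CBC entry with 2048 iterations, while an OpenSSL 3 default yields PBES2 plus its PBKDF2 count. The walker deliberately only recognises the outer AlgorithmIdentifiers; it does not decrypt anything and needs no passphrase.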
Connecting to a RADIUS server
In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to trust the CA that your Let's WiFi portal uses to sign client certificates. You can set up a server for this purpose using the guidelines available at freeradius-idp. The query below copies the CA currently configured as realm signer out of the portal database in /var/lib/letswifi/database:
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem
In the eap module file (mods-available/eap) you point ca_file at this certificate; the tls-config and the tls and ttls sections then look something like the following:
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    tls-config tls-common {
        # Server identity presented to supplicants (not the portal CA)
        private_key_file = ${certdir}/radius.geteduroam.TLD.key
        certificate_file = ${certdir}/radius.geteduroam.TLD.crt
        # CA exported from the portal database: client certificates must chain to it
        ca_file = ${cadir}/geteduroam-ca.pem
        auto_chain = no
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        # Left disabled: the outer identity is anonymous, so it never equals the CN
        #check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        tls_min_version = "1.2"
        tls_max_version = "1.3"
        fragment_size = 1450
        ecdh_curve = "prime256v1"

        cache {
            enable = no
            store {
                Tunnel-Private-Group-Id
            }
        }

        verify {
        }

        # OCSP is off: revocation of client certificates is not checked here
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }

    tls {
        tls = tls-common
        # Post-handshake policy: binds the certificate realm to the outer identity
        virtual_server = check-eap-tls
    }

    ttls {
        tls = tls-common
        virtual_server = "inner-tunnel"
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}
The virtual server sites-available/check-eap-tls (symlinked into sites-enabled) should look similar to
server check-eap-tls {
    authorize {
        # String-expansion form of the same test, left disabled
        #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
        if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
            # %{1} is the realm part of the certificate CN; &Realm is derived
            # from the outer identity (e.g. anonymous@example.org) by the realm module
            if (&Realm == "%{1}") {
                update config {
                    Auth-Type = Accept
                }
            }
            else {
                update config {
                    Auth-Type = Reject
                }
            }
        }
    }
}
so that anonymous outer identities are accepted, if needed. The outer identity (for example anonymous@example.org) is never authenticated itself; the certificate is the identity. The policy only checks that the realm after the @ in the certificate CN equals &Realm, which the suffix (rlm_realm) policy in the outer server's authorize section derives from the outer User-Name, and rejects certificates issued for any other realm. Two caveats: a certificate whose CN contains no @ matches neither branch and sets no Auth-Type at all, so add an explicit else if you want that case logged or rejected deliberately; and with ocsp disabled and an empty verify section, any certificate that chains to geteduroam-ca.pem is accepted for as long as it is valid, regardless of revocation.
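To reason about which combinations the check-eap-tls policy above accepts before loading it, here is an added Python model of its decision (example code, not FreeRADIUS's). It replays the two inputs the virtual server sees after the EAP-TLS handshake, TLS-Client-Cert-Common-Name and &Realm, using the page's own regular expression, and returns the Auth-Type the policy would set. The realm split assumes rlm_realm in suffix mode takes the part after the last @ and sets nothing when there is none; the identities in CASES are constructed.

```python
"""Model of the check-eap-tls decision: returns the Auth-Type the policy sets."""
import re

# Same expression as the unlang condition: capture everything after the first @.
CN_REALM = re.compile(r"\@(.*)$")

def realm_from_outer_identity(user_name):
    """What rlm_realm (suffix) is assumed to leave in &Realm for the outer identity:
    the part after the last '@', or None when the identity carries no realm."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1]

def check_eap_tls(cert_cn, outer_user_name):
    """'Accept', 'Reject', or None when neither update runs (CN without @)."""
    m = CN_REALM.search(cert_cn)
    if not m:
        return None
    realm = realm_from_outer_identity(outer_user_name)
    return "Accept" if realm is not None and realm == m.group(1) else "Reject"

# Constructed cases: anonymous outer identities, a foreign realm, a realm-less
# outer identity, a CN without @, and a mismatching user part in the same realm.
CASES = [
    ("alice@example.org", "anonymous@example.org"),
    ("alice@example.org", "anonymous@other.example"),
    ("alice@example.org", "alice"),
    ("host01", "anonymous@example.org"),
    ("alice@example.org", "bob@example.org"),
]

def evaluate(cases=CASES):
    """Run every case through the policy model -> [(cn, outer_identity, result)]."""
    return [(cn, outer, check_eap_tls(cn, outer)) for cn, outer in cases]

if __name__ == "__main__":
    for cn, outer, result in evaluate():
        print(f"{cn:20} {outer:26} -> {result}")
```

The last case is the one to notice: the policy binds only the realm, so a certificate for alice is accepted behind an outer identity of bob@example.org. That is by design here, since the outer identity is not authenticated in EAP-TLS and the certificate CN is the real user name, but it means nothing in this virtual server ties the outer User-Name to a person.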