...
You should see output like {"href":"./","http://letswifi.app/api#2": if the web server is running correctly internally. You should also be able to reach your server with a browser. Next, check the metadata at https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, obtain and install a server certificate for your web server. The configuration file is /etc/apache2/sites-enabled/letswifi-portal.conf.
At this point you may find that the SimpleSAMLphp version shipped by your OS is too old. Download and install a newer one. Copy the apache.conf of the newly installed SimpleSAMLphp to the /config directory and enable it under /etc/apache2/conf-available with
...
Next, you need to create a CAT profile for your users. With this done, you should be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter an OpenSSL/PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.
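To catch the OpenSSL/PHP mismatch described above before a profile is handed to users, here is an added check (not part of the portal or of this page) that pulls the base64 PKCS#12 out of an .eap-config file and reports which PBE scheme and iteration count it carries, the same information "openssl pkcs12 -info" prints as "PKCS7 Encrypted data". The element and attribute names (ClientCertificate, format="PKCS12", encoding="base64") are assumed from the eap-config schema, and the DER walker is a minimal reader for this one purpose, not a full PKCS#12 parser.

```python
import base64
import xml.etree.ElementTree as ET

# DER encodings of the PBE OIDs that "openssl pkcs12 -info" reports for PKCS#12 payloads.
PBE_OIDS = {
    bytes.fromhex("2a864886f70d010c0106"): "pbeWithSHA1And40BitRC2-CBC",
    bytes.fromhex("2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC",
    bytes.fromhex("2a864886f70d01050d"): "PBES2",
}
EXPECTED = ("pbeWithSHA1And40BitRC2-CBC", 2048)  # what the page says a working file carries


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def pbe_algorithms(der, found=None):
    """Collect (algorithm, iterations) for every PBE AlgorithmIdentifier in a PKCS#12 blob."""
    found = [] if found is None else found
    pos = 0
    while pos + 2 <= len(der):
        tag, body, pos = _tlv(der, pos)
        if tag == 0x30 and body[:1] == b"\x06":  # SEQUENCE { OID, params } = AlgorithmIdentifier
            _, oid, p = _tlv(body, 0)
            if oid in PBE_OIDS:
                iters = None
                if p < len(body):
                    ptag, params, _ = _tlv(body, p)
                    if ptag == 0x30 and params[:1] == b"\x04":  # { salt OCTET STRING, iterations INTEGER }
                        _, _, q = _tlv(params, 0)
                        iters = int.from_bytes(_tlv(params, q)[1], "big")
                found.append((PBE_OIDS[oid], iters))
        if tag & 0x20 or tag == 0x04:  # constructed, or an OCTET STRING that PKCS#12 nests DER inside
            try:
                pbe_algorithms(body, found)
            except (IndexError, RecursionError):
                pass  # ciphertext, salts and digests are opaque bytes, not DER
    return found


def check_eap_config(xml_text):
    """Report the PBE schemes of each embedded PKCS#12 and whether EXPECTED is among them."""
    report = []
    for cert in ET.fromstring(xml_text).iter("ClientCertificate"):  # assumed element name
        if cert.get("format") == "PKCS12":  # assumed attribute; content is base64 DER
            algs = pbe_algorithms(base64.b64decode(cert.text.strip()))
            report.append({"algorithms": algs, "ok": EXPECTED in algs})
    return report
```

A file produced by a mismatched PHP/OpenSSL pair typically shows PBES2 here instead of the RC2-40 entry, which is the case the installation failure points at.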
As a final remark, you can make the web server enforce HSTS with
```
a2enmod headers
systemctl restart apache2
```
Then add the following to letswifi-portal.conf
```
Header always set Strict-Transport-Security "max-age=15768000"
```
and do another web server restart.
If you want to change the validity of the issued certificates, you can do this by updating the column default_validity_days in the table realm_signer in the letswifi.sqlite database.
If you want to have the letswifi-portal sign the installer file, you can set signing.cert
to a file containing the signing certificate and the corresponding key:
```php
// entry in the portal's configuration array
'signing.cert' => '/data/certificate.pem',
```
This only applies to the mobileconfig files, which are used on macOS. On Windows, you use the geteduroam installer, which is already signed. macOS shows a warning if the profiles are not signed. The signing certificate can be any certificate signed by a publicly trusted authority.
Connecting to a RADIUS server
In order to connect the portal to a RADIUS server for user authentication and authorization, the RADIUS server needs the CA certificate of your Let's WiFi portal. You can set up a server for this purpose using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with
...
```
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = ${certdir}/radius.geteduroam.TLD.key
        certificate_file = ${certdir}/radius.geteduroam.TLD.crt
        ca_file = ${cadir}/geteduroam-ca.pem
        auto_chain = no
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        #check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        tls_min_version = "1.2"
        tls_max_version = "1.3"
        fragment_size = 1450
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            store {
                Tunnel-Private-Group-Id
            }
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    tls {
        tls = tls-common
        virtual_server = check-eap-tls
    }
    ttls {
        tls = tls-common
        virtual_server = "inner-tunnel"
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}
```
In this configuration the certificate_file contains the whole chain. The virtual server sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to
```
server check-eap-tls {
    authorize {
        #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
        if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
            if (&Realm == "%{1}") {
                update config {
                    Auth-Type = Accept
                }
            }
            else {
                update config {
                    Auth-Type = Reject
                }
            }
        }
    }
}
```
in order to accept anonymous outer IDs, if needed.
In the Let's WiFi portal, import the CA that was used to issue the RADIUS server certificate with
```
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php
```
You can view the result with sqlite> select * from ca;
You also need to update the realm trust with
```
/var/lib/letswifi/database# sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';
```
You can view the result with sqlite> select * from realm_trust;
Also check the server name and change it if needed:
```
sqlite> SELECT * FROM realm_server_name;
YOUR-REALM|radius.YOUR-REALM
sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';
```
In the table realm_signer, you can set how many days the certificate should be valid. Certificate revocation must be enforced by the RADIUS server, so either blocklist the common names, create a CRL file, or set up an OCSP responder.