...
You should see an output like {"href":"./","http://letswifi.app/api#2": if the web server is running OK internally. You should also be able to reach your server with a browser. Next, check the metadata with https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, please obtain and install a server certificate for your web server. The configuration file is found at /etc/apache2/sites-enabled/letswifi-portal.conf.
At this point you may find out that the SimpleSAMLphp version that your OS comes with is too old. Please download a new one and install it. Copy the apache.conf of the newly installed SimpleSAMLphp to the /config directory and take it into use at /etc/apache2/conf-available with
...
```sh
./metarefresh.php -s https://PATH/TO/your-metadata.xml
```
Please go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron. Set the key in module_cron.php and 'auth.adminpassword' in config.php; in the same file, 'technicalcontact_email' needs to be updated. Next, make sure that www-data has access to the metadata folder. You can update the metadata over HTTP or from the CLI; for HTTP you need something like this in /etc/cron.d/
```sh
20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1
```
Next, you need to create a CAT profile for your users. With this done, you should now be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter an OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The PHP version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.
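The PKCS#12 algorithm mismatch described above can be verified directly on a generated profile. The following is an added example, not code from letswifi-portal or geteduroam: it pulls the base64 PKCS#12 blob out of an .eap-config, walks its DER and reports which password-based encryption OIDs it finds. It assumes the CAT/geteduroam profile layout (a ClientCertificate element with format="PKCS12" and encoding="base64"; only the element name is relied on) and ships with a constructed, non-importable sample blob so it runs offline; on a real profile call `uses_legacy_encoding(open('user.eap-config').read())`.

```python
"""Report which password-based encryption (PBE) scheme protects the PKCS#12
client certificate inside an .eap-config profile. Added example, not code from
letswifi-portal or geteduroam; assumes the CAT/geteduroam layout in which the
certificate sits in a <ClientCertificate format="PKCS12" encoding="base64">
element (assumption; namespaces are ignored, only the element name is used)."""
import base64
import xml.etree.ElementTree as ET

# PBE algorithm OIDs found in PKCS#12 AlgorithmIdentifiers.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",  # what the page says works
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",  # OpenSSL 3 default (AES-256-CBC + PBKDF2)
}
LEGACY_CERT_PBE = "pbeWithSHA1And40BitRC2-CBC"

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, is_constructed, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _single_der_object(buf):
    # True when buf is exactly one DER TLV (PKCS#12 nests AuthenticatedSafe that way).
    try:
        return len(buf) > 1 and _read_tlv(buf, 0)[3] == len(buf)
    except (IndexError, ValueError):
        return False

def collect_oids(der, oids=None):
    """Collect every OBJECT IDENTIFIER, descending into constructed types and DER-in-OCTET STRING."""
    oids, pos = [] if oids is None else oids, 0
    while pos < len(der):
        tag, constructed, value, pos = _read_tlv(der, pos)
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif constructed or (tag == 0x04 and _single_der_object(value)):
            collect_oids(value, oids)
    return oids

def pkcs12_blobs(eap_config_xml):
    """Base64-decode every PKCS12 ClientCertificate element in the profile."""
    return [base64.b64decode("".join(el.text.split()))
            for el in ET.fromstring(eap_config_xml).iter()
            if el.tag.split("}")[-1] == "ClientCertificate" and el.get("format") == "PKCS12"]

def pbe_schemes(eap_config_xml):
    """Per embedded PKCS#12 blob, the sorted list of recognised PBE scheme names."""
    return [sorted({PBE_OIDS[o] for o in collect_oids(b) if o in PBE_OIDS})
            for b in pkcs12_blobs(eap_config_xml)]

def uses_legacy_encoding(eap_config_xml):
    """True when every blob uses RC2-40 and none uses PBES2 (no OpenSSL/PHP mismatch)."""
    schemes = pbe_schemes(eap_config_xml)
    return bool(schemes) and all(LEGACY_CERT_PBE in s and "PBES2" not in s for s in schemes)

# ---- constructed sample input: a PKCS#12-shaped skeleton, not an importable profile ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _der(0x06, bytes(out))

def sample_eap_config(pbe_oid):
    """PFX -> authSafe -> OCTET STRING -> AuthenticatedSafe -> EncryptedData(pbe_oid)."""
    enc_info = _der(0x30, _oid("1.2.840.113549.1.7.1") +
                    _der(0x30, _oid(pbe_oid) + _der(0x30, b"")))
    encrypted = _der(0x30, _der(0x02, b"\x00") + enc_info)
    auth_safe = _der(0x30, _der(0x30, _oid("1.2.840.113549.1.7.6") + _der(0xA0, encrypted)))
    pfx = _der(0x30, _der(0x02, b"\x03") +
               _der(0x30, _oid("1.2.840.113549.1.7.1") + _der(0xA0, _der(0x04, auth_safe))))
    return ('<EAPIdentityProviderList><EAPIdentityProvider ID="example.org"><AuthenticationMethods>'
            '<AuthenticationMethod><EAPMethod><Type>13</Type></EAPMethod><ClientSideCredential>'
            '<ClientCertificate format="PKCS12" encoding="base64">' + base64.b64encode(pfx).decode() +
            '</ClientCertificate></ClientSideCredential></AuthenticationMethod>'
            '</AuthenticationMethods></EAPIdentityProvider></EAPIdentityProviderList>')
```

A blob that reports PBES2 was produced with the OpenSSL 3 defaults and will run into the installation failure the text describes. The same information is printed by `openssl pkcs12 -info -noout -in file.p12` as the "PKCS7 Encrypted data" line, although OpenSSL 3 needs its legacy provider (`-legacy`) to read RC2-protected files.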
As a final remark, you can make the web server enforce HSTS with
```sh
a2enmod headers
systemctl restart apache2
```
Then please add to letswifi-portal.conf
```
Header always set Strict-Transport-Security "max-age=15768000"
```
and do another web server restart.
If you want to change the validity of the issued certificates, you can do this by updating the column default_validity_days in the table realm_signer in the letswifi.sqlite database.
If you want to have the letswifi-portal sign the installer file, you can set signing.cert
to a file containing the signing certificate and the corresponding key:
```php
'signing.cert' => '/data/certificate.pem',
```
This will only work for the mobileconfig files, which are used on macOS. On Windows, you'll use the geteduroam installer, which is already signed. macOS shows a warning if the profiles are not signed. The signing certificate can be any certificate signed by a publicly trusted authority.
Connecting to a RADIUS server
In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to know the CA of your Let's WiFi portal. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with
```sh
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem
```
In the eap file you define this cert as the ca_file and then you also need something like the following
```
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = ${certdir}/radius.geteduroam.TLD.key
        certificate_file = ${certdir}/radius.geteduroam.TLD.crt
        ca_file = ${cadir}/geteduroam-ca.pem
        auto_chain = no
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        #check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        tls_min_version = "1.2"
        tls_max_version = "1.3"
        fragment_size = 1450
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            store {
                Tunnel-Private-Group-Id
            }
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    tls {
        tls = tls-common
        virtual_server = check-eap-tls
    }
    ttls {
        tls = tls-common
        virtual_server = "inner-tunnel"
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}
```
In this configuration the certificate_file contains the whole chain. The sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to
```
server check-eap-tls {
    authorize {
        #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
        if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
            if (&Realm == "%{1}") {
                update config {
                    Auth-Type = Accept
                }
            }
            else {
                update config {
                    Auth-Type = Reject
                }
            }
        }
    }
}
```
in order to accept anonymous outer IDs, if needed.
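To make the effect of that policy explicit, here is the same rule modelled in Python over a few constructed (CN, outer identity) pairs. This is an added example, not the page's or FreeRADIUS's code; it assumes, as the FreeRADIUS suffix realm handling does, that the outer realm is the text after the last '@' in User-Name, while the certificate realm is taken with the same `@(.*)$` pattern the unlang rule uses.

```python
"""Model of the check-eap-tls rule above: Auth-Type = Accept only when the realm
after '@' in the client certificate's Common Name equals the realm of the outer
identity (User-Name), which may be anonymous, e.g. anonymous@example.org.
Added example, not the page's or FreeRADIUS's code. Assumption: as with the
FreeRADIUS suffix realm handling, the outer realm is the text after the last '@'."""
import re

# Same pattern as the unlang rule: everything after the first '@' in the CN.
CN_REALM = re.compile(r"@(.*)$")

def cert_realm(common_name):
    """Realm from the certificate CN, or None when the CN carries no '@'."""
    m = CN_REALM.search(common_name)
    return m.group(1) if m else None

def outer_realm(user_name):
    """&Realm as the suffix module would populate it from the outer User-Name."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None

def check_eap_tls(common_name, user_name):
    """Return the Auth-Type the virtual server sets: 'Accept', 'Reject', or None when
    the rule does not fire (CN without '@') and FreeRADIUS's default behaviour applies."""
    realm = cert_realm(common_name)
    if realm is None:
        return None
    # &Realm == "%{1}" is an exact string compare; a missing outer realm never matches.
    return "Accept" if outer_realm(user_name) == realm else "Reject"

def evaluate(pairs):
    """Run the rule over (CN, outer identity) pairs, e.g. when reviewing issued certs."""
    return [(cn, outer, check_eap_tls(cn, outer)) for cn, outer in pairs]

# Constructed sample requests (not taken from a real server).
SAMPLE_REQUESTS = [
    ("alice@example.org", "anonymous@example.org"),    # anonymous outer id, same realm
    ("alice@example.org", "alice@example.org"),        # plain outer id
    ("alice@example.org", "anonymous@other.example"),  # realm mismatch
    ("alice@example.org", "anonymous"),                # no outer realm at all
    ("alice", "anonymous@example.org"),                # CN without realm: rule is silent
]
```

The model makes two points visible that the unlang hides: the realm comparison is an exact string match, and a certificate whose CN has no '@' leaves Auth-Type unset, so the realm check is skipped for it. If the portal can issue such CNs, add an explicit else branch to the outer `if` that sets Auth-Type = Reject.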
In the Let's WiFi portal, please import the CA that was used to get the RADIUS server certificate with
```sh
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php
```
You can view the result with sqlite> select * from ca;
You also need to update the realm trust with
```
/var/lib/letswifi/database# sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';
```
You can view the result with sqlite> select * from realm_trust;
Also check the server name and change it if needed
```
sqlite> SELECT * FROM realm_server_name;
YOUR-REALM|radius.YOUR-REALM
sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';
```
In the table realm_signer, you can set how many days the certificate should be valid. Certificate revocation must be enforced by the RADIUS server, so either blocklist the common names, create a CRL file, or set up an OCSP responder.
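After these manual edits it is easy to end up with a trusted_ca_sub or signer_ca_sub that does not match any row in ca (a stray space after `CN=` is enough), or a realm with no server name. The following added example, not part of letswifi-portal, checks the per-realm tables for exactly those inconsistencies. Its sample_db() builds a constructed in-memory stand-in with only the columns this page references (ca.sub/pub, realm_signer.signer_ca_sub/default_validity_days, realm_trust.trusted_ca_sub, realm_server_name.server_name; a realm column on realm_signer is assumed), so compare column names with `.schema` before pointing `check_realm` at the real letswifi.sqlite via `sqlite3.connect(path)`.

```python
"""Consistency check for the per-realm tables in letswifi.sqlite after the manual
updates above. Added example, not letswifi-portal code; the schema in sample_db()
is a constructed stand-in carrying only the columns this page references (the
realm column on realm_signer is an assumption)."""
import sqlite3

def check_realm(conn, realm):
    """Return a list of problems for `realm`; an empty list means the realm is consistent."""
    problems = []
    ca_subs = {row[0] for row in conn.execute("SELECT sub FROM ca")}

    signer = conn.execute(
        "SELECT signer_ca_sub, default_validity_days FROM realm_signer WHERE realm = ?",
        (realm,)).fetchone()
    if signer is None:
        problems.append("no realm_signer row: the portal cannot issue certificates")
    else:
        if signer[0] not in ca_subs:
            problems.append(f"signer CA {signer[0]!r} has no matching ca.sub")
        if not signer[1] or signer[1] <= 0:
            problems.append("default_validity_days must be a positive number of days")

    # trusted_ca_sub must match ca.sub byte for byte; a space after 'CN=' already breaks it.
    trusted = [r[0] for r in conn.execute(
        "SELECT trusted_ca_sub FROM realm_trust WHERE realm = ?", (realm,))]
    if not trusted:
        problems.append("no realm_trust row: profiles will not pin the RADIUS server CA")
    for sub in trusted:
        if sub not in ca_subs:
            problems.append(f"trusted CA {sub!r} has no matching ca.sub "
                            "(import it with import-ca.php or fix the subject string)")

    names = [r[0] for r in conn.execute(
        "SELECT server_name FROM realm_server_name WHERE realm = ?", (realm,))]
    if not names:
        problems.append("no realm_server_name row: clients cannot verify the RADIUS server name")
    return problems

def check_all(conn):
    """Map every realm that appears in any per-realm table to its problem list."""
    realms = {r[0] for r in conn.execute(
        "SELECT realm FROM realm_signer UNION SELECT realm FROM realm_trust "
        "UNION SELECT realm FROM realm_server_name")}
    return {realm: check_realm(conn, realm) for realm in sorted(realms)}

def sample_db():
    """Constructed in-memory database: one consistent realm and one with typical mistakes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ca (sub TEXT PRIMARY KEY, pub TEXT);
        CREATE TABLE realm_signer (realm TEXT, signer_ca_sub TEXT, default_validity_days INTEGER);
        CREATE TABLE realm_trust (realm TEXT, trusted_ca_sub TEXT);
        CREATE TABLE realm_server_name (realm TEXT, server_name TEXT);
        INSERT INTO ca VALUES ('CN=Let''s WiFi example.org CA', '-- constructed PEM placeholder --');
        INSERT INTO ca VALUES ('C=XX, ST=StateName, L=CityName, O=CompanyName, CN=radius-ca.example.org',
                               '-- constructed PEM placeholder --');
        INSERT INTO realm_signer VALUES ('example.org', 'CN=Let''s WiFi example.org CA', 365);
        INSERT INTO realm_trust VALUES ('example.org',
            'C=XX, ST=StateName, L=CityName, O=CompanyName, CN=radius-ca.example.org');
        INSERT INTO realm_server_name VALUES ('example.org', 'radius.example.org');
        -- second realm: subject typed with a space after 'CN=', and no server name set
        INSERT INTO realm_signer VALUES ('broken.example', 'CN=Let''s WiFi example.org CA', 365);
        INSERT INTO realm_trust VALUES ('broken.example',
            'C=XX, ST=StateName, L=CityName, O=CompanyName, CN= radius-ca.example.org');
    """)
    return conn
```

Run `check_all(conn)` after each of the sqlite updates above; a realm whose list is empty has a signer CA that exists, a trusted RADIUS CA that was actually imported, and a server name for clients to verify.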