{"id":1289,"date":"2016-06-27T13:51:44","date_gmt":"2016-06-27T11:51:44","guid":{"rendered":"https:\/\/www.nico-maas.de\/?p=1289"},"modified":"2017-01-16T21:38:27","modified_gmt":"2017-01-16T20:38:27","slug":"ubuntu-radsecproy-for-secure-radius-over-wan","status":"publish","type":"post","link":"https:\/\/www.nico-maas.de\/?p=1289","title":{"rendered":"[Ubuntu] Radsecproy for secure Radius over WAN"},"content":{"rendered":"

Chances are you going to need an radius Auth over WAN - because your Radius and Identity Mngmnt is hosted in the security of the local datacenter of your corp... but the client (i.e. an network switch) is somewhere over the rainbow<\/del> WAN. You *could* just pipe the radius traffic over the internet - but there be dragons: radius communication is unencrypted. So... just no.<\/p>\n

Enter radsecproxy: Radsecproxy is - as the name implies, an radius proxy - which needs to be installed on both servers (the local one in your company, now called SERVER, and the remote one with the switch attached, now called CLIENT) - and does encrypt the communication between both server parts (over WAN i.e.) via TLS.<\/p>\n

1.) Install radsecproxy on Server ( sudo apt-get install radsecproxy )
\n2.) Create CA with generate-CA.sh (in \/etc\/radsecproxy\/) [ https:\/\/github.com\/owntracks\/tools\/blob\/master\/TLS\/generate-CA.sh - please change keybits to 4096 bits, thanks! ]
\n3.) Create Certs (Server, Client) with generate-client.sh (in \/etc\/radsecproxy\/) [ at the end of this post, http:\/\/rockingdlabs.dunmire.org\/exercises-experiments\/ssl-client-certs-to-secure-mqtt - please change keybits to 4096 bits as well! \ud83d\ude42 ]
\n4.) Configure \/etc\/radsecproxy.conf [UPPERLETTERS are constants which you need to change]<\/p>\n

# Master config file for radsecproxy\r\nsourceTLS IPADDR_OF_SERVER\r\nlistenTLS IPADDR_OF_SERVER:2083\r\n\r\nLogLevel 3\r\nLogDestination file:\/\/\/var\/log\/radsecproxy\/radsecproxy.log\r\n\r\nLoopPrevention on\r\n\r\ntls default {\r\nCACertificateFile \/etc\/radsecproxy\/ca.crt\r\nCertificateFile \/etc\/radsecproxy\/SERVER_NAME_FQDN.crt\r\nCertificateKeyFile \/etc\/radsecproxy\/SERVER_NAME_FAQN.key\r\n}\r\n\r\nclient CLIENT_NAME {\r\nhost IPADDR_OF_CLIENT\r\ntype tls\r\ncertificatenamecheck off\r\nsecret PW_OF_CLIENT_RADSEC\r\n}\r\n\r\nserver SERVER_NAME_auth {\r\nhost IPADDR_OF_SERVER:1812\r\ntype udp\r\nStatusServer on\r\nsecret PW_OF_SERVER_FOR_RADIUS\r\n}\r\n\r\nserver SERVER_NAME_acct {\r\nhost IPADDR_OF_SERVER:1813\r\ntype udp\r\nStatusServer on\r\nsecret PW_OF_SERVER_FOR_RADIUS\r\n}\r\n\r\nrealm * {\r\nserver SERVER_NAME_auth\r\naccountingserver SERVER_NAME_acct\r\n}\r\n\r\n# example config for localhost, rejecting all users\r\nclient 127.0.0.1 {\r\ntype udp\r\nsecret TEST_SECRET\r\n}\r\n\r\nrealm * {\r\nreplymessage \"User unknown\"\r\n}<\/pre>\n
5.) sudo service radsecproxy restart<\/p>\n
6.) Install radsecproxy on Client ( sudo apt-get install radsecproxy )
\n7.) Copy client cert and ca.crt to Client \/etc\/radsecproxy
\n8.) Configure \/etc\/radsecproxy.conf [UPPERLETTERS are constants which you need to change]<\/p>\n
#sourceUDP 127.0.0.1\r\nsourceUDP IPADDR_OF_CLIENT\r\nlistenUDP *:1812\r\nlistenUDP *:1813\r\n\r\nLogLevel 3\r\nLogDestination file:\/\/\/var\/log\/radsecproxy\/radsecproxy.log\r\n\r\nLoopPrevention on\r\n\r\ntls default {\r\nCACertificateFile \/etc\/radsecproxy\/ca.crt\r\nCertificateFile \/etc\/radsecproxy\/CLIENT_NAME_FQDN.crt\r\nCertificateKeyFile \/etc\/radsecproxy\/CLIENT_NAME_FQDN.key\r\n}\r\n\r\nclient CLIENT_NAME {\r\n#host 127.0.0.1\r\nhost IPADDR_OF_CLIENT\r\ntype udp\r\nsecret CLIENT_RADIUS_SECRET\r\n}\r\n\r\nclient SWITCH_NAME {\r\nhost SWITCH_IP\r\ntype udp\r\nsecret SWITCH_RADIUS_SECRET\r\n}\r\n\r\nserver SERVER_NAME {\r\ncertificatenamecheck off\r\nhost IPADDR_OF_SERVER\r\ntype tls\r\nStatusServer on\r\nsecret PW_OF_CLIENT_RADSEC\r\n}\r\n\r\nrealm * {\r\nserver SERVER_NAME\r\naccountingserver SERVER_NAME\r\n}\r\n\r\n# example config for localhost, rejecting all users\r\nclient 127.0.0.1 {\r\ntype udp\r\nsecret TEST_SECRET\r\n}\r\n\r\nrealm * {\r\nreplymessage \"User unknown\"\r\n}<\/pre>\n
9.) sudo service radsecproxy restart
\n10.) If you now point your switches to the CLIENT_IP with the correct credential, it should go via the radsecproxy to your main radius server and get the connection working. Please pay attention that on your CLIENT site no radiusd daemon is allowed to run, as it would block the ports needed for radsecproxy \/ radius. Make use of the radsecproxy log files to see, wheter the two radsecproxy servers do connect and talk to each other :).<\/p>\n