Configuring Radiator for eduroam-US
If you have any questions or comments regarding these instructions please contact the eduroam-US Team and we will work with you to assist as much as possible.
Description
Radiator is a robust commercial RADIUS server written by Open System Consultants. The Radiator server is used by the eduroam-US Top-Level server as well as the European Top-Level servers. Below is a basic configuration to get Radiator to handle requests from your local wireless infrastructure as well as requests from eduroam-US.
Instructions
The Radiator configuration for an eduroam-US institution can be seen as four major components: The general configuration, the client configuration, the outer and inner handlers, and the eduroam handler.
# Sample Radiator configuration of a US Institution called example.edu LogDir /var/log/radius DbDir /etc/radiator LogFile %L/%Y/logfile.%y%m%d PidFile %L/radiusd.pid # Use a low trace level in production systems. Increase # it to 4 or 5 for debugging, or use the -trace flag to radiusd Trace 3 AuthPort 1812 AcctPort 1813
# Client handler for connections from US Top-Level <Client [eduroam-US top level server 1]> IdenticalClients [eduroam-US top level server 2] Secret <SECRET> Identifier from_eduroam </Client>
The inner and outer-tunnel handlers are the most complicated portions of the Radiator configuration for eduroam-US. The outer-handler terminates the SSL tunnel and defines inner-authentication methods. This is where you configure your certificates and set some inner-tunnel specific settings. The AutoMPPEKeys directive instructs the server to pass back necessary key material to your NAS.
# Outer Handler, forwards based on tunnel type, to above handlers for TTLS or PEAP <Handler Client-Identifier=from_eduroam, Realm=/^(?:.+\.)*example\.edu$/i> <AuthBy FILE> # file containing the word "anonymous" w/o quotes on its own line Filename %D/dot1x_anon # your institution may not support both PEAP and TTLS but can EAPType TTLS, PEAP EAPAnonymous %0 EAPTLS_CAFile /etc/pki/tls/certs/cacert.pem EAPTLS_CertificateFile /etc/ssl/certs/radius.example.edu.pem EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile /etc/ssl/private/radius.example.edu.pem EAPTLS_PEAPVersion 0 EAPTTLS_NoAckRequired AutoMPPEKeys </AuthBy> AcctLogFileName %L/%Y/eduroam_detail.%y%m%d </Handler>
For each inner-handler type (TTLS and/or PEAP) a separate tunneled inner-handler block is required. Within these blocks local authentication policies are handled, which may include authentication against LDAP, Active Directory (for PEAP handlers), local files, or another directory service supported by Radiator.
Below is an example of a PEAP handler. The only difference between a PEAP and TTLS handler in terms of the handler block is the TunnelledByPEAP directive is replaced by TunnelledByTTLS. In the below example we have samples of NTLM (Active Directory), LDAP authentication, and authentication by a plaintext file (this is an easy way to create temporary or permanent test accounts).
<Handler Client-Identifier=from_eduroam, TunnelledByPEAP=1, Realm=/^(?:.+\.)*example\.edu$/i > <AuthBy GROUP> AuthByPolicy ContinueUntilAcceptOrChallenge # For ActiveDirectory backed IdP's <AuthBy NTLM> Domain EXAMPLE UsernameMatchesWithoutRealm EAPType MSCHAP-V2 </AuthBy> # For LDAP backed IdPs <AuthBy LDAP2> UseSSL SSLCAClientCert /etc/ssl/certs/ldap.example.edu.pem SSLCAClientKey /etc/ssl/private/ldap.example.edu.pem SSLCAFile /etc/ssl/certs/cacert.pem Host ldap.example.edu BaseDN ou=People,dc=example,dc=edu ServerChecksPassword AuthAttrDef radiusReplyItem, GENERIC, reply HoldServerConnection Version 3 </AuthBy> # For temporary test credentials (if necessary) <AuthBy FILE> Filename %D/eduroam_test_users EAPType MSCHAP-V2 </AuthBy> </AuthBy> AcctLogFileName %L/%Y/eduroam_detail.%y%m%d </Handler>
The final block is the default eduroam-US handler which passes non-institutional users to the Top-Level server. Just as above the AutoMPPEKeys directive passes necessary keying information to the appropriate NAS.
# Default Handler forwards to eduroam-US Top-Level # This will load balance requests bewteen multiple RADIUS servers. <Handler> <AuthBy HASHBALANCE> Secret <SECRET> AuthPort 1812 AcctPort 1813 RetryTimeout 8 Retries 0 MaxFailedRequests 1 <Host [eduroam-US top level server 1]> </Host> <Host [eduroam-US top level server 2]> </Host> AutoMPPEKeys </AuthBy> </Handler>
For complete documentation on configuration of Radiator please see their reference manual.