eduroam CUI how to using FreeRADIUS 2.2.0
WARNING - These settings should be tested on a suitable test/dev server before implementation into a live working eduroam service.
Step 1 - Add a salt for generating CUIs to policy.conf
In policy.conf in /etc/raddb find the CUI section and add a salt for your site. This value should be a long random string which is the same across all of your site's RADIUS servers and should not change over time (a changed salt changes every CUI your site issues).
#
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
# The policies below can be called as just 'cui' (not
# cui.authorize etc..) from the various config sections.
#
#
# cui_hash_key definition
# This key serves the purpose of protecting CUI values against
# dictionary attacks, therefore should be chosen as a "random"
# string and kept secret.
#
cui_hash_key = "exampleString1234-CHANGE-ME"
Step 2 - Add CUI required Flag to policy.conf
In the policy.conf file, after the cui_hash_key, add a new variable called cui_require_operator_name and set it to 1.
#
# cui_require_operator_name switch
# If this is set to nonzero value then CUI will only be added
# when a non-empty Operator-Name value is present in the request
#
cui_require_operator_name = 1
Step 3 - Add CUI pre-proxy section to policy.conf
In the policy.conf file, after the cui.authorize section, add a section which sends a NUL CUI value when proxying (e.g. to the National RADIUS Proxy servers).
#
# Before proxying an Access-Request to a remote server, a NUL CUI
# attribute should be added, unless it is already present in the request.
#
cui.pre-proxy {
    if ("%{Packet-Type}" == Access-Request ) {
        update proxy-request {
            # '=' only adds the attribute if it is not already present
            Chargeable-User-Identity = '\\000'
        }
    }
}
Step 4 - Change CUI post-auth section in policy.conf
In policy.conf locate the cui.post-auth section and replace it with the following code:
#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
# For EAP-TTLS and EAP-PEAP methods
# use_tunneled_reply parameter MUST be set to yes
#
cui.post-auth {
    if (FreeRadius-Proxied-To == 127.0.0.1) {
        # Inner-tunnel request: the NUL CUI and Operator-Name are in the outer request
        if (outer.request:Chargeable-User-Identity && \
            (outer.request:Operator-Name || !("${policy.cui_require_operator_name}"))) {
            update reply {
                Chargeable-User-Identity:="%{md5:${policy.cui_hash_key}%{%{Stripped-User-Name}:-%{User-Name}}%{outer.request:Operator-Name:-}}"
            }
        }
    }
    else {
        # Non-proxied request: only add a CUI when the request asked for one
        # (NUL CUI present), none is in the reply yet, and Operator-Name is
        # present (or not required)
        if (!("%{control:Proxy-To-Realm}") && \
            Chargeable-User-Identity && \
            !(reply:Chargeable-User-Identity) && \
            (Operator-Name || !("${policy.cui_require_operator_name}")) ) {
            update reply {
                Chargeable-User-Identity="%{md5:${policy.cui_hash_key}%{%{Stripped-User-Name}:-%{User-Name}}%{%{Operator-Name}:-}}"
            }
        }
        # Strip any User-Name from the reply so it does not carry the inner
        # identity back to the NAS
        update reply {
            User-Name-="%{reply:User-Name}"
        }
        #
        # The section below will store a CUI for the User in the DB.
        # You need to configure the cuisql module and your database for this to work.
        # If your NAS-es can do CUI based accounting themselves
        # or you do not care about accounting, comment out the three lines below.
        #
        #if (reply:Chargeable-User-Identity) {
        #    cuisql
        #}
    }
}
Step 5 - Requesting CUI when proxying to eduroam National Roaming Proxy Servers
In the pre-proxy section of your sites-enabled server which handles local requests, call cui. This will call the relevant (pre-proxy) section in policy.conf.
e.g. in /etc/raddb/sites-enabled/camford
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
    # attr_rewrite
    cui
}
Step 6 - Replying with CUI to incoming requests from eduroam National Roaming Proxy Servers
In the post-auth section of the sites-enabled server which handles incoming requests, call cui. This will call the cui.post-auth section in policy.conf.
post-auth {
    cui
}
Step 7 - Announcing availability of CUI to servers sending incoming authentication requests
To announce to other servers the availability of CUI from your server you can send back a NUL CUI when responding to an Access-Request (which doesn't contain a NUL CUI itself). This is done by uncommenting cui in the authorize section of the relevant sites-enabled server.
e.g. in /etc/raddb/sites-enabled/eduroam
authorize {
    cui
}
Step 8 - Logging CUI Values
In the modules directory create a new linelog module called eduroam_log. This will be used to syslog (to the local machine) the authentication details.
e.g. /etc/raddb/modules/eduroam_log
linelog eduroam_log {
    filename = syslog
    format = ""
    # pick the Access-Accept or Access-Reject line below by the reply's Packet-Type
    reference = "eduroam_log.%{%{reply:Packet-Type}:-format}"
    eduroam_log {
        Access-Accept = "eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{reply:Chargeable-User-Identity}#RESULT=OK#"
        Access-Reject = "eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{reply:Chargeable-User-Identity}#RESULT=FAIL#"
    }
}
post-auth {
    cui
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
    #
    # Syslog the login details
    #
    eduroam_log
}
Note that Access-Reject packets are sent through the Post-Auth-Type REJECT sub-section rather than the main post-auth section, so the Access-Reject line is only written if eduroam_log is also called from inside that sub-section.
/etc/raddb/sites-enabled/camford
post-auth {
    #
    # Syslog the login details
    #
    if ( request:Realm != "local") {
        eduroam_log
    }
}
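A reader for the lines the eduroam_log module above writes, as an added Python example (not from the blog post): it splits the KEY=VALUE fields out of each syslog line, skips unrelated radiusd messages, and answers the question an abuse report from a visited site raises, namely which local user and device were issued a given CUI. The sample log lines (including the syslog prefix) are constructed for the example, and the function names are chosen here.

```python
"""Parse eduroam_log syslog lines and map a CUI back to a local user (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

LOG_FIELDS = ("ORG", "USER", "CSI", "NAS", "CUI", "RESULT")
_MARKER = "eduroam-auth#"

# Constructed sample lines in the shape the linelog format strings produce once a
# typical syslogd has prepended its timestamp, host and program prefix.
SAMPLE_LOG = """\
Mar  3 09:12:01 radius1 radiusd[2231]: eduroam-auth#ORG=camford.example#USER=alice@camford.example#CSI=00-11-22-33-44-55#NAS=AA-BB-CC-DD-EE-FF:eduroam#CUI=0123456789abcdef0123456789abcdef#RESULT=OK#
Mar  3 09:12:07 radius1 radiusd[2231]: eduroam-auth#ORG=camford.example#USER=bob@camford.example#CSI=00-11-22-33-44-66#NAS=AA-BB-CC-DD-EE-FF:eduroam#CUI=#RESULT=FAIL#
Mar  3 09:12:09 radius1 radiusd[2231]: eduroam-auth#ORG=camford.example#USER=alice@camford.example#CSI=00-11-22-33-44-55#NAS=AA-BB-CC-DD-EE-01:eduroam#CUI=0123456789abcdef0123456789abcdef#RESULT=OK#
Mar  3 09:12:11 radius1 radiusd[2231]: some unrelated radiusd message
"""


def parse_eduroam_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one eduroam_log line, or None if the line is not one
    (or is truncated: every well-formed line ends with the trailing '#')."""
    idx = line.find(_MARKER)
    if idx < 0:
        return None
    body = line[idx + len(_MARKER):].rstrip()
    if not body.endswith("#"):
        return None
    record: Dict[str, str] = {}
    for field in body[:-1].split("#"):
        key, sep, value = field.partition("=")
        if not sep or key not in LOG_FIELDS:
            return None  # not the format this module writes
        record[key] = value
    if set(record) != set(LOG_FIELDS):
        return None  # a field is missing
    return record


def parse_eduroam_log(text: str) -> List[Dict[str, str]]:
    """All eduroam_log records in a block of syslog text, in order."""
    records = (parse_eduroam_log_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def users_for_cui(records: List[Dict[str, str]], cui: str) -> Set[Tuple[str, str]]:
    """(User-Name, Calling-Station-Id) pairs that were issued this CUI; this is
    the lookup only the home site can do, since only it logs the User-Name."""
    return {(r["USER"], r["CSI"]) for r in records if r["CUI"] == cui}


def reject_counts_by_device(records: List[Dict[str, str]]) -> Counter:
    """Failed authentications per client MAC, e.g. to spot a misconfigured device."""
    return Counter(r["CSI"] for r in records if r["RESULT"] == "FAIL")


if __name__ == "__main__":
    recs = parse_eduroam_log(SAMPLE_LOG)
    print(f"{len(recs)} records")
    print("CUI 0123...cdef ->", users_for_cui(recs, "0123456789abcdef0123456789abcdef"))
    print("rejects per device:", reject_counts_by_device(recs))
```

Because the CUI is keyed (Step 1) the visited site's accounting only ever shows the opaque value; the USER=...#CUI=... pairing in this log is what lets the home site resolve it, so the log needs the same access controls as any other record of user identity.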