1 # Using RadSec (RADIUS/TLS)
2
3 ### Make sure that libradsec is at bae5640d (or later), branch 'libradsec'
4     git log | egrep bae5640d  || echo you need to pull
5
6 ### Get radsecproxy built
7     cd ~/moonshot-tlv/libradsec
8     git checkout master
9     ./configure --prefix=/usr/local/moonshot --enable-tls
10     make all install
11     git checkout libradsec
12
13 ### Configure radsecproxy like this (test-bed values: the demoCA certificates, `certificateNameCheck off` and the shared secret `testing123` are for this local test only, not for a deployed proxy):
14     cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
15     tls default {
16         CACertificateFile   /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
17         CertificateFile     /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
18         CertificateKeyFile  /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
19     }
20     client 127.0.0.1 {
21         type    tls
22         secret  testing123
23         certificateNameCheck off
24     }
25     server 127.0.0.1 {
26         type    udp
27         port    1812
28         secret  testing123
29     }
30     realm * {
31         server 127.0.0.1
32     }
33     EOF
34
35 ### Start radsecproxy
36     /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
37
38 ### Configure /usr/local/moonshot/etc/radsec.conf as
39         realm gss-eap-tls {
40                 type = TLS
41                 cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
42                 certfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
43                 certkeyfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
44                 server {
45                         hostname = "localhost"
46                         service = "2083"
47                         secret = "testing123"
48                 }
49         }
50
51 Note that this adds a second "realm" called gss-eap-tls.  In order to
52 make mech_eap use this instead of the ordinary gss-eap, edit
53 createRadiusHandle() in mech_eap/accept_sec_context.c to read
54
55         const char *configStanza = "gss-eap-tls";
56
57 If you intend to switch to RadSec entirely, name the realm "gss-eap"
58 in radsec.conf and don't make the change to createRadiusHandle().
59
60 ### Test with a simple RadSec client
61     lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
62         Code: 2, Identifier: 0, Lenght: 20
63         Good auth.
64
65 ### Test with gss-server and gss-client
66     ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
67     ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing  127.0.0.1 host@localhost bar
68
69 This should produce lots of interesting output, ending with
70
71         Received message: "bar"
72         Signature verified.
73         NOOP token