testing/radsec.mdwn

   1 # Using RadSec (RADIUS/TLS)
   2
   3 ### Make sure that libradsec is at bae5640d (or later)
   4
   5 ### Get radsecproxy built
   6     cd ~/moonshot-tlv/libradsec
   7     git checkout master
   8     ./configure --prefix=/usr/local/moonshix=/usr/local/moonshot --enable-tls
   9     make all install
  10     git checkout libradsec
  11
  12 ### Configure radsecproxy like this:
  13     cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
  14     tls default {
  15         CACertificateFile   /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
  16         CertificateFile     /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
  17         CertificateKeyFile  /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
  18     }
  19     client 127.0.0.1 {
  20         type    tls
  21         secret  testing123
  22         certificateNameCheck off
  23     }
  24     server 127.0.0.1 {
  25         type    udp
  26         port    1812
  27         secret  testing123
  28     }
  29     realm * {
  30         server 127.0.0.1
  31     }
  32     EOF
  33
  34 ### Start radsecproxy
  35     /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
  36
  37 ### Configure /usr/local/moonshot/etc/radsec.conf as
  38         realm gss-eap-tls {
  39                 type = TLS
  40                 cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
  41                 certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
  42                 certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
  43                 server {
  44                         hostname = "localhost"
  45                         service = "2083"
  46                         secret = "testing123"
  47                 }
  48         }
  49
  50 Note that this adds a second "realm" called gss-eap-tls.  In order to
  51 make mech_eap use this instead of the ordinare gss-eap, edit
  52 createRadiusHandle() in mech_eap/accept_sec_context.c to read
  53
  54         const char *configStanza = "gss-eap-tls";
  55
  56 If you intend to switch to RadSec entirely, name the realm "gss-eap"
  57 in radsec.conf and don't make the change createRadiusHandle().
  58
  59 ### Test with a simple RadSec client
  60     lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
  61         Code: 2, Identifier: 0, Lenght: 20
  62         Good auth.
  63
  64 ### Test with gss-server and gss-client
  65     ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
  66     ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing  127.0.0.1 host@localhost bar
  67
  68 This should produce lots of interesting output, ending with
  69
  70         Received message: "bar"
  71         Signature verified.
  72         NOOP token