From: Linus Nordberg
Date: Fri, 25 Mar 2011 15:53:27 +0000 (+0100)
Subject: Add testing/radsec.
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=devwiki.git;a=commitdiff_plain;h=d7f024831eba0f938307b441533411275c855de5
Add testing/radsec.
---
diff --git a/testing/radsec.mdwn b/testing/radsec.mdwn
new file mode 100644
index 0000000..b0b4c5e
--- /dev/null
+++ b/testing/radsec.mdwn
@@ -0,0 +1,72 @@
+# Using RadSec (RADIUS/TLS)
+
+### Make sure that libradsec is at bae5640d (or later)
+
+### Get radsecproxy built
+ cd ~/moonshot-tlv/libradsec
+ git checkout master
+ ./configure --prefix=/usr/local/moonshix=/usr/local/moonshot --enable-tls
+ make all install
+ git checkout libradsec
+
+### Configure radsecproxy like this:
+ cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
+ tls default {
+ CACertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
+ CertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
+ CertificateKeyFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
+ }
+ client 127.0.0.1 {
+ type tls
+ secret testing123
+ certificateNameCheck off
+ }
+ server 127.0.0.1 {
+ type udp
+ port 1812
+ secret testing123
+ }
+ realm * {
+ server 127.0.0.1
+ }
+ EOF
+
+### Start radsecproxy
+ /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
+
+### Configure /usr/local/moonshot/etc/radsec.conf as
+ realm gss-eap-tls {
+ type = TLS
+ cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
+ certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
+ certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
+ server {
+ hostname = "localhost"
+ service = "2083"
+ secret = "testing123"
+ }
+ }
+
+Note that this adds a second "realm" called gss-eap-tls. In order to
+make mech_eap use this instead of the ordinare gss-eap, edit
+createRadiusHandle() in mech_eap/accept_sec_context.c to read
+
+ const char *configStanza = "gss-eap-tls";
+
+If you intend to switch to RadSec entirely, name the realm "gss-eap"
+in radsec.conf and don't make the change createRadiusHandle().
+
+### Test with a simple RadSec client
+ lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
+ Code: 2, Identifier: 0, Lenght: 20
+ Good auth.
+
+### Test with gss-server and gss-client
+ ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
+ ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing 127.0.0.1 host@localhost bar
+
+This should produce lots of interesting output, ending with
+
+ Received message: "bar"
+ Signature verified.
+ NOOP token