4 This is an implementation of the GSS EAP mechanism, as described in
5 draft-ietf-abfab-gss-eap-01.txt.
10 In order to build this, a recent Kerberos implementation (MIT or
11 Heimdal), Shibboleth, and EAP libraries are required, along with
12 all of their dependencies.
14 Note: not all SPIs are supported by the Heimdal mechanism glue,
15 so not all features will be available.
23 When installing, be sure to edit $prefix/etc/gss/mech to register
24 the EAP mechanisms. A sample configuration file is in this directory.
25 You may need to specify an absolute path.
30 Make sure your RADIUS library is configured to talk to the server of
31 your choice: see the example radsec.conf in this directory. If you
32 want to use TCP or TLS, you'll need to run radsecproxy in front of
38 These instructions apply to FreeRADIUS only, which is downloadable
39 from http://freeradius.org/. After configure, make, install, do the
42 On the RADIUS server side, you need to install dictionary.ukerna to
43 $prefix/etc/raddb and include it from the main dictionary file, by
46 $INCLUDE dictionary.ukerna
48 to $prefix/etc/raddb/dictionary. Make sure these files are world-
49 readable; they weren't in my installation.
51 Edit $prefix/etc/raddb/users to add your test user and password:
53 bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
55 Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
60 require_message_authenticator = yes
63 Edit $prefix/etc/raddb/eap.conf and set:
67 default_eap_type = ttls
72 private_key_file = ...
73 certificate_file = ...
76 default_eap_type = mschapv2
77 copy_request_to_tunnel = no
78 use_tunneled_reply = no
79 virtual_server = "inner-tunnel"
86 If you want the acceptor be able to identify the user, the RADIUS
87 server needs to echo back the EAP username from the inner tunnel;
88 for privacy, mech_eap only sends the realm in the EAP Identity
89 response. To configure this with FreeRADIUS, add:
92 User-Name = "%{request:User-Name}"
95 If you want to add a SAML assertion, do this with "update reply"
96 in $prefix/etc/raddb/sites-available/default:
99 SAML-AAA-Assertion = '<saml:Assertion ...'
100 SAML-AAA-Assertion += '...'
103 You'll need to split it into multiple lines because of the RADIUS
104 attribute size limit.
109 You can then test the MIT or Cyrus GSS and SASL example programs.
110 Sample usage is given below. Substitute <user>, <pass> and <host>
111 appropriately (<host> is the name of the host running the server,
112 not the RADIUS server).
114 % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
115 -user <user>@<realm> -pass <pass> <host> host@<host> \
117 % gss-server -port 5555 -export host@<host>
119 Note: for SASL you will be prompted for a username and password.
121 % client -C -p 5556 -s host -m EAP-AES128 <host>
122 % server -c -p 5556 -s host -h <host>
124 To test fast reauthentication support, add the following to
129 reauth_use_ccache = TRUE
132 This will store a Kerberos ticket for a GSS-EAP authenticated user
133 in a credentials cache, which can then be used for re-authentication
134 to the same acceptor. You must have a valid keytab configured.
136 In this testing phase of Moonshot, it's also possible to store a
137 default identity and credential in a file. The format consists of
138 the string representation of the initiator identity and the password,
139 separated by newlines. The default location of this file is
140 .gss_eap_id in the user's home directory, however the GSSEAP_IDENTITY
141 environment variable can be used to set an alternate location.
143 You can also set a default realm in [appdefaults]; the Kerberos
144 default realm is never used by mech_eap (or at least, that is the
145 intention), so if unspecified you must always qualify names. It should
146 generally not be necessary to specify this.
projects / moonshot.git / blob