Konfiguration anhand (fiktiver) "Gustav-Kirchhoff-Berufsschule"

Quelle: https://de.wikipedia.org/wiki/Gustav_Robert_Kirchhoff

  • Domainname extern: kirchhoff-bs.de
  • Domainname intern: kirchhoff-bs.local
  • Netzwerk WLAN-AccessPoints (und -Controller): 10.0.0.0/24
  • RADSEC-Proxy (debian GNU/Linux): 10.0.0.20
  • IP-Adresse NPS (Netzwerkrichtlinienserver) 10.0.0.21
  • statische öffentliche IP-Adresse (optional)
  • gültiges Zertifikat (auch Let's Encrypt)
  • auflösbarer Hostname, z. B. radsec.kirchhoff-bs.de
  • Portforwarding (NAT-Rule) in Firewall auf RADSEC-Proxy, Port 2083



radsecproxy.conf
# Master config file for radsecproxy
 
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
ListenUDP		*:1814
#ListenUDP		localhost
ListenTCP		*:1814
ListenTLS		*:2083
#ListenTLS		[2001:700:1:7:215:f2ff:fe35:307d]:2084
ListenDTLS		*:2084
 
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP		*:1814
#SourceTCP		*:1814
#SourceTLS		*:2803
#SourceDTLS		*:2803
 
# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel		3
# Optional LogDestination, else stderr used for logging
# Logging to file
LogDestination		file:///var/log/radsecproxy.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination         x-syslog:///
#LogDestination         x-syslog:///log_local2
# Optional log thread Id
#LogThreadId on
 
# There is an option for doing some simple loop prevention.  Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention		on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20
 
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
tls default {
    # You must specify at least one of CACertificateFile or CACertificatePath
    # for TLS to work. We always verify peer certificate (client and server)
    # CACertificateFile /etc/ssl/certs/ca-certificates.crt
    CACertificatePath	/etc/ssl/certs
 
    # You must specify the below for TLS, we always present our certificate
    # CertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
    # CertificateKeyFile	/etc/ssl/private/ssl-cert-snakeoil.key
    CertificateFile	/etc/ssl/letsencrypt/fullchain.pem
    CertificateKeyFile	/etc/ssl/letsencrypt/privkey.pem
    # Optionally specify password if key is encrypted (not very secure)
    # CertificateKeyPassword	"follow the white rabbit"
    #
    # Optionally enable CRL checking
    # CRLCheck on
    # Optionally specify how long CAs and CRLs are cached, default forever
    CacheExpiry 3600
    #
    # Optionally require that peer certs have one of the specified policyOIDs
    # policyoid     1.2.3 # this option can be used multiple times
    # policyoid     1.3.4
}
 
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
 
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
 
client 127.0.0.1 {
	type udp
	secret testing123
}
 
client local_LAN {
	host 10.0.0.0/24
	type udp
	secret ******
}
client AKB-Muenchen {
	#host radsec.akb-muenchen.de
	host 88.217.236.83
	port 2083
	type tls
 
server NPS {
	host 10.0.0.21
	type udp
}
 
server AKB-Muenchen {
	#host radsec.akb-muenchen.de
	host 88.217.236.83
	port 2083
	type tls
	certificatenamecheck off
	statusserver on
}
 
# Equivalent to example.com
#realm /@example\.com$ {
#	server 2001:db8::1
#}
 
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
#realm /\.com$ {
#}
#
#realm /^anonymous$ {
#	replymessage "No Access"
#	AccountingResponse On
#}
 
#realm /^$/ {
#	server freeradius
#}
 
realm /@kirchhoff-bs\.de$ {
	server NPS
}
 
realm /@kirchhoff-bs\.local$ {
	server NPS
}
 
realm /@akb-muenchen\.de$ {
	server AKB-Muenchen
}
 
realm * {
        replymessage "User unknown"
}
  • schoolroam/radsecproxy.txt
  • Zuletzt geändert: 10.11.2024 21:56
  • von adminfiit