ONGOING WORK
Installation using the installation script
The installation script is available at https://github.com/geteduroam/letswifi-portal/blob/main/contrib/install/install-letswifi-portal.sh . The script sets up a portal at the web address (DNS entry) that you provide, with which you obtain certificates from one CA and for a specific realm, which you specify. Additionally, the script copies the metadata from the link but if automatic refresh is needed, you need to set this up later. At the end of the installation process, you get a link to find the SAML SP metadata to register with your federation. In the firewall you need to open the ports TCP/80 and TCP/443 . In order to check that everything is OK at this point, please use the command
curl -sSk --resolve DOMAIN:443:127.0.0.1 https://DOMAIN; echo
You should see an output like {"href":"./","http://letswifi.app/api#2": if the webserver is running OK internally. You should also be able to reach your server with a browser. Next, try to check the metadata with https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, please obtain and install a server certificate for your web server. The configuration file is named letswifi-portal.conf.
At this point you may find out that the SimpleSAMLphp version that your OS comes with is too old. Please download a new one and install it. Copy the apache.conf of the newly installed SimpleSAMLphp to the /config - directory and take it into use at /etc/apache2/conf-available with
ln -sf /NEW-SIMPLESAMLPHP/config/apache.conf /etc/apache2/conf-available/simplesamlphp.conf
In config.php you may need to change 'baseurlpath' from 'simplesaml/' to 'simplesamlphp/'. In /usr/share/letswifi-portal/etc/letswifi.conf.php the 'autoloadInclude' needs to be changed to point to the correct SimpleSAMLphp version. Do a web server restart.
Next, connect your SimpleSAMLphp to your federation. More extensive guidelines can be found here and here. In case you need certificates for signing and encryption, you can generate them with:
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-geteduroam.crt -keyout saml-geteduroam.key
In /etc/simplesamlphp/authsources.php, under ’default-sp’, please insert the following
'certificate' => '/PATH/TO/saml-geteduroam.crt', 'privatekey' => '/PATH/TO/saml-geteduroam.key', 'redirect.sign' => true, 'redirect.validate' => true,
You should see the changes in https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. If needed, enable automatic metadata refresh, extensive guidelines can be found here. In the module section of /SIMPLESAMLPHP/config/config.php you need
'module.enable' => [ 'cron' => true, 'metarefresh' => true, 'core' => true, 'saml' => true ],
instead of 'exampleauth'.
Please copy the necessary templates with
cp modules/cron/config-templates/*.php /etc/simplesamlphp/ cp modules/metarefresh/config-templates/*.php /etc/simplesamlphp/
From /modules/metarefresh/bin you can test with
./metarefresh.php -s https://PATH/TO/your-metadata.xml
Please go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron. Set the key in module_cron.php and the 'auth.adminpassword' in config.php. In the same file, the 'technicalcontact_email' needs to be updated. Next, make sure that www-data has access to the metadata folder. You can update the metadata with HTTP or CLI, with HTTP you need something like this in /etc/corn.d/
20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1
Next, your need to create a CAT profile for your users. With this done, you should now be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter a OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The php version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.
As a final remark, you can make the web server enforce HSTS with
a2enmod headers systemctl restart apache2
Then please add to letswifi-portal.conf
Header always set Strict-Transport-Security "max-age=15768000"
and do another web server restart.
Connecting to a RADIUS server
In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to know the CA of your Let's WiFi portal. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem
In the eap file you define this cert as the ca_file and then you also need something like the following
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = ${certdir}/radius.geteduroam.TLD.key
certificate_file = ${certdir}/radius.geteduroam.TLD.crt
ca_file = ${cadir}/geteduroam-ca.pem
auto_chain = no
dh_file = ${certdir}/dh
ca_path = ${cadir}
#check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
cipher_server_preference = no
tls_min_version = "1.2"
tls_max_version = "1.3"
fragment_size = 1450
ecdh_curve = "prime256v1"
cache {
enable = no
store {
Tunnel-Private-Group-Id
}
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
virtual_server = check-eap-tls
}
ttls {
tls = tls-common
virtual_server = "inner-tunnel"
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
}
}
In this configuration the certificate_file contains the whole chain. The sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to
server check-eap-tls {
authorize {
#if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
if (&Realm == "%{1}") {
update config {
Auth-Type = Accept
}
}
else {
update config {
Auth-Type = Reject
}
}
}
}
}
in order to accept anonymous outer IDs, if needed.
In the Let's WiFi portal, please import the CA that was used to get the RADIUS server certificate with
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php
You can view the result with sqlite> select * from ca;
You also need to update the realm trust with
/var/lib/letswifi/database# sqlite3 letswifi.sqlite sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';
You can view the result with sqlite> select * from realm_trust;
Also check the server name and change it if needed
sqlite> SELECT * FROM realm_server_name; YOUR-REALM|radius.YOUR-REALM sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';
In the table realm_signer, you can set how many days the certificate should be valid. Certification revokation must be enforced by the RADIUS server, so either blocklist the common names, or create a CRL file, or set up an OCSP responder.
1 Comment
Mohácsi János
Better alternative of OCSP would be to us freeradius to check validity of certifcate. - working on this type of solution.