On 29/07/2014 17:17, David Rickard wrote:
> Hi,
>
> We're in the early stages of setting up our eduroam implementation
> (finally joining the party!) and I'm now looking to set up the RADIUS
> proxies in our DMZ. We're having Cisco ISE at the heart of our
> wireless (and everything else), so we'll be running FreeRadius out on
> the edge to talk to the NRPS.
>
> I've been looking at various bits of documentation, but most seems
> more geared towards a single server implementation, in that the
> single server handles the AD/backend auth, as well as the proxy role.
> However, our server simply needs to send incoming requests to ISE,
> and any requests ISE doesn't understand to the NRPS. I've not yet
Not quite.

Your ORPS should:

1. Take inbound requests from the NRPS, and pass them to your auth system.
This is relatively easy, as you can trust the NRPS to send you sane stuff.

2. Take outbound requests from your wireless, apply the substantial
list of sanity, loop and other failure prevention logic, and only then
pass them to the NRPS.

As Alan has suggested, all you do is replace callouts to "local" auth
with forcing to a proxy. The only difference from a "standard"
single-tier FreeRADIUS setup is on the inbound direction, from the NRPS
to the FR server. Basically, define a realm in proxy.conf that
represents your ISE servers, and have something like this:
  # home_server & home_server_pool defs for your ISE server(s) here, then
  realm BUCKS-ISE {
          pool = <defined above>
          nostrip
  }

  client roaming0 {
          ipaddr = ..
          secret = ..
          virtual_server = from_nrps
  }

  server from_nrps {
          authorize {
                  # proxy all traffic on to ISE
                  update control {
                          Proxy-To-Realm := BUCKS-ISE
                  }
          }
  }
The other direction - ISE sending to NRPS - looks exactly the same as a
normal FreeRADIUS config; FR doesn't care if the client is a wireless AP
or downstream radius server. Using the above style it's basically:
  # home_server & home_server_pool defs for NRPS as per
  # the templates on the support server.
  realm NRPS {
          pool = <defined above>
          nostrip
  }

  client ise0 {
          ipaddr = ..
          secret = ..
          virtual_server = from_ise
  }

  # this is the virtual server the ise0 client above points at
  server from_ise {
          authorize {
                  # NOTE NOTE NOTE: various checks MUST go here to avoid problems
                  # including loop-prevention and similar. Very, very skeletal example

                  # check for loops: never send our own realm back out to the NRPS
                  if (User-Name =~ /^.*@bucks.ac.uk/i) {
                          reject
                  }

                  # check for invalid usernames
                  # dumb regexp but catches much badness
                  if (User-Name !~ /^.*@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) {
                          reject
                  }

                  # proxy everything that survived the checks on to the NRPS
                  update control {
                          Proxy-To-Realm := NRPS
                  }
          }

          pre-proxy {
                  update proxy-request {
                          Operator-Name := "1bucks.ac.uk"
                  }
                  # must define this filter and permitted attributes
                  # e.g. don't leak internals! But don't block required
                  # attributes e.g. EAP-Message and similar!
                  attr_filter.to_nrps
          }

          post-proxy {
                  # must define this filter and permitted attributes
                  # e.g. don't trust a vlan from Hogwarts or similar!
                  attr_filter.from_nrps
          }
  }
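The two authorize-section checks in the outbound skeleton above, re-implemented in Python so the regexes can be exercised against constructed usernames before they go live. This is an added example, not from the original post or the eduroam templates; bucks.ac.uk is the post's example realm, the sample User-Names are constructed, and Python's raw string needs `\.` where the FreeRADIUS config needs `\\.`.

```python
import re

# Loop check copied from the post: realm starts with our own domain, so the
# request must never be forwarded out to the NRPS. Note the dots are
# unescaped and there is no trailing "$", so it also rejects names such as
# user@bucks.ac.uk.example.org; that is over-rejection, the safe direction.
LOOP_RE = re.compile(r"^.*@bucks.ac.uk", re.IGNORECASE)

# "Dumb regexp" from the post: user@label(.label)+ with labels of [-A-Z0-9].
REALM_RE = re.compile(r"^.*@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$", re.IGNORECASE)


def orps_authorize(user_name: str) -> str:
    """Mirror the skeleton's authorize section for one User-Name.

    Returns "reject" if either check fires, otherwise the Proxy-To-Realm
    the request would be given ("NRPS").
    """
    if LOOP_RE.search(user_name):
        return "reject"      # would loop back to our own realm
    if not REALM_RE.search(user_name):
        return "reject"      # no realm, or realm is not a dotted domain
    return "NRPS"


# Constructed sample User-Names (not from the post) and the expected outcome.
SAMPLES = [
    ("alice@bucks.ac.uk", "reject"),              # our own users: ISE handles them locally
    ("bob", "reject"),                            # no realm at all
    ("carol@localhost", "reject"),                # realm without a dot
    ("dave@example.org", "NRPS"),                 # well-formed foreign realm
    ("erin@wifi.uni-example.ac.uk", "NRPS"),      # multi-label realm with a hyphen
    ("frank@bucks.ac.uk.example.org", "reject"),  # caught by the un-anchored loop check
    ("grace@ex_ample.org", "reject"),             # underscore is outside the label charset
]


def check_samples() -> bool:
    """True when every constructed sample gets the expected decision."""
    return all(orps_authorize(name) == expected for name, expected in SAMPLES)


if __name__ == "__main__":
    for name, expected in SAMPLES:
        print(f"{name:32} -> {orps_authorize(name):6} (expected {expected})")
```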