Blame - configuration/aaa.rst - trellis-docs

blob: 56846e283cb85cf03bd8d637db22b5c36647d5b1 [file] [log] [blame]

Charles Chan	9e5c617	2019-09-07 11:24:54 -0700	[diff] [blame]	1	AAA
				2	===
Charles Chan	20fabfb	2019-09-07 11:24:54 -0700	[diff] [blame^]	3
				4	Introduction
				5	------------
				6	In this section, we will explain how to use Trellis with AAA service, which can be used to authenticate a client host.
				7	We will explain how this works with a simple single switch topology.
				8
				9	.. image:: ../images/config-aaa.png
				10
				11
				12	Configure ONOS
				13	--------------
				14
				15	Activate AAA app
				16	^^^^^^^^^^^^^^^^
				17	We need to install and activate AAA app separately since it is located in a separate (CORD) repository.
				18	There are multiple methods to install and activate a pre-compiled app. Let's use CLI now.
				19
				20	.. code-block::console
				21
				22	$ onos-app localhost install! aaa-1.1-SNAPSHOT.oar
				23
				24
				25	Provide network configuration
				26	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
				27	We need to provide AAA configuration in the apps section of network configuration.
				28
				29	.. code-block:: json
				30	:linenos:
				31
				32	{
				33	"apps": {
				34	"org.opencord.aaa" : {
				35	"AAA" : {
				36	"radiusIp": "10.128.0.231",
				37	"radiusServerPort": "1812",
				38	"radiusSecret": "howdoyouturnthison"
				39	}
				40	}
				41	}
				42	}
				43
				44
				45	- ``radiusIp``: The IP address of the Radius server
				46	- ``radiusServerPort``: The UDP port of the Radius server. (Optional -- ONOS will use port 1812 by default).
				47	- ``radiusSecret``: The Radius secret. This needs to be consistent with the Radius server configuration
				48
				49	Then push the JSON to ONOS:
				50
				51	.. code-block:: console
				52
				53	$ onos-netcfg $OC1 aaa-config.json
				54
				55
				56	Configure Radius server
				57	-----------------------
				58
				59	Install FreeRadius
				60	^^^^^^^^^^^^^^^^^^
				61	Technically all Radius server should work.
				62	However, the way to configure them are probably different case to case.
				63	Here we use FreeRadius on Ubuntu as an example.
				64	To install the Radius server, simply run:
				65
				66	.. code-block:: console
				67
				68	sudo apt-get install freeradius
				69
				70	Configure FreeRadius
				71	^^^^^^^^^^^^^^^^^^^^
				72
				73	Add a user
				74	""""""""""
				75	We usually connect Radius server to a database where we store the user information.
				76	In this section, we statically configure a user to simplify the setup.
				77	To add a user ``admin`` with password ``cord_test``, edit ``/etc/freeradius/users`` and add following lines:
				78
				79	.. code-block:: text
				80
				81	admin Cleartext-Password := "cord_test"
				82	Reply-Message = "Hello, %{User-Name}"
				83
				84	Allow external clients
				85	""""""""""""""""""""""
				86	By default the Radius server only accepts requests from ``localhost``.
				87	To allow external clients, we need to modify ``/etc/freeradius/clients.conf``
				88	We also need to change the secret.
				89
				90	.. code-block:: diff
				91
				92	-client localhost {
				93	+client 0.0.0.0/0 {
				94
				95	- secret = testing123
				96	+ secret = howdoyouturnthison
				97
				98	Use TLS
				99	"""""""
				100	By default, FreeRadius use MD5 challenge response to authenticate clients.
				101	To use TLS, we need to modify ``/etc/freeradius/eap.conf``
				102	We also need to change the private key password.
				103
				104	.. code-block:: diff
				105
				106	- default_eap_type = md5
				107	+ default_eap_type = tls
				108
				109	- private_key_password = whatever
				110	+ private_key_password = onos_test
				111
				112	.. note::
				113	The key and certificates required by TLS will locate under ``/etc/freeradius/certs`` by default.
				114	There will be three symbolic links link to ``ca.pem``, ``server.key``, ``server.pem``.
				115	We only need to change the symbolic links after we generates the keys and certificates.
				116	Therefore, we don't need to change the path in ``/etc/freeradius/eap.conf``
				117
				118	.. note::
				119	Both server certificate and client certificate need to be signed by the same CA certificate.
				120	Also note that each key we generate below needs a unique Common Name.
				121
				122	Generate CA certificate (ca.pem) and private key (privkey.pem)
				123	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				124
				125	.. code-block:: console
				126
				127	openssl req -out ca.pem -new -x509
				128
				129	Generate and sign server certificate (server.pem) and private key (server.key)
				130	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				131
				132	.. code-block:: console
				133
				134	openssl genrsa -out server.key 1024
				135	openssl req -key server.key -new -out server.req
				136	openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
				137
				138	Generate and sign client certificate (client.pem) and private key (client.key)
				139	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				140
				141	.. code-block:: console
				142
				143	openssl genrsa -out client.key 1024
				144	openssl req -key client.key -new -out client.req
				145	openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
				146
				147
				148	Deploy keys and certificates
				149	""""""""""""""""""""""""""""
				150	On the server side, please link /etc/freeradius/{ca.pem, server.key, server.pem} to the files we just generated.
				151	Also copy ca.pem, client.key, client.pem to the client side through a secured channel.
				152	They will later be used when testing the Radius authentication.
				153
				154
				155	Testing
				156	-------
				157	We can use the ``wpa_supplicant`` as the test client. In case ``wpa_supplicant`` has not been installed, you can run ``sudo apt-get install wpasupplicant``
				158
				159	Compose wpa_supplicant.conf
				160	^^^^^^^^^^^^^^^^^^^^^^^^^^^
				161
				162	.. code-block:: text
				163
				164	ctrl_interface=/var/run/wpa_supplicant
				165	eapol_version=1
				166	ap_scan=0
				167	fast_reauth=0
				168	network={
				169	key_mgmt=WPA-EAP
				170	eap=TLS
				171	identity="admin"
				172	password="cord_test"
				173	ca_cert="ca.pem"
				174	client_cert="client.pem"
				175	private_key="client.key"
				176	private_key_passwd="onos_test"
				177	eapol_flags=3
				178	}
				179
				180	Run the test client
				181	^^^^^^^^^^^^^^^^^^^
				182	.. tip::
				183	If you are using a Linux VM behind a bridge to send out this authentication message, make sure the Linux kernel of your host machine is 3.2 or above.
				184	Otherwise the EAPOL messages won't go through the bridge.
				185
				186	.. code-block:: console
				187
				188	$ sudo wpa_supplicant -Dwired -ieth1 -cwpa_supplicant.conf
				189
				190	You should see the following message if authentication succeed:
				191
				192	.. code-block:: console
				193
				194	Successfully initialized wpa_supplicant
				195	eth1: Associated with 01:80:c2:00:00:03
				196	eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
				197	eth1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
				198	eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
				199	eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=ca.cord.lab/emailAddress=xxx@xxx.xxx'
				200	eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
				201	eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
				202
				203	Reference
				204	---------
				205	- https://tools.ietf.org/html/rfc3580
				206	- https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/
				207	- https://dst.lbl.gov/~boverhof/openssl_certs.html