Charles Chan | 9e5c617 | 2019-09-07 11:24:54 -0700

AAA
===

Introduction
------------
In this section we explain how to use Trellis with the AAA service, which authenticates a client host with IEEE 802.1X (EAP over LAN) against a RADIUS server.
We walk through the setup on a simple **single switch** topology.

.. image:: ../images/config-aaa.png


Configure ONOS
--------------

Activate AAA app
^^^^^^^^^^^^^^^^
The AAA app has to be installed and activated separately because it lives in a separate (CORD) repository.
There are several ways to install and activate a pre-compiled app; here we use the CLI.
``install!`` installs the ``.oar`` and activates it in one step.

.. code-block:: console

    $ onos-app localhost install! aaa-1.1-SNAPSHOT.oar


Provide network configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The AAA configuration goes in the ``apps`` section of the network configuration.

.. code-block:: json
    :linenos:

    {
        "apps": {
            "org.opencord.aaa" : {
                "AAA" : {
                    "radiusIp": "10.128.0.231",
                    "radiusServerPort": "1812",
                    "radiusSecret": "howdoyouturnthison"
                }
            }
        }
    }


- ``radiusIp``: the IP address of the RADIUS server.
- ``radiusServerPort``: the UDP port of the RADIUS server (optional; ONOS uses port 1812 by default).
- ``radiusSecret``: the RADIUS shared secret. It must match the ``secret`` configured for the ONOS client on the RADIUS server. Every request and reply between ONOS and the server is authenticated with this secret, so treat the value above as a placeholder: use a long random string, and keep in mind that the network configuration stores it in clear text and returns it to anyone who can read the configuration.

Then push the JSON to ONOS:

.. code-block:: console

    $ onos-netcfg $OC1 aaa-config.json


Configure RADIUS server
-----------------------

Install FreeRADIUS
^^^^^^^^^^^^^^^^^^
Technically any RADIUS server should work, but the way to configure them differs from server to server.
Here we use FreeRADIUS on Ubuntu as an example.
To install the RADIUS server, simply run:

.. code-block:: console

    $ sudo apt-get install freeradius

.. note::
    The paths below are those of FreeRADIUS 2.x. The FreeRADIUS 3.x package on newer Ubuntu releases keeps its
    configuration under ``/etc/freeradius/3.0/``: the ``users`` file is ``mods-config/files/authorize``,
    ``clients.conf`` keeps its name and ``eap.conf`` is ``mods-available/eap``.
    After each change, run ``sudo freeradius -X`` in the foreground to see whether the configuration loads
    and to watch the requests arriving from ONOS.

Configure FreeRADIUS
^^^^^^^^^^^^^^^^^^^^

Add a user
""""""""""
A RADIUS server is usually connected to a database that holds the user information.
In this section we configure a user statically to keep the setup simple.
To add a user ``admin`` with password ``cord_test``, edit ``/etc/freeradius/users`` and add the following lines:

.. code-block:: text

    admin Cleartext-Password := "cord_test"
          Reply-Message = "Hello, %{User-Name}"

With EAP-TLS (configured below) the client is authenticated by its certificate, not by this password; the password only matters for password-based EAP methods such as the default EAP-MD5.

Allow external clients
""""""""""""""""""""""
By default the RADIUS server only accepts requests from ``localhost``.
To accept requests from ONOS, modify ``/etc/freeradius/clients.conf`` and change the shared secret to the ``radiusSecret`` configured in ONOS:

.. code-block:: diff

    -client localhost {
    +client 0.0.0.0/0 {

    - secret = testing123
    + secret = howdoyouturnthison

The ``localhost`` stanza also contains ``ipaddr = 127.0.0.1``, and when ``ipaddr`` is present it, not the stanza name, decides which source addresses are accepted, so update it as well.
``0.0.0.0/0`` is convenient in a lab but lets any host that can reach UDP port 1812 try requests against the shared secret; outside a lab set ``ipaddr`` to the ONOS controller's address (or its subnet) instead.
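The ``radiusSecret`` in the ONOS network configuration and the ``secret`` in ``clients.conf`` are the two ends of the same key. The following Python script is an added example, not code from ONOS, the AAA app or FreeRADIUS, that shows what that key does on the wire: it builds an Access-Request carrying an EAP-Message together with the Message-Authenticator that RFC 3579 requires, checks it the way the server does, and verifies the Response Authenticator of RFC 2865 on the reply. The secrets, the NAS address ``10.128.0.1``, the identifier and the EAP payload are constructed sample values; it uses only the standard library.

```python
# Added example (not part of the Trellis/ONOS or FreeRADIUS code): what the
# RADIUS shared secret actually protects on the wire. Standard library only.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, username, eap_message,
                         request_auth=None, nas_ip="10.128.0.1"):
    """Access-Request as a NAS (here: the ONOS AAA app) sends it, carrying an
    EAP-Message plus the Message-Authenticator RFC 3579 requires with it:
    HMAC-MD5 keyed with the shared secret over the whole packet, computed
    with the Message-Authenticator value zeroed."""
    if request_auth is None:
        request_auth = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(ATTR_EAP_MESSAGE, eap_message)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def check_message_authenticator(secret, packet):
    """Server-side check: walk the attributes, recompute the HMAC with the
    secret configured for this client and compare in constant time."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # EAP requests without a Message-Authenticator are rejected


def build_response(secret, code, request, attrs=b""):
    """Access-Accept/Reject: the Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def check_response(secret, request, response):
    """Client-side check of a reply: same identifier as the request, consistent
    length, and a Response Authenticator computed with the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample: EAP-Response/Identity "admin" (code 2, id 1, length 10,
# type 1) inside an Access-Request, answered by an Access-Accept.
EAP_IDENTITY_ADMIN = b"\x02\x01\x00\x0a\x01admin"


def demo(secret=b"howdoyouturnthison", wrong_secret=b"testing123"):
    request = build_access_request(secret, ident=7, username="admin",
                                   eap_message=EAP_IDENTITY_ADMIN,
                                   request_auth=bytes(range(16)))
    accept = build_response(secret, ACCESS_ACCEPT, request)
    return {
        "server_accepts_request": check_message_authenticator(secret, request),
        "server_with_old_secret_rejects_request": check_message_authenticator(wrong_secret, request),
        "client_accepts_reply": check_response(secret, request, accept),
        "client_with_old_secret_rejects_reply": check_response(wrong_secret, request, accept),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it with ``python3``. With the server still on the stock ``testing123`` both checks fail, which is what a mismatched ``clients.conf`` looks like in ``freeradius -X``: the request is dropped for an invalid Message-Authenticator and no reply is sent. The only things standing between the network and this secret are the MD5-based constructions above and the ``ipaddr`` client filter, which is why the secret should be long and random and the client list tight.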
Use TLS
"""""""
By default, FreeRADIUS authenticates EAP clients with EAP-MD5, a challenge-response on the user's password that authenticates only the client and leaves the server unauthenticated.
To use EAP-TLS, where server and client authenticate each other with certificates, modify ``/etc/freeradius/eap.conf``.
Set ``private_key_password`` to the passphrase that protects the server key (``onos_test`` in the steps below):

.. code-block:: diff

    - default_eap_type = md5
    + default_eap_type = tls

    - private_key_password = whatever
    + private_key_password = onos_test

.. note::
    The key and certificates required by TLS are located under ``/etc/freeradius/certs`` by default.
    ``ca.pem``, ``server.key`` and ``server.pem`` there are symbolic links.
    After generating the keys and certificates we only need to repoint the symbolic links,
    so no path in ``/etc/freeradius/eap.conf`` has to change.

.. note::
    Both the server certificate and the client certificate need to be signed by the same CA certificate.
    Also note that each certificate generated below needs a unique Common Name: OpenSSL looks up the issuer
    by subject name, and a server or client certificate whose subject equals the CA's fails verification.

Generate CA certificate (ca.pem) and private key (privkey.pem)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Without ``-key``, ``openssl req`` generates a fresh key, writes it encrypted to ``privkey.pem`` (the ``default_keyfile`` of the stock ``openssl.cnf``) and prompts for its passphrase.
A self-signed certificate defaults to 30 days of validity, so pass ``-days`` explicitly.

.. code-block:: console

    $ openssl req -new -x509 -newkey rsa:2048 -days 3650 -out ca.pem

Generate and sign server certificate (server.pem) and private key (server.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Encrypt the key with ``-aes256`` and enter ``onos_test`` as its passphrase so that it matches ``private_key_password`` in ``eap.conf``; 1024-bit RSA keys are rejected by current TLS stacks, so use 2048 bits.
``-CAcreateserial`` creates the serial-number file on first use and reuses it afterwards (``-CAserial file.srl`` fails when the file does not exist yet), and ``-days`` again replaces the 30-day default.

.. code-block:: console

    $ openssl genrsa -aes256 -out server.key 2048
    $ openssl req -key server.key -new -out server.req
    $ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -days 365 -out server.pem

Generate and sign client certificate (client.pem) and private key (client.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Use a different Common Name than for the server, and note the passphrase: it goes into ``private_key_passwd`` of ``wpa_supplicant.conf`` later.

.. code-block:: console

    $ openssl genrsa -aes256 -out client.key 2048
    $ openssl req -key client.key -new -out client.req
    $ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -days 365 -out client.pem

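The three steps above, driven non-interactively and then checked the way FreeRADIUS and ``wpa_supplicant`` will check the result. This Python script is an added example, not code from the page, FreeRADIUS or OpenSSL; it shells out to the ``openssl`` binary, which must be on ``PATH``. The subjects are constructed from the ones visible in the test output below (``ca.cord.lab``, ``server.cord.lab``; ``client.cord.lab`` is assumed), and it also creates a second, unrelated CA to show that a certificate only verifies against the CA that signed it. Passphrases are passed with ``pass:`` on the command line for this scratch run only; for real keys let ``openssl`` prompt, as the commands above do.

```python
# Added example (not from the page, FreeRADIUS or OpenSSL): build the CA,
# server and client material in a scratch directory and verify the chain.
import subprocess
import tempfile

# Constructed subject; only the CN differs between the three certificates.
SUBJECT = "/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN={cn}"


def openssl(*args, cwd):
    """Run one openssl sub-command in cwd and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def make_ca(workdir, cert="ca.pem", key="privkey.pem", cn="ca.cord.lab",
            passphrase="onos_test", days=3650):
    """Self-signed CA; the private key is written encrypted with the passphrase."""
    openssl("req", "-new", "-x509", "-newkey", "rsa:2048", "-days", str(days),
            "-keyout", key, "-out", cert, "-passout", f"pass:{passphrase}",
            "-subj", SUBJECT.format(cn=cn), cwd=workdir)


def make_signed_cert(workdir, name, cn, ca="ca.pem", ca_key="privkey.pem",
                     passphrase="onos_test", days=365):
    """AES-256-encrypted key, CSR, and a certificate signed by the CA. The key
    passphrase is what private_key_password / private_key_passwd must match."""
    openssl("genrsa", "-aes256", "-passout", f"pass:{passphrase}",
            "-out", f"{name}.key", "2048", cwd=workdir)
    openssl("req", "-new", "-key", f"{name}.key", "-passin", f"pass:{passphrase}",
            "-subj", SUBJECT.format(cn=cn), "-out", f"{name}.req", cwd=workdir)
    openssl("x509", "-req", "-in", f"{name}.req", "-CA", ca, "-CAkey", ca_key,
            "-passin", f"pass:{passphrase}", "-CAcreateserial", "-days", str(days),
            "-out", f"{name}.pem", cwd=workdir)


def signed_by(workdir, cert, ca="ca.pem"):
    """True iff cert chains to ca, judged by the exit status of 'openssl verify'."""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca, cert],
                            cwd=workdir, capture_output=True, text=True)
    return result.returncode == 0


def common_name(workdir, cert):
    """CN of the certificate subject, printed in RFC 2253 form for stable parsing."""
    line = openssl("x509", "-in", cert, "-noout", "-subject",
                   "-nameopt", "RFC2253", cwd=workdir)
    for part in line.split("=", 1)[1].strip().split(","):
        if part.startswith("CN="):
            return part[3:]
    return None


def demo():
    """Build the page's PKI plus an unrelated CA and report the verification results."""
    with tempfile.TemporaryDirectory() as workdir:
        make_ca(workdir)
        make_signed_cert(workdir, "server", "server.cord.lab")
        make_signed_cert(workdir, "client", "client.cord.lab")
        make_ca(workdir, cert="other-ca.pem", key="other-privkey.pem", cn="other.example")
        cns = {common_name(workdir, c) for c in ("ca.pem", "server.pem", "client.pem")}
        return {
            "server_signed_by_ca": signed_by(workdir, "server.pem"),
            "client_signed_by_ca": signed_by(workdir, "client.pem"),
            "server_signed_by_other_ca": signed_by(workdir, "server.pem", ca="other-ca.pem"),
            "common_names_unique": len(cns) == 3,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

``signed_by`` is the same check the supplicant performs on the server certificate against ``ca_cert`` and FreeRADIUS performs on the client certificate against its ``ca.pem``; the ``server_signed_by_other_ca`` result is what you get when the two sides were bootstrapped from different CAs.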

Deploy keys and certificates
""""""""""""""""""""""""""""
On the server side, point the symbolic links **/etc/freeradius/certs/{ca.pem, server.key, server.pem}** at the files we just generated and make sure the ``freerad`` user that runs FreeRADIUS can read them.
Also copy **ca.pem, client.key, client.pem** to the client side through a secured channel.
``privkey.pem`` (the CA key) is needed by neither side and should stay offline; ``client.key`` and ``server.key`` must never leave their respective hosts.
They will later be used when testing the RADIUS authentication.


Testing
-------
We use ``wpa_supplicant`` as the test client. If it is not installed, run ``sudo apt-get install wpasupplicant``.

Compose wpa_supplicant.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Use absolute paths for the certificate and key files, since relative paths are resolved against the directory ``wpa_supplicant`` is started from.
``private_key_passwd`` must be the passphrase chosen when encrypting ``client.key``; with EAP-TLS the ``password`` line is not used for authentication.

.. code-block:: text

    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=1
    ap_scan=0
    fast_reauth=0
    network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="admin"
        password="cord_test"
        ca_cert="ca.pem"
        client_cert="client.pem"
        private_key="client.key"
        private_key_passwd="onos_test"
        eapol_flags=3
    }

Run the test client
^^^^^^^^^^^^^^^^^^^
.. tip::
    If you are using a Linux VM behind a bridge to send out this authentication message, make sure the Linux kernel of your host machine is 3.2 or above.
    Otherwise the EAPOL messages won't go through the bridge: they are sent to the reserved address ``01:80:c2:00:00:03``, which Linux bridges do not forward by default.
    Since 3.2 the bridge can be told to forward them with
    ``echo 8 | sudo tee /sys/class/net/br0/bridge/group_fwd_mask`` (replace ``br0`` with your bridge; bit 3 of the mask corresponds to ``01:80:c2:00:00:03``).

.. code-block:: console

    $ sudo wpa_supplicant -Dwired -ieth1 -cwpa_supplicant.conf

You should see the following messages if authentication succeeds:

.. code-block:: console

    Successfully initialized wpa_supplicant
    eth1: Associated with 01:80:c2:00:00:03
    eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
    eth1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
    eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
    eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=ca.cord.lab/emailAddress=xxx@xxx.xxx'
    eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
    eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

The two ``CTRL-EVENT-EAP-PEER-CERT`` lines are the supplicant validating the server's chain against ``ca_cert``: depth 1 is the CA (``ca.cord.lab``) and depth 0 the server certificate (``server.cord.lab``), the two distinct Common Names required above.
If the server instead sends EAP-Failure, run ``freeradius -X`` on the server to see which side's certificate was rejected.
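What is on the wire behind those log lines, as an added Python example that is not code from ``wpa_supplicant`` or the Trellis project: a builder and a validating parser for EAPOL frames to the ``01:80:c2:00:00:03`` PAE group address and the EAP packets inside them, run over a constructed five-frame exchange (EAPOL-Start, Request/Identity, Response/Identity, the EAP-TLS Start request that shows up as ``method=13``, and EAP-Success). The MAC addresses and the identity ``admin`` are constructed sample values.

```python
# Added example (not wpa_supplicant or Trellis code): EAPOL / EAP framing as
# seen by an 802.1X supplicant on a wired port. Standard library only.
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # the "Associated with" address in the log
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# Constructed MAC addresses of the supplicant (client host) and the authenticator.
SUPPLICANT = bytes.fromhex("02aabbccddee")
AUTHENTICATOR = bytes.fromhex("021122334455")


def build_eap(code, ident, method=None, data=b""):
    """EAP packet: Code, Identifier, Length of the whole packet, then Type and
    Type-Data for Request/Response; Success and Failure carry neither."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(src_mac, eapol_type, body=b"", version=1, dst_mac=PAE_GROUP_ADDRESS):
    """Ethernet frame to the PAE group address with an EAPOL header; the Version
    field is what eapol_version=1 in wpa_supplicant.conf selects."""
    return (dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, eapol_type, len(body)) + body)


def parse_eapol(frame):
    """Decode Ethernet + EAPOL (+ EAP) headers into a dict, rejecting anything
    that is not a well-formed EAPOL frame instead of guessing."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "to_pae_group": dst == PAE_GROUP_ADDRESS,
            "version": version, "type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    if eapol_type == 0:  # EAP-Packet: an EAP header follows
        if len(body) < 4:
            raise ValueError("EAP header missing")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > len(body):
            raise ValueError("bad EAP length")
        info.update(eap_code=EAP_CODES.get(code, code), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
            method = body[4]
            info["eap_method"] = EAP_METHODS.get(method, method)
            info["eap_data"] = body[5:eap_len]
    return info


def demo():
    """Constructed exchange up to the point where EAP-TLS is selected, then success."""
    exchange = [
        build_eapol(SUPPLICANT, 1),                                    # EAPOL-Start
        build_eapol(AUTHENTICATOR, 0, build_eap(1, 1, 1)),             # Request/Identity
        build_eapol(SUPPLICANT, 0, build_eap(2, 1, 1, b"admin")),      # Response/Identity "admin"
        build_eapol(AUTHENTICATOR, 0, build_eap(1, 2, 13, b"\x20")),   # Request/TLS with the Start flag
        build_eapol(AUTHENTICATOR, 0, build_eap(3, 2)),                # Success
    ]
    return [parse_eapol(frame) for frame in exchange]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The Response/Identity frame here is the same 10-byte EAP packet that the authenticator forwards to the RADIUS server inside an EAP-Message attribute, which is how the identity in ``wpa_supplicant.conf`` ends up in the server's ``User-Name``.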

Reference
---------
- RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines: https://tools.ietf.org/html/rfc3580
- EAPOL, Extensible Authentication Protocol over LAN: https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/
- Creating certificates with OpenSSL: https://dst.lbl.gov/~boverhof/openssl_certs.html