Blame - configuration/aaa.rst - trellis-docs

blob: a2da53d96919262396822b80e0a25c23dfc64e18 [file] [log] [blame]

Charles Chan	9e5c617	2019-09-07 11:24:54 -0700	[diff] [blame]	1	AAA
				2	===
Charles Chan	20fabfb	2019-09-07 11:24:54 -0700	[diff] [blame]	3
				4	Introduction
				5	------------
				6	In this section, we will explain how to use Trellis with AAA service, which can be used to authenticate a client host.
				7	We will explain how this works with a simple single switch topology.
				8
				9	.. image:: ../images/config-aaa.png
				10
Charles Chan	20fabfb	2019-09-07 11:24:54 -0700	[diff] [blame]	11	Configure ONOS
				12	--------------
				13
				14	Activate AAA app
				15	^^^^^^^^^^^^^^^^
				16	We need to install and activate AAA app separately since it is located in a separate (CORD) repository.
				17	There are multiple methods to install and activate a pre-compiled app. Let's use CLI now.
				18
				19	.. code-block::console
				20
				21	$ onos-app localhost install! aaa-1.1-SNAPSHOT.oar
				22
				23
				24	Provide network configuration
				25	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
				26	We need to provide AAA configuration in the apps section of network configuration.
				27
				28	.. code-block:: json
				29	:linenos:
				30
				31	{
				32	"apps": {
				33	"org.opencord.aaa" : {
				34	"AAA" : {
				35	"radiusIp": "10.128.0.231",
				36	"radiusServerPort": "1812",
				37	"radiusSecret": "howdoyouturnthison"
				38	}
				39	}
				40	}
				41	}
				42
				43
				44	- ``radiusIp``: The IP address of the Radius server
				45	- ``radiusServerPort``: The UDP port of the Radius server. (Optional -- ONOS will use port 1812 by default).
				46	- ``radiusSecret``: The Radius secret. This needs to be consistent with the Radius server configuration
				47
				48	Then push the JSON to ONOS:
				49
				50	.. code-block:: console
				51
				52	$ onos-netcfg $OC1 aaa-config.json
				53
				54
				55	Configure Radius server
				56	-----------------------
				57
				58	Install FreeRadius
				59	^^^^^^^^^^^^^^^^^^
				60	Technically all Radius server should work.
				61	However, the way to configure them are probably different case to case.
				62	Here we use FreeRadius on Ubuntu as an example.
				63	To install the Radius server, simply run:
				64
				65	.. code-block:: console
				66
				67	sudo apt-get install freeradius
				68
				69	Configure FreeRadius
				70	^^^^^^^^^^^^^^^^^^^^
				71
				72	Add a user
				73	""""""""""
				74	We usually connect Radius server to a database where we store the user information.
				75	In this section, we statically configure a user to simplify the setup.
				76	To add a user ``admin`` with password ``cord_test``, edit ``/etc/freeradius/users`` and add following lines:
				77
				78	.. code-block:: text
				79
				80	admin Cleartext-Password := "cord_test"
				81	Reply-Message = "Hello, %{User-Name}"
				82
				83	Allow external clients
				84	""""""""""""""""""""""
				85	By default the Radius server only accepts requests from ``localhost``.
				86	To allow external clients, we need to modify ``/etc/freeradius/clients.conf``
				87	We also need to change the secret.
				88
				89	.. code-block:: diff
				90
				91	-client localhost {
				92	+client 0.0.0.0/0 {
				93
				94	- secret = testing123
				95	+ secret = howdoyouturnthison
				96
				97	Use TLS
				98	"""""""
				99	By default, FreeRadius use MD5 challenge response to authenticate clients.
				100	To use TLS, we need to modify ``/etc/freeradius/eap.conf``
				101	We also need to change the private key password.
				102
				103	.. code-block:: diff
				104
				105	- default_eap_type = md5
				106	+ default_eap_type = tls
				107
				108	- private_key_password = whatever
				109	+ private_key_password = onos_test
				110
				111	.. note::
				112	The key and certificates required by TLS will locate under ``/etc/freeradius/certs`` by default.
				113	There will be three symbolic links link to ``ca.pem``, ``server.key``, ``server.pem``.
				114	We only need to change the symbolic links after we generates the keys and certificates.
				115	Therefore, we don't need to change the path in ``/etc/freeradius/eap.conf``
				116
				117	.. note::
				118	Both server certificate and client certificate need to be signed by the same CA certificate.
				119	Also note that each key we generate below needs a unique Common Name.
				120
				121	Generate CA certificate (ca.pem) and private key (privkey.pem)
				122	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				123
				124	.. code-block:: console
				125
				126	openssl req -out ca.pem -new -x509
				127
				128	Generate and sign server certificate (server.pem) and private key (server.key)
				129	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				130
				131	.. code-block:: console
				132
				133	openssl genrsa -out server.key 1024
				134	openssl req -key server.key -new -out server.req
				135	openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
				136
				137	Generate and sign client certificate (client.pem) and private key (client.key)
				138	""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
				139
				140	.. code-block:: console
				141
				142	openssl genrsa -out client.key 1024
				143	openssl req -key client.key -new -out client.req
				144	openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
				145
				146
				147	Deploy keys and certificates
				148	""""""""""""""""""""""""""""
				149	On the server side, please link /etc/freeradius/{ca.pem, server.key, server.pem} to the files we just generated.
				150	Also copy ca.pem, client.key, client.pem to the client side through a secured channel.
				151	They will later be used when testing the Radius authentication.
				152
				153
				154	Testing
				155	-------
				156	We can use the ``wpa_supplicant`` as the test client. In case ``wpa_supplicant`` has not been installed, you can run ``sudo apt-get install wpasupplicant``
				157
				158	Compose wpa_supplicant.conf
				159	^^^^^^^^^^^^^^^^^^^^^^^^^^^
				160
				161	.. code-block:: text
				162
				163	ctrl_interface=/var/run/wpa_supplicant
				164	eapol_version=1
				165	ap_scan=0
				166	fast_reauth=0
				167	network={
				168	key_mgmt=WPA-EAP
				169	eap=TLS
				170	identity="admin"
				171	password="cord_test"
				172	ca_cert="ca.pem"
				173	client_cert="client.pem"
				174	private_key="client.key"
				175	private_key_passwd="onos_test"
				176	eapol_flags=3
				177	}
				178
				179	Run the test client
				180	^^^^^^^^^^^^^^^^^^^
				181	.. tip::
				182	If you are using a Linux VM behind a bridge to send out this authentication message, make sure the Linux kernel of your host machine is 3.2 or above.
				183	Otherwise the EAPOL messages won't go through the bridge.
				184
				185	.. code-block:: console
				186
				187	$ sudo wpa_supplicant -Dwired -ieth1 -cwpa_supplicant.conf
				188
				189	You should see the following message if authentication succeed:
				190
				191	.. code-block:: console
				192
				193	Successfully initialized wpa_supplicant
				194	eth1: Associated with 01:80:c2:00:00:03
				195	eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
				196	eth1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
				197	eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
				198	eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=ca.cord.lab/emailAddress=xxx@xxx.xxx'
				199	eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
				200	eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
				201
				202	Reference
				203	---------
				204	- https://tools.ietf.org/html/rfc3580
				205	- https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/
				206	- https://dst.lbl.gov/~boverhof/openssl_certs.html