AAA
===

Introduction
------------
In this section, we explain how to use Trellis with the AAA service, which authenticates a client host with IEEE 802.1X (EAP over LAN) against a RADIUS server before the host is admitted to the network.
We illustrate the setup with a simple **single switch** topology.

.. image:: ../images/config-aaa.png

Configure ONOS
--------------

Activate AAA app
^^^^^^^^^^^^^^^^
The AAA app has to be installed and activated separately, since it lives in a separate (CORD) repository rather than in the ONOS tree.
There are several ways to install and activate a pre-compiled app; here we use the CLI.
The ``install!`` form installs the ``.oar`` and activates it in one step:

.. code-block:: console

   $ onos-app localhost install! aaa-1.1-SNAPSHOT.oar


Provide network configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The AAA configuration goes in the ``apps`` section of the network configuration.

.. code-block:: json
   :linenos:

   {
     "apps": {
       "org.opencord.aaa" : {
         "AAA" : {
           "radiusIp": "10.128.0.231",
           "radiusServerPort": "1812",
           "radiusSecret": "howdoyouturnthison"
         }
       }
     }
   }


- ``radiusIp``: The IP address of the RADIUS server.
- ``radiusServerPort``: The UDP port of the RADIUS server (optional; ONOS uses port 1812 by default).
- ``radiusSecret``: The RADIUS shared secret. It must match the ``secret`` configured for the ONOS client in the RADIUS server's ``clients.conf``: the secret is what authenticates the RADIUS client and its responses, so with a mismatch the server drops or rejects every request ONOS sends.

Then push the JSON to ONOS:

.. code-block:: console

   $ onos-netcfg $OC1 aaa-config.json


Configure RADIUS server
-----------------------

Install FreeRADIUS
^^^^^^^^^^^^^^^^^^
Any standards-compliant RADIUS server should work, but the configuration steps differ from server to server.
Here we use FreeRADIUS on Ubuntu as an example.
To install it, simply run:

.. code-block:: console

   $ sudo apt-get install freeradius

Configure FreeRADIUS
^^^^^^^^^^^^^^^^^^^^

Add a user
""""""""""
In a real deployment the RADIUS server is usually backed by a database or directory that holds the user records.
In this section we configure a user statically to simplify the setup.
To add a user ``admin`` with password ``cord_test``, edit ``/etc/freeradius/users`` and add the following lines (the reply item on the second line must be indented):

.. code-block:: text

   admin Cleartext-Password := "cord_test"
         Reply-Message = "Hello, %{User-Name}"

With EAP-TLS, which we configure below, the client is authenticated by its certificate and this password is never checked; the entry still supplies the reply attributes for the identity.

Allow external clients
""""""""""""""""""""""
By default the RADIUS server only accepts requests from ``localhost``.
To let the ONOS controller talk to it, we need to modify ``/etc/freeradius/clients.conf``.
We also change the shared secret, which must match ``radiusSecret`` in the ONOS configuration.

.. code-block:: diff

   -client localhost {
   +client 0.0.0.0/0 {

   - secret = testing123
   + secret = howdoyouturnthison

The ``0.0.0.0/0`` client is convenient in a lab, but it lets any host that can reach UDP port 1812 submit requests, and the shared secret is then the only thing that authenticates a RADIUS client.
In anything beyond a test setup, restrict the stanza to the controller's address (``client <controller-ip>/32``) and use a long random secret.

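
The catch-all client and the shared secret are the two settings most often left in their lab state. The script below is an added example, not part of the Trellis or FreeRADIUS documentation: it audits a ``clients.conf`` against the ``aaa-config.json`` pushed to ONOS, flagging a catch-all client (``client 0.0.0.0/0`` or FreeRADIUS 3's ``ipaddr = *``), a stock, empty or short secret, and a secret that does not match ``radiusSecret``. The 16-character minimum is an assumption.

```shell
#!/bin/sh
# Added example (not the Trellis or FreeRADIUS projects' own tooling): audit a
# FreeRADIUS clients.conf against the AAA netcfg JSON pushed to ONOS. Checks:
#   1. the client stanza is not wide open (client 0.0.0.0/0 or ipaddr = *),
#   2. the secret is not the stock "testing123", not empty, and at least
#      16 characters long (the 16-character floor is an assumption),
#   3. the secret equals radiusSecret in the ONOS JSON.
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
# Uses only POSIX sh, grep and sed so it runs on a bare RADIUS host.

# Extract the value of "radiusSecret" from the ONOS netcfg JSON (first match).
onos_radius_secret() {
    sed -n 's/.*"radiusSecret"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Extract the first "secret = ..." value from clients.conf, stripping quotes.
radius_client_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]"'
}

# audit_radius_clients CLIENTS_CONF AAA_NETCFG_JSON
audit_radius_clients() {
    conf="$1"
    json="$2"
    findings=0

    # 1. A catch-all client lets any host that knows (or brute-forces) the
    #    secret submit requests; FreeRADIUS 3 also accepts "ipaddr = *".
    if grep -Eq '^[[:space:]]*(client[[:space:]]+0\.0\.0\.0/0|ipaddr[[:space:]]*=[[:space:]]*(0\.0\.0\.0/0|\*))' "$conf"; then
        echo "FINDING: $conf accepts RADIUS requests from any source address"
        findings=$((findings + 1))
    fi

    # 2. The shared secret is the only thing authenticating the RADIUS client.
    secret=$(radius_client_secret "$conf")
    if [ -z "$secret" ] || [ "$secret" = "testing123" ]; then
        echo "FINDING: $conf uses the stock or an empty shared secret"
        findings=$((findings + 1))
    elif [ "${#secret}" -lt 16 ]; then
        echo "FINDING: $conf shared secret is shorter than 16 characters"
        findings=$((findings + 1))
    fi

    # 3. ONOS must present exactly this secret or the server drops its requests.
    onos_secret=$(onos_radius_secret "$json")
    if [ "$secret" != "$onos_secret" ]; then
        echo "FINDING: secret in $conf does not match radiusSecret in $json"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh audit-radius.sh /etc/freeradius/clients.conf aaa-config.json
if [ $# -ge 2 ]; then
    audit_radius_clients "$1" "$2"
fi
```

Run on the RADIUS host with the same JSON you pushed with ``onos-netcfg``. The lab configuration on this page produces exactly one finding, the catch-all client, which is the setting to tighten before the server is reachable from anything but the test network.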
Use TLS
"""""""
By default FreeRADIUS's default EAP type is EAP-MD5, a plain challenge-response that authenticates neither the server nor the exchange.
To use EAP-TLS, we need to modify ``/etc/freeradius/eap.conf``.
We also need to set the password of the server's private key, which we generate below encrypted with that passphrase.

.. code-block:: diff

   - default_eap_type = md5
   + default_eap_type = tls

   - private_key_password = whatever
   + private_key_password = onos_test

.. note::
   By default the key and certificates required by TLS are expected under ``/etc/freeradius/certs``.
   There are three symbolic links there: ``ca.pem``, ``server.key`` and ``server.pem``.
   We only need to repoint those symbolic links after generating the keys and certificates,
   so the paths in ``/etc/freeradius/eap.conf`` can stay as they are.

.. note::
   The server certificate and the client certificate need to be signed by the same CA certificate.
   Also note that each certificate we generate below needs a unique Common Name; in particular the CA and the server certificate must not share one, or certificate verification on the supplicant fails.

Generate CA certificate (ca.pem) and private key (privkey.pem)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The command prompts for a passphrase and writes the new CA key to ``privkey.pem`` (OpenSSL's default key file).
When asked for the subject, use a Common Name that differs from the ones given to the server and client below.

.. code-block:: console

   $ openssl req -out ca.pem -new -x509

Generate and sign server certificate (server.pem) and private key (server.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The key is encrypted with the passphrase we put in ``private_key_password`` above (``onos_test``).
A 2048-bit key is used: 1024-bit RSA is too weak and is rejected at the default security level of current OpenSSL builds.
``-CAcreateserial`` creates ``file.srl`` on first use, so the same serial file can be reused for the client certificate; add ``-days N`` if the certificate should be valid for longer than the 30-day default.

.. code-block:: console

   $ openssl genrsa -aes256 -out server.key 2048
   $ openssl req -key server.key -new -out server.req
   $ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -CAcreateserial -out server.pem

Generate and sign client certificate (client.pem) and private key (client.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The client key is protected the same way; its passphrase goes into ``private_key_passwd`` in the supplicant configuration below.

.. code-block:: console

   $ openssl genrsa -aes256 -out client.key 2048
   $ openssl req -key client.key -new -out client.req
   $ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -CAcreateserial -out client.pem


Deploy keys and certificates
""""""""""""""""""""""""""""
On the server side, point the symbolic links **/etc/freeradius/certs/{ca.pem, server.key, server.pem}** at the files we just generated and restart FreeRADIUS.
Also copy **ca.pem, client.key, client.pem** to the client through a secure channel; ``privkey.pem`` stays on the CA machine and never needs to leave it.
They will later be used when testing the RADIUS authentication.

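
Put together, the whole key ceremony above fits in one non-interactive script, with the loose ends tightened: encrypted keys whose passphrase matches ``private_key_password``/``private_key_passwd``, 2048-bit RSA, distinct Common Names, ``-CAcreateserial``, explicit validity periods, and a chain check with ``openssl verify`` before anything is deployed. It is an added example, not tooling from the Trellis or FreeRADIUS projects. The Common Names ``ca.cord.lab``, ``server.cord.lab`` and ``client.cord.lab`` are taken from the supplicant output in the Testing section; using the single passphrase ``onos_test`` for all three keys, the ``serverAuth``/``clientAuth`` extended key usages and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own tooling): generate the EAP-TLS PKI from
# the section above non-interactively. Assumptions: one passphrase for the CA,
# server and client keys (default "onos_test", the page's value), CNs from the
# Testing section, serverAuth/clientAuth EKUs, 10-year CA and 1-year leaf validity.
set -eu

# gen_eap_tls_pki DIR PASSPHRASE
# Writes ca.pem/privkey.pem, server.pem/server.key, client.pem/client.key to DIR.
gen_eap_tls_pki() {
    dir="$1"
    pass="$2"
    mkdir -p "$dir"

    # Self-signed CA. "req -x509 -newkey" writes the CA key to privkey.pem,
    # as the interactive command in the text does, here passphrase-protected.
    openssl req -x509 -newkey rsa:2048 -days 3650 -subj "/CN=ca.cord.lab" \
        -keyout "$dir/privkey.pem" -passout "pass:$pass" -out "$dir/ca.pem"

    # Leaf certificates: the CN must differ from the CA's and from each other.
    issue_leaf "$dir" "$pass" server server.cord.lab serverAuth
    issue_leaf "$dir" "$pass" client client.cord.lab clientAuth

    # Fail here rather than on the first 802.1X attempt if the chain is wrong.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" "$dir/client.pem" >/dev/null
}

# issue_leaf DIR PASSPHRASE NAME CN EKU: encrypted key, CSR, CA-signed cert.
issue_leaf() {
    dir="$1"; pass="$2"; name="$3"; cn="$4"; eku="$5"
    # 2048-bit key encrypted with the passphrase eap.conf / wpa_supplicant use.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$name.key" 2048
    openssl req -new -key "$dir/$name.key" -passin "pass:$pass" \
        -subj "/CN=$cn" -out "$dir/$name.req"
    # basicConstraints/EKU make the leaf acceptable to stricter supplicants too.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    # -CAcreateserial creates file.srl on first use; later leaves reuse it.
    openssl x509 -req -days 365 -in "$dir/$name.req" \
        -CA "$dir/ca.pem" -CAkey "$dir/privkey.pem" -passin "pass:$pass" \
        -CAserial "$dir/file.srl" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.pem"
}

# cert_cn FILE: print a PEM certificate's subject in RFC 2253 form, e.g. CN=ca.cord.lab
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Usage: sh gen-eap-tls-pki.sh ./certs onos_test
if [ $# -ge 1 ]; then
    gen_eap_tls_pki "$1" "${2:-onos_test}"
    for f in ca server client; do cert_cn "$1/$f.pem"; done
fi
```

Only ``ca.pem``, ``server.key`` and ``server.pem`` go to the FreeRADIUS host and only ``ca.pem``, ``client.key`` and ``client.pem`` to the client; ``privkey.pem`` and ``file.srl`` stay with whoever acts as the CA.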

Testing
-------
We can use ``wpa_supplicant`` as the test client. If it is not installed, run ``sudo apt-get install wpasupplicant``.

Compose wpa_supplicant.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^
``ca_cert``, ``client_cert`` and ``private_key`` point at the files copied from the CA machine, and ``private_key_passwd`` is the passphrase chosen when ``client.key`` was generated.
With EAP-TLS the ``password`` line is not used for authentication (the certificate is), while ``ca_cert`` is what lets the supplicant verify that it is talking to our server rather than a rogue authenticator, so do not leave it out.

.. code-block:: text

   ctrl_interface=/var/run/wpa_supplicant
   eapol_version=1
   ap_scan=0
   fast_reauth=0
   network={
     key_mgmt=WPA-EAP
     eap=TLS
     identity="admin"
     password="cord_test"
     ca_cert="ca.pem"
     client_cert="client.pem"
     private_key="client.key"
     private_key_passwd="onos_test"
     eapol_flags=3
   }

Run the test client
^^^^^^^^^^^^^^^^^^^
.. tip::
   If you are sending this authentication traffic from a Linux VM behind a Linux bridge, make sure the host kernel is 3.2 or above and that the bridge is allowed to forward EAPOL frames.
   EAPOL is sent to the link-local group address ``01:80:c2:00:00:03``, which Linux bridges drop by default; kernels from 3.2 on expose ``group_fwd_mask`` under ``/sys/class/net/<bridge>/bridge/``, and setting bit 3 (value ``8``) in it lets the frames through.

.. code-block:: console

   $ sudo wpa_supplicant -Dwired -ieth1 -cwpa_supplicant.conf

You should see the following messages if authentication succeeds.
The two ``CTRL-EVENT-EAP-PEER-CERT`` lines show the supplicant validating the server's chain (depth 1 is the CA, depth 0 the server certificate); if they are missing or followed by a TLS alert, check that ``ca_cert`` on the client is the CA that signed ``server.pem``:

.. code-block:: console

   Successfully initialized wpa_supplicant
   eth1: Associated with 01:80:c2:00:00:03
   eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
   eth1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
   eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
   eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=ca.cord.lab/emailAddress=xxx@xxx.xxx'
   eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
   eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

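
If the supplicant prints ``Associated with 01:80:c2:00:00:03`` and then nothing, the EAPOL frames are usually being swallowed by a Linux bridge between the VM and the switch, the failure mode the tip above describes. The script below is an added example, not from the Trellis documentation: it checks the bridge's ``group_fwd_mask`` and ORs in the EAPOL bit without disturbing other bits (the kernel refuses bits 0 to 2, which cover STP, pause and LACP frames). The bridge name ``br0`` in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the Trellis docs): make a Linux bridge forward the
# EAPOL frames that wpa_supplicant sends to 01:80:c2:00:00:03. Linux bridges
# drop 01:80:c2:00:00:0X link-local frames unless bit X is set in
# /sys/class/net/<bridge>/bridge/group_fwd_mask (kernel 3.2+); EAPOL is X=3,
# so bit 3 (value 8) must be set. Bits 0-2 (STP, pause, LACP) are refused by
# the kernel, so the existing mask is OR-ed with 8 rather than overwritten.
set -eu

EAPOL_BIT=8   # 1 << 3, for destination 01:80:c2:00:00:03

# mask_with_eapol MASK: print MASK (decimal or 0x-hex, as sysfs shows it)
# with the EAPOL bit added, in decimal, which sysfs accepts on write.
mask_with_eapol() {
    printf '%d\n' "$(( $1 | EAPOL_BIT ))"
}

# eapol_forwarded MASK: succeed if the EAPOL bit is already set in MASK.
eapol_forwarded() {
    [ "$(( $1 & EAPOL_BIT ))" -ne 0 ]
}

# ensure_bridge_eapol BRIDGE: read the live mask and update it if needed
# (needs root; BRIDGE is whatever the VM host calls its bridge, e.g. br0).
ensure_bridge_eapol() {
    sysfs="/sys/class/net/$1/bridge/group_fwd_mask"
    if [ ! -r "$sysfs" ]; then
        echo "$1: not a bridge, or kernel < 3.2 (no group_fwd_mask)" >&2
        return 1
    fi
    cur=$(cat "$sysfs")
    if eapol_forwarded "$cur"; then
        echo "$1: EAPOL already forwarded (group_fwd_mask=$cur)"
    else
        new=$(mask_with_eapol "$cur")
        echo "$new" > "$sysfs"
        echo "$1: group_fwd_mask $cur -> $new"
    fi
}

# Usage: sudo sh bridge-eapol.sh br0
if [ $# -ge 1 ]; then
    ensure_bridge_eapol "$1"
fi
```

The setting does not survive a reboot; persist it with whatever your distribution uses for bridge configuration, and re-run ``wpa_supplicant`` afterwards to confirm the ``CTRL-EVENT-EAP-STARTED`` line now appears.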
Reference
---------
- RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines: https://tools.ietf.org/html/rfc3580
- EAPOL (Extensible Authentication Protocol over LAN): https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/
- OpenSSL certificate how-to: https://dst.lbl.gov/~boverhof/openssl_certs.html