AAA
===

Introduction
------------
In this section, we explain how to use Trellis with the AAA service, which
authenticates a client host with IEEE 802.1X: the host speaks EAPOL to the
switch, and ONOS relays the EAP exchange to a RADIUS server. We use a simple
**single switch** topology.

.. image:: ../images/config-aaa.png

Configure ONOS
--------------

Activate AAA app
^^^^^^^^^^^^^^^^
The AAA app is not part of the ONOS distribution: it lives in a separate
(CORD) repository, so it has to be installed and activated separately. There
are several ways to install and activate a pre-compiled app; here we use the
CLI. ``install!`` installs the ``.oar`` bundle and activates it in one step:

.. code-block:: console

    $ onos-app localhost install! aaa-1.1-SNAPSHOT.oar


Provide network configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The AAA configuration goes in the ``apps`` section of the network
configuration, under the app ID ``org.opencord.aaa``:

.. code-block:: json

    {
      "apps": {
        "org.opencord.aaa" : {
          "AAA" : {
            "radiusIp": "10.128.0.231",
            "radiusServerPort": "1812",
            "radiusSecret": "howdoyouturnthison"
          }
        }
      }
    }


- ``radiusIp``: The IP address of the RADIUS server.

- ``radiusServerPort``: The UDP port of the RADIUS server. (Optional; ONOS
  uses port 1812, the standard RADIUS authentication port, by default.)

- ``radiusSecret``: The RADIUS shared secret. It must match the ``secret`` in
  the RADIUS server's client definition for the ONOS node: the Response
  Authenticator and the Message-Authenticator attribute that protects the
  EAP packets are both computed from it. Treat it like a password (a long
  random value rather than the lab value shown here), and note that the
  network configuration, including this secret, is readable through the ONOS
  REST API and CLI by anyone with ONOS credentials.

Then push the JSON to ONOS (``$OC1`` is the address of the ONOS node, as set
by the ONOS tooling):

.. code-block:: console

    $ onos-netcfg $OC1 aaa-config.json


Configure RADIUS server
-----------------------

Install FreeRADIUS
^^^^^^^^^^^^^^^^^^

Technically, any RADIUS server that supports EAP-TLS should work, but the
configuration differs from server to server. Here we use FreeRADIUS on Ubuntu
as an example. To install it, simply run:

.. code-block:: console

    sudo apt-get install freeradius

.. note::
    The paths below (``/etc/freeradius/users``, ``/etc/freeradius/eap.conf``,
    ``/etc/freeradius/clients.conf``) are those of FreeRADIUS 2.x. Ubuntu
    18.04 and later ship FreeRADIUS 3.x, where the configuration lives under
    ``/etc/freeradius/3.0/``: ``users`` is ``mods-config/files/authorize``,
    ``eap.conf`` is ``mods-available/eap``, and ``clients.conf`` keeps its
    name.

Configure FreeRADIUS
^^^^^^^^^^^^^^^^^^^^

Add a user
""""""""""

A RADIUS server is usually backed by a database that holds the user
information. To keep the setup simple, we statically configure a single user
here. To add a user ``admin`` with password ``cord_test``, edit
``/etc/freeradius/users`` and add the following lines. (EAP-TLS, enabled
below, authenticates the client by its certificate and does not check this
password.)

.. code-block:: text

    admin Cleartext-Password := "cord_test"
          Reply-Message = "Hello, %{User-Name}"

Allow external clients
""""""""""""""""""""""
By default the RADIUS server only accepts requests from ``localhost``. To
accept requests from ONOS, we need to add the ONOS node as a client in
``/etc/freeradius/clients.conf`` and set the shared secret there to the
``radiusSecret`` configured in ONOS. The lab diff below opens the server to
any source address; in a real deployment replace ``0.0.0.0/0`` with the
address or management subnet of the ONOS node(s): anyone who can reach UDP
port 1812 and knows the secret can then send authentication requests, and
RADIUS offers no other transport protection.

.. code-block:: diff

    -client localhost {
    +client 0.0.0.0/0 {

    - secret = testing123
    + secret = howdoyouturnthison

Use TLS
"""""""
By default, FreeRADIUS uses EAP-MD5 (an MD5 challenge/response) for EAP. To
use EAP-TLS instead, modify ``/etc/freeradius/eap.conf`` as follows. The
private key password must match the passphrase used when generating
``server.key`` below.

.. code-block:: diff

    - default_eap_type = md5
    + default_eap_type = tls

    - private_key_password = whatever
    + private_key_password = onos_test

.. note::
    The key and certificates required by TLS are located under
    ``/etc/freeradius/certs`` by default, where ``ca.pem``, ``server.key``
    and ``server.pem`` are symbolic links. After generating the keys and
    certificates below, we only need to re-point those symbolic links, so
    the paths in ``/etc/freeradius/eap.conf`` can stay as they are.

.. note::
    Both the server certificate and the client certificate need to be signed
    by the same CA certificate, and each certificate we generate below needs
    a unique Common Name.

Generate CA certificate (ca.pem) and private key (privkey.pem)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Without ``-keyout``, ``openssl req`` writes the new CA private key to
``privkey.pem`` in the current directory (the ``default_keyfile`` of the
stock ``openssl.cnf``) and prompts for a passphrase to encrypt it:

.. code-block:: console

    openssl req -out ca.pem -new -x509

Generate and sign server certificate (server.pem) and private key (server.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Use at least a 2048-bit key (1024-bit RSA is no longer considered secure) and
encrypt it with the passphrase set as ``private_key_password`` in
``eap.conf`` (``onos_test`` above); otherwise that setting is never used.
``-CAcreateserial`` lets ``openssl`` create ``file.srl`` on first use
(without it the command fails while the file does not exist yet), and
``-days`` extends the default 30-day validity:

.. code-block:: console

    openssl genrsa -aes256 -out server.key 2048
    openssl req -key server.key -new -out server.req
    openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -CAcreateserial -days 365 -out server.pem

Generate and sign client certificate (client.pem) and private key (client.key)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Same procedure, using the passphrase that will be configured as
``private_key_passwd`` in ``wpa_supplicant.conf``:

.. code-block:: console

    openssl genrsa -aes256 -out client.key 2048
    openssl req -key client.key -new -out client.req
    openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -CAcreateserial -days 365 -out client.pem


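The three steps above, carried out in one non-interactive script. This is an
added example and not the Trellis documentation's or FreeRADIUS's own tooling;
the passphrases (``ca_test`` for the CA key, ``onos_test`` for the server and
client keys, matching the ``private_key_password``/``private_key_passwd``
values used on this page), the ``O=ON.Lab`` / ``*.cord.lab`` subjects and the
one-year validity are lab assumptions. It goes beyond the page's commands in
two ways: leaf certificates are marked ``CA:FALSE`` and restricted with
``extendedKeyUsage`` (``serverAuth`` for the server, ``clientAuth`` for the
client), so a client certificate from this CA cannot be presented as the RADIUS
server, and the resulting chain is verified before anything is deployed.

```shell
#!/bin/sh
# Added example (not from the Trellis/ONOS docs): build the EAP-TLS PKI used by
# FreeRADIUS and wpa_supplicant in one non-interactive run, then verify it.
# Assumptions: lab passphrases "ca_test" (CA key) and "onos_test" (server and
# client keys, matching private_key_password / private_key_passwd on this page)
# and the O=ON.Lab / *.cord.lab subjects; replace all of them for real use.
set -eu

CA_PASS="${CA_PASS:-ca_test}"      # constructed lab value
KEY_PASS="${KEY_PASS:-onos_test}"  # must equal eap.conf / wpa_supplicant.conf
DAYS=365

# Each certificate needs its own Common Name (see the note above).
CA_SUBJ="/O=ON.Lab/CN=ca.cord.lab"
SERVER_SUBJ="/O=ON.Lab/CN=server.cord.lab"
CLIENT_SUBJ="/O=ON.Lab/CN=client.cord.lab"

gen_ca() {            # $1 = output dir; writes ca.pem and an encrypted privkey.pem
    openssl req -new -x509 -newkey rsa:2048 -days "$DAYS" \
        -passout "pass:$CA_PASS" -subj "$CA_SUBJ" \
        -keyout "$1/privkey.pem" -out "$1/ca.pem" 2>/dev/null
}

# $1 = dir, $2 = name (server|client), $3 = subject, $4 = extendedKeyUsage value
gen_leaf() {
    # 2048-bit key instead of the page's 1024-bit one, encrypted so that the
    # passphrase configured in eap.conf / wpa_supplicant.conf is actually used.
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -passin "pass:$KEY_PASS" \
        -subj "$3" -out "$1/$2.req" 2>/dev/null
    # Leaf certs are non-CA and restricted to one TLS role, so an EKU-less
    # client cert cannot be replayed as the RADIUS server certificate.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.req" -CA "$1/ca.pem" -CAkey "$1/privkey.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial -days "$DAYS" \
        -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

cn_of() {             # print the CN of a PEM certificate ($1)
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Exit status 0 only if both leaf certs chain to ca.pem and all CNs differ.
verify_pki() {        # $1 = dir
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" "$1/client.pem" >/dev/null 2>&1 || return 1
    [ "$(cn_of "$1/server.pem")" != "$(cn_of "$1/client.pem")" ] || return 1
    [ "$(cn_of "$1/server.pem")" != "$(cn_of "$1/ca.pem")" ] || return 1
}

PKI_DIR="$(mktemp -d)"
gen_ca "$PKI_DIR"
gen_leaf "$PKI_DIR" server "$SERVER_SUBJ" serverAuth
gen_leaf "$PKI_DIR" client "$CLIENT_SUBJ" clientAuth
verify_pki "$PKI_DIR" && echo "PKI ready in $PKI_DIR"
```

Afterwards, point the FreeRADIUS symbolic links at ``ca.pem``, ``server.key``
and ``server.pem`` from that directory and copy ``ca.pem``, ``client.key`` and
``client.pem`` to the client host as described in the next step; ``privkey.pem``
(the CA key) stays on the issuing machine only.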
Deploy keys and certificates
""""""""""""""""""""""""""""
On the server side, point the symbolic links
``/etc/freeradius/certs/{ca.pem, server.key, server.pem}`` at the files we
just generated, and make sure ``server.key`` is readable only by the user
FreeRADIUS runs as. Copy ``ca.pem``, ``client.key`` and ``client.pem`` to the
client host over a secure channel (for example ``scp``); they will be used
when testing RADIUS authentication. ``privkey.pem`` is the CA key: neither the
server nor the client needs it, and it should never leave the machine that
issues certificates.


Testing
-------
We can use ``wpa_supplicant`` as the test client. If it is not installed yet,
run ``sudo apt-get install wpasupplicant``.

Compose wpa_supplicant.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^

``ap_scan=0`` (together with ``-Dwired`` below) selects wired 802.1X,
``client_cert``/``private_key`` are presented for EAP-TLS, and ``ca_cert``
makes the supplicant check that the server certificate chains to our CA. Note
that ``ca_cert`` alone does not pin the server's identity: add
``domain_suffix_match`` (or ``subject_match``) if another certificate from the
same CA must not be accepted as the server. The ``password`` line is not used
by EAP-TLS and can be omitted. Because this file holds the private-key
passphrase, keep it readable by root only.

.. code-block:: text

    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=1
    ap_scan=0
    fast_reauth=0
    network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="admin"
        password="cord_test"
        ca_cert="ca.pem"
        client_cert="client.pem"
        private_key="client.key"
        private_key_passwd="onos_test"
        eapol_flags=3
    }

Run the test client
^^^^^^^^^^^^^^^^^^^

.. tip::
    If you are using a Linux VM behind a bridge to send out this
    authentication message, make sure the Linux kernel of your host machine
    is 3.2 or above and that the bridge is allowed to forward the EAPOL group
    address ``01:80:c2:00:00:03`` (bit 3, i.e. the value ``8``, in
    ``/sys/class/net/<bridge>/bridge/group_fwd_mask``, which that kernel
    introduced). Otherwise the bridge drops the EAPOL frames.

.. code-block:: console

    $ sudo wpa_supplicant -Dwired -ieth1 -cwpa_supplicant.conf

You should see the following messages if authentication succeeds. Check that
the ``depth=0`` certificate is the server certificate you issued, not merely
some certificate from the CA:

.. code-block:: console

    Successfully initialized wpa_supplicant
    eth1: Associated with 01:80:c2:00:00:03
    eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
    eth1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
    eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
    eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=ca.cord.lab/emailAddress=xxx@xxx.xxx'
    eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/L=Menlo Park/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
    eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

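A small check script that turns the manual inspection above into a test. It is
an added example, not part of the Trellis or ONOS documentation: it accepts a
``wpa_supplicant`` run only if EAP succeeded and the certificate presented at
``depth=0`` carries the Common Name we issued to the RADIUS server. The three
log files are constructed from the output format shown above (they are not real
captures), and the expected CN ``server.cord.lab`` is an assumption taken from
that sample output.

```shell
#!/bin/sh
# Added example, not from the Trellis/ONOS docs: judge a wpa_supplicant EAP-TLS
# run from its log. EAP-SUCCESS alone is not enough; the certificate at chain
# depth 0 must be the server cert we issued (CN assumed to be server.cord.lab).
set -eu

EXPECTED_SERVER_CN="${EXPECTED_SERVER_CN:-server.cord.lab}"   # assumption

# Constructed sample logs in the format wpa_supplicant prints (not captures).
write_sample_logs() {   # $1 = directory; writes good.log, rogue.log, failed.log
    cat > "$1/good.log" <<'EOF'
Successfully initialized wpa_supplicant
eth1: Associated with 01:80:c2:00:00:03
eth1: CTRL-EVENT-EAP-STARTED EAP authentication started
eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=ON.Lab/CN=ca.cord.lab'
eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/O=ON.Lab/CN=server.cord.lab/emailAddress=xxx@xxx.xxx'
eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
    # Same CA, but a different certificate is presented as the server: what a
    # rogue authenticator holding any EKU-less cert from our CA looks like.
    cat > "$1/rogue.log" <<'EOF'
eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=ON.Lab/CN=ca.cord.lab'
eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/O=ON.Lab/CN=client.cord.lab'
eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
    # The server rejected the client (e.g. client cert signed by another CA).
    cat > "$1/failed.log" <<'EOF'
eth1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=ON.Lab/CN=ca.cord.lab'
eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/O=ON.Lab/CN=server.cord.lab'
eth1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
}

# Print the CN of the certificate reported at depth=0 (the server's own cert).
server_cn() {           # $1 = log file
    sed -n "s/.*EAP-PEER-CERT depth=0 subject='.*CN=\([^/']*\).*/\1/p" "$1" | head -n 1
}

# Exit status 0 only if EAP succeeded, no failure was logged, and the depth=0
# CN equals EXPECTED_SERVER_CN.
eap_run_ok() {          # $1 = log file
    grep -q 'CTRL-EVENT-EAP-SUCCESS' "$1" || return 1
    ! grep -q 'CTRL-EVENT-EAP-FAILURE' "$1" || return 1
    [ "$(server_cn "$1")" = "$EXPECTED_SERVER_CN" ] || return 1
}

LOG_DIR="$(mktemp -d)"
write_sample_logs "$LOG_DIR"
for f in good rogue failed; do
    if eap_run_ok "$LOG_DIR/$f.log"; then
        echo "$f.log: authenticated against $EXPECTED_SERVER_CN"
    else
        echo "$f.log: NOT trusted (server CN: '$(server_cn "$LOG_DIR/$f.log")')"
    fi
done
```

In the supplicant itself the same pinning is done during the handshake with
``domain_suffix_match`` or ``subject_match`` in ``wpa_supplicant.conf``; the
script is for checking a run after the fact, for example in a lab test job.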
Reference
---------
- https://tools.ietf.org/html/rfc3580
- https://tools.ietf.org/html/rfc3579
- https://www.vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/
- https://dst.lbl.gov/~boverhof/openssl_certs.html