4
This is an implementation of the GSS EAP mechanism, as described in
5
draft-ietf-abfab-gss-eap-01.txt.
10
In order to build this, a recent Kerberos implementation (MIT or
11
Heimdal), Shibboleth, and EAP libraries are required, along with
12
all of their dependencies.
14
Note: not all SPIs are supported by the Heimdal mechanism glue,
15
so not all features will be available.
23
When installing, be sure to edit $prefix/etc/gss/mech to register
24
the EAP mechanisms. A sample configuration file is in this directory.
25
You may need to specify an absolute path.
30
Make sure your RADIUS library is configured to talk to the server of
31
your choice: see the example radsec.conf in this directory. If you
32
want to use TCP or TLS, you'll need to run radsecproxy in front of
38
These instructions apply to FreeRADIUS only, which is downloadable
39
from http://freeradius.org/. After configure, make, install, do the
42
On the RADIUS server side, you need to install dictionary.ukerna to
43
$prefix/etc/raddb and include it from the main dictionary file, by
46
$INCLUDE dictionary.ukerna
48
to $prefix/etc/raddb/dictionary. Make sure these files are world-
49
readable; they weren't in my installation.
51
Edit $prefix/etc/raddb/users to add your test user and password:
53
bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
55
Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
60
require_message_authenticator = yes
63
Edit $prefix/etc/raddb/eap.conf and set:
67
default_eap_type = ttls
72
private_key_file = ...
73
certificate_file = ...
76
default_eap_type = mschapv2
77
copy_request_to_tunnel = no
78
use_tunneled_reply = no
79
virtual_server = "inner-tunnel"
86
If you want the acceptor be able to identify the user, the RADIUS
87
server needs to echo back the EAP username from the inner tunnel;
88
for privacy, mech_eap only sends the realm in the EAP Identity
89
response. To configure this with FreeRADIUS, add:
92
User-Name = "%{request:User-Name}"
95
If you want to add a SAML assertion, do this with "update reply"
96
in $prefix/etc/raddb/sites-available/default:
99
SAML-AAA-Assertion = '<saml:Assertion ...'
100
SAML-AAA-Assertion += '...'
103
You'll need to split it into multiple lines because of the RADIUS
104
attribute size limit.
109
You can then test the MIT or Cyrus GSS and SASL example programs.
110
Sample usage is given below. Substitute <user>, <pass> and <host>
111
appropriately (<host> is the name of the host running the server,
112
not the RADIUS server).
114
% gss-client -port 5555 -spnego -mech "{1 3 6 1 5 5 15 1 1 18}" \
115
-user <user>@<realm> -pass <pass> <host> host@<host> \
117
% gss-server -port 5555 -export host@<host>
119
Note: for SASL you will be prompted for a username and password.
121
% client -C -p 5556 -s host -m EAP-AES128 <host>
122
% server -c -p 5556 -s host -h <host>
124
To test fast reauthentication support, add the following to
129
reauth_use_ccache = TRUE
132
This will store a Kerberos ticket for a GSS-EAP authenticated user
133
in a credentials cache, which can then be used for re-authentication
134
to the same acceptor. You must have a valid keytab configured.
136
In this testing phase of Moonshot, it's also possible to store a
137
default identity and credential in a file. The format consists of
138
the string representation of the initiator identity and the password,
139
separated by newlines. The default location of this file is
140
.gss_eap_id in the user's home directory, however the GSSEAP_IDENTITY
141
environment variable can be used to set an alternate location.
143
You can also set a default realm in [appdefaults]; the Kerberos
144
default realm is never used by mech_eap (or at least, that is the
145
intention), so if unspecified you must always qualify names. It should
146
generally not be necessary to specify this.