
Phase 01 - Setting up Linux Virtual Machines for Institutional IDP and IRS

You are going to create and run two Linux (Ubuntu) VMs on Oracle VirtualBox: one for the institutional LDAP server (IDP) and one for the RADIUS server (IRS).

Installation of VirtualBox and Downloading Ubuntu CD image
Creating Two Ubuntu VMs
Setting up boot device
Setting up Network Interface
Turn on VM for your IDP
Installation of Ubuntu Linux
Initial Installation options
Disk Configuration
Final Configuration
Playing with Linux
Create the Second VM for your IRS
Setting Up IP Addresses

Please use the following IPs for your IDP and IRS:

| Institute | Domain prefix under ac.lk | IDP IP | IRS IP |
|---|---|---|---|
| Industrial Technology Institute | iti | 192.248.4.101 | 192.248.4.102 |
| National Engineering Research & Development Centre | nerdc | 192.248.4.103 | 192.248.1.104 |
| Wayamba University of Sri Lanka | wyb | 192.248.4.105 | 192.248.4.106 |
| University Grants Commission | ugc | 192.248.4.107 | 192.248.4.108 |
| University of Vocational Technology | univotec | 192.248.4.109 | 192.248.4.110 |
| National Institute of Social Development | nisd | 192.248.4.111 | 192.248.4.112 |
| University of Peradeniya | pdn | 192.248.4.113 | 192.248.4.114 |
| General Sir John Kotelawala Defence University | kdu | 192.248.4.115 | 192.248.4.116 |
| Sri Palee Campus, University of Colombo | spc | 192.248.4.117 | 192.248.4.118 |
| Rajarata University of Sri Lanka | rjt | 192.248.4.119 | 192.248.4.120 |
| Uva Wellassa University of Sri Lanka | uwu | 192.248.4.121 | 192.248.4.122 |
| University College of Kuliyapitiya | uck | 192.248.4.123 | 192.248.4.124 |
| Buddhist & Pali University of Sri Lanka | bpu | 192.248.4.125 | 192.248.4.126 |
| University of Jaffna | jfn | 192.248.4.127 | 192.248.4.128 |
| Open University of Sri Lanka | ou | 192.248.4.129 | 192.248.4.130 |
| Bhiksu University of Sri Lanka | busl | 192.248.4.131 | 192.248.4.132 |
| National Centre for Advanced Studies | ncas | 192.248.4.133 | 192.248.4.134 |
| Informatics Institute of Technology | iit | 192.248.4.135 | 192.248.4.136 |
| Sabaragamuwa University of Sri Lanka | sab | 192.248.4.137 | 192.248.4.138 |
| Eastern University | esn | 192.248.4.139 | 192.248.4.140 |
| University of Ruhuna | ruh | 192.248.4.141 | 192.248.4.142 |
| University of Sri Jayewardenepura | sjp | 192.248.4.143 | 192.248.4.144 |
| University of Colombo UCSC | ucsc | 192.248.4.145 | 192.248.4.146 |
| South Eastern University of Sri Lanka | seu | 192.248.4.147 | 192.248.4.148 |
| University of Kelaniya | kln | 192.248.4.149 | 192.248.4.150 |
| University of Visual & Performing Arts | vpa | 192.248.4.151 | 192.248.4.152 |
| University of Moratuwa | mrt | 192.248.4.153 | 192.248.4.154 |
| Sri Lanka Institute of Advanced Technological Education | sliate | 192.248.4.155 | 192.248.4.156 |
| Arthur C Clarke Centre | accmt | 192.248.4.157 | 192.248.4.158 |
| University of Colombo | cmb | 192.248.4.165 | 192.248.4.166 |

Edit the /etc/network/interfaces file on both your IDP and IRS to include your IP addresses, using a static stanza for eth0:

    iface eth0 inet static

When you have completed the IP settings of both VMs, restart them and then log in to confirm that the IP settings are correct. Also confirm that you can reach your IDP and IRS by their DNS names. For example you may ping to If LEARN does not manage your DNS, you may add the relevant entries to your primary DNS server.

Getting your Ubuntu OS up to date
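The full static stanza for one VM, as an added example that is not part of the original lab page: it prints the /etc/network/interfaces configuration for the IP you were assigned and checks the result after the reboot. The gateway, resolver and search domain are assumptions; use the values LEARN gives you.

```shell
# Added example (not from the lab page): print the static eth0 stanza for one of
# the two VMs so it can be written to /etc/network/interfaces, then verify it.
GATEWAY='192.248.4.1'        # assumed lab gateway, replace with the real one
NAMESERVER='192.248.4.1'     # assumed resolver, replace with the real one
SEARCH_DOMAIN='inst.ac.lk'

gen_interfaces() {
    # $1 = role (idp or irs), $2 = that VM's address from the table above
    role="$1"; ip="$2"
    case "$ip" in
        192.248.*.*) ;;
        *) echo "refusing $ip: not a lab address" >&2; return 1 ;;
    esac
    cat <<EOF
# $role: generated static configuration
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address $ip
    netmask 255.255.255.0
    gateway $GATEWAY
    dns-nameservers $NAMESERVER
    dns-search $SEARCH_DOMAIN
EOF
}

# Run after both VMs are back up: the address must be on eth0 and both FQDNs
# must resolve, otherwise the later certificate and RADIUS steps fail on names.
verify_net() {
    # $1 = expected address, $2 and $3 = the IDP and IRS FQDNs
    ip -4 addr show eth0 | grep -q "inet $1/" || { echo "address $1 not on eth0" >&2; return 1; }
    for h in "$2" "$3"; do
        getent hosts "$h" >/dev/null || { echo "$h does not resolve" >&2; return 1; }
    done
    echo "network OK"
}

# Usage on the IDP:  gen_interfaces idp 192.248.4.101 | sudo tee /etc/network/interfaces
# After reboot:      verify_net 192.248.4.101 idp.inst.ac.lk irs.inst.ac.lk
```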


Phase 02 - Setting up OpenLDAP and Encrypt OpenLDAP connections using STARTTLS

OpenLDAP provides an LDAP directory service that is flexible and well supported. In this lab, we will demonstrate how to encrypt connections to OpenLDAP using STARTTLS.

Setting the Hostname and FQDN

Before you get started, make sure you set up your server so that it correctly resolves its hostname and fully qualified domain name (FQDN). This is necessary for clients to validate the server's certificate.

Install the OpenLDAP Server

  • Omit OpenLDAP server configuration? No (we want an initial database and configuration)
  • DNS domain name: inst.ac.lk (use the server's domain name, minus the hostname. This will be used to create the base entry for the information tree)
  • Organization name: Example Inc (This will simply be added to the base entry as the name of your institute)
  • Administrator password: [whatever you'd like]
  • Confirm password: [must match the above]
  • Database backend to use: HDB (out of the two choices, this has the most functionality)
  • Do you want the database to be removed when slapd is purged? (your choice. Choose "Yes" to allow a completely clean removal, choose "No" to save your data even when the software is removed)
  • Move old database? Yes
  • Allow LDAPv2 protocol? No

Install the SSL Components 
Setting up the Client Machines 
Configuring Remote Clients

Force Connections to Use TLS

We have successfully configured our OpenLDAP server so that it can seamlessly upgrade normal LDAP connections to TLS through the STARTTLS process. However, this still allows unencrypted sessions, which may not be what you want. We will use an LDIF file to make the change.

Create the LDIF file in your home directory on the IDP. We will call it forcetls.ldif. Inside, target the DN you want to force TLS on; in our case this is dn: olcDatabase={1}hdb,cn=config. Set the changetype to "modify" and add the olcSecurity attribute. Set the value of the attribute to "tls=1" to force TLS for this DIT. Save and close the file when you are finished.

To apply the change, type:

Reload the OpenLDAP service by typing:

Now, if you search the dc=inst,dc=ac,dc=lk DIT without the -Z option to initiate a STARTTLS upgrade, you will be refused (TLS required failure):

    Confidentiality required (13)
    Additional information: TLS confidentiality required

We can demonstrate that STARTTLS connections still function correctly (TLS required success):

    dn: dc=inst,dc=ac,dc=lk
    dn: cn=admin,dc=inst,dc=ac,dc=lk
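The forcetls.ldif described above, together with the apply, reload and verification steps, as an added shell example that is not the lab's own file. It assumes the lab's DIT dc=inst,dc=ac,dc=lk and an Ubuntu slapd reachable over the local ldapi:// socket.

```shell
# Added example (not the lab's own forcetls.ldif): generate the LDIF, apply it
# over the root-only ldapi socket, and check that plaintext searches are refused.
BASE_DN='dc=inst,dc=ac,dc=lk'

make_forcetls_ldif() {
    cat <<'EOF'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
}

# SASL EXTERNAL over ldapi:// authenticates as root, so cn=config can be edited
# without the admin password; slapd is reloaded afterwards to pick up the change.
apply_forcetls() {
    make_forcetls_ldif > "$HOME/forcetls.ldif"
    sudo ldapmodify -H ldapi:// -Y EXTERNAL -f "$HOME/forcetls.ldif"
    sudo service slapd force-reload
}

# Returns 0 only when a plain search is refused ("Confidentiality required (13)")
# AND a STARTTLS search succeeds. -ZZ makes ldapsearch fail if STARTTLS fails.
verify_tls_enforced() {
    if ldapsearch -H ldap:// -x -LLL -b "$BASE_DN" dn >/dev/null 2>&1; then
        echo "FAIL: plaintext search still accepted" >&2; return 1
    fi
    ldapsearch -H ldap:// -x -ZZ -LLL -b "$BASE_DN" dn >/dev/null 2>&1 || {
        echo "FAIL: STARTTLS search did not succeed" >&2; return 1; }
    echo "OK: TLS is required and STARTTLS works"
}

# Usage on the IDP:  apply_forcetls && verify_tls_enforced
```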
Adding Initial Identity to your LDAP Directory Service 
LDAP Bind

Deleting an LDAP entity
Setting LDAP Access Control

You can see the existing ACLs by:

Create a new file named acc1.ldif with the following modification to the ACLs. This will allow your IRS to read users' passwords:

Use the following command to modify the ACLs externally:
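One way to write acc1.ldif so that only the IRS, and not anonymous clients, gains read access to userPassword, as an added example that is not the lab's own file. It assumes a dedicated bind identity cn=irs,dc=inst,dc=ac,dc=lk for the IRS (create it first; any DN you choose works) and the default Ubuntu ACL set for olcDatabase={1}hdb.

```shell
# Added example (not the lab's acc1.ldif): show the ACLs, then restate them with one
# extra "by dn ... read" clause so the IRS bind identity can read userPassword.
BASE_DN='dc=inst,dc=ac,dc=lk'
IRS_DN="cn=irs,$BASE_DN"     # assumed read-only identity for the IRS

show_acls() {
    sudo ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcDatabase={1}hdb)' olcAccess
}

# "replace" overwrites every olcAccess value, so all three default rules are
# restated; dropping {1} or {2} would silently change access to the whole DIT.
# Continuation lines start with two spaces because LDIF strips the first one.
make_acc1_ldif() {
    cat <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,$BASE_DN" write
  by dn="$IRS_DN" read
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,$BASE_DN" write
  by * read
EOF
}

apply_acls() {
    make_acc1_ldif > "$HOME/acc1.ldif"
    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$HOME/acc1.ldif"
}

# Run from the IRS: $1 = IDP FQDN, $2 = a test uid. The bind must use STARTTLS
# (-ZZ) because tls=1 is enforced; a userPassword line in the output proves access.
check_irs_can_read() {
    ldapsearch -H "ldap://$1" -ZZ -x -LLL -D "$IRS_DN" -W -b "$BASE_DN" "(uid=$2)" userPassword
}
```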
Optional

If you have finished the above LDAP configuration, you may optionally try to install phpLDAPadmin.

Install phpLDAPadmin to Manage LDAP with a Web Interface

Although it is very possible to administer LDAP through the command line, most users will find it easier to use a web interface. We're going to install phpLDAPadmin, which provides this functionality, to help remove some of the friction of learning the LDAP tools. The Ubuntu repositories contain the phpLDAPadmin package. You can install it by first logging in to your IDP and then typing:

Edit the configuration file to make the following adjustments:

Create an SSL Certificate for your Apache web server

Next, we can create the key and certificate in one step by typing:

Create a Password Authentication File

We also want to password protect our phpLDAPadmin location. Even though phpLDAPadmin has password authentication, this will provide an extra level of protection. Then enter your password.

Secure Apache

The first thing we should do is enable the SSL module in Apache. We can do this by typing:

This will enable the module, allowing us to use it. We still need to configure Apache to take advantage of it, though. Currently, Apache is reading a file called 000-default.conf for regular, unencrypted HTTP connections. We need to tell it to redirect requests for our phpLDAPadmin interface to our HTTPS interface so that the connection is encrypted. When we redirect traffic to use our SSL certificates, we'll also implement the password file to authenticate users. While we're modifying things, we'll also change the location of the phpLDAPadmin interface itself to minimize targeted attacks.

Configure the HTTP Virtual Host

Next, we need to modify our current Virtual Hosts file. Open it with root privileges in your editor:

The changes we discussed will end up looking like this. Modify the items in bold with your own values:

Configure the HTTPS Virtual Host File

Apache includes a default SSL Virtual Host file. However, it is not enabled by default. We can enable it by typing:

This will link the file from the sites-available directory into the sites-enabled directory. We can edit this file now by typing:

This file is a bit more involved than the last one, so we will only discuss the changes that we have to make. All of the changes below should go within the Virtual Host block in the file. First of all, set the ServerName value to your server's domain name or IP address again and change the ServerAdmin directive as well:

Next, we need to set the SSL certificate directives to point to the key and certificate that we created. The directives should already exist in your file, so just modify the files they point to:

The last thing we need to do is set up the location block that will implement our password protection for the entire phpLDAPadmin installation. We do this by referencing the location where we are serving phpLDAPadmin and setting up authentication using the file we generated. We will require anyone attempting to access this content to authenticate as a valid user:

Save and close the file when you are finished. Restart Apache to implement all of the changes that we have made:

We can now move on to the actual interface. Open https://idp.inst.ac.lk/phpldapadmin/ in your browser. Enter your Apache password first and then the LDAP admin password.
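The two Apache fragments the section above describes (the HTTP-to-HTTPS redirect and the password-protected Location block), plus a check of the result, as an added example that is not the lab's own configuration. The certificate paths under /etc/apache2/ssl and the htpasswd file location are assumptions; the site name and /phpldapadmin path are the ones used in this lab.

```shell
# Added example (not the lab's files): print the lines to add to the two virtual
# host files, then verify the redirect and the password prompt from a client.
SITE='idp.inst.ac.lk'
LDAPADMIN_PATH='/phpldapadmin'                 # change this to hide the interface
HTPASSWD_FILE='/etc/apache2/htpasswd'          # assumed: created with htpasswd -c
SSL_DIR='/etc/apache2/ssl'                     # assumed: key and cert from openssl

# Inside <VirtualHost *:80> in 000-default.conf: plain HTTP requests for the
# interface are bounced to HTTPS so the Apache and LDAP passwords never travel in clear.
make_http_redirect() {
    cat <<EOF
    ServerName $SITE
    Redirect permanent $LDAPADMIN_PATH https://$SITE$LDAPADMIN_PATH
EOF
}

# Inside <VirtualHost _default_:443> in default-ssl.conf (enable it first with
# "sudo a2enmod ssl" and "sudo a2ensite default-ssl.conf"): our certificate pair
# and basic authentication against the htpasswd file for the whole interface.
make_ssl_fragment() {
    cat <<EOF
    ServerName $SITE
    SSLCertificateFile $SSL_DIR/apache.crt
    SSLCertificateKeyFile $SSL_DIR/apache.key
    <Location $LDAPADMIN_PATH>
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile $HTPASSWD_FILE
        Require valid-user
    </Location>
EOF
}

# After "sudo service apache2 restart": a Location: https:// header on the HTTP
# URL proves the redirect, and 401 on the HTTPS URL proves the password gate.
# -k accepts the self-signed certificate for this check only.
verify_phpldapadmin_auth() {
    curl -sI "http://$SITE$LDAPADMIN_PATH/" | grep -qi '^Location: https://' || return 1
    curl -sk -o /dev/null -w '%{http_code}' "https://$SITE$LDAPADMIN_PATH/" | grep -q '^401$'
}
```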


Phase 03 - Linking Your IRS with IDP

Before you continue with the rest of the lab exercise below, you need a working RADIUS server on your IRS. It is going to be installed and configured tomorrow at the eduroam session, so wait till tomorrow afternoon. Then you need to install the FreeRADIUS LDAP modules by:

Configure your FreeRADIUS to use LDAP authentication

Edit /etc/freeradius/mods-available/ldap to add the following lines, needed for the IRS to connect to your IDP (LDAP). Add them where appropriate:

Find the ttls block further down in the same file and uncomment it. Locate edir_autz = no and change it to edir_autz = yes.

Create a symbolic link as:

Edit mods-available/eap to change the tls default_eap_type to mschapv2. Locate the ttls { block further down the file and modify it as follows:

Edit sites-available/eduroam-inner-tunnel, locate the ldap directive in the Authorize section and uncomment it. Then restart your FreeRADIUS service.

If nothing went wrong, you should be able to do a RADIUS EAP test to verify authentication by your IDP:

    ./rad_eap_test -H 127.0.0.1 -S testing123 -P 1812 -u testme@learn.ac.lk -p Ask_LEARN -e PEAP -m WPA-EAP -c
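The ldap module settings the IRS needs to reach the IDP, written the way the steps above describe, as an added example that is not the lab's own configuration. It assumes a FreeRADIUS 3 layout under /etc/freeradius, a dedicated bind identity cn=irs (not the LDAP admin) with a placeholder password, and a copy of the IDP's CA certificate on the IRS.

```shell
# Added example (not the lab's config): emit the ldap module block for
# /etc/freeradius/mods-available/ldap and wrap the config check and EAP test.
IDP_FQDN='idp.inst.ac.lk'
BASE_DN='dc=inst,dc=ac,dc=lk'
IRS_BIND_DN="cn=irs,$BASE_DN"       # assumed: identity granted read on userPassword
IRS_BIND_PW='CHANGE-ME'             # placeholder; keep it out of the admin account
CA_FILE='/etc/ssl/certs/idp-ca.pem' # placeholder: path of the copied IDP CA cert

make_ldap_module() {
    cat <<EOF
ldap {
    server = '$IDP_FQDN'
    identity = '$IRS_BIND_DN'
    password = '$IRS_BIND_PW'
    base_dn = '$BASE_DN'
    user {
        base_dn = "\${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        # the IDP enforces olcSecurity tls=1 since Phase 02, so a plain bind is
        # refused with "Confidentiality required"; STARTTLS is mandatory here
        start_tls = yes
        ca_file = $CA_FILE
        require_cert = 'demand'
    }
}
EOF
}

# Parse the whole server configuration without starting it; run after editing
# mods-available/ldap, mods-available/eap and eduroam-inner-tunnel.
check_config() {
    sudo freeradius -C
}

# The test from the text with the account to check as arguments; the exit
# status of rad_eap_test is the result ($1 = user name, $2 = password).
eap_test() {
    ./rad_eap_test -H 127.0.0.1 -S testing123 -P 1812 -u "$1" -p "$2" -e PEAP -m WPA-EAP -c
}

# Usage:  make_ldap_module | sudo tee /etc/freeradius/mods-available/ldap
#         check_config && eap_test testme@learn.ac.lk Ask_LEARN
```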

Setting up Wireless APs

First you need to add your WAP as a client to the FreeRADIUS server. Add the following to the end of the /etc/freeradius/clients file:

    client waps {
        ipaddr = 192.248.4.0/24
        secret = labpass
    }

It is now time to quickly set up your WAPs to use 802.1X RADIUS authentication through your IRS. One AP is going to be shared by four people. Each can create an eduroam SSID to get your IRS attached. SSIDs should be as follows:

    AP - 01 - 192.248.4.181
    AP - 02 - 192.248.4.182
    AP - 03 - 192.248.4.183
    ...
    AP - 10 - 192.248.4.190

Login to Your WAP

Log in to your AP by entering the IP address of the AP as the URL in your web browser, then log in using the following credentials:

    User name: admin
    Password: admin

Creating an SSID for Aruba WAPs

Locate the Network tab on the left of your web GUI and click on New to add a new SSID. In the New WLAN dialog box, enter Name (SSID): eduroam1XX and click Next. Click Next again to accept the default settings for VLAN. At the Security tab, move the pointer on your left to Enterprise, then set

Now try your laptop or mobile device to connect to your SSID. Congratulations!! You have done