Workshop (to be) held from 11:00-17:00 on 2019/06/01 in Zepler CLS Lecture Room
- Look at how SOWN works and consider how it can be modularised
- Discuss how to implement SOWN login for SSH to SOWN servers.
- Possible Modules
  - User Authentication
    - Possible abstract with implementation for first RADIUS and maybe later others and
  - Single Sign On (uses User authentication)
  - VPN (OpenVPN sits underneath)
  - Node setup
  - Node admin
  - Node config
  - Node firmware build
  - Node package management
  - Monitoring (nodes and servers)
  - Usage accounting
  - User Authentication
    - May help with implementation of SSH login to individual servers for individual users described above.
- Consider how we can expand SOWN coverage
  - More SOWN nodes
  - Make it easier to deploy eduroam on own hardware
- Update keepalived on gateway servers
- Renew CRLs for tunnelbroker
- Investigate reboot issues with sown-auth2 where routes do not get set up as needed
- Planning for what needs to be done before upgrading sown-auth2 OS
- Update SOWN firmware to fix the known issue with dnsmasq, amongst other bug fixes
- Routing issues between sown-www and sown-monitor
- Remove the routes that force traffic to ECS DMZ servers via the gateways' DMZ interface, as the ECS firewall changes should have been made by now
- Switch SSH checks for sown-www and suws-marconi to be proxy checks using nrpe on sown-auth2
- Upgrade sown-radius2 and sown-vpn2 to Ubuntu 18.04
  - Maybe worth installing from scratch and using Ansible playbooks to reinstall stuff.
Todo list tasks
It is unlikely we would actually do any of these tasks but they are useful to be aware of during our discussions of points in the main task list.
- Munge check_eapol script to allow it to send RADIUS accounting start and stop messages to keep iSolutions happy
- Consider how to set up the openwrt git repo and branches so it can easily be pushed/pulled on buildroot and buildroot-dev
- Consider the repercussions of allowing 3rd party configured nodes
- Figure out how to set up the LAN port on the AR150 as a passive passthrough
- Provide a mechanism to prevent certain MAC addresses connecting to certain nodes without breaking eduroam for those MACs
- Figure out why snmpd is missing on node303 and add it manually
- Node-owner firewall control
- Add support for client isolation on wireless interface.
- Build a serial (DS9097E one wire) temperature sensor we can plug into a B32 server.
- Figure out what to do with node UPGRADEABLE checks
- Improve security of our OpenWRT packages
- Build VM on sown-vms as a new-style package management server on its existing addresses
- Check/add support for IPv6 on nodes where host network supports IPv6.
- Review maintain_sown_tunnel script to see why old openvpn processes hang about
- De-brick script for misconfigured nodes