Contemplating change to FreeRadius configuration....

Alan DeKok aland at deployingradius.com
Mon Jan 21 21:33:15 CET 2019


On Jan 21, 2019, at 3:17 PM, Mark J. Bobak <mark at bobak.net> wrote:
> But, I wanted to run a thought by folks here, before I spend too much time
> on the effort.

  That's the best approach.

> Currently, I'm running Freeradius 3.0.13 (which I think was current when we
> installed) on RedHat Enterprise Linux 7 (7.6).

  Hmm... I guess.

> I have a very simple implementation, using FreeRadius, Google
> Authenticator, and Linux.  I create an account in Linux, and each Linux
> account has a Google Authenticator component, and I use FreeRadius as the
> backend to authenticate VPN users, coming from a Dell SonicWall TZ400.
> 
> All this works with no issue.  (The main reason I've been so quiet on this
> list. ;-))

  Sounds good.

> Users come in from VPN, supply username, password, and Google auth OTP, and
> FreeRadius authenticates them.  The users are defined in Linux, on the
> FreeRadius server itself.
> 
> Since I first set this up a couple of years ago, we have made some changes,
> including moving to a Samba backend to do Active Directory authentication
> for Windows logins.

  That's a common config.

> So, my question is, instead of maintaining a separate database for VPN, is
> it possible (and how hard) to make my Samba server be the backend?  So,
> when we add a user to the Samba AD server, they will gain VPN login access,
> in addition to the Windows domain for Windows login access.

  That's pretty simple.  VPNs usually send User-Password.  So all of the normal MS-CHAP nonsense doesn't apply.  And, you can largely treat AD as just another LDAP server.

> If I go that way, would the Google Auth stuff have to move over to the
> Samba server?

  I don't see why.  FreeRADIUS can do all that.

>  Would two-factor auth apply to Windows domain login as well
> as VPN access?  (That may be a Samba question, sorry.)

  Nope.  AD / Samba are just databases.  FreeRADIUS is the one with the weird authentication logic.

>  Would the
> FreeRadius server need to move to the Samba server?

  No.

> Has anyone done something like this?  Was it difficult?

  Yes, and it's not difficult.

> I'm a little bit loath to change a configuration that has been working so
> well for so long....but as we grow, I'm willing to bet it will pay for
> itself in time saved.

  Exactly.

> Any helpful hints?  Pointers to docs?

  If the VPNs send User-Password, then the LDAP documentation should work.  Configure that, and make sure to set "Auth-Type := ldap", which isn't the default.  But it is needed for AD.

  My only $0.02 is to read raddb/sites-available/README.  See section 5.  You can set up a different virtual server for VPN access.  That way you're *guaranteed* it doesn't affect other users.  And, the VPN virtual server will likely be ~30 lines long.  Which makes it *very* easy to debug and/or modify.

  Alan DeKok.
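A minimal VPN virtual server along the lines Alan describes (its own listener, LDAP against the Samba AD, "Auth-Type := ldap" set explicitly), as an added example that is not from the list post or from the FreeRADIUS project. The port, client address, shared secret and the ldap module's AD settings are placeholders; the Google Authenticator step is not shown.

```unlang
# raddb/sites-available/vpn  (added example; assumes raddb/mods-available/ldap
# already points at the Samba AD DC; server/base_dn/identity there are
# placeholders to fill in, and the VPN sends a plaintext User-Password)

# Clients bound to this listener only: the rest of the site never sees them.
clients vpn_clients {
	client sonicwall {
		ipaddr = 192.0.2.10                 # placeholder (RFC 5737 range)
		secret = CHANGE-ME-placeholder
		require_message_authenticator = yes
	}
}

server vpn {
	listen {
		type = auth
		ipaddr = *
		port = 18120                        # placeholder: dedicated VPN port
		clients = vpn_clients
	}

	authorize {
		# AD does not expose password hashes over LDAP, so only a cleartext
		# User-Password can be checked here; refuse anything else early.
		if (!&User-Password) {
			reject
		}
		ldap
		# The ldap module does not set Auth-Type by itself; do it here.
		if ((ok || updated) && &User-Password) {
			update control {
				&Auth-Type := ldap
			}
		}
	}

	authenticate {
		# Auth-Type ldap binds to AD as the user, the check AD permits.
		Auth-Type ldap {
			ldap
		}
	}

	post-auth {
		Post-Auth-Type REJECT {
			# Strip attributes that must not leak in an Access-Reject.
			attr_filter.access_reject
		}
	}
}
```

Enable it with a symlink in raddb/sites-enabled and watch `radiusd -X` while testing; because only the VPN client and port reach this server, nothing changes for existing users.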
