On Jan 21, 2019, at 3:17 PM, Mark J. Bobak <mark@bobak.net> wrote:
But, I wanted to run a thought by folks here, before I spend too much time on the effort.
That's the best approach.
Currently, I'm running Freeradius 3.0.13 (which I think was current when we installed) on RedHat Enterprise Linux 7 (7.6).
Hmm... I guess.
I have a very simple implementation, using FreeRadius, Google Authenticator, and Linux. I create an account in Linux, and each Linux account has a Google Authenticator component, and I use FreeRadius as the backend to authenticate VPN users, coming from a Dell Sonicall TZ400.
All this works with no issue. (The main reason I've been so quiet on this list. ;-))
Sounds good.
Users come in from VPN, supply username, password, and Google auth OTP, and FreeRadius authenticates them. The users are defined in Linux, on the FreeRadius server itself.
Since I first set this up a couple of years ago, we have made some changes, including moving to a Samba backend to do Active Directory authentication for Windows logins.
That's a common config.
So, my question is, instead of maintaining a separate database for VPN, is it possible (and how hard) to make my Samba server be the backend? So, when we add a user to the Samba AD server, they will gain VPN login access, in addition to the Windows domain for Windows login access.
That's pretty simple. VPNs usually send User-Password. So all of the normal MS-CHAP nonsense doesn't apply. And, you can largely treat AD as just another LDAP server.
If I go that way, would the Google Auth stuff have to move over to the Samba server?
I don't see why. FreeRADIUS can do all that.
Would two-factor auth apply to Windows domain login as well as VPN access? (That may be a Samba question, sorry.)
Nope. AD / Samba are just databases. FreeRADIUS is the one with the weird authentication logic.
Would the FreeRadius server need to move to the Samba server?
No.
Has anyone dome something like this? Was it difficult?
Yes, and it's not difficult.
I'm a little bit loathe to change a configuration that has been working so well for so long....but as we grow, I'm willing to bet it will pay for itself in time saved.
Exactly.
Any helpful hints? Pointers to docs?
If the VPNs send User-Password, then the LDAP documentation should work. Configure that, and make sure to set "Auth-Type := ldap", which isn't the default. But it is needed for AD. My only $0.02 is to read raddb/sites-available/README. See section 5. You can set up a different virtual server for VPN access. That way you're *guaranteed* it doesn't affect other users. And, the VPN virtual server will likely be ~30 lines long. Which makes it *very* easy to debug and/or modify. Alan DeKok.