need help & advice getting started with freeradius
Hello everyone, this is my first time getting started with freeradius. I implement ICT at a local school and I would like to improve our wireless from a WPA pre-share key to a radius based system. We have an openldap server already with all our users and groups and use them to authticate them into our clients. I would like to extend this username and password requirement to our wireless systems rather than having to give out our wireless key. Our wireless users have a variety of Windows, OSX and Linux machines. Free-radius therefore seems to be the idea solution to this. First up i have read this guide: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centr... get me started on the idea of ldap and radius. Next up ive read this guide: http://ubuntuforums.org/archive/index.php/t-478804.html which works on the idea of PEAP. In my scenario I would like to use PEAP if possible but not require the user client to have a certificate, just the radius-server (which is why i believe the TTLS solution will be in-efficient here as i would have to deal with handy out client certificates to hundreds of users). And to be asked thern their username and password to authticate onto our wireless. Would combining these two guides work to get these two intial sets up and running? Second up how can i then extend this system so that i can ban specific users and groups from the wireless system. Obviously i could remove them from ldap but I would like to be able to have the flexibility to prevent a user using the wireless but to still be able to log onto one of our terminals. I believe in your FAQ article the section How do I deny access to a specific user, or group of users? would do this definatly for the user. If i make sure I add the user specifically before it goes onto the ldap auth. However how can i get it to deny access to ldap groups from this? Any help / guides online which you think will help me get pointed in the right direction would be super. Many Thanks.
In my scenario I would like to use PEAP if possible but not require the user client to have a certificate, just the radius-server (which is why i believe the TTLS solution will be in-efficient here as i would have to deal with handy out client certificates to hundreds of users). And to be asked thern their username and password to authticate onto our wireless. Would combining these two guides work to get these two intial sets up and running?
PEAP will require passwords stored as clear text or nt hash. If your passwords are stored as something else they will have to be changed. As for combining freeradius and ldap prehaps you should read freeradius documentation first (wiki or doc/rlm_ldap from the download) and then see is there any need to bother wiyh third party stuff.
Second up how can i then extend this system so that i can ban specific users
Read about dialupAccess attribute in rlm_ldap document.
and groups
Read about setting up group membership filter (you can guess by now - in rlm_ldap document) and use unlang in authorize section: if (Ldap-Group == whatever) { reject } Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
In my scenario I would like to use PEAP if possible but not require the user client to have a certificate, just the radius-server (which is why i believe the TTLS solution will be in-efficient here as i would have to deal with handy out client certificates to hundreds of users). And to be asked thern their username and password to authticate onto our wireless. Would combining these two guides work to get these two intial sets up and running?
TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS means you put a verifiable server certificate on the *server* end that the client can verify and know who it is talking to, then you can safely even send the password in plain text.
PEAP will require passwords stored as clear text or nt hash. If your passwords are stored as something else they will have to be changed.
...or...you use EAP-TTLS and get the client to send the passwords in plaintext and then do an LDAP bind() to check if the credentials are correct. Once you are doing this you can one day get around to (if you want to) putting in plaintext passwords into your LDAP database that FreeRADIUS can use and abuse.
As for combining freeradius and ldap prehaps you should read freeradius documentation first (wiki or doc/rlm_ldap from the download) and then see is there any need to bother wiyh third party stuff.
Well PEAP without AD means you have to jump through a lot of hoops manually configuring each client by hand. With something like SecureW2 you include a 'seeding' file and it will do all the hard manual priming. This is all overlooking that PEAP is horrible as if you want to play with OTP's or other fun custom things, good luck doing that with PEAP. Cheers -- Alexander Clouter .sigmonster says: Marriage causes dating problems.
Okie, I've spent some of this weekend looking into this and some of the files included in freeradius (havnt had a chance to play around testing it though). Am I right in guessing once i've configured the ldap group membership filter, i include the unlang statement: if (Ldap-Group == whatever) { reject } As Ivan suggested in my radiusd.conf file in the authorise part? Second up im still juggerling between what EAP type to use. It seems more an more PEAP is going to introduce a level of complexity which I would like to avoid. Whats the views of this list on what extension will be most suitable in this case. As i mentioned previously I would like to keep admin work down as much as possible in terms of certificates due to currently many of our users have to constantly come to ICT for help configuring their wireless. Hence the ideal of them just needing to use their username and password to firstly make it considerably easier for a user to get onto the wireless and to secondly increase the security of our wireless network. Also is the use of a different EAP type going to cause difficulty in terms of client compatability. Aka is a user with his poor windows laptop going to have to install something extra just to communicate with the wireless, or should it just be as simple as user sees wireless network, chooses it, it prompts for username and password and off he goes. Do I have to use a EAP type or can i get away with not having one / is this very ill advised? Basically if you were in my position how would you go about it, is probally what I'm asking for lols. I admit wireless security is something I have not gone very deep into before. Many thanks again. On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter <alex@digriz.org.uk>wrote:
tnt@kalik.net wrote:
In my scenario I would like to use PEAP if possible but not require the
user
client to have a certificate, just the radius-server (which is why i believe the TTLS solution will be in-efficient here as i would have to deal with handy out client certificates to hundreds of users). And to be asked thern their username and password to authticate onto our wireless. Would combining these two guides work to get these two intial sets up and running?
TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS means you put a verifiable server certificate on the *server* end that the client can verify and know who it is talking to, then you can safely even send the password in plain text.
PEAP will require passwords stored as clear text or nt hash. If your passwords are stored as something else they will have to be changed.
...or...you use EAP-TTLS and get the client to send the passwords in plaintext and then do an LDAP bind() to check if the credentials are correct.
Once you are doing this you can one day get around to (if you want to) putting in plaintext passwords into your LDAP database that FreeRADIUS can use and abuse.
As for combining freeradius and ldap prehaps you should read freeradius documentation first (wiki or doc/rlm_ldap from the download) and then see is there any need to bother wiyh third party stuff.
Well PEAP without AD means you have to jump through a lot of hoops manually configuring each client by hand. With something like SecureW2 you include a 'seeding' file and it will do all the hard manual priming.
This is all overlooking that PEAP is horrible as if you want to play with OTP's or other fun custom things, good luck doing that with PEAP.
Cheers
-- Alexander Clouter .sigmonster says: Marriage causes dating problems.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lol just actually read some stuff on WPA and learnt abit more about EAP. I realise now that TTLS does not require client certificates like I previously thought only the server. Apologies for this miss understanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be to difficult to distribute to them I would have to look into these possible issues. On Sun, Apr 5, 2009 at 9:35 PM, daniel knox <mail@dknox.co.uk> wrote:
Okie, I've spent some of this weekend looking into this and some of the files included in freeradius (havnt had a chance to play around testing it though). Am I right in guessing once i've configured the ldap group membership filter, i include the unlang statement:
if (Ldap-Group == whatever) { reject } As Ivan suggested in my radiusd.conf file in the authorise part?
Second up im still juggerling between what EAP type to use. It seems more an more PEAP is going to introduce a level of complexity which I would like to avoid. Whats the views of this list on what extension will be most suitable in this case. As i mentioned previously I would like to keep admin work down as much as possible in terms of certificates due to currently many of our users have to constantly come to ICT for help configuring their wireless. Hence the ideal of them just needing to use their username and password to firstly make it considerably easier for a user to get onto the wireless and to secondly increase the security of our wireless network. Also is the use of a different EAP type going to cause difficulty in terms of client compatability. Aka is a user with his poor windows laptop going to have to install something extra just to communicate with the wireless, or should it just be as simple as user sees wireless network, chooses it, it prompts for username and password and off he goes. Do I have to use a EAP type or can i get away with not having one / is this very ill advised? Basically if you were in my position how would you go about it, is probally what I'm asking for lols. I admit wireless security is something I have not gone very deep into before.
Many thanks again.
On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter <alex@digriz.org.uk>wrote:
tnt@kalik.net wrote:
In my scenario I would like to use PEAP if possible but not require the
user
client to have a certificate, just the radius-server (which is why i believe the TTLS solution will be in-efficient here as i would have to deal with handy out client certificates to hundreds of users). And to be asked thern their username and password to authticate onto our wireless. Would combining these two guides work to get these two intial sets up and running?
TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS means you put a verifiable server certificate on the *server* end that the client can verify and know who it is talking to, then you can safely even send the password in plain text.
PEAP will require passwords stored as clear text or nt hash. If your passwords are stored as something else they will have to be changed.
...or...you use EAP-TTLS and get the client to send the passwords in plaintext and then do an LDAP bind() to check if the credentials are correct.
Once you are doing this you can one day get around to (if you want to) putting in plaintext passwords into your LDAP database that FreeRADIUS can use and abuse.
As for combining freeradius and ldap prehaps you should read freeradius documentation first (wiki or doc/rlm_ldap from the download) and then see is there any need to bother wiyh third party stuff.
Well PEAP without AD means you have to jump through a lot of hoops manually configuring each client by hand. With something like SecureW2 you include a 'seeding' file and it will do all the hard manual priming.
This is all overlooking that PEAP is horrible as if you want to play with OTP's or other fun custom things, good luck doing that with PEAP.
Cheers
-- Alexander Clouter .sigmonster says: Marriage causes dating problems.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Lol just actually read some stuff on WPA and learnt abit more about EAP. I realise now that TTLS does not require client certificates like I previously thought only the server. Apologies for this miss understanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be to difficult to distribute to them I would have to look into these possible issues.
yep - your RADIUS server could be signed by a global CA (verisign, globalsign etc) so that you dont need to worry about getting your CA onto random laptops etc (I still say a closed-loop system where your RADIUS server is verified by your own CA may lead to more secure system). for dealing with plain text passwords, EAP-TTLS gives you easier admin time - though more effort for the client - SecureW2 and OpenSEA are choices... alan
daniel knox <mail@dknox.co.uk> wrote:
Lol just actually read some stuff on WPA and learnt abit more about EAP. I realise now that TTLS does not require client certificates like I previously thought only the server. Apologies for this miss understanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be to difficult to distribute to them I would have to look into these possible issues.
You use server certificates for PEAP too, it's madness not to use a server certificate in either case. If you do not then the clients are more than happy to dish out user credentials to anyone who asks. I prefer TTLS as although PEAP is already built into Mac OS X and Windows, neither can be easily autoconfigured with some kind of priming script[1]. We use TTLS as it's not braindead[2] and in the case of SecureW2 it can be trivially autoconfigured. If you tie it in with a NSIS script then you can do some *really* nice things for wireless workstation priming for your Windows userbase. Cheers [1] not that I know of anyway, and Mac OS X 10.5 seems to have dropped support for wireless profile importing [2] well from my perspective, I'm sure implentators out their might say otherwise -- Alexander Clouter .sigmonster says: Neil Armstrong tripped.
Okies long day trying to deploy radius, i think it might be in a working state though. Basically I had to use radius 1.7 something as it was in the repos. If problems persist Ill try and compile a binary up for the distro they are using (pclinuxOS). Off topic I agree with people that a server orientated OS such as centos would make life far easier more often. Anyways PclinuxOS it is currently. Initially got ldap up and running and local radtest worked well with a user from the directory, when i tried getting my iphone to connect problems ensued. quickly worked out that the iphone defaults to sending a PEAP eap request, which as your documentation states would stop the ldap bit as i hadnt touched anything to do with TLS, PEAP etc at that point. I have NTPassword in my ldap directory so i could use PEAP, however maybe through miss-configuration by me or the fact that my entry does not have a preceding 0x. Instead it just has 32digits without the preceding two characters could be why this wasnt working. However my ldap field is set to max 32chars long so not sure how to append these two characters and changing alot of entries if i fuzz up will be very bad news. So instead went with TTLS. This time i started from scratch as im convinced by now the config files were probally messed over, and this time when i set it up i still find that i can query ldap user with radtest locally which is good. Havnt tried the wireless point yet as the iphone requires a profile sent to it from the iphone configurator tool to set TTLS. However it also asks for inner authetication protocol. Ive set this to PAP as im assuming that ms-chap is going to require NT-password. Is this likely to work or do i have to do something to configure PAP. I realise if i get TTLS up and running im going to have to create some deployment stuff to get it out there but i will cross that bridge when it comes to it. Will post up if i get anymore problems tomorrow when i try the profiled iphone. As if it doesnt work I'm not sure what would be causing these problems so will send my configs and errors tomorrow. Atm the setup is like this: openldap directory and freeradius 1.7 on same server (xen), freeradius refers to ldap by localhost. Linksys wireless access point in enterprise mix mode which only has an ip for radius server and port options. Linksys point added to client.conf. Iphone for testing. On Sun, Apr 5, 2009 at 10:24 PM, Alexander Clouter <alex@digriz.org.uk>wrote:
daniel knox <mail@dknox.co.uk> wrote:
Lol just actually read some stuff on WPA and learnt abit more about EAP.
I
realise now that TTLS does not require client certificates like I previously thought only the server. Apologies for this miss understanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be to difficult to distribute to them I would have to look into these possible issues.
You use server certificates for PEAP too, it's madness not to use a server certificate in either case. If you do not then the clients are more than happy to dish out user credentials to anyone who asks.
I prefer TTLS as although PEAP is already built into Mac OS X and Windows, neither can be easily autoconfigured with some kind of priming script[1]. We use TTLS as it's not braindead[2] and in the case of SecureW2 it can be trivially autoconfigured. If you tie it in with a NSIS script then you can do some *really* nice things for wireless workstation priming for your Windows userbase.
Cheers
[1] not that I know of anyway, and Mac OS X 10.5 seems to have dropped support for wireless profile importing [2] well from my perspective, I'm sure implentators out their might say otherwise
-- Alexander Clouter .sigmonster says: Neil Armstrong tripped.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
daniel knox wrote:
Basically I had to use radius 1.7 something as it was in the repos.
Source code *does* exist for newer versions.
I have NTPassword in my ldap directory so i could use PEAP, however maybe through miss-configuration by me or the fact that my entry does not have a preceding 0x. Instead it just has 32digits without the preceding two characters could be why this wasnt working. However my ldap field is set to max 32chars long so not sure how to append these two characters and changing alot of entries if i fuzz up will be very bad news.
Newer versions of the server will work without the 0x.
Atm the setup is like this: openldap directory and freeradius 1.7 on same server (xen), freeradius refers to ldap by localhost. Linksys wireless access point in enterprise mix mode which only has an ip for radius server and port options. Linksys point added to client.conf. Iphone for testing.
Or... http://deployingradius.com/ There are step-by-step instructions for testing EAP from the command line. Alan DeKok.
I think I agree with you and will compile 1.7 from source. Would likely make this whole thing much easier as it seems like your suggesting. I will try make an rpm and send it to the PclinuxOS repositories as well if possible. That way other users will be able to get the up to date binary. :) On Mon, Apr 6, 2009 at 5:05 PM, Alan DeKok <aland@deployingradius.com>wrote:
daniel knox wrote:
Basically I had to use radius 1.7 something as it was in the repos.
Source code *does* exist for newer versions.
I have NTPassword in my ldap directory so i could use PEAP, however maybe through miss-configuration by me or the fact that my entry does not have a preceding 0x. Instead it just has 32digits without the preceding two characters could be why this wasnt working. However my ldap field is set to max 32chars long so not sure how to append these two characters and changing alot of entries if i fuzz up will be very bad news.
Newer versions of the server will work without the 0x.
Atm the setup is like this: openldap directory and freeradius 1.7 on same server (xen), freeradius refers to ldap by localhost. Linksys wireless access point in enterprise mix mode which only has an ip for radius server and port options. Linksys point added to client.conf. Iphone for testing.
Or... http://deployingradius.com/
There are step-by-step instructions for testing EAP from the command line.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
daniel knox <mail@dknox.co.uk> wrote:
Hello everyone, this is my first time getting started with freeradius.
I implement ICT at a local school and I would like to improve our wireless from a WPA pre-share key to a radius based system. We have an openldap server already with all our users and groups and use them to authticate them into our clients. I would like to extend this username and password requirement to our wireless systems rather than having to give out our wireless key. Our wireless users have a variety of Windows, OSX and Linux machines. Free-radius therefore seems to be the idea solution to this.
Because of your 'location' you might be interested in familiarising yourself with 'eduroam' (you probably already are as Portsmouth university has implemented it): http://www.ja.net/services/authentication-and-authorisation/janet-roaming.ht... It's not quite something for the school level (I'm guessing this is your primary school project?) but it's something that is pretty prevalent in the university world and being pushed for the further education world. You can see Arran blowing his trumpet (I tease, it's actually good stuff) with his step-by-step guide too: http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-st... If you need any assistance on this, best take it off list as it starts going off topic for FreeRADIUS. Although 'eduroam' might not be available to the local school for whatever reasons, all the documentation relating to deploying FreeRADIUS for 'eduroam' is exactly what you are looking for. Cheers [1] as far as I am aware, I'm sure Mark O'Leary will correct me here if need be -- Alexander Clouter .sigmonster says: "But this one goes to eleven." -- Nigel Tufnel
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alexander Clouter -
daniel knox -
tnt@kalik.net