Hi, I want to move away from PSK and use 802.1x in the future for our wireless clients. - 2 CentOS 7 Servers with Freeradius from repo, currently version: 3.0.4 - User Backend shall be OpenLDAP with passwords hashed in SSHA (inetOrgPerson/posixAccount) - Clients: Android 3,x or 4,x or bigger, iOS 7+, Windows 7+ but mainly 7 - Within our self-managed CA we will create a certificate that every client will get manually installed - We prefer credential based authentication over certificate based client authentication questions 1) A colleague mentioned that we would have a problem with connecting to LDAP, because the passwords stored there are SSHA and he also said that only unencrypted/unhashed passwords will do or NTLM. What road do we need to choose when it comes to authentication methods. 2) What do I have to consider when choosing the common name for the certificate? Thank you in advance -- Peakwork Signature *Jochen Demmer* Network Administrator T: +49-(0)241-4131146-29 jochen.demmer@peakwork.com peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 | F: +49-(0)241-4131146-17 peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: +49-(0)211-91368-500 | F: +49-(0)211-91368-509 Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt | Dr. Thomas van Kaldenkerken Chairman of the supervisory board: Markus Voelkel Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677 Peakwork Logo www.peakwork.com | www.peakwork.de
On Jun 23, 2015, at 10:37 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
Hi,
I want to move away from PSK and use 802.1x in the future for our wireless clients.
- 2 CentOS 7 Servers with Freeradius from repo, currently version: 3.0.4 - User Backend shall be OpenLDAP with passwords hashed in SSHA (inetOrgPerson/posixAccount) - Clients: Android 3,x or 4,x or bigger, iOS 7+, Windows 7+ but mainly 7 - Within our self-managed CA we will create a certificate that every client will get manually installed - We prefer credential based authentication over certificate based client authentication
questions 1) A colleague mentioned that we would have a problem with connecting to LDAP, because the passwords stored there are SSHA and he also said that only unencrypted/unhashed passwords will do or NTLM. What road do we need to choose when it comes to authentication methods.
With the common EAP methods you're limited to EAP-TTLS-PAP if using SSHA.
2) What do I have to consider when choosing the common name for the certificate?
Not sure what you mean by that... I've always used the full name of the employee, and encoded their email address in the certificate as a more unique identifier. -Arran
The SSHA are non reversible and LDAP won't do challenge response for PEAP. So you either need to have them in another encryption method or be limited to EAP-TTLS/PAP Regarding cert. ..and this is very important for TTLS/PAP. The common name is just a name that the clients are configured to check in the applicant properties. Common practice is to use a domain name that makes sense. ...but you can just call it 'networkaccess' if you want.....that'd even work across a proxied link. Use the same cert on both servers. ..its not like secure web where you are tied to DNS and host name mappings. alan
On Jun 23, 2015, at 12:12 PM, Alan Buxey <A.L.M.Buxey@LBORO.AC.UK> wrote:
The SSHA are non reversible and LDAP won't do challenge response for PEAP. So you either need to have them in another encryption method or be limited to EAP-TTLS/PAP
Regarding cert. ..and this is very important for TTLS/PAP.
Ah OP wasn't clear that, that, was the server side certificate. -Arran
Thanks for the response. So EAP-TTLS windows 7 doesn't support out of the box, right? I actually don't feel very comfortable with the idea of installing third party software on all machines. What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? What about revocation lists? How do I take care of them? The longer I write, the better I like third party software... Maybe there's another way. Our ldap also stores ntlm passwords for samba. Please someone share his experience with me. Sent from my cellphone
Am 23.06.2015 um 18:13 schrieb Alan Buxey <A.L.M.Buxey@lboro.ac.uk>:
The SSHA are non reversible and LDAP won't do challenge response for PEAP. So you either need to have them in another encryption method or be limited to EAP-TTLS/PAP
Regarding cert. ..and this is very important for TTLS/PAP. The common name is just a name that the clients are configured to check in the applicant properties. Common practice is to use a domain name that makes sense. ...but you can just call it 'networkaccess' if you want.....that'd even work across a proxied link. Use the same cert on both servers. ..its not like secure web where you are tied to DNS and host name mappings.
alan
Hi,
So EAP-TTLS windows 7 doesn't support out of the box, right?
correct. Windows 8 and above...
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background?
yes....if the client certs have identifiable attributes in them that can be checked against your LDAP - eg username is embedded in the CommonName..or use one of the other cert fields for options in your LDAP etc
What about revocation lists? How do I take care of them?
CRL or OSCP - I'd go down the OSCP route myself...
Maybe there's another way. Our ldap also stores ntlm passwords for samba.
in that case, use that attribute for the authentication....once the FreeRADIUS server has read that, then you can use EAP-PEAP/MSCHAPv2 and your life will be simpler alan
Does someone maybe have a good howto for my scenario? Freeradius 3 + OpenLDAP with MSCHAPv2 and NTLM based passwords, which are by the way stored in an attibute called sambaNTPassword. I keep trying to setup Radius 3 but it keeps saying: Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8) I've just configured the ldap module and also activated it. Also I have added a client so far. Do I have to install this radius schema into my LDAP backend if I'm going with the LDAP connection? I thought ideally the user is checked and additionally if he belongs to some group to have access control. Thank you Am 23.06.2015 um 23:35 schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
So EAP-TTLS windows 7 doesn't support out of the box, right? correct. Windows 8 and above...
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? yes....if the client certs have identifiable attributes in them that can be checked against your LDAP - eg username is embedded in the CommonName..or use one of the other cert fields for options in your LDAP etc
What about revocation lists? How do I take care of them? CRL or OSCP - I'd go down the OSCP route myself...
Maybe there's another way. Our ldap also stores ntlm passwords for samba. in that case, use that attribute for the authentication....once the FreeRADIUS server has read that, then you can use EAP-PEAP/MSCHAPv2 and your life will be simpler
alan
-- Peakwork Signature *Jochen Demmer* Network Administrator T: +49-(0)241-4131146-29 jochen.demmer@peakwork.com peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 | F: +49-(0)241-4131146-17 peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: +49-(0)211-91368-500 | F: +49-(0)211-91368-509 Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt | Dr. Thomas van Kaldenkerken Chairman of the supervisory board: Markus Voelkel Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677 Peakwork Logo www.peakwork.com | www.peakwork.de
2015-06-25 13:31 GMT+02:00 Jochen Demmer <jochen.demmer@peakwork.com>:
Does someone maybe have a good howto for my scenario? Freeradius 3 + OpenLDAP with MSCHAPv2 and NTLM based passwords, which are by the way stored in an attibute called sambaNTPassword.
I had such a setup before but moved to EAP-TLS and completely dropped LDAP. In fact it is not that difiicult to get it working. You just need to configure the ldap moduel correctly enable LDAP in sites-enabled/ and that's it.
I keep trying to setup Radius 3 but it keeps saying:
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
That's fine. FR closes unused connections after a specified amount of time. If it then needs a connection but has none open already it prints out that message and reopens connections.
I've just configured the ldap module and also activated it. Also I have added a client so far.
A client or a user? A client is a NAS that requires a user to authenticate and forwards user access requests to the RADIUS. And a user is a user, obviously :)
Do I have to install this radius schema into my LDAP backend if I'm going with the LDAP connection?
If you just want to read username & password out of LDAP you don't need it. If you additionally want to manage clients and other stuff like RADIUS Attributes (eg. Calling-Station-Id or Tunnel-Private-Group-Id) then you have to install it. There are two schema files. One for radius itself and all attributes and one for radius clients.
I thought ideally the user is checked and additionally if he belongs to some group to have access control.
RADIUS does only authentication of users. If you want to apply more attributes, eg. VLAN you have to tell RADIUS to additionally read these attributes stored in LDAP. If these are present for a user/group it applies them. If not it doesn't. If you want more you have to script unlang.
On Jun 25, 2015, at 7:31 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
Does someone maybe have a good howto for my scenario? Freeradius 3 + OpenLDAP with MSCHAPv2 and NTLM based passwords, which are by the way stored in an attibute called sambaNTPassword.
That should work. Take the default configuration. Enable the LDAP module. Configure the LDAP module to talk to OpenLDAP. MS-CHAP will work.
I keep trying to setup Radius 3 but it keeps saying:
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
It says rather a lot more than that. The point of the debug log is to read *all* of it.
I've just configured the ldap module and also activated it. Also I have added a client so far.
Then post the full debug log. If authentication fails, the debug log will say why.
Do I have to install this radius schema into my LDAP backend if I'm going with the LDAP connection?
No.
I thought ideally the user is checked and additionally if he belongs to some group to have access control.
That's easy. Read http://wiki.freeradius.org/modules/Rlm_ldap Look for "group". Alan DeKok.
Hi,
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
which version of FR 3.0.x , I cant recall what you said earlier in this thread... I ask because there were a few connection pool bugs with LDAP and SQL where the connections would get closed down..and no new ones got opened when needed. upgrade. (or set the leepalive and timeout etc to 0 in the ldap config so that it doesnt close the connections at all) alan
A.L.M.Buxey@lboro.ac.uk wrote:
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
which version of FR 3.0.x , I cant recall what you said earlier in this thread...
radiusd -v radiusd: FreeRADIUS Version 3.0.9, for host amd64-portbld-freebsd10.1, built on Jun 24 2015 at 11:20:18
-- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
oops ... my previous post is mistake :( A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
which version of FR 3.0.x , I cant recall what you said earlier in this thread... I ask because there were a few connection pool bugs with LDAP and SQL where the connections would get closed down..and no new ones got opened when needed. upgrade. (or set the leepalive and timeout etc to 0 in the ldap config so that it doesnt close the connections at all)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<#secure method=pgp mode=sign sender=0FF7A32A> -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
rpm -qi freeradius Name : freeradius Version : 3.0.4 Release : 6.el7 Architecture: x86_64 This is what comes with CentOS 7 Base repos Actually it's working now. It didn't work because I queried the LDAP DB anonymously which isn't granting access to the password attribute of course. Anyway it didn't give a reasonable error message in the radius.log about that. Thank you Am 25.06.2015 um 22:06 schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8) which version of FR 3.0.x , I cant recall what you said earlier in this thread... I ask because there were a few connection pool bugs with LDAP and SQL where the connections would get closed down..and no new ones got opened when needed. upgrade. (or set the leepalive and timeout etc to 0 in the ldap config so that it doesnt close the connections at all)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Peakwork Signature *Jochen Demmer* Network Administrator T: +49-(0)241-4131146-29 jochen.demmer@peakwork.com peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 | F: +49-(0)241-4131146-17 peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: +49-(0)211-91368-500 | F: +49-(0)211-91368-509 Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt | Dr. Thomas van Kaldenkerken Chairman of the supervisory board: Markus Voelkel Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677 Peakwork Logo www.peakwork.com | www.peakwork.de
On Jun 26, 2015, at 11:39 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
Actually it's working now. It didn't work because I queried the LDAP DB anonymously which isn't granting access to the password attribute of course. Anyway it didn't give a reasonable error message in the radius.log about that.
Does the LDAP server return a reasonable error to FreeRADIUS? Probably not. That's why FreeRADIUS doesn't give a reasonable error. We've put a lot of work into 3.0.9, in order to make all of the messages better / clearer. This will help, but won't be perfect. Because we depend on third-party libraries which aren't perfect. Alan DeKok.
On Jun 26, 2015, at 11:39 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
rpm -qi freeradius Name : freeradius Version : 3.0.4 Release : 6.el7 Architecture: x86_64
This is what comes with CentOS 7 Base repos
The server comes with perfectly good spec files. Roll your own RPMs.
Actually it's working now. It didn't work because I queried the LDAP DB anonymously which isn't granting access to the password attribute of course. Anyway it didn't give a reasonable error message in the radius.log about that.
It should have given you an error about no known good password being found. Other than that, if you request an attribute, and you either don't have access, or it doesn't exist, you simply don't get the attribute value in the entry. Indicating the possibility of an attribute being present, for which you don't have access, was probably, rightly, determined by the overlords of the LDAP working group, to be a security flaw. So I'm not sure what the 'reasonable' error message would be in this case, other than the one we provide. ...and you may want to re-read your statement above. If the LDAP server allowed consumers of the LDAP directory to read the password attribute after an *ANONYMOUS* bind, it wouldn't be a very secure setup would it. That would mean that anyone who could communicate with the LDAP directory could download the credentials of *ANYONE* stored within that LDAP directory. But wait THERE'S MORE! The message that does get emitted EXPLICITLY SAYS CHECK THE PERMISSIONS *EXPLICITLY* /** Verify we got a password from the search * * Checks to see if after the LDAP to RADIUS mapping has been completed that a reference password. * * @param inst rlm_ldap configuration. * @param request Current request. */ void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request) { /* * More warning messages for people who can't be bothered to read the documentation. * * Expect_password is set when we process the mapping, and is only true if there was a mapping between * an LDAP attribute and a password reference attribute in the control list. */ if (inst->expect_password && (rad_debug_lvl > 1)) { if (!pairfind(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) && !pairfind(request->config, PW_NT_PASSWORD, 0, TAG_ANY) && !pairfind(request->config, PW_USER_PASSWORD, 0, TAG_ANY) && !pairfind(request->config, PW_PASSWORD_WITH_HEADER, 0, TAG_ANY) && !pairfind(request->config, PW_CRYPT_PASSWORD, 0, TAG_ANY)) { RWDEBUG("No \"known good\" password added. Ensure the admin user has permission to " "read the password attribute"); RWDEBUG("PAP authentication will *NOT* work with Active Directory (if that is what you " "were trying to configure)"); } } } I thought i'd accounted for all the common mistakes in rlm_ldap. But apparently some special flavour of idiocy has escaped my attention. So please enlighten me, what steps of progressive misthought led you to claim that there was no reasonable error message. AH, AH! you weren't running the server in *DEBUG* mode, like every other goddamn post says to do. If you *HAD* been running in the mode SPECIFICALLY CREATED TO HELP DIAGNOSE CONFIGURATION ISSUES, you would have *SEEN* the error message that told you that you BROKE THE SERVER CONFIGURATION. sigh...
2015-06-23 23:28 GMT+02:00 Jochen Demmer <jochen.demmer@peakwork.com>:
So EAP-TTLS windows 7 doesn't support out of the box, right? I actually don't feel very comfortable with the idea of installing third party software on all machines.
The required software is used for many years by many people. For example various universities provide it with their eduroam program to enable their students and employees to use EAP-TTLS. Just do a quick google for "SecureW2" and even the first two pages list plenty of known universities. But if you still don't want to use it: Why not using EAP-TLS? It's not tunneled but supported by nearly everything, even Windows XP. And if you want it to be very secure you could require users to enter the private key password every time they use it and additionally store the key/cert on a smartcard (yubikey neo).
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? What about revocation lists? How do I take care of them?
You can add your own OID to your client certificates as Certificate Policies (https://www.openssl.org/docs/apps/x509v3_config.html#Certificate-Policies) and those can be used by RADIUS / LDAP.
Hi,
The required software is used for many years by many people. For example various universities provide it with their eduroam program to enable their students and employees to use EAP-TTLS. Just do a quick google for "SecureW2" and even the first two pages list plenty of known universities.
Who have all stopped doing this because SecureW2 is throwing cease-and-dedists against them for using the GPL version of the SecureW2 client. Beware. Greetings, Stefan Winter
But if you still don't want to use it: Why not using EAP-TLS? It's not tunneled but supported by nearly everything, even Windows XP. And if you want it to be very secure you could require users to enter the private key password every time they use it and additionally store the key/cert on a smartcard (yubikey neo).
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background? What about revocation lists? How do I take care of them?
You can add your own OID to your client certificates as Certificate Policies (https://www.openssl.org/docs/apps/x509v3_config.html#Certificate-Policies) and those can be used by RADIUS / LDAP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
2015-06-23 16:37 GMT+02:00 Jochen Demmer <jochen.demmer@peakwork.com>:
Hi,
Hallo nach Aachen :)
2) What do I have to consider when choosing the common name for the certificate?
common name has to be the same as the user entry in eg. FR clients.conf or uid in LDAP. In short: common name = username. As an alternative you can specify any common name you want but then have to enable the "use different username" option. I know that Android (tested with 4.4) and iOS (5, 6, 7) and Windows can do that. In case of iOS you'll definitely have to use the "iPhone Konfigurationsprogramm" (which is no longer availabe at apple or supported at all but still works well with iOS 5,6,7,8) or the replacement tool but that is only available on MacOS. If you manually install the certificates you'll experience many weird problems like "device is connected to wifi but super slow or no data is flowing at all".
Hello,
In case of iOS you'll definitely have to use the "iPhone Konfigurationsprogramm" (which is no longer availabe at apple or supported at all but still works well with iOS 5,6,7,8) or the replacement tool but that is only available on MacOS. If you manually install the certificates you'll experience many weird problems like "device is connected to wifi but super slow or no data is flowing at all".
He doesn't have to use that tool. There are other, multi-platform tools which create those configs. You should maybe read http://freeradius.org/enterprise-wifi.html which among others points you to the Enterprise Network Configuration Assistant Tool https://802.1x-config.org - or for eduroam customers, https://cat.eduroam.org. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Ben Humpert -
Jochen Demmer -
Stefan Winter -
Zeus Panchenko