cisco vpn authentication, freeradius and best practices
Greetings, I have a best practices question. I am currently building a freeradius+LVS cluster to replace an existing radius server. In the process I am trying to do things as solidly as possible. Part of this process is tidying up the users file. In the process I noticed a rule that made me a little squishy. The purpose of the rule is to handle incoming requests from a cisco pix for VPN authentication. It is supposed to validate it using ntlm_auth. There are two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one is for ntlm_auth_plaintext. I tested this rule with radtest (Making the necessary modifications and it worked fine. DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this? While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?
Elizabeth Steinke wrote:
I tested this rule with radtest (Making the necessary modifications and it worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject
Then it's fine.
Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this?
If it works... it's fine. The big rants about not forcing Auth-Type are because of the people who force it without understanding the consequences... and then complain when it doesn't work.
While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?
It's good practice. But doing all of those LDAP-Group queries can get expensive. i.e. you're doing *two* queries instead of one. You could fix this with "unlang": if (Huntgroup-Name == "vpn-pix") { if (LDAP-Group == ...) { update control { Auth-Type := ntlm_auth_plaintext } } else { reject } } Only one LDAP-Group check is more efficient. Alan DeKok.
Fantastic! Thanks so much. unlang looks pretty interesting. Ill need to do more reading. Is there a book coming out on freeradius 2 soon? I've gotten alot of good info from the oreilly freeradius 1 book. Thanks! Liz On Sun, Oct 19, 2008 at 11:17 AM, Alan DeKok <aland@deployingradius.com>wrote:
Elizabeth Steinke wrote:
I tested this rule with radtest (Making the necessary modifications and it worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject
Then it's fine.
Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this?
If it works... it's fine.
The big rants about not forcing Auth-Type are because of the people who force it without understanding the consequences... and then complain when it doesn't work.
While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?
It's good practice. But doing all of those LDAP-Group queries can get expensive. i.e. you're doing *two* queries instead of one.
You could fix this with "unlang":
if (Huntgroup-Name == "vpn-pix") { if (LDAP-Group == ...) { update control { Auth-Type := ntlm_auth_plaintext } } else { reject }
}
Only one LDAP-Group check is more efficient.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The purpose of the rule is to handle incoming requests from a cisco pix for VPN authentication. It is supposed to validate it using ntlm_auth. There are two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one is for ntlm_auth_plaintext. I tested this rule with radtest (Making the necessary modifications and it worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject
Is it a good idea to force the auth-type in the users file?
No. Forcing auth type should be avoided as a rule. But in this case it can't be avoided. But the entry is wrong. If you get mschap request this entry will force auth type to plaintext authentication and authentication will fail. Change operator := to =. That way, if auth type mschap was set already (mschap is listed before files in authorize) it won't be changed. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Elizabeth Steinke -
tnt@kalik.net