Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients
Hi everyone, I've been assigned the exciting task to setup a wired 802.1x environment to manage the access to our office infrastructure. I'm currently gathering all the possible informations to plan and deploy the solution since it's the first time I approach 802.1x and FreeRadius. I'm reading Freeradius beginner's guide by Dirk Van Der Walt and experimenting a bit with a freshly installed Ubuntu 12.04 freeradius server. Since I'm still in the planning phase I'd like to correctly understand which possibilities I have to deploy this of setup according to the needs of my company. This would be the list of requirements, my thoughts will follow: 1. user authentication and authorisation against our OpenLDAP directory, which is currently setup to store passwords with a SASL mechanism (the pass is hashed, and Apache Directory Studio shows the value of the UserPassword attribute of each user as "SASL hashed password". This note is important, see further on) 2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches depending on the gidNumber of the user 3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04) 4. FreeRadius server certificate validation (no client certificates used) and 802.1x authentication by providing user/pass My concerns and thoughts, point by point: 1. From what I had the opportunity to read in the FreeRadius configuration files, using LDAP as a password store is not possible when having hashed passwords. Yet, when I test the password validation via radtest the software succeeds and gives me an accept-accept. Intentionally mistyping the pass gives a reject. What am I doing wrong? Is the radtest tool using some other mechanism then MSCHAPv2? 2. this appears to be fairly easy to achieve by configuring the users file with one line per LDAP group like "DEFAULT LdapGroup == xxx" to return the "Tunnel-private-group-ID [81]" VDA depending on the match... or maybe in some other place of the config via ulang? I still need to understand how it works 3. and 4. Both of these points, together with our infrastructure not being ready yet for client certificates validation, led me to the conclusion that PEAPv0/EAP-MSCHAPv2 could be the way to go... but point 1 would invalidate this assumption. Is my reasoning correct? I'm still at a very early stage of the planning and a bit confused. Thanks for your help! Nicola -- Nicola Volpini The information in this email is confidential and may be legally privileged. If you are not the intended recipient, you must not read, use or disseminate that information and upon reception, permanently delete the original and destroy any copies. Although this email and any attachments are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by Kambi for any loss or damage arising in any way from receipt or use thereof.
Hi,
1. user authentication and authorisation against our OpenLDAP directory, which is currently setup to store passwords with a SASL mechanism (the pass is hashed, and Apache Directory Studio shows the value of the UserPassword attribute of each user as "SASL hashed password". This note is important, see further on)
you can use external code for validation....but that could get tricky for different EAP types
2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches depending on the gidNumber of the user
not a problem. reply items can contain whatever you need...which can be gleaned from whatever oracle you choose
3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04)
..they all do EAP
4. FreeRadius server certificate validation (no client certificates used) and 802.1x authentication by providing user/pass
works out of the box.
software succeeds and gives me an accept-accept. Intentionally mistyping the pass gives a reject. What am I doing wrong? Is the radtest tool using some other mechanism then MSCHAPv2?
radtest is a PAP method - you need to use eg eapol_test (part of wpa_supplicant package) or radeaptest with required configuration files.....or any other test tool (NTRadping for windows , JRadiusSimulator etc)
2. this appears to be fairly easy to achieve by configuring the users file with one line per LDAP group like "DEFAULT LdapGroup == xxx" to return the "Tunnel-private-group-ID [81]" VDA depending on the match... or maybe in some other place of the config via ulang? I still need to understand how it works
that method (users file) is basic but works. unlang or external script can also be used client certificates would mean no problem with LDAP for authentication. then you just need to work out how to deploy the client certs.. alan
On 01/24/2013 03:35 PM, A.L.M.Buxey@lboro.ac.uk wrote:
<snip> Hi Alan, Thanks for all the information. Much appreciated, at least we can move from there.
Nicola -- Nicola Volpini Infrastructure Operations The information in this email is confidential and may be legally privileged. If you are not the intended recipient, you must not read, use or disseminate that information and upon reception, permanently delete the original and destroy any copies. Although this email and any attachments are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by Kambi for any loss or damage arising in any way from receipt or use thereof.
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Nicola Volpini