I have a WiMax customer who would like to authorize against an Active directory server. I noticed in the inner-tunnel config it says that the Auth-Type LDAP means that EAP won't work. Am I misunderstanding how to properly set up LDAP? Or would the active directory set up be better for an authorization requiring EAP-TTLS. David
David Peterson wrote:
I have a WiMax customer who would like to authorize against an Active directory server. I noticed in the inner-tunnel config it says that the Auth-Type LDAP means that EAP won't work.
Yes. LDAP is a database, not an authentication server. FreeRADIUS is an authentication server.
Am I misunderstanding how to properly set up LDAP? Or would the active directory set up be better for an authorization requiring EAP-TTLS.
Active Directory isn't really an LDAP server. At least, not where it matters. http://deployingradius.com/documents/protocols/compatibility.html And: http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok.
On 21 Mar 2014, at 17:46, Alan DeKok <aland@deployingradius.com> wrote:
David Peterson wrote:
I have a WiMax customer who would like to authorize against an Active directory server. I noticed in the inner-tunnel config it says that the Auth-Type LDAP means that EAP won't work.
Yes. LDAP is a database, not an authentication server. FreeRADIUS is an authentication server.
Am I misunderstanding how to properly set up LDAP? Or would the active directory set up be better for an authorization requiring EAP-TTLS.
Active Directory isn't really an LDAP server. At least, not where it matters.
It's the ladyboy of directory servers. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Active Directory isn't really an LDAP server. At least, not where it matters. There is a huge discussion at the moment at our University where the AD people want to get rid of our central Open-LDAP-Servers with exactly this argument: "AD is a ldap-server like any other". Now I read this comment and would really appreciate if someone could be a little more verbose on the topic or point me to the documentation on how it differs especially from a FreeRadius perspective. As an example: For me it is not clear if I could just use AD as a LDAP-Backend (instead of OpenLDAP) and keep my eduroam configuration otherwise the same or if I would have to switch to ntlm_auth to get things back to working - which I would really want to avoid since I don't see a reason making thing more complex by having samba and other new dependencies... Thanks, Mischa http://deployingradius.com/documents/protocols/compatibility.html And: http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 22 Mar 2014, at 08:29, Mischa Diehm <mischa.diehm@unibas.ch> wrote:
Hi
Active Directory isn't really an LDAP server. At least, not where it matters.
There is a huge discussion at the moment at our University where the AD people want to get rid of our central Open-LDAP-Servers with exactly this argument: "AD is a ldap-server like any other". Now I read this comment and would really appreciate if someone could be a little more verbose on the topic or point me to the documentation on how it differs especially from a FreeRadius perspective.
AD doesn't expose the cleartext version or NT-Password hash of the user's password meaning you have to use ntlm_auth for authentication.
As an example: For me it is not clear if I could just use AD as a LDAP-Backend (instead of OpenLDAP) and keep my eduroam configuration otherwise the same or if I would have to switch to ntlm_auth to get things back to working - which I would really want to avoid since I don't see a reason making thing more complex by having samba and other new dependencies...
You would have to switch to ntlm_auth, or change EAP method. The current ntlm_auth interface with Active Directory is comparatively slow to libldap and OpenLDAP. Performance is likely to be in the hundreds of requests per second, whereas FreeRADIUS and OpenLDAP is in the 10s of thousands. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, The was a interesting discussion on one of the UK university wireless mailing lists about AD performance and freeradius.... as when you hit that wall you notice!! :/ There hasn't been, so far, a completion of that conversation. .. ie exhaustive list of things you can do our steps to take to improve that queries/sec value with AD. The discussion did cover certain things , samba 4 rather than 3, tweaks to ntlm_auth, tweaks to code... tweaks to the AD system you're talking to etc. Am keeping my eyes/ears open for further input and will write up where necessary. Alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi, first of all thanks for the clarifying and quick responses - really appreciate it! There hasn't been, so far, a completion of that conversation. .. ie exhaustive list of things you can do our steps to take to improve that queries/sec value with AD. The discussion did cover certain things , samba 4 rather than 3, tweaks to ntlm_auth, tweaks to code... tweaks to the AD system you're talking to etc. Am keeping my eyes/ears open for further input and will write up where necessary. For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth. Using it for group-validation is a different story and could - for us - be very handy since our Groups are defined and stored in AD and haven't found their way into LDAP yet. So I was looking for a way to achieve that. When looking around I found that radiator has sth. called Auth-By ADSI (Active Directory Service Interfaces<https://en.wikipedia.org/w/index.php?title=Active_Directory_Service_Interfaces&redirect=no>). In the description it says: "During authentication, AuthBy ADSI check and honours AccountDisabled, IsAccount- Locked and LoginHours for the user being authenticated. It also checks the users pass- word (by attempting to change it). Because Active Directory does not make the plaintext password available, <AuthBy ADSI> only supports PAP, not CHAP or MSCHAP authentication." This would not be usable in case of eduroam (restrictions you guys already mentioned concerning AD as LDAP equivalent) but in almost all of our other use cases where we have the Password transmitted. Has this been looked at or event implemented within freeradius? Maybe it's already possible to use this with the LDAP module? I guess it also gets rid of the performance issues since we're back to ldap. It also removes the complexity addons due to samba installation. Mischa
Hi,
This would not be usable in case of eduroam (restrictions you guys already mentioned concerning AD as LDAP equivalent) but in almost all of our other use cases where we have the Password transmitted. Has this been looked at or event implemented within freeradius? Maybe it's already possible to use this with the LDAP module? I guess it also gets rid of the performance issues since we're back to ldap. It also removes the complexity addons due to samba installation.
you can use AD with LDAP module for authorization (AuthZ) - its the Authentication (AuthN) that is the problem alan
Mischa Diehm wrote:
For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth.
You're missing the point. Active Directory does *not* give a password to FreeRADIUS, so that FreeRADIUS can do the authentication. For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth. It doesn't matter if you think it's complex. It's the ONLY choice.
Using it for group-validation is a different story and could - for us - be very handy since our Groups are defined and stored in AD and haven't found their way into LDAP yet. So I was looking for a way to achieve that.
For group lookups, AD is just an LDAP server. That works.
"During authentication, AuthBy ADSI check and honours AccountDisabled, IsAccount- Locked and LoginHours for the user being authenticated. It also checks the users pass- word (by attempting to change it). Because Active Directory does not make the plaintext password available, <AuthBy ADSI> only supports PAP, not CHAP or MSCHAP authentication."
Yes.... FreeRADIUS can do "Auth-Type := LDAP" with PAP authentication to AD. You don't need ntlm_auth for that.
This would not be usable in case of eduroam (restrictions you guys already mentioned concerning AD as LDAP equivalent) but in almost all of our other use cases where we have the Password transmitted.
The use Auth-Type := LDAP.
Has this been looked at or event implemented within freeradius?
Yes... we've been doing this for 15 years.
Maybe it's already possible to use this with the LDAP module?
Yes, for User-Password in the Access-Request. Alan DeKok.
Hi, From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Dienstag, 25. März 2014 21:55 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP and/or Active Directory
Mischa Diehm wrote:
For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth.
You're missing the point. Active Directory does *not* give a password to FreeRADIUS, so that FreeRADIUS can do the authentication.
For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth. It doesn't matter if you think it's complex. It's the ONLY choice.
Thanks for the clarification. My main intent wasn't to make PEAP/MS-CHAP work but to have PAP work with AD. Now after some more reading and discussion I'm quite confident it is possible to sync sambaNTPassword to the global catalog of AD (which we use also use in the PAP auth) and have things aligned and in a way that is actually less complex and less slow using the ldap module. I will be testing this in the near future. In a private discussion with a list member I was told that PAP is much less secure than using MSCHAPv2 but I disagree with this argument. No gain in terms of security when using MSCHAPv2. Both need a secure transport layer. Summing this up I think the lesson learned - at least for me - is that it doesn't really matter if you have AD or LDAP as a backend store. You can have the full flexibility with both backends. Mischa
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
David Peterson -
Mischa Diehm