Contemplating change to FreeRadius configuration....
Hi all, I've been on this list for a while, but I'm mostly just a lurker. But, I wanted to run a thought by folks here, before I spend too much time on the effort. Currently, I'm running Freeradius 3.0.13 (which I think was current when we installed) on RedHat Enterprise Linux 7 (7.6). I have a very simple implementation, using FreeRadius, Google Authenticator, and Linux. I create an account in Linux, and each Linux account has a Google Authenticator component, and I use FreeRadius as the backend to authenticate VPN users, coming from a Dell Sonicall TZ400. All this works with no issue. (The main reason I've been so quiet on this list. ;-)) Users come in from VPN, supply username, password, and Google auth OTP, and FreeRadius authenticates them. The users are defined in Linux, on the FreeRadius server itself. Since I first set this up a couple of years ago, we have made some changes, including moving to a Samba backend to do Active Directory authentication for Windows logins. So, my question is, instead of maintaining a separate database for VPN, is it possible (and how hard) to make my Samba server be the backend? So, when we add a user to the Samba AD server, they will gain VPN login access, in addition to the Windows domain for Windows login access. If I go that way, would the Google Auth stuff have to move over to the Samba server? Would two-factor auth apply to Windows domain login as well as VPN access? (That may be a Samba question, sorry.) Would the FreeRadius server need to move to the Samba server? Has anyone dome something like this? Was it difficult? I'm a little bit loathe to change a configuration that has been working so well for so long....but as we grow, I'm willing to bet it will pay for itself in time saved. Any helpful hints? Pointers to docs? All comments are much appreciated. Thanks, -Mark
On Jan 21, 2019, at 3:17 PM, Mark J. Bobak <mark@bobak.net> wrote:
But, I wanted to run a thought by folks here, before I spend too much time on the effort.
That's the best approach.
Currently, I'm running Freeradius 3.0.13 (which I think was current when we installed) on RedHat Enterprise Linux 7 (7.6).
Hmm... I guess.
I have a very simple implementation, using FreeRadius, Google Authenticator, and Linux. I create an account in Linux, and each Linux account has a Google Authenticator component, and I use FreeRadius as the backend to authenticate VPN users, coming from a Dell Sonicall TZ400.
All this works with no issue. (The main reason I've been so quiet on this list. ;-))
Sounds good.
Users come in from VPN, supply username, password, and Google auth OTP, and FreeRadius authenticates them. The users are defined in Linux, on the FreeRadius server itself.
Since I first set this up a couple of years ago, we have made some changes, including moving to a Samba backend to do Active Directory authentication for Windows logins.
That's a common config.
So, my question is, instead of maintaining a separate database for VPN, is it possible (and how hard) to make my Samba server be the backend? So, when we add a user to the Samba AD server, they will gain VPN login access, in addition to the Windows domain for Windows login access.
That's pretty simple. VPNs usually send User-Password. So all of the normal MS-CHAP nonsense doesn't apply. And, you can largely treat AD as just another LDAP server.
If I go that way, would the Google Auth stuff have to move over to the Samba server?
I don't see why. FreeRADIUS can do all that.
Would two-factor auth apply to Windows domain login as well as VPN access? (That may be a Samba question, sorry.)
Nope. AD / Samba are just databases. FreeRADIUS is the one with the weird authentication logic.
Would the FreeRadius server need to move to the Samba server?
No.
Has anyone dome something like this? Was it difficult?
Yes, and it's not difficult.
I'm a little bit loathe to change a configuration that has been working so well for so long....but as we grow, I'm willing to bet it will pay for itself in time saved.
Exactly.
Any helpful hints? Pointers to docs?
If the VPNs send User-Password, then the LDAP documentation should work. Configure that, and make sure to set "Auth-Type := ldap", which isn't the default. But it is needed for AD. My only $0.02 is to read raddb/sites-available/README. See section 5. You can set up a different virtual server for VPN access. That way you're *guaranteed* it doesn't affect other users. And, the VPN virtual server will likely be ~30 lines long. Which makes it *very* easy to debug and/or modify. Alan DeKok.
Hi, check this document out https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Au... It might work. Eero On Mon, Jan 21, 2019, 22:14 Mark J. Bobak <mark@bobak.net wrote:
Hi all,
I've been on this list for a while, but I'm mostly just a lurker.
But, I wanted to run a thought by folks here, before I spend too much time on the effort.
Currently, I'm running Freeradius 3.0.13 (which I think was current when we installed) on RedHat Enterprise Linux 7 (7.6).
I have a very simple implementation, using FreeRadius, Google Authenticator, and Linux. I create an account in Linux, and each Linux account has a Google Authenticator component, and I use FreeRadius as the backend to authenticate VPN users, coming from a Dell Sonicall TZ400.
All this works with no issue. (The main reason I've been so quiet on this list. ;-))
Users come in from VPN, supply username, password, and Google auth OTP, and FreeRadius authenticates them. The users are defined in Linux, on the FreeRadius server itself.
Since I first set this up a couple of years ago, we have made some changes, including moving to a Samba backend to do Active Directory authentication for Windows logins.
So, my question is, instead of maintaining a separate database for VPN, is it possible (and how hard) to make my Samba server be the backend? So, when we add a user to the Samba AD server, they will gain VPN login access, in addition to the Windows domain for Windows login access.
If I go that way, would the Google Auth stuff have to move over to the Samba server? Would two-factor auth apply to Windows domain login as well as VPN access? (That may be a Samba question, sorry.) Would the FreeRadius server need to move to the Samba server?
Has anyone dome something like this? Was it difficult?
I'm a little bit loathe to change a configuration that has been working so well for so long....but as we grow, I'm willing to bet it will pay for itself in time saved.
Any helpful hints? Pointers to docs?
All comments are much appreciated.
Thanks,
-Mark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the replies, Alan and Eero. Much appreciated. I'm not in any hurry, but I'll spin up a new server and try working on it in the background. -Mark On Mon, Jan 21, 2019 at 3:34 PM Eero Volotinen <eero.volotinen@iki.fi> wrote: > Hi, > > check this document out > > https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator > > It might work. > > Eero > > > On Mon, Jan 21, 2019, 22:14 Mark J. Bobak <mark@bobak.net wrote: > > > Hi all, > > > > I've been on this list for a while, but I'm mostly just a lurker. > > > > But, I wanted to run a thought by folks here, before I spend too much > time > > on the effort. > > > > Currently, I'm running Freeradius 3.0.13 (which I think was current when > we > > installed) on RedHat Enterprise Linux 7 (7.6). > > > > I have a very simple implementation, using FreeRadius, Google > > Authenticator, and Linux. I create an account in Linux, and each Linux > > account has a Google Authenticator component, and I use FreeRadius as the > > backend to authenticate VPN users, coming from a Dell Sonicall TZ400. > > > > All this works with no issue. (The main reason I've been so quiet on > this > > list. ;-)) > > > > Users come in from VPN, supply username, password, and Google auth OTP, > and > > FreeRadius authenticates them. The users are defined in Linux, on the > > FreeRadius server itself. > > > > Since I first set this up a couple of years ago, we have made some > changes, > > including moving to a Samba backend to do Active Directory authentication > > for Windows logins. > > > > So, my question is, instead of maintaining a separate database for VPN, > is > > it possible (and how hard) to make my Samba server be the backend? So, > > when we add a user to the Samba AD server, they will gain VPN login > access, > > in addition to the Windows domain for Windows login access. > > > > If I go that way, would the Google Auth stuff have to move over to the > > Samba server? Would two-factor auth apply to Windows domain login as > well > > as VPN access? (That may be a Samba question, sorry.) Would the > > FreeRadius server need to move to the Samba server? > > > > Has anyone dome something like this? Was it difficult? > > > > I'm a little bit loathe to change a configuration that has been working > so > > well for so long....but as we grow, I'm willing to bet it will pay for > > itself in time saved. > > > > Any helpful hints? Pointers to docs? > > > > All comments are much appreciated. > > > > Thanks, > > > > -Mark > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Eero Volotinen -
Mark J. Bobak