Active Directory/freeradius/enterasys - combination
hello, we are testing the 802.1x authentication in a small test network. (http://www.enterasys.com/products/whitepapers/secure-networks-wp.pdf) The user management works via an active directory on a Windows 2003 server, a Freeradius on a Linux machine, and the switch is an Enterasys Matrix-series. Windows 2003 (AD) <---> Freeradius <---> Enterasys switch <---> Linux/MS-Client The user is able to authenticate with PEAP and MD5 from a Linux and a Windows Client. Active Directory and Freeradius (ntlm_auth) give the OK as well. The Enterasys switch is dynamically configured with the Policy Manager. Therefore it is possible to define rules for various user groups, and in the AD different user groups are defined. Now the switch needs the group to user information from the AD with the filter ID, which normally looks like this: Filter-Id = "Enterasys:version=1:mgmt=su:policy=adminrole" If I define the users on the Radius with the help of the users file it is no problem and it works perfectly, but how can I use the information from the AD? The problem is that the users are correctly authenticated, but the switch doesn't have information what to do with these users and they get an invalid role and furthermore they don't get access to the network (they are assigned to the default role which is a blocking role)! We made the first tests with the IAS from Microsoft where we created different "Remote Access Policies", and there we added the different user groups from the AD. I've not found anything in the Internet concerning this very matter, so I hope someone of you can give me more information how this can be realized. Thanks! mIke
Michael Messner wrote:
If I define the users on the Radius with the help of the users file it is no problem and it works perfectly, but how can I use the information from the AD?
Use the "ldap" module to query AD and add attributes to the reply dynamically. For example: DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com" Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole" ...or similar.
hey Phil, hey list Phil Mayers wrote:
Michael Messner wrote:
If I define the users on the Radius with the help of the users file it is no problem and it works perfectly, but how can I use the information from the AD?
Use the "ldap" module to query AD and add attributes to the reply dynamically. For example:
DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com" Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
...or similar.
thanks for your help, now I have configured the Ldap connection to AD with the Ldap Groups and yea it works! :-) But as I understood I can't use PEAP or MD5 authentication, am I right? So there is nothing with 802.1x security?!? If so, are there any other possible solutions/workarounds? I hope somebody can give me any help, information, links or something else. thanks ca mIke
Michael Messner wrote:
Use the "ldap" module to query AD and add attributes to the reply dynamically. For example:
DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com" Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
...or similar.
thanks for your help, now I have configured the Ldap connection to AD with the Ldap Groups and yea it works! :-)
But as I understood I can't use PEAP or MD5 authentication, am I right? So there is nothing with 802.1x security?!? If so, are there any other possible solutions/workarounds?
I hope somebody can give me any help, information, links or something else.
You can use LDAP just for the group checking. You don't have to use it for processing the authentication. So if you've already got 802.1x working e.g. using the mschap module and ntlm_auth, you can carry on using that. *If* you're having problems, this might be because the "ldap" module is the first one to process the request and it sets Auth-Type to LDAP because it thinks it is authoritative. Easiest is to re-order the modules like so: authorize { preprocess # let the various auth types get detected and set chap mschap eap # now process the other stuff ldap files } ...and remove the "Auth-Type LDAP" section from "authenticate" Alternatively, the ldap module has a "set_auth_type" option - set it to "no" and it will never override the auth-type and thus
hey Phil, hey list, Phil Mayers sagte:
Michael Messner wrote:
Use the "ldap" module to query AD and add attributes to the reply dynamically. For example:
DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com" Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
...or similar.
But as I understood I can't use PEAP or MD5 authentication, am I right? So there is nothing with 802.1x security?!?
You can use LDAP just for the group checking. You don't have to use it for processing the authentication. So if you've already got 802.1x working e.g. using the mschap module and ntlm_auth, you can carry on using that.
Easiest is to re-order the modules like so:
authorize { preprocess
# let the various auth types get detected and set chap mschap eap
# now process the other stuff ldap files }
...and remove the "Auth-Type LDAP" section from "authenticate"
real great, everything works now! :-) thanks a lot for your help ca mIke
Hi, I need a few tips onto radius authenticated ssh I need some basic info like how to configure linux to authenticate (and account) ssh users with radius, but I couldn't find a guide about it. I have some experience both with Linux and freeradius, but not in using them like I explained. Could somebody point me to some FAQ or guide on how to get this working? Thanks, Marcos Roberto Greiner -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Roberto Greiner <mrgreiner@gmail.com> wrote:
I need some basic info like how to configure linux to authenticate (and account) ssh users with radius, but I couldn't find a guide about it
See the SSH documentation. If it doesn't say it does RADIUS, then it would appear that it doesn't do RADIUS. Maybe you could try using PAM authentication with SSH, and then the pam_radius_auth module. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I'm building a new radius server. I'm copying an existing one. I'm getting the following error from freeRADIUS when I run it -x (FreeRADIUS 1.1.3) Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=mking --challenge=46b51a98d607a3a9 --nt-response= hex decode of failed! (only got 0 bytes) Of course, if I run it via the command line, it works flawlessly. rad2:/etc/freeradius# ntlm_auth --username=mking password: NT_STATUS_OK: Success (0x0) I've copied the ntlm_auth line from my working radius server (which is on 1.0.1, hence the reason I'm upgrading) ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response)" I'm at a loss why I would get 0 bytes..... I've even chgrp freerad /var/run/samba/winbindd_privileged chmod g+rx /var/run/samba/winbindd_privileged Just to be sure (Even thought I didn't have to do that on my old radius server) Help?
On 24 Aug 2006, at 21:24, King, Michael wrote:
I'm building a new radius server. I'm copying an existing one.
I'm getting the following error from freeRADIUS when I run it -x (FreeRADIUS 1.1.3)
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=mking --challenge=46b51a98d607a3a9 --nt-response= hex decode of failed! (only got 0 bytes) ^^^^^^^^ = of .... nothing because you have got --nt- response= nothing. So decoding nothing doesn't work.
Of course, if I run it via the command line, it works flawlessly. rad2:/etc/freeradius# ntlm_auth --username=mking password: NT_STATUS_OK: Success (0x0) So ntlm_auth can talk to winbind, ...which can talk to the domain. The problem is the cranky parameter --nt-response above.
I've copied the ntlm_auth line from my working radius server (which is on 1.0.1, hence the reason I'm upgrading)
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response)" ^^^^^^^^^^^^^^^ You seem to have the wrong variety of bracket here!?? This may be the reason --nt-response is being set to nul, and hence the above error.
Regards, James -- James J J Hooper Information Services University of Bristol --
-----Original Message-----
--nt-response=%{mschap:NT-Response)" ^^^^^^^^^^^^^^^ You seem to have the wrong variety of bracket here!?? This may be the reason --nt-response is being set to nul, and hence the above error.
Score one for the eagle eyed gentlement. That was it. (I was ready to put my head through the wall on this)
Ok, I now have 1.1.3 working great. However, my log files now have an extra (and repeated) error message Thu Aug 24 16:50:33 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Thu Aug 24 16:50:33 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Thu Aug 24 16:50:33 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Line 1 has always been there, and I've been told to safely ignore it. Lines 2 & 3 are new. Same deal, safe to ignore, or indicitive I screwed something else up? I'm getting on... So I'm assuming it's another ignore error (Maybe even more info about the first line)
On 24 Aug 2006, at 21:53, King, Michael wrote:
Ok, I now have 1.1.3 working great.
However, my log files now have an extra (and repeated) error message
Thu Aug 24 16:50:33 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Thu Aug 24 16:50:33 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Thu Aug 24 16:50:33 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Line 1 has always been there, and I've been told to safely ignore it.
Lines 2 & 3 are new. Same deal, safe to ignore, or indicitive I screwed something else up?
I'm getting on... So I'm assuming it's another ignore error (Maybe even more info about the first line)
I don't know if it is safe to ignore the messages, but from the Changelog, as of 1.1.2: * Write SSL errors to log file, rather than stderr. This closes bug #347. Which may explain the extra lines. -James -- James J J Hooper Information Services University of Bristol --
James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
* Write SSL errors to log file, rather than stderr. This closes bug #347.
Which may explain the extra lines.
Yes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (6)
-
Alan DeKok -
James J J Hooper -
King, Michael -
Michael Messner -
Phil Mayers -
Roberto Greiner