Hi all. I have been running freeradius for quite a while now to authenticate dial-up users through our Cisco 3660. Additionally, I configured several of our internal devices for AAA. This has all worked quite well and I have been using a MySQL backend. Now I am getting ready to deploy a wireless network in our facility and need to lock it down. My idea is to have our users authenticate and authorize against our active directory. Then, to provide access to guests, just create a bogus wireless user that doesn't exist in the AD, so radius falls back to a different auth method (sql) to let the user at least get on and get an address from our dhcp. I basically have this model working through regular telnet and PPP right now, less the wireless piece. I have successfully set up authentication to AD, but I have some questions and concerns. I have done quite a bit of research on this and read the pertinent files in the /doc folder included with the FR software. So, I hope my questions make sense. First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used "Administrator" and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only "user" for auth purposes? Am I correct that the NAS passes the username and password to FR in cleartext? Is there any method to send/receive the password between FR and AD encrypted? If I want to use WPA with TKIP (or preferably AES) do I *have* to have a supplicant? Most hosts will be XP, though there is a slim chance I may have to deal with others. Lastly, as I mentioned earlier, I have googles, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web the defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-) Thanks in advance, Laker __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
If I want to use WPA with TKIP (or preferably AES) do I *have* to have a supplicant? Most hosts will be XP,
WPA uses TKIP WPA2 uses AES Both use 802.1x/EAP with whatever cocktail of options you convolute.
though there is a slim chance I may have to deal with others. Lastly, as I mentioned earlier, I have googles, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web the defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)
Thanks in advance, Laker
__________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Laker Netman <laker_netman@yahoo.com> wrote:
First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used "Administrator" and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only "user" for auth purposes?
The server needs to bind to AD only to get group information. If you can configure a user on AD that is permitted only to do that, that would be the best thing.
Am I correct that the NAS passes the username and password to FR in cleartext?
Not for wireless.
Is there any method to send/receive the password between FR and AD encrypted?
SSL.
Lastly, as I mentioned earlier, I have googles, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web the defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)
I'm not sure what you mean by that. The HOWTO's describe how to configure wireless with FreeRADIUS, and LDAP. Follow the instructions and they will work. Do you know what you want from wireless and AD? It sounds like the "one critical" piece you're looking for is something to solve a problem you haven't articulated. Alan DeKok.
Comments below. --- Alan DeKok <aland@ox.org> wrote:
Laker Netman <laker_netman@yahoo.com> wrote:
First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used "Administrator" and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only "user" for auth purposes?
The server needs to bind to AD only to get group information. If you can configure a user on AD that is permitted only to do that, that would be the best thing.
Not sure I understand. To my knowledge, currently our AD doesn't contain any info that would differentiate a "wireless" user from one who is "wired". Based on the authenticating NAS (which is identifiable as wired vs wireless at least to RADIUS) how could I tie that to an AD group? If this is possible, where is the FAQ describing the setup process?
Am I correct that the NAS passes the username and password to FR in cleartext?
Not for wireless.
So, when I see cleartext passwords (provided to RADIUS via NAS auth dialogs) in a "radiusd -X" output to the terminal it's due to the fact that they have already been decoded via the symmetric NAS-RADIUS key?
Is there any method to send/receive the password between FR and AD encrypted?
SSL.
A URL or path to the RADIUS doc supporting this would be appreciated.
Lastly, as I mentioned earlier, I have googled, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web the defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)
I'm not sure what you mean by that. The HOWTO's describe how to configure wireless with FreeRADIUS, and LDAP. Follow the instructions and they will work.
Do you know what you want from wireless and AD? It sounds like the "one critical" piece you're looking for is something to solve a problem you haven't articulated.
Alan DeKok.
My statement was intentionally flippant, though not meant to be disrepectfully so. It is the culmination of much frustration at finding lots of tangible data to make a functional system, yet, all of the pages tend to end with the cliche (paraphrasing now) "and some other settings we all know it needs..." We who? I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list. If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't. Please refrain from the "holier than thou" routine. I have read the majority of your posts since 2002 Mr. DeKok. Clearly, you are quite knowledgable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome? Laker
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
Laker Netman <laker_netman@yahoo.com> wrote:
Not sure I understand. To my knowledge, currently our AD doesn't contain any info that would differentiate a "wireless" user from one who is "wired". Based on the authenticating NAS (which is identifiable as wired vs wireless at least to RADIUS) how could I tie that to an AD group?
You're completely down the wrong path. AD is a database. It's a directory. Using anonymous bind, there is very little data you can get from it. Stop talking about solutions, as you don't know how the technology works. Instead, talk about your goals, independent of the underlying technology.
So, when I see cleartext passwords (provided to RADIUS via NAS auth dialogs) in a "radiusd -X" output to the terminal it's due to the fact that they have already been decoded via the symmetric NAS-RADIUS key?
Yes. But you don't see that for wireless.
Is there any method to send/receive the password between FR and AD encrypted?
SSL.
A URL or path to the RADIUS doc supporting this would be appreciated.
raddb/radiusd.conf. See the "tls" comments in the ldap configuration.
My statement was intentionally flippant, though not meant to be disrepectfully so. It is the culmination of much frustration at finding lots of tangible data to make a functional system, yet, all of the pages tend to end with the cliche (paraphrasing now) "and some other settings we all know it needs..." We who?
Please point to FreeRADIUS documentation that says that. I've never seen it. If you're talking about non-freeradius web sites, go complain to them.
I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list.
Let me be perfectly clear: No one will be able to help you if you cannot describe what you want in a manner they understand. So far, you've made it clear you're confused about the terminology, and you haven't articulated what you want to do.
If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't.
Part of helping you is asking you for information you haven't supplied. That information is needed to help you. If your response is to get upset, then everyone can only conclude you don't want to solve your problem.
I have read the majority of your posts since 2002 Mr. DeKok. Clearly, you are quite knowledgable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome?
For people who get angry when I ask for more information, insults. For people who answer the questions I ask, help. And then they solve their problem. You choose which group you fall into. I don't have time to care what you think about me. Alan DeKok.
On Sun, 20 Nov 2005, Alan DeKok wrote:
Laker Netman <laker_netman@yahoo.com> wrote:
You're completely down the wrong path. AD is a database. It's a directory. Using anonymous bind, there is very little data you can get from it.
Stop talking about solutions, as you don't know how the technology works. Instead, talk about your goals, independent of the underlying technology.
My statement was intentionally flippant, though not meant to be disrepectfully so. It is the culmination of much frustration at finding lots of tangible data
If you're talking about non-freeradius web sites, go complain to them.
I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list.
Let me be perfectly clear: No one will be able to help you if you cannot describe what you want in a manner they understand. So far, you've made it clear you're confused about the terminology, and you haven't articulated what you want to do.
If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't.
Part of helping you is asking you for information you haven't supplied. That information is needed to help you. If your response is to get upset, then everyone can only conclude you don't want to solve your problem.
I have read the majority of your posts since 2002 Mr. DeKok. Clearly, you are quite knowledgable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome?
For people who get angry when I ask for more information, insults.
You choose which group you fall into. I don't have time to care what you think about me.
Oh, excellent. I just joined this list hoping to query the members on finding more information on doing wireless+activedirectory+freeradius, unfortunately I could not find any good postings, or web toots/examples. I made a trip to my local bookstore and just read in the oreilly 802.11 book on building wireless infrastructure that I would need to use Microsoft IAS. Is this false ? Are people using Active Directory successfully ? I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well. If anyone has any good links with an explanation on how to do this I would greatly appreciate it.
Robin Mordasiewicz <rmordasiewicz@samuelmanutech.com> wrote:
I made a trip to my local bookstore and just read in the oreilly 802.11 book on building wireless infrastructure that I would need to use Microsoft IAS. Is this false ?
Yes. I think, though, at the time the book was written, machine authentication wasn't possible. Now it is.
Are people using Active Directory successfully ?
Yes.
I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well.
If a tacacs server can do it, FreeRADIUS can do it. :) Alan DeKok.
Alan DeKok wrote:
You choose which group you fall into. I don't have time to care what you think about me. I remember when I was very new to Linux. I had made an incredibly stupid basic networking mistake and was trying to find out why a specific Linux ethernet driver was "acting up". The esteemed Donald Becker expressed his amazement, in a funny way, in regard to why anyone would want to design something so inherently evil and no driver should handle it without error.
I then went on a tirade instructing him on why I would want to do this and why he should "fix" his broken driver. I can only hope it wasn't on a public list so my exact stupidity isn't recorded for all time. But, as time went on, I learned how ignorant I really was, and have made a point of tracking down developers of tools I use (likely freeradius and even useradd) and thanking them even if I have just used the tool and not needed help with it. So I guess the moral of the story is that one day, he'll look back on this list and realize how stupid and indignant he was. So many people new to open source seem to believe they are owed not only the source but free support for it without much effort on their part to actually test a hypothesis and dig for an answer. For my part, you have personally helped me and I appreciate it.
participants (5)
-
Alan DeKok -
Brian A. Seklecki -
Laker Netman -
Lewis Bergman -
Robin Mordasiewicz