Freeradius + EAP-TLS + LDAP
Hi, with my FR 1.x installation I'am authenticating via EAP-TLS Computers against my Switches. User are authenticated with PEAP, all are held in the users-textfile in $RADDB/users But with rising number of PCs and Users the edit of the users file is a bit uncomfortable. I want to upgrade everything to FR 2.1 on my Debian-Squeeze-Box, using LDAP, because I have already all Users and PCs in my OpenLDAP (for the use of Samba). I'am a bit unsure about the doc, which says no EAP-TLS while using LDAP and no crypted passwords. If I read here, I have the impression that this is something what some people already do. I like to authenticate PCs with EAP-TLS, which are in the LDAP List by name, there is no need to extract an cert from the LDAP-Tree. Just check the name and if the cert matches to the server-cert the access is granted. As I already do now. The users should be checked by uid and the password should be checked, but I have of course no cleartext-password in my LDAP, they are all crypt or MD5 (depends on tree). Is this possible or not? TIA Alex
Alexandros Gougousoudis <gougousoudis-list@servicecenter-khs.de> wrote:
The users should be checked by uid and the password should be checked, but I have of course no cleartext-password in my LDAP, they are all crypt or MD5 (depends on tree).
Is this possible or not?
No, impossible. If you want to use LDAP to authenticate your users, you _need_ a cleartext password somewhere. Grüße, Sven. -- Sigmentation fault. Core dumped.
On 19/04/11 15:24, Sven Hartge wrote:
Alexandros Gougousoudis<gougousoudis-list@servicecenter-khs.de> wrote:
The users should be checked by uid and the password should be checked, but I have of course no cleartext-password in my LDAP, they are all crypt or MD5 (depends on tree).
Is this possible or not?
No, impossible.
If you want to use LDAP to authenticate your users, you _need_ a cleartext password somewhere.
Hang on - the OP said he wanted to do EAP-TLS. For EAP-TLS there is no inner-auth, and no passwords.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 19/04/11 15:24, Sven Hartge wrote:
Alexandros Gougousoudis<gougousoudis-list@servicecenter-khs.de> wrote:
The users should be checked by uid and the password should be checked, but I have of course no cleartext-password in my LDAP, they are all crypt or MD5 (depends on tree).
Is this possible or not?
No, impossible.
If you want to use LDAP to authenticate your users, you _need_ a cleartext password somewhere.
Hang on - the OP said he wanted to do EAP-TLS.
For EAP-TLS there is no inner-auth, and no passwords.
Ah, yes. But he also wrote about checking the password. EAP-TLS uses client certificates, no user password involved. Grüße, S° -- Sigmentation fault. Core dumped.
On 19/04/11 13:55, Alexandros Gougousoudis wrote:
Hi,
with my FR 1.x installation I'am authenticating via EAP-TLS Computers against my Switches. User are authenticated with PEAP, all are held in the users-textfile in $RADDB/users
EAP-TLS and PEAP are different. Which do you mean?
But with rising number of PCs and Users the edit of the users file is a bit uncomfortable. I want to upgrade everything to FR 2.1 on my Debian-Squeeze-Box, using LDAP, because I have already all Users and PCs in my OpenLDAP (for the use of Samba).
Don't do both at once. First upgrade to 2.1 Then implement LDAP.
I'am a bit unsure about the doc, which says no EAP-TLS while using LDAP and no crypted passwords. If I read here, I have the impression that this is something what some people already do.
EAP-TLS doesn't use passwords. It uses client certificates. PEAP requires plaintext or NT passwords. Which do you mean?
I like to authenticate PCs with EAP-TLS, which are in the LDAP List by name, there is no need to extract an cert from the LDAP-Tree. Just check the name and if the cert matches to the server-cert the access is granted. As I already do now.
Can you show us an example of what you have now? One of the entries from your "users" file?
The users should be checked by uid and the password should be checked, but I have of course no cleartext-password in my LDAP, they are all crypt or MD5 (depends on tree).
EAP-TLS doesn't use passwords.
Is this possible or not?
Your query doesn't make sense.
Hi Folks, the question makes sense, I think I wrote it not understandible enough. 1. What I already do is: 1.1. Authenticating via EAP-TLS Computers/Workstations against my Switches 1.2. Users are authenticated with PEAP and Cleartext-Passwords in $RADDB/users 2. What I want to do is: 2.1. Upgrade to 2.1 2.2. Use my LDAP to collect and control authentification of Workstations and Users 3. What I have is: 3.1. Certs on all Computer/Workstations and an entry in $RADDB/users of the Computername wirh Authentification-Type = EAP 3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords for Samba (NT-Passwords). 3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain). 4. Question is: 4.1. Can I configure FR to lookup the Computername upon a request in the LDAP, and if it finds the entry to enter a EAP-TLS authentification, and if not to deny access? 4.2. To authenticate all users of a specific group which are in LDAP with their password which is stored crypted/hashed in LDAP using PEAP? I hope it's clear enough now. TIA Alex
On 04/20/2011 10:23 AM, Alexandros Gougousoudis wrote:
3.1. Certs on all Computer/Workstations and an entry in $RADDB/users of the Computername wirh Authentification-Type = EAP 3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords for Samba (NT-Passwords).
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.
3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).
4. Question is:
4.1. Can I configure FR to lookup the Computername upon a request in the LDAP, and if it finds the entry to enter a EAP-TLS authentification, and if not to deny access?
Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)
4.2. To authenticate all users of a specific group which are in LDAP with their password which is stored crypted/hashed in LDAP using PEAP?
Yes. You will need to configure FreeRADIUS to bind to LDAP with an account that has permission to read the ntPassword attrbute, but if you do that, it should just work.
Hi Phil, Phil Mayers schrieb:
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work. Great! Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)
Thanks, I'll start to do this. Machine account name should work for me. Any hints, or how to do this? Is there somewhere an example availlable to start with? I'am new to FR 2.1 and it's hard to make even my old config work on the test-maschine. bye Alex
Hi,
Thanks, I'll start to do this. Machine account name should work for me.
Any hints, or how to do this? Is there somewhere an example availlable to start with?
I'am new to FR 2.1 and it's hard to make even my old config work on the test-maschine.
after altering ntlm_auth command line in the default config, the default config just works with machine authentication(*), if you've edited things, or dropped an old config into the /etc/raddb config space then things will be 'interesting' alan (*) obviously clients.conf and ldap and eap config need to be edited as required ;-)
On 04/20/2011 11:37 AM, Alexandros Gougousoudis wrote:
Hi Phil,
Phil Mayers schrieb:
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work. Great! Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)
Thanks, I'll start to do this. Machine account name should work for me.
Any hints, or how to do this? Is there somewhere an example availlable to start with?
Well, as I said - there are lots of ways of doing this. The simplest possible way is to configure the LDAP module appropriately. Since you're doing both user- and host-based auth, you will need to make sure that the filter is correct: raddb/modules/ldap: ... # the mschap:User-Name will turn: # # domain\user -> user # host/name.domain -> name$ filter = "(samaccountname=%{mschap:User-Name})" ...and then you just call the "ldap" module in your "authorize" section e.g. raddb/sites-enabled/default: authorize { ... eap { ok = return } ldap if (notfound) { reject } }
I'am new to FR 2.1 and it's hard to make even my old config work on the test-maschine.
Unless you're a FreeRADIUS expert, you're going to find that hard. Start with a clean slate. Put the config into version control. Make small changes and test, then commit to version control when each change is done. Build your config up that way.
participants (4)
-
Alan Buxey -
Alexandros Gougousoudis -
Phil Mayers -
Sven Hartge