freeradius + ldap (AD) + dot1x
Hello, I'm newbie at FreeRADIUS. I'm trying to prepare a solution which will provide authentication for PC/laptop's in corporate network. I need this for Cisco switches and Ubiquiti APs/controller. There is Samba4 configured as domain controller which is central authentication point. I installed Freeradius 3.0.14 on Fedora 25. I red all the man pages and documentation stored in configuration files and to be honest it's huge amount of information which is not clear for a newbie. I also used tutorial which seems to be third-party, however link was on official freeradius wiki I think. Tutorial: http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+... I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it. Is it a way to configure this to be securely? radiusd -X Ready to process requests (0) Received Access-Request Id 193 from 127.0.0.1:47794 to 127.0.0.1:1812 length 72 (0) User-Name = "mn" (0) User-Password = "password" (0) NAS-IP-Address = 10.10.150.150 (0) NAS-Port = 18120 (0) Message-Authenticator = 0xdbdb908f917ea12c4cce408922a4b23d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mn", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> mn (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 193 from 127.0.0.1:1812 to 127.0.0.1:47794 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 193 with timestamp +21 Ready to process requests
Am 11.06.2017 um 11:41 schrieb Paweł Grzęda:
Hello,
[...]
Tutorial:
http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+...
I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it. Is it a way to configure this to be securely?
Assuming Samba 4 tries to work and behave like AD on Windows Server I imagine it does the same by default: "Active Directory does not allow FreeRADIUS to query the user's password via LDAP, or LDAPS." (Alan D. on a thread only a couple of days before) I haven't confirmed this since I did never use FR with a Samba 4 Domain, but only with Windows-based AD services. Though there seems to be a possibility to permit it by an ACL in smb.conf to allows this. By default I'd assume like with a Windows AD: Join the FR server to your Samba 4 AD domain and use NTLM authentication (like mentioned in your linked page). You'd have to select between the older method using ntlm_auth, oder directly via Winbind. (read the config file for the mschap module) Have a look on integrating with a Windows-based AD: * http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... * http://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind Good luck. -- Mathieu
On 11 June 2017 10:41:27 BST, "Paweł Grzęda" <pawel.grzeda@kamieniarstwo.pl> wrote:
I'm trying to prepare a solution which will provide authentication for PC/laptop's in corporate network. I need this for Cisco switches and Ubiquiti APs/controller.
So you will be doing EAP. Have you decided what EAP methods you want to use?
There is Samba4 configured as domain controller which is central authentication point. I installed Freeradius 3.0.14 on Fedora 25.
OK
I red all the man pages and documentation stored in configuration files and to be honest it's huge amount of information which is not clear for a newbie.
I understand. It's a big learning curve to start with.
I also used tutorial which seems to be third-party, however link was on official freeradius wiki I think.
Well, anyone can edit the wiki, so being there doesn't make anything official. That describes LDAP against AD, which isn't a great experience. You're basically limited to EAP-TTLS/PAP, as AD won't give you the password hash.
I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it. Is it a way to configure this to be securely?
What devices are you connecting? If they are all joined to your Samba domain then presumably there is a domain certificate authority in use like real AD? In which case configure EAP-TLS with certificates and forget about LDAP. It'll be far more secure and faster to authenticate as well. Otherwise installing Samba on your FreeRADIUS server and using ntlm_auth type methods with MSCHAPv2 is probably the only real option. -- Matthew
On Jun 11, 2017, at 5:41 AM, Paweł Grzęda <pawel.grzeda@kamieniarstwo.pl> wrote:
,
I'm newbie at FreeRADIUS. I'm trying to prepare a solution which will provide authentication for PC/laptop's in corporate network. I need this for Cisco switches and Ubiquiti APs/controller. There is Samba4 configured as domain controller which is central authentication point. I installed Freeradius 3.0.14 on Fedora 25. I red all the man pages and documentation stored in configuration files and to be honest it's huge amount of information which is not clear for a newbie.
You should read the documentation at: http://networkradius.com/freeradius-documentation/ Specifically the technical guide.
I also used tutorial which seems to be third-party, however link was on official freeradius wiki I think.
That's one of the better ones. But...most of the third-party documentation is terrible. Wrong, misleading, out of date, etc. Worse, many people don't read the wiki / FR documentation, and just "google it". Then, they read random documentation and wonder why it doesn't work. :(
I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it.
If you read the debug output, you'll see that it doesn't query the LDAP module. That's why it can't find the password. While the server is complex, each individual piece is relatively simple. The problem is in tying them all together. So the solution is simple: configure one piece at a time. Save the configuration, test it, etc. Follow the procedure in "man radiusd". This *is* documented. And for testing EAP, follow the guide at: http://deployingradius.com/documents/configuration/active_directory.html It will work. Even for Samba. The nic thing about Samba is that it will give FreeRADIUS the user's credentials via a simple LDAP query. So the whole "ntlm_auth" stuff isn't necessary. But still... follow the guide. It's documented, it has multiple intermediate steps, it explains what's going on. Alan DeKok.
participants (4)
-
Alan DeKok -
Mathieu Simon (Lists) -
Matthew Newton -
Paweł Grzęda