Request for directions: WinXP + Samba + LDAP + 802.1x
Fellows, I have a samba+ldap domain with a bunch of WinXP clients. I intend to get those clients to get access on switch through 802.1x authentication. The problem is: user don't get authorized on samba domain because the switch port is locked waiting for 802.1x auth. What I got so far? I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius. It's tested locally with radtest. Can you give me the next step? Is there some specific docs on that subject? I found lots of docs talking about AD and ntlm_auth. That's not what I'm looking for. Many thanks in advance. -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
Fabiano Caixeta Duarte wrote:
The problem is: user don't get authorized on samba domain because the switch port is locked waiting for 802.1x auth.
Then configure 802.1X.
What I got so far?
I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius.
http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok.
Maybe I didn't make myself clear. I don't have AD and don't wanna. I did set clients to use 802.1x. Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question. I know I'm lacking of knowledge. That's why I'm looking for your guidance. I thank you again. 2009/12/11 Alan DeKok <aland@deployingradius.com>:
Fabiano Caixeta Duarte wrote:
The problem is: user don't get authorized on samba domain because the switch port is locked waiting for 802.1x auth.
Then configure 802.1X.
What I got so far?
I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius.
http://deployingradius.com/documents/configuration/active_directory.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius. You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand were have you get so far.
I know I'm lacking of knowledge. That's why I'm looking for your guidance.
Bear in mind that you must try to ask the right questions to be guided into the correct path ;)
I thank you again.
2009/12/11 Alan DeKok <aland@deployingradius.com>:
Fabiano Caixeta Duarte wrote:
The problem is: user don't get authorized on samba domain because the switch port is locked waiting for 802.1x auth.
Then configure 802.1X.
What I got so far?
I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius.
http://deployingradius.com/documents/configuration/active_directory.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2009/12/11 nf-vale <nf-vale@critical-links.com>:
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius.
You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand were have you get so far.
Ok. Let's follow that path. The confs I touched: eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } modules/ldap: ldap { server = "sti-teste.domain.br" identity = "cn=system,dc=domain,dc=br" password = secret basedn = "ou=Users,dc=domain,dc=br" base_filter = "(objectclass=radiusprofile)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } access_attr = "radiusFilterId" dictionary_mapping = ${confdir}/ldap.attrmap authtype = ldap edir_account_policy_check = no } sites-enabled/inner-tunnel: server inner-tunnel { authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } clients.conf: client angelina { ipaddr = 192.168.205.6 secret = testing123 } client tplink { ipaddr = 192.168.205.29 secret = testing123 } # radtest teste secret angelina 1812 testing123 Sending Access-Request of id 48 to 192.168.205.6 port 1812 User-Name = "teste" User-Password = "secret" NAS-IP-Address = 192.168.205.6 NAS-Port = 1812 rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64 Filter-Id = "Enterasys:version=1:policy=Enterprise User" -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
2009/12/11 nf-vale <nf-vale@critical-links.com>:
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius.
You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand were have you get so far.
Ok. Let's follow that path.
The confs I touched:
eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
modules/ldap: ldap { server = "sti-teste.domain.br" identity = "cn=system,dc=domain,dc=br" password = secret basedn = "ou=Users,dc=domain,dc=br" base_filter = "(objectclass=radiusprofile)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } access_attr = "radiusFilterId" dictionary_mapping = ${confdir}/ldap.attrmap authtype = ldap edir_account_policy_check = no }
sites-enabled/inner-tunnel: server inner-tunnel { authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap }
clients.conf: client angelina { ipaddr = 192.168.205.6 secret = testing123 } client tplink { ipaddr = 192.168.205.29 secret = testing123 }
# radtest teste secret angelina 1812 testing123 Sending Access-Request of id 48 to 192.168.205.6 port 1812 User-Name = "teste" User-Password = "secret" NAS-IP-Address = 192.168.205.6 NAS-Port = 1812 rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64 Filter-Id = "Enterasys:version=1:policy=Enterprise User"
Ok, but what about a debug from a request made a XP client using PEAP connected to your switch?
Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x.
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
No. The question "how do I set clients" is meaningless.
I know I'm lacking of knowledge. That's why I'm looking for your guidance.
If you are storing passwords in LDAP, then *you* know where the passwords are stored. Configure FreeRADIUS to use LDAP authentication. Configure it to do 802.1X. There is documentation and configuration examples for both. Alan DeKok.
2009/12/11 Alan DeKok <aland@deployingradius.com>:
Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x.
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
No. The question "how do I set clients" is meaningless.
I know I'm lacking of knowledge. That's why I'm looking for your guidance.
If you are storing passwords in LDAP, then *you* know where the passwords are stored. Configure FreeRADIUS to use LDAP authentication. Configure it to do 802.1X. There is documentation and configuration examples for both.
Mr. Alan, Somehow we started with the wrong foot. Sorry if I did something wrong. In my first post I told you that freeradius is set (with some mistakes thanks to my lack of knowledge) and working (tested with radtest). I'll try to improve on writing to make myself clear. Thank you all for your attention. PS: My last post shows what I've done so far. -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
Fabiano Caixeta Duarte wrote:
In my first post I told you that freeradius is set (with some mistakes thanks to my lack of knowledge) and working (tested with radtest).
I understand. However, saying "I did LDAP" is insufficient to know precisely what you did. That's what the FAQ, README, INSTALL, "man page", etc. say to post the debug output.
I'll try to improve on writing to make myself clear.
Thank you all for your attention.
PS: My last post shows what I've done so far.
That satisfies "what you did". We need to know "what is happening", and "why it is wrong". As for configuring "ldap + peap"... it's easy. If you have LDAP working, read the guides for configuring PEAP. Then... it should all work. Alan DeKok.
participants (3)
-
Alan DeKok -
Fabiano Caixeta Duarte -
nf-vale