Trying to wrap my head around FreeRadius config

[Gary Gatten]

Let me TRY to address a couple points here.

1.) Admins "logging in" to network devices: telnet, ssh, etc.

The Network Device, if "properly" configured, sends a RADIUS request to the RADIUS server.  If you run FR in debug mode you'll see the request come in and all the attributes thereof.  FR, based on the "policy" you configure will pick one of several methods to authenticate the user.  Could be the users file, MySQL, LDAP, ntlm_auth, etc.  Personally I use ntlm_auth because: 1.) I'm not very skilled in the details of LDAP and "thought" it would be more difficult to get up and running correctly. 2.) Like you my understanding was / is certain types of RADIUS auth requests (such as 802.1x type stuff) "needs" ntlm_auth as LDAP / AD typically doesn't store passwords in the proper format...  Which leads me to scenario 2.)

2.) ntlm_auth is "typically" required for 802.1x (*EAP) stuff as LDAP / AD doesn't typically store the passwords in a ... "compatible" format.  I too have read where you *can* use LDAP to authenticate *EAP IF you store the user passwords in a certain format.  BUT, getting AD admins to do that is not likely when a viable alternative exists; ie: ntlm_auth.


My suggestion - just to get things "working" so you can play with it and learn more by actually seeing valid request / reply convos:

1.) Use only ntlm_auth.  If necessary you can use "require-membership-of" (I forget exact syntax) to ensure only members of "Network Admins" can get a cli on your network gear.  It will also work for 802.1x

2.) If necessary set your default auth type to ntlm_auth.  This is discussed in docs and suggested only for testing.  As I've mentioned before I had to leave it in place as I probably don't have something configured "correctly", BUT, right now 100% of my auth uses ntlm_auth - so it works.


This has grown into quite a thread and it's spawned some VERY useful info from some of the FR veterans that has helped me a lot.  I have lost track of where you are / what probs you're still having...  I will have more time next week and will try to help you more if you still need it.

G


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Moe, John
Sent: Wednesday, July 20, 2011 6:07 PM
To: FreeRadius users mailing list
Subject: RE: Trying to wrap my head around FreeRadius config

> -----Original Message-----


>   So ask *specific* questions about what you expect, what's happening,
> and what you think is going wrong.

>   Ask small questions, instead of long ones.  It really makes a
> difference.

Well, ok, I'll start again, go as far as I can, and then ask questions about
what I'm seeing and what I don't understand.

>   Users don't log into switches.  Details matter.

They do if they need to configure the switch.  I meant admin users, not
general users, but it's still authenticating a user account using RADIUS.

>   In any case... just configure AD as an LDAP server.  Uncomment "ldap"
> in raddb/sites-enabled/default.  It *will* work.

Hang on, this works?  I thought I'd read online again and again that if
you're authenticating against Active Directory, you must use ntlm_auth,
because AD doesn't respond properly to the LDAP and KRB modules?  I'd
specifically tried to research this very question, and thought I'd come out
with the understanding ntlm_auth needed to be used?  Will LDAP work properly
against AD?

>   I have no idea why this is a problem.  Follow the guide on
> http://deployingradius.com.  It's detailed, and it works.

Which specific guide are you talking about?  Or are you talking about the
several individual guides I'd mentioned before?
 
>   Alan DeKok.


John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011



*****************************
NOTICE - This message from Hatch is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential or proprietary. 
Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. By communicating with us via e-mail, you accept such risks.? When addressed to our clients, any information, drawings, opinions or advice (collectively, "information") contained in this e-mail is subject to the terms and conditions expressed in the governing agreements.? Where no such agreement exists, the recipient shall neither rely upon nor disclose to others, such information without our written consent.? Unless otherwise agreed, we do not assume any liability with respect to the accuracy or completeness of the information set out in this e-mail.? If you have received this message in error, please notify us immediately by return e-mail and destroy and delete the message from your computer.





<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>