Authenticate to AD but only allow certain group
Brian C. Huffman
bhuffman at etinternational.com
Wed Oct 29 19:00:03 CET 2014
All,
So I finally got time to get back to this and it works! Now the only
question is whether or not I'm allowing anything that I shouldn't. I'm
using the freeradius rpm that came from the centos repo (CentOS 6).
It seems like there are quite a few options that are enabled by
default. I'm attaching the critical files (sites-enabled/default,
sites-enabled/inner-tunnel, eap.conf).
Is there anything I should disable to improve security?
Thanks!
Brian
On 05/14/2014 02:24 PM, Alan DeKok wrote:
> Brian C. Huffman wrote:
>> Are there always two levels of EAP in WPA (or WPA2) Enterprise?
> For TTLS and PEAP, yes. They set up a TLS tunnel between the
> supplicant and the server. They then send additional data inside of the
> tunnel.
>
>> Where do the "outerID" credentials come from? Is that the wireless
>> station (laptop, phone, etc.) or the access point?
> It's always the supplicant (laptop, phone, etc.)
>
> Alan DeKok.
-------------- next part (sites-enabled/inner-tunnel) --------------
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    session {
        radutmp
    }
    post-auth {
        # reject tunneled users who are not members of the Wireless-Internal LDAP group
        if (!(LDAP-Group == "Wireless-Internal")) {
            reject
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # inner-tunnel server block
-------------- next part (sites-enabled/default) --------------
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
-------------- next part (eap.conf) --------------
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
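Brian asks which of the defaults in these files are actually enabled; as an added example (not part of the thread or of FreeRADIUS itself), here is a small Python parser for the config syntax the attachments use, which lists the EAP sub-type blocks present in an eap.conf (every sub-type block that appears is enabled) and exposes the settings, nested blocks and bare module references of each section. The embedded input is an excerpt of the eap.conf posted above, not the whole file.

```python
import re
SETTING = re.compile(r"^(\S+)\s*(:=|\+=|-=|=)\s*(.*)$")  # key = value, also :=, +=, -=
def section(name):
    # One { } block: key=value settings, nested blocks, bare module references
    return {"name": name, "settings": {}, "children": [], "modules": []}
def parse(text):
    """Parse FreeRADIUS config text into a nested dict tree; '#' comments are dropped."""
    root = section("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):          # "tls {", "Auth-Type PAP {", "if (...) {"
            sec = section(line[:-1].strip())
            stack[-1]["children"].append(sec)
            stack.append(sec)
        elif (m := SETTING.match(line)):
            stack[-1]["settings"][m.group(1)] = m.group(3).strip('"')
        else:                             # bare module reference: pap, mschap, reject
            stack[-1]["modules"].append(line)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root
def child(sec, name):
    return next((c for c in sec["children"] if c["name"] == name), None)
def enabled_eap_types(text):
    """Names of the EAP sub-type blocks present in an eap.conf (each one is enabled)."""
    return [c["name"] for c in child(parse(text), "eap")["children"]]
# Excerpt of the eap.conf attached above (the real file has more sub-types and settings).
EAP_CONF_EXCERPT = """\
eap {
    default_eap_type = peap
    md5 {
    }
    tls {
        cipher_list = "DEFAULT"
        cache {
            lifetime = 24 # hours
        }
    }
    peap {
        virtual_server = "inner-tunnel"
    }
}
"""
```

Running `enabled_eap_types(open("eap.conf").read())` on the full attached file lists md5, leap, gtc, tls, ttls, peap and mschapv2, which is the set Brian's question is about.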