802.1X Extra Miles

3@D4rkn3ss DuMb 32d4rkn3ss at gmail.com
Thu May 5 06:47:37 CEST 2016


Thank you all,

I think it's time for me to give back to the community now ... I'm planning
to add something on the how-to if the admins allow me to :)

Regards

On 5 May 2016 at 07:41, <freeradius-users-request at lists.freeradius.org>
wrote:

>
> Today's Topics:
>
>    1. RE: LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN)
>    2. RE: LDAP CONFIGURATION IN FreeRadius (Alan Buxey)
>    3. Re: Problem with multiple LDAP servers (Alan Buxey)
>    4. RE: LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN)
>    5. Re: Problem with multiple LDAP servers (Arran Cudbard-Bell)
>    6. Re: 802.1X Extra Miles (Johnny R)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 May 2016 22:20:56 +0000
> From: "WINANT, KEVIN" <KW517G at att.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: RE: LDAP CONFIGURATION IN FreeRadius
> Message-ID:
>         <751C2B6C8900694381C6D7090C243EA3216019E5 at MISOUT7MSGUSRCB.ITServices.sbc.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Sorry, I am not trying to move/upgrade anything to v3 at this time.
> I am trying to see my LDAP configuration for our External LDAP server.
> I am trying to see which port LDAP is using.
> If port 389 I will have no issue when the EXTERNAL LDAP server begins
> using SHA256 certs.
> If configured to use 636, I then need to identify the ROOT CA and serial
> number being used by FreeRadius and verify it is the SAME Root CA and
> serial number the External LDAP server is using.
> Apologies for the original looooooooong sentence.
>
>
> > On 4 May 2016, at 12:43, WINANT, KEVIN <KW517G at att.com> wrote:
> >
> > Version is 2.1.1 which we found is EOL and looking to go to V3.
> > Did the debug and it looks like it loads up > "including configuration
> file /etc/raddb/modules/ldap"
> > Looking in there I do not find the hostname or IP of the external LDAP
> server in there.
>
> Uh nope, don't try and use your v2.x.x config with v3.0.x.  Just rebuild
> it using a stock v3.0.x config.
>
> > Reason for trying to see LDAP settings is the Company is installing SHA256 certs
> on the External LDAP server soon.
> > I am trying to determine if LDAP is configured to use port 389
> (unsecure) and there will be NO IMPACT to our servers communicating to the
> External LDAP server, or IF LDAP is configured to use port 636 (secure)
> then I would need to find out if the ROOT CA freeradius is using is the same
> ROOT CA the External LDAP server is using along with the same serial number.
>
> Wow it may be the altitude but that extremely long sentence made
> absolutely no sense to me.  Could you try rephrasing?
>
> -Arran
>
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 4 May 2016 23:43:01 +0100
> From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>, "WINANT, KEVIN"
>         <KW517G at att.com>
> Subject: RE: LDAP CONFIGURATION IN FreeRadius
> Message-ID: <13EA1E61-38A4-4E5B-82C4-DB4C8CD2077E at lboro.ac.uk>
> Content-Type: text/plain; charset="UTF-8"
>
> Ummmm. Surely you want to use protection if it's out in the cloud anyway??
>
> You can view connections to ldap using e.g. netstat and tcpdump
>
> However, regarding the root CA for ldap: it's entirely different (or can
> be!) to that used by freeradius for clients (PEAP etc). So, grab the
> required root CA of the ldap server and its server cert and use those in
> your config. PS: ldap stuff is very much refreshed in v3 - many more
> options etc. and a far better connection pool (could be ideal for WAN-based
> ldap servers)
>
> alan
>
> ------------------------------
>
> Message: 3
> Date: Wed, 4 May 2016 23:50:04 +0100
> From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>, Arran Cudbard-Bell
>         <a.cudbardb at freeradius.org>
> Subject: Re: Problem with multiple LDAP servers
> Message-ID: <87238DE7-BEAA-4CD8-BB2F-E5016A86901F at lboro.ac.uk>
> Content-Type: text/plain; charset="UTF-8"
>
> Ah!
>
> Of course, now that I'm using multiple ldap configs I've hit the too many
> files open issue.
>
> Which causes all sorts of interesting failure modes. Obvious when the sql
> connection can't work - the cause is printed out ... but it was failing in
> reading the root cert used for ldap instance 5 and claimed it couldn't read
> the file, an x509 issue. Given that using ulimit fixed this ... I guess
> if the failure is when spawning some SSL stuff you can't do anything about
> it?
>
> I've updated /etc/security/limits.conf - giving the radius user more
> soft/hard files... but that didn't work... even though the server is using
> radius/radius, the limits seem to require root limits to be modified.
> Looking at adjusting the systemd script right now but it'll catch out any
> local admins trying to do e.g. radiusd -X ;)
>
>
> alan
>
> ------------------------------
>
> Message: 4
> Date: Wed, 4 May 2016 22:57:22 +0000
> From: "WINANT, KEVIN" <KW517G at att.com>
> To: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>, FreeRadius users mailing
>         list <freeradius-users at lists.freeradius.org>
> Subject: RE: LDAP CONFIGURATION IN FreeRadius
> Message-ID:
>         <751C2B6C8900694381C6D7090C243EA321601A4C at MISOUT7MSGUSRCB.ITServices.sbc.com>
>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Alan. This is all on the company's INTRANET. No
> connectivity/access to Internet/Cloud.
> The LDAP config and Cert I am trying to verify is for the ssl connection
> between the FreeRadius servers and the LDAP server itself when queries are sent
> to the LDAP server.
> Someplace in Free Radius I am thinking it would tell us which ROOT CA
> (Certificate Authority) cert and serial number it is using and via what
> port. (Although if using port 389 for LDAP, I figure it is not using a
> cert at all.) Once I can locate that info I can compare to the ROOT CA and
> serial the LDAP server uses. If the same, we're good to go when the External
> LDAP server installs SHA256 certs shortly.
> The original FreeRadius SME is no longer with us, hence the queries.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 4 May 2016 18:08:14 -0600
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> Cc: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Problem with multiple LDAP servers
> Message-ID: <218D846B-D921-47AD-AD96-0D316D580E56 at freeradius.org>
> Content-Type: text/plain; charset="utf-8"
>
>
> > On 4 May 2016, at 15:50, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> >
> > Ah!
> >
> > Of course, now that I'm using multiple ldap configs I've hit the too many
> files open issue.
>
> You hit a file descriptor limit? How many connections are you opening? How
> many servers are you talking to?
>
> Unfortunately from a long term architecture point of view, having one
> connection per working thread is desirable, so there's not much we can do
> to fix that.
>
> > Which causes all sorts of interesting failure modes. Obvious when sql
> connection can't work - the cause is printed out. ... but it was failing in
> reading the root cert used for ldap instance 5 and claimed it couldn't read
> the file, x509 issue.
>
> Heh.  Yeah that's far outside of our control, deep inside whatever libldap
> happens to be using for TLS.
>
> >  Given that using ulimit fixed this. ...... i guess if the failure is
> when spawning some Ssl stuff you can't do anything about it?
>
> It failed when instantiating the module, right? Not when opening a
> connection?
>
> That'll be when it creates the new SSL_CTX.
>
> > I've updated /etc/security/limits.conf - giving radius user more
> soft/hard files... but that didn't work .. even though the server is using
> radius/radius the limits seem to require root limits to be modified .
> Looking at adjusting the systemd script right now but it'll catch out any
> local admins trying to do eg radiusd -X ;)
>
> If you do sudo radiusd -X it'll change to the correct user IIRC.
>
> Only when you run it with usual user privs will it stick to that user.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 5 May 2016 07:41:07 +0300
> From: Johnny R <vasiana09 at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: 802.1X Extra Miles
> Message-ID:
>         <CAF=akFT85MU8gQruAYw-Kt6BacLH2XRydUFane1QQSnXi_fb_A at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> # Arran: Totally right!
>
>
> v4s[at]#unrelated | "sh3ll is just the beginning"
>
>                                  .__
> _____ _______  ____  ___________  |__| ____ _____
> \__  \\_  __ \/  _ \/  ___/\__  \ |  |/    \\__  \
>  / __ \|  | \(  <_> )___ \  / __ \|  |   |  \/ __ \_
> (____  /__|   \____/____  >(____  /__|___|  (____  /
>      \/                 \/      \/        \/     \/
>
>
>
>
> On Wed, May 4, 2016 at 10:26 PM, Arran Cudbard-Bell <
> a.cudbardb at freeradius.org> wrote:
>
> >
> >
> > > On 4 May 2016, at 11:07, Johnny R <vasiana09 at gmail.com> wrote:
> > >
> > > I'm wondering if there is another 'obvious' way to handle non-802.1X
> > > capable equipment apart from checking their MAC :(. OS fingerprinting
> > > seems a little bit ... more than an extra mile :)
> > >
> >
> > Device fingerprinting, web-auth, those are pretty much the only options.
> >
> > Better to use a switch that can perform ip filtering with dynamic rules
> > from RADIUS to restrict incoming and outgoing connections.
> >
> > -Arran
> >
> > >> On Wed, May 4, 2016 at 8:49 PM, Igor Novgorodov <igor at novg.net>
> wrote:
> > >>
> > >> Nope, it has complicated logic based on Calling-Station-Id,
> > NAS-IP-Address
> > >> & multiple SQL queries.
> > >> With EAP it would, of course, use more CPU (if over TLS - even worse).
> > >> We currently have about 150% of a Xeon E5-2630 core used at peak
> times.
> > >>
> > >>
> > >>> On 04/05/16 19:52, Arran Cudbard-Bell wrote:
> > >>>
> > >>>> On 4 May 2016, at 09:33, Igor Novgorodov <igor at novg.net> wrote:
> > >>>>
> > >>>> We're running FreeRADIUS that authenticates 5-6 *million* users per
> > day
> > >>>> (with peaks about 1000 requests per second) on a small VM with 4
> vCPU.
> > >>> That's with EAP?
> > >>>
> > >>> -Arran
> > >>>
> > >>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > >>> FreeRADIUS Development Team
> > >>>
> > >>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> > >>>
> > >>>
> > >>>
> > >>> -
> > >>> List info/subscribe/unsubscribe? See
> > >>> http://www.freeradius.org/list/users.html
> > >>
> >
> >
> >
>
>
> ------------------------------
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 133, Issue 11
> *************************************************
>
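Kevin's question in the quoted digest (is FreeRADIUS talking to the LDAP server on 389 or 636, and against which root CA?) can be answered from the ldap module file itself, before reaching for netstat or tcpdump. The script below is an added example written for this page; it is not code from the thread or from the FreeRADIUS project. It parses the module's `key = value` / `name { ... }` syntax and classifies the connection as plaintext, StartTLS or LDAPS. It assumes the 2.x key names (`port`, `tls { start_tls, cacertfile, require_cert }`) and the 3.x key names (`server` given as an LDAP URL, `tls { ca_file }`); the hostnames, paths and credentials in the samples are constructed, and treating port 636 as LDAPS is a heuristic of this script, not the module's own logic.

```python
"""Audit the transport security of a FreeRADIUS rlm_ldap stanza (added example)."""
from urllib.parse import urlsplit

# Constructed 2.x style stanza (hypothetical host and paths) on the LDAPS port.
SAMPLE_V2_LDAPS = """
ldap {
    server = "ldap.corp.example"
    port = 636
    identity = "cn=radius,dc=corp,dc=example"
    password = "not-a-real-secret"
    basedn = "dc=corp,dc=example"
    tls {
        start_tls = no
        cacertfile = /etc/raddb/certs/ldap-root-ca.pem   # 2.x key name
        require_cert = "demand"
    }
}
"""

# Constructed 2.x style stanza on port 389 with no TLS at all.
SAMPLE_V2_PLAIN = """
ldap {
    server = "ldap.corp.example"
    port = 389
    tls {
        start_tls = no
    }
}
"""

# Constructed 3.x style stanza: URL form of 'server', StartTLS on port 389.
SAMPLE_V3_STARTTLS = """
ldap {
    server = 'ldap://ldap.corp.example'
    tls {
        start_tls = yes
        ca_file = /etc/raddb/certs/ldap-root-ca.pem      # 3.x key name
        require_cert = 'demand'
    }
}
"""


def parse_stanza(text):
    """Parse 'name { ... }' blocks and 'key = value' lines into nested dicts.

    '#' starts a comment and quotes around values are stripped; a value
    containing '#' would be truncated, which is acceptable for this audit.
    """
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cur[key] = value.strip("\"'")
    if stack:
        raise ValueError("unbalanced braces in stanza")
    return root


def audit_ldap(config):
    """Classify the connection as plaintext/starttls/ldaps and flag weak settings."""
    ldap = config.get("ldap", config)
    tls = ldap.get("tls", {})
    server, scheme = ldap.get("server", ""), ""
    port = int(ldap.get("port") or 0)
    if "://" in server:                      # 3.x accepts an LDAP URL here
        parts = urlsplit(server)
        scheme, server, port = parts.scheme.lower(), parts.hostname or "", parts.port or port
    if scheme == "ldaps" or port == 636:      # heuristic: 636 is the LDAPS port
        transport, port = "ldaps", port or 636
    elif str(tls.get("start_tls", "no")).lower() in ("yes", "on", "true", "1"):
        transport, port = "starttls", port or 389
    else:
        transport, port = "plaintext", port or 389

    ca_file = tls.get("ca_file") or tls.get("cacertfile")   # 3.x or 2.x key
    require_cert = tls.get("require_cert")
    findings = []
    if transport == "plaintext":
        findings.append("bind credentials and query results cross the network unencrypted")
    else:
        if not ca_file:
            findings.append("no CA file configured; chain validation relies on libldap defaults")
        if require_cert is None:
            findings.append("require_cert not set; check the libldap/ldap.conf default in effect")
        elif require_cert.lower() not in ("demand", "hard"):
            findings.append(f"require_cert = {require_cert!r} does not enforce a valid server cert")
    return {"host": server, "port": port, "transport": transport,
            "ca_file": ca_file, "require_cert": require_cert, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_V2_LDAPS, SAMPLE_V2_PLAIN, SAMPLE_V3_STARTTLS):
        result = audit_ldap(parse_stanza(sample))
        print(f"{result['host']}:{result['port']} via {result['transport']}, "
              f"CA file {result['ca_file'] or '(none)'}")
        for finding in result["findings"]:
            print("  !", finding)
```

To run it against a real deployment, feed the contents of the module file (/etc/raddb/modules/ldap on 2.x, mods-available/ldap on 3.x) to parse_stanza. When the result is ldaps or starttls, the reported CA file is the one libldap will use to validate the LDAP server's chain, so it is the file that must already contain the root of the server's new SHA256 chain; a plaintext result means no certificate is involved on that link at all, which is what Kevin expected for port 389.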

