Working with LDAP, radius clients, users, etc

Alan DeKok aland at deployingradius.com
Wed Aug 21 18:28:35 CEST 2019


On Aug 21, 2019, at 10:52 AM, Paul Pathiakis via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> What would be the correct configuration for something like this:
> 
> I'd like all the clients in domain example.com to authenticate using the same 'secret' - foobar
> 
> If the address space for example.com is 192.168.0.0/22, does my client entry look like this in clients.conf:
> 
> client example.com {
>         ipaddr    = 192.168.0.0/22
>         secret    = foobar
> }?
> 
> Is my understanding correct that any and all clients that are configured in the 192.168.0.1 - 192.168.3.254 range can be authenticated via freeradius at that point, using just the secret 'foobar'?

  Yes.

> ### OK, I'm a little confused about the attribute block above.### In my openldap configuration,

  That is only for clients.  If you keep clients in "clients.conf", then ignore that part of the LDAP module configuration.

> I have put the schema files
> include     /etc/openldap/schema/freeradius.schema
> include     /etc/openldap/schema/freeradius-clients.schema
> 
> in the location above and those are the schema files I got from downloading the FreeRADIUS source 
> in the <path>/doc/schemas/ldap/openldap/ location and I copied them into correct location.
> 
> I know this isn't an LDAP list, however with regards to the schemas and attribute block, is this checking to see if those entries exist (radiusClientIdentifier, radiusClientSecret) in the user entry in ldap? That is, is this using those schema entries to authenticate the user for access to the client?

  No.

> I'm starting to see that FreeRADIUS will authenticate all the units on a network from the first two points and then check the existence of the user from LDAP.  However, if I'm trying to be very secure, wouldn't I want to limit the scope of the machines?

  Maybe.  But for what purpose?

> For example, say I have a smallish network that grows/contracts with the number of hosts on the desktop and it has as few as 100 and almost 250.  So, I have 192.168.1.0/24 as my CIDR network.  I can use DHCP and Dynamic Updating of DNS to track everything at the IP level, but I don't want to have hosts that are in an 'unknown' state on my network.  For argument's sake, I have someone that plugs into my network and knows the address space that is used.  They are not a 'sanctioned user' for that network space, but due to the scope of what RADIUS allows in my above network range of 192.168.0.0/22, the machine gets authenticated.

  I think that you're missing something critical here.

  The clients in clients.conf are *only* for systems which send RADIUS packets to the RADIUS server.  i.e. the switch, NAS, WiFi access point, etc.

  The clients have *nothing to do* with end-user systems.

  Those end-user systems may do 802.1X / EAP in order to authenticate.  But the packets come from the RADIUS client.  From the point of view of the RADIUS server, those end-user systems are just different *users* who get authenticated.

>  It seems that it would be beneficial to have an entry for all the machines in my LDAP to allow authentication for that client.

  How are those systems authenticating?  Do you have WiFi?  Are the systems doing EAP, PEAP, etc?

> Is this possible?
> I'm thinking it would be a good thing to be able to have entry upon entry of clients and users on a case-by-case basis added and removed to LDAP with a flag in the record to allow authentication.

  Once users are in LDAP, you can just add / delete them in LDAP.  And once they're deleted from LDAP, they won't be able to authenticate any more.

> Do people do this?  Am I going in the wrong direction?  If so, which way?  If not, how would this be addressed?

  I think you have serious misconceptions about how RADIUS works.  Those need to be addressed first.

  Alan DeKok.
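As an added illustration of the client matching discussed above (not code from this thread or from FreeRADIUS itself), this Python model shows how a RADIUS packet's source address is matched against clients.conf blocks: every NAS in 192.168.0.0/22 gets the secret foobar, a narrower block for a single switch takes precedence as the most specific match, and addresses outside every block are unknown clients. The "core-switch" entry and its secret are assumptions added for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed stand-in for clients.conf: each client block has a name, an
# ipaddr (single host or CIDR network) and the shared secret for that block.
CLIENTS = {
    # The block from the question: every NAS in 192.168.0.0/22 shares "foobar".
    "example.com": {"ipaddr": "192.168.0.0/22", "secret": "foobar"},
    # Assumed narrower block for one specific switch inside that range.
    "core-switch": {"ipaddr": "192.168.1.10/32", "secret": "switch-only-secret"},
}


def parse_clients(clients: dict) -> list:
    """Turn the block definitions into (network, name, secret) tuples."""
    parsed = []
    for name, block in clients.items():
        net = ipaddress.ip_network(block["ipaddr"], strict=False)
        parsed.append((net, name, block["secret"]))
    return parsed


def find_client(src_ip: str, clients: dict = CLIENTS) -> Optional[Tuple[str, str]]:
    """Return (client_name, secret) for the packet's source IP, or None.

    The lookup is keyed on the address the RADIUS packet came from, i.e. the
    switch or access point, never the end-user system behind it.  When several
    blocks cover the address, the most specific one (longest prefix) wins.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, name, secret in parse_clients(clients):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, secret)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.3.254", "192.168.1.10", "192.168.4.1"):
        print(ip, "->", find_client(ip))
```

A packet from 192.168.4.1 returns None because it falls just outside the /22, which is how FreeRADIUS ends up logging an unknown client.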