Contemplating change to FreeRadius configuration....

Alan DeKok aland at deployingradius.com
Mon Jan 21 21:33:15 CET 2019 

On Jan 21, 2019, at 3:17 PM, Mark J. Bobak <mark at bobak.net> wrote:
> But, I wanted to run a thought by folks here, before I spend too much time
> on the effort.

  That's the best approach.

> Currently, I'm running Freeradius 3.0.13 (which I think was current when we
> installed) on RedHat Enterprise Linux 7 (7.6).

  Hmm... I guess.

> I have a very simple implementation, using FreeRadius, Google
> Authenticator, and Linux.  I create an account in Linux, and each Linux
> account has a Google Authenticator component, and I use FreeRadius as the
> backend to authenticate VPN users, coming from a Dell Sonicall TZ400.
> 
> All this works with no issue.  (The main reason I've been so quiet on this
> list. ;-))

  Sounds good.

> Users come in from VPN, supply username, password, and Google auth OTP, and
> FreeRadius authenticates them.  The users are defined in Linux, on the
> FreeRadius server itself.
> 
> Since I first set this up a couple of years ago, we have made some changes,
> including moving to a Samba backend to do Active Directory authentication
> for Windows logins.

  That's a common config.

> So, my question is, instead of maintaining a separate database for VPN, is
> it possible (and how hard) to make my Samba server be the backend?  So,
> when we add a user to the Samba AD server, they will gain VPN login access,
> in addition to the Windows domain for Windows login access.

  That's pretty simple.  VPNs usually send User-Password.  So all of the normal MS-CHAP nonsense doesn't apply.  And, you can largely treat AD as just another LDAP server.

> If I go that way, would the Google Auth stuff have to move over to the
> Samba server?

  I don't see why.  FreeRADIUS can do all that.

>  Would two-factor auth apply to Windows domain login as well
> as VPN access?  (That may be a Samba question, sorry.)

  Nope.  AD / Samba are just databases.  FreeRADIUS is the one with the weird authentication logic.

>  Would the
> FreeRadius server need to move to the Samba server?

  No.

> Has anyone dome something like this?  Was it difficult?

  Yes, and it's not difficult.

> I'm a little bit loathe to change a configuration that has been working so
> well for so long....but as we grow, I'm willing to bet it will pay for
> itself in time saved.

  Exactly.

> Any helpful hints?  Pointers to docs?

  If the VPNs send User-Password, then the LDAP documentation should work.  Configure that, and make sure to set "Auth-Type := ldap", which isn't the default.  But it is needed for AD.

  My only $0.02 is to read raddb/sites-available/README.  See section 5.  You can set up a different virtual server for VPN access.  That way you're *guaranteed* it doesn't affect other users.  And, the VPN virtual server will likely be ~30 lines long.  Which makes it *very* easy to debug and/or modify.

  Alan DeKok.

More information about the Freeradius-Users mailing list