Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Fri May 7 12:09:34 CEST 2021
Alan DeKok <aland at deployingradius.com> wrote (date: 6 May 2021, Thu, 13:39):
> On May 6, 2021, at 5:57 AM, Pisch Tamás <pischta at gmail.com> wrote:
> > Great, thanks. I feel myself lost in a jungle.
>
> That's RADIUS. :(
>
Yes, I understood that it is not FreeRADIUS that is complex, but RADIUS itself.
> You want to use RADIUS, but that really means using LDAP, Kerberos,
> SASL, and GSSAPI. How do all those work together? I don't know, I've got
> way too many other things to remember.
>
Maybe my situation is not so complex. I explained it to Michael.
> But as we see with the complaint the other day, some people are
> enthusiastic about laying blame, but are horrified at the thought of
> contributing.
Yes, I see.
> The documentation is full of concrete examples. Sadly, not this one.
> So... if you figure out it, PLEASE tell us, so we can document it, and no
> one else has to go through this pain.
>
I found an example for AD authentication. For authorization with group
filtering, I don't remember (maybe there is one, I just don't remember).
>
> >> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
> >>
> > Ok, I did it. When I use kinit, I can see messages in the log. When I start
> > freeradius, nothing new appears in the log with
> > tls {
> > start_tls = no
> > }
> > sasl {
> > mech = 'GSSAPI'
> > realm = 'ad.ourdomain.hu'
> > }
> > I tried with start_tls again, with
> > require_cert = 'allow'
> > But it didn't help. I still get "Strong(er) authentication required"
> > message.
>
> So the issue is that your LDAP server doesn't do TLS, but something
> else. And then there's the issue of chaining together a complex solution
> of FreeRADIUS to libldap to SASL GSSAPI to Kerberos, and finally to LDAP.
>
Hope my situation isn't so complex, just the conversation went into the
jungle... :)
I got information privately about a samba setting:
ldap server require strong auth
It has options: yes/no/allow_sasl_over_tls
Default is yes.
With 'no', authentication and authorization work... with a little flaw:
it accepts users who are not in the vpnusers group.
With 'yes' or with 'allow_sasl_over_tls' I get "Strong(er) authentication
required".
My questions are:
-With this 'no' option, is the LDAP auth insecure?
-Why doesn't group filtering work?
With these settings in the ldap module:
ldap {
    server = 'localhost'
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
    password = '...'
    base_dn = 'dc=ad,dc=ourdomain,dc=hu'
    group {
        membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
    }
    tls {
        start_tls = yes
        require_cert = 'allow'
    }
}
I tried to set up filtering according to
https://wiki.freeradius.org/modules/Rlm_ldap
Changes in ldap module:
ldap {
    groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
    membership_attribute = 'memberOf'
In default site:
authorize {
    ldap
}
post-auth {
    if (LDAP-Group == "CN=vpnusers") {
        noop
    }
    else {
        reject
    }
}
I tried the condition with
if (LDAP-Group == "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu") {
but without success.
Debug output:
mschap: Authenticated successfully
(0) mschap: adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (LDAP-Group == "CN=vpnusers") {
(0) Searching for user in group "CN=vpnusers"
rlm_ldap (ldap): Reserved connection (1)
(0) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) --> (uid=vpn)
(0) Performing search in "dc=ad,dc=ourdomain,dc=hu" with filter "(uid=vpn)", scope "sub"
(0) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ad.ourdomain.hu/CN=Configuration,DC=ad,DC=ourdomain,DC=hu
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) Search returned no results
I checked with ldapsearch:
ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
It gives the vpnusers object as a result.
Thanks,
Tamás.
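As an added illustration of the rlm_ldap group check against Active Directory (not code from this thread or the FreeRADIUS project), here are the posted settings set beside what the debug output points at: the user search ran with the default (uid=vpn) filter, an attribute AD user objects do not carry, so it returned nothing and the group comparison had no user DN to work with. Host, DNs and the vpnusers group are the thread's values, reused as assumptions.

```conf
# Added example, not from this thread or the FreeRADIUS project: rlm_ldap and
# unlang settings for an AD backend; the thread's host, DNs and group are reused.
# --- mods-available/ldap ---
ldap {
    server = 'localhost'
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
    password = '...'    # placeholder, as in the post
    base_dn = 'dc=ad,dc=ourdomain,dc=hu'
    user {
        # Default, and what the debug output above shows being used:
        #   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # AD user objects carry no uid; the login name is sAMAccountName, so the
        # default filter returns no results and the group check cannot succeed.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = 'cn=Users,dc=ad,dc=ourdomain,dc=hu'
        # As posted: membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
        # The key names an attribute of the user entry; the group DN goes in unlang.
        membership_attribute = 'memberOf'
        # 'groupmembership_filter' is the 2.x key; in 3.0 it is membership_filter here.
        filter = '(objectClass=group)'
        membership_filter = "(member=%{control:Ldap-UserDn})"
        name_attribute = 'cn'
    }
    options {
        # "Rebinding to URL ldap://ad.ourdomain.hu/CN=Configuration,..." above is
        # AD answering a subtree search at the domain root with referrals.
        chase_referrals = no
    }
    tls {
        start_tls = yes
        require_cert = 'allow'
    }
}
# --- sites-enabled/default ---
authorize {
    ldap
}
post-auth {
    # Compare against the full group DN as it appears in the user's memberOf.
    if (&LDAP-Group == "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu") {
        noop
    }
    else {
        reject
    }
}
```

Run the server with `freeradius -X` after the change and confirm the user search line in the debug output now shows the sAMAccountName filter and a returned DN before reading the group result.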
More information about the Freeradius-Users mailing list