Hopefully this will get you started...please do not try this on a
production server without first testing it. This config may or may not
work, and hasn't been checked for proper syntax. =)
Create a file in /usr/local/pf/raddb/sites-available called whatever you
want (mine is just ciscosw). It should contain something like this:
server ciscosw {
    listen {
        ipaddr = *      # listen on all IP addrs
        port = 1921     # Or whatever port you want that PacketFence ISN'T using
        type = auth
    }
    client 192.168.1.1 {    # Replace with the IP of a switch you want to auth against FreeRADIUS
        shortname = switch-short-name
        secret = supersecretsharedsecret    # You'll need to configure this secret on your switch too
    }
    authorize {
        suffix
        expiration
        logintime
        if (!control:Auth-Type) {
            update control {
                Auth-Type = "ntlm_auth"    # Going to use the ntlm_auth module for AD authentication
            }
        }
        myldap    # This will need to be defined in the ldap module in /usr/local/pf/raddb/modules/ldap
    }
    post-auth {
        # If you want to base access on an AD security group...yes it says LDAP, but AD is really LDAP.
        # The ldap instance below is named "myldap", so its group-check attribute is myldap-Ldap-Group
        # (plain Ldap-Group is only registered for an instance named "ldap").
        if (myldap-Ldap-Group == "AD Group Name") {
            update reply {
                Service-Type = NAS-Prompt-User
                # This is the special Cisco info that the switches look for
                Cisco-AVPair += "shell:priv-lvl=15"
            }
        }
        else {
            reject
        }
    }
}
In /usr/local/pf/raddb/modules/ntlm_auth it should look like:
exec ntlm_auth {
    wait = yes
    # Needs the cleartext password (User-Password), i.e. the switch must do PAP; on the wire it is only
    # hidden with the shared secret, so keep that secret long and the path to the PF server trusted.
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
Replace MYDOMAIN with your domain name
In /usr/local/pf/raddb/modules/ldap, add something like:
ldap myldap {
    server = "domaincontroller.whatever.edu"
    identity = "DN of a user with the permissions to search AD"
    password = "password for that user"
    basedn = "dc=whatever,dc=edu"    # Or something like that, whatever you want your base search DN to be
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # "no" sends the bind DN's password and every lookup to the DC in the clear on 389;
        # switch to start_tls = yes (or an ldaps:// server URL) once the rest works.
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    groupmembership_filter = "(&(objectClass=group)(member=%{check:Ldap-UserDn}))"
}
Finally, create a symlink for your virtual server file in sites-enabled to
enable it and restart radiusd. I strongly suggest you read these links:
http://freeradius.org/features/virtual_servers.html
And finally, you'll need to configure the switch, with something like this:
conf t
aaa new-model
aaa group server radius SOMENAME
 ! Note that we didn't configure an accounting server in our virtual server, so this port may not be in your FreeRADIUS config
 server-private <ip of pf server> auth-port <port from config> acct-port <1 up from auth port usually> key <key from client section>
aaa authentication login default group SOMENAME local
aaa authentication enable default enable
! Use the named group here as well: "group radius" only covers servers defined globally with
! radius-server host, not the server-private entry above.
aaa authorization exec default group SOMENAME local
So, anyone you put in that AD security group from above will have enable
privs on the switch when they login. Any local accounts on the switch *will
not work* unless the PF server does not respond, in which case the switch
will revert to the local account db.
When testing this, I highly recommend you keep an enable shell open on the
switch and not logout, and test logging in from another terminal window. If
you lock yourself out, you have to disable the virtual server to force the
switch back to a local account in order to login again.
Good luck!
On Thu, Jun 5, 2014 at 1:34 PM, Louis Munro <[email protected]> wrote:
> Hi Pete,
>
> It is certainly possible to reuse the version of FreeRADIUS coming with
> PacketFence for other RADIUS needs.
>
> You will need some knowledge of the way FreeRADIUS is configured though.
> The difference between a default FreeRADIUS server and PacketFence is that
> PF's default FreeRADIUS config is set to send the requests to a custom
> module in the post-auth step.
>
> There is nothing preventing you from configuring an additional virtual
> server that would authenticate requests differently.
> That's one way to do it, but not the only one.
>
> It all depends on how confident you are at modifying the FreeRADIUS
> configuration.
> There is no magic there but you may be in for reading the fine manual.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On 2014-06-05, at 16:03 , Pete Hoffswell <[email protected]>
> wrote:
>
> Pardon my ignorance. I'm new to PacketFence.
>
> I was hoping to keep everything within the PF structure, and tweak
> FreeRadius configs as they like within it. One stop shopping for all our
> freeradius needs... But I'm a bit of a neophyte in this area. But,
> maybe, as often I do in Linux, I'm barking up the wrong tree...
>
> -
> Pete Hoffswell - Network Manager
> [email protected]
> http://www.davenport.edu
>
>
>
> On Thu, Jun 5, 2014 at 3:42 PM, Tim DeNike <[email protected]> wrote:
>
>> Just use freeradius standalone. It's easy.
>>
>> Sent from my iPhone
>>
>> On Jun 5, 2014, at 3:41 PM, Pete Hoffswell <[email protected]>
>> wrote:
>>
>> Hi.
>>
>> Has anyone successfully used the freeradius installation within
>> packetfence for cisco device access (telnet and ssh)?
>>
>> Consider:
>>
>>
>> http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
>>
>> https://supportforums.cisco.com/document/139161/cisco-ios-integration-freeradius-administrator-access
>>
>> I have been trying to get this working on our new PF installation, with
>> no success yet. I'm wondering if anyone's blazed this trail already, and
>> might have some words of wisdom, or configs to share.
>>
>> More specifically, I have our installation joined to active directory as
>> well, and hope to pass auth from that system, through radius.
>>
>> Thanks for any hints!
>>
>> -
>> Pete Hoffswell - Network Manager
>> [email protected]
>> http://www.davenport.edu
>>
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and
>> their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/NeoTech
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>
>
--
Fletcher Haynes <[email protected]>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
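Added example (not part of the original post, and not PacketFence's or FreeRADIUS's own code): a small stand-alone RADIUS PAP client for testing the virtual server from a workstation, following the advice above to test before locking yourself out of the switch. It builds the Access-Request a switch sends for a login (User-Password hidden per RFC 2865), verifies the Response Authenticator of the reply so a wrong shared secret or a tampered packet is caught, and checks that an Access-Accept really carries Service-Type NAS-Prompt-User plus cisco-avpair shell:priv-lvl=15. The port and secret are the placeholders from the config above; the host name, the user alice/Pa55w0rd!, and the replies built by offline_demo() are constructed assumptions so it runs with no server.

```python
"""Stand-alone RADIUS PAP client (RFC 2865) to exercise the ciscosw virtual server."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7                    # Service-Type value set in post-auth
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Specific: vendor 9, sub-type 1 = cisco-avpair

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator   # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(atype, value):
    """One type-length-value attribute; length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(value):
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, value))

def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1"):
    """Access-Request as a switch doing a PAP login sends it; returns (packet, authenticator)."""
    auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Reply with a correct Response Authenticator (RFC 2865 s3), computed as the server does."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(reply, request_auth, secret):
    """False unless the reply was made with our secret for our request (no forgery/tampering)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def parse_attrs(data, vendor=None):
    """List of (type, value); Vendor-Specific contents are flattened to ('vendor:subtype', value)."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        v = data[i + 2:i + l]
        if vendor is None and t == VENDOR_SPECIFIC and len(v) >= 6:
            out += parse_attrs(v[4:], vendor=struct.unpack("!I", v[:4])[0])
        else:
            out.append((t if vendor is None else f"{vendor}:{t}", v))
        i += l
    return out

def grants_priv15(reply, request_auth, secret):
    """True only for an authentic Access-Accept carrying Service-Type NAS-Prompt-User AND
    cisco-avpair shell:priv-lvl=15, i.e. exactly what the post-auth section hands out."""
    if not verify_response(reply, request_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if reply[0] != ACCESS_ACCEPT:
        return False
    attrs = parse_attrs(reply[20:struct.unpack("!H", reply[2:4])[0]])
    prompt = (SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) in attrs
    return prompt and (f"{CISCO_VENDOR_ID}:{CISCO_AVPAIR}", b"shell:priv-lvl=15") in attrs

def send_and_check(host, port, secret, username, password, timeout=3.0):
    """Live probe of the listener (assumed host/port, e.g. pf.example.edu:1921) from a workstation."""
    ident = os.urandom(1)[0]
    pkt, req_auth = build_access_request(ident, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        reply = s.recv(4096)
    if reply[1] != ident:
        raise ValueError("reply Identifier does not match our request")
    return grants_priv15(reply, req_auth, secret)

def offline_demo():
    """Constructed exchange, no server: the Accept post-auth sends a group member, and a Reject."""
    secret = b"supersecretsharedsecret"            # secret from the client block above
    _, req_auth = build_access_request(7, secret, "alice", "Pa55w0rd!")   # constructed user
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth, secret,
                         attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair(b"shell:priv-lvl=15"))
    reject = build_reply(ACCESS_REJECT, 7, req_auth, secret)
    return grants_priv15(accept, req_auth, secret), grants_priv15(reject, req_auth, secret)

if __name__ == "__main__":
    print(offline_demo())   # (True, False)
```

Against a real server call send_and_check("pf-host", 1921, b"supersecretsharedsecret", "aduser", "adpassword") once for a member of the AD group (expect True) and once for a non-member (expect False); a ValueError means the secret in the client block and the one you typed do not match. Because the check insists on both the Service-Type and the priv-lvl avpair, a reply that merely says Accept does not pass, which is the difference between "can log in" and "lands in enable".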