Tim, Louis and Fletcher -
Thanks greatly for your notes back regarding my endeavor. It's folks like
yourselves that make our Open Source community awesome.
Your comments make total sense to me, and I get it. I really like the idea
of a virtual server, and will look into making that happen. Thanks for the
write-up!
-
Pete Hoffswell - Network Manager
[email protected]
http://www.davenport.edu
On Thu, Jun 5, 2014 at 5:12 PM, Fletcher Haynes <[email protected]>
wrote:
> Hopefully this will get you started...please do not try this on a
> production server without first testing it. This config may or may not
> work, and hasn't been checked for proper syntax. =)
> Create a file in /usr/local/pf/raddb/sites-available called whatever you
> want (mine is just ciscosw). It should contain something like this:
>
> server ciscosw {
>     listen {
>         ipaddr = *      # listen on all IP addrs
>         port = 1921     # Or whatever port you want that PacketFence ISN'T using
>         type = auth
>     }
>
>     client 192.168.1.1 {    # Replace with the IP of a switch you want to auth against FreeRADIUS
>         shortname = switch-short-name
>         secret = supersecretsharedsecret    # You'll need to configure this secret on your switch too
>     }
>
>     authorize {
>         suffix
>         expiration
>         logintime
>         if (!control:Auth-Type) {
>             update control {
>                 Auth-Type = "ntlm_auth"    # Going to use the ntlm_auth module for AD authentication
>             }
>         }
>         myldap    # This will need to be defined in the ldap module in /usr/local/pf/raddb/modules/ldap
>     }
>
>     # Without this section the Auth-Type set above has nothing to run: map it to the exec module below
>     authenticate {
>         Auth-Type ntlm_auth {
>             ntlm_auth
>         }
>     }
>
>     post-auth {
>         # If you want to base access on an AD security group...yes it says LDAP, but AD is really LDAP
>         # (with the instance named myldap rather than ldap, FreeRADIUS 2.x exposes this attribute as myldap-LDAP-Group)
>         if (LDAP-Group == "AD Group Name") {
>             update reply {
>                 Service-Type = NAS-Prompt-User
>                 # This is the special Cisco info that the switches look for
>                 cisco-avpair += "shell:priv-lvl=15"
>             }
>         }
>         else {
>             reject
>         }
>     }
> }
>
> In /usr/local/pf/raddb/modules/ntlm_auth it should look like:
>
> exec ntlm_auth {
>     wait = yes
>     program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }
> Replace MYDOMAIN with your domain name
>
> In /usr/local/pf/raddb/modules/ldap, add something like:
>
> ldap myldap {
>     server = "domaincontroller.whatever.edu"
>     identity = "DN of a user with the permissions to search AD"
>     password = "password for that user"
>     basedn = "dc=whatever,dc=edu"    # Or something like that, whatever you want your base search DN to be
>     filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>     ldap_connections_number = 5
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     tls {
>         start_tls = no    # bind credentials and lookups go in the clear; switch this on once the DC's certificate is trusted
>     }
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     groupmembership_filter = "(&(objectClass=group)(member=%{check:Ldap-UserDn}))"
> }
>
> Finally, create a symlink for your virtual server file in sites-enabled to
> enable it and restart radiusd. I strongly suggest you read these links:
> http://freeradius.org/features/virtual_servers.html
>
> And finally, you'll need to configure the switch, with something like this:
> conf t
> aaa new-model
> aaa group server radius SOMENAME
>  ! Note that we didn't configure an accounting server in our virtual server, so this port may not be in your free radius config
>  server-private <ip of pf server> auth-port <port from config> acct-port <1 up from auth port usually> key <key from client section>
>  exit
> aaa authentication login default group SOMENAME local
> aaa authentication enable default enable
> aaa authorization exec default group radius local
>
> So, anyone you put in that AD security group from above will have enable
> privs on the switch when they login. Any local accounts on the switch *will
> not work* unless the PF server does not respond, in which case the switch
> will revert to the local account db.
>
> When testing this, I highly recommend you keep an enable shell open on the
> switch and not logout, and test logging in from another terminal window. If
> you lock yourself out, you have to disable the virtual server to force the
> switch back to a local account in order to login again.
>
> Good luck!
>
>
>
> On Thu, Jun 5, 2014 at 1:34 PM, Louis Munro <[email protected]> wrote:
>
>> Hi Pete,
>>
>> It is certainly possible to reuse the version of FreeRADIUS coming with
>> PacketFence for other RADIUS needs.
>>
>> You will need some knowledge of the way FreeRADIUS is configured though.
>> The difference between a default FreeRADIUS server and PacketFence is
>> that PF's default FreeRADIUS config is set to send the requests to a custom
>> module in the post-auth step.
>>
>> There is nothing preventing you from configuring an additional virtual
>> server that would authenticate requests differently.
>> That's one way to do it, but not the only one.
>>
>> It all depends on how confident you are at modifying the FreeRADIUS
>> configuration.
>> There is no magic there but you may be in for reading the fine manual.
>>
>> Regards,
>> --
>> Louis Munro
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 *125 :: +1 (866) 353-6153
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On 2014-06-05, at 16:03 , Pete Hoffswell <[email protected]>
>> wrote:
>>
>> Pardon my ignorance. I'm new to PacketFence.
>>
>> I was hoping to keep everything within the PF structure, and tweak
>> FreeRadius configs as they like within it. One stop shopping for all our
>> freeradius needs... But I'm a bit of a neophyte in this area. But,
>> maybe, as often I do in Linux, I'm barking up the wrong tree...
>>
>> -
>> Pete Hoffswell - Network Manager
>> [email protected]
>> http://www.davenport.edu
>>
>>
>>
>> On Thu, Jun 5, 2014 at 3:42 PM, Tim DeNike <[email protected]> wrote:
>>
>>> Just use freeradius standalone. It's easy.
>>>
>>> Sent from my iPhone
>>>
>>> On Jun 5, 2014, at 3:41 PM, Pete Hoffswell <[email protected]>
>>> wrote:
>>>
>>> Hi.
>>>
>>> Has anyone successfully used the freeradius installation within
>>> packetfence for cisco device access (telnet and ssh)?
>>>
>>> Consider:
>>>
>>>
>>> http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
>>>
>>> https://supportforums.cisco.com/document/139161/cisco-ios-integration-freeradius-administrator-access
>>>
>>> I have been trying to get this working on our new PF installation, with
>>> no success yet. I'm wondering if anyone's blazed this trail already, and
>>> might have some words of wisdom, or configs to share.
>>>
>>> More specifically, I have our installation joined to active directory as
>>> well, and hope to pass auth from that system, through radius.
>>>
>>> Thanks for any hints!
>>>
>>> -
>>> Pete Hoffswell - Network Manager
>>> [email protected]
>>> http://www.davenport.edu
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/NeoTech
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Fletcher Haynes <[email protected]>
> Systems Administrator/Network Services Consultant
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> Phone: 503.370.6016
>
>
>
>
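As an added illustration (not from Fletcher's post or the PacketFence project), here is the RADIUS exchange the virtual server above produces, built in pure Python from RFC 2865: the switch's Access-Request with User-Password hidden under the shared secret from the client section, the Access-Accept carrying Service-Type NAS-Prompt-User and the cisco-avpair shell:priv-lvl=15 VSA, and the Response Authenticator check a client must pass before trusting that reply. The user name, password and secret are constructed sample values.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER, CISCO_VENDOR_ID, CISCO_AVPAIR = 7, 9, 1   # Cisco VSA used in the post

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    vendor_attr = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_attr)

def hide_password(password, secret, authenticator):
    # RFC 2865 s.5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(user, password, secret, ident=1, authenticator=None):
    ra = authenticator or os.urandom(16)   # Request Authenticator: random per request
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def access_accept(request, secret, priv_lvl=15):
    # The reply the post-auth block sends for a member of the AD group (constructed server side)
    body = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair(b"shell:priv-lvl=%d" % priv_lvl)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def granted_priv_lvl(response, request, secret):
    # Verify the reply against the request it answers and the shared secret; None means "do not trust it"
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if code != ACCESS_ACCEPT or ident != request[1] or expected != response[4:20]:
        return None   # wrong secret, altered in transit, or a reply to a different request
    pos, priv = 20, None
    while pos < length:
        atype, alen = response[pos], response[pos + 1]
        if alen < 2:
            return None   # malformed attribute header
        val = response[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID) and val[4] == CISCO_AVPAIR:
            avp = val[6:4 + val[5]]
            if avp.startswith(b"shell:priv-lvl="):
                priv = int(avp[15:])
        pos += alen
    return priv
```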