Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Thanks for the reply. I am new to FreeRADIUS and doing analysis on how to remove the identity and password attributes of the LDAP module in radiusd.conf and still be able to authenticate and authorize LDAP users.

Is there any other option/configuration to avoid usernames and plaintext passwords in the ldap module of radiusd.conf for authenticating and authorizing users of the LDAP database?

I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as the database for the EAP-TLS method? One of the forum answers says no: http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

I would like to use a certificate (admin) to bind to the LDAP database using FreeRADIUS, because admin has the authority to traverse the LDAP tree. After binding using the certificate I would like to authenticate different users of LDAP using

    radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing1

If, as per the replies, only LDAP simple bind is possible, how do I compile OpenLDAP+SASL+FreeRADIUS on Windows, only through Cygwin? Or is there any other option? Please advise me if I am wrong.

Waiting for your inputs.

Regards,
Pramod

On Wed, Apr 10, 2013 at 8:34 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> > There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.
>
> No it wasn't.
>
> -Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 19.04.2013 10:35, pramod kulkarni wrote:
> Thanks for the reply. I am new to FreeRADIUS and doing analysis on how to remove the identity and password attributes of the LDAP module in radiusd.conf and still be able to authenticate and authorize LDAP users.

Is that really an issue for you? Set restrictive permissions on the file so that only root and freeradius can read the admin credentials for the LDAP server. And do not let people log in as root. Everyone does that. It works fine.

> Is there any other option/configuration to avoid usernames and plaintext passwords in the ldap module of radiusd.conf for authenticating and authorizing users of the LDAP database?

AFAIK no.

> I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as the database for the EAP-TLS method? One of the forum answers says no: http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

That's something else. EAP-TLS is how the user authenticates to the RADIUS server, not how the RADIUS server binds to the LDAP server. BUT you could do EAP-TLS without user/password (for the user) and check the validity of the certificate against an LDAP server that allows retrieving that information anonymously (removing the need to have credentials written in the ldap module). But then it's your LDAP server that can leak information.

> I would like to use a certificate (admin) to bind to the LDAP database using FreeRADIUS, because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

> After binding using the certificate I would like to authenticate different users of LDAP using
>
>     radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing1

This will work with radclient, which does PAP. This won't work with a wireless client, which does EAP.

> If, as per the replies, only LDAP simple bind is possible, how do I compile OpenLDAP+SASL+FreeRADIUS on Windows, only through Cygwin? Or is there any other option?

If you do PAP and want to authenticate against your LDAP, the only option is simple bind at the moment. As usual, Patches Welcome. As for compiling on Cygwin, I can't tell you if that's supported or working.

On a final note, people have been using LDAP with credentials in a file for ages. It's down to the security of the server and the filesystem permissions to ensure that only authorized users can access this file.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 04/10/2013 12:03 AM, pramod kulkarni wrote:
> Thanks John for the reply. Can I use the EAP-TLS method of authentication with LDAP as the backend datastore to check usernames and passwords? It would be like I bind to the RADIUS server with the EAP-TLS method using a certificate and check usernames and passwords from the LDAP server. If yes on EAP-TLS, can you please tell me how to configure EAP-TLS with LDAP as the backend datastore?

This is a nonsensical question, EAP-TLS uses certificates. You do not yet understand some of the basics. You need to invest some time in learning what the authentication mechanisms are and how they operate; this is a good starting place: http://deployingradius.com/documents/protocols/

> Basically I want to avoid hardcoded usernames and passwords in raddb of the RADIUS server for authenticating users, which I am doing currently.

What the configuration block in modules/ldap is setting up is how the radius server can communicate with the LDAP server in a peer-to-peer relationship. The LDAP server has to know who the radius server is and if it has permission to access other users' passwords and password hashes. Therefore radiusd must authenticate to LDAP. This process is completely *independent* of any of the authentication protocols, it's merely establishing if radius can view certain data.

The way rlm_ldap is currently coded only simple binds (i.e. password based) are supported, therefore you must store a password in raddb. You are correct this is a security issue, however only root and the radius process should be able to read the file. On our systems we make sure the permissions and identities the processes run under assure this; if you've installed via some other mechanism it behooves you to assure the radius user and group are properly configured as well as the file permissions on the config files. And by the way, no, I won't tell you how to do this, it's system admin 101. I'm pretty sure the defaults assure this as well, but I haven't verified.

There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.

Oh, and by the way just in case you're confused as to the TLS parameters in the ldap config, they have nothing to do with binding (i.e. authenticating radiusd to LDAP), their purpose is to establish a secure tunnel between radiusd and LDAP. You can request the tunnel only be established if certificate based authentication succeeds but a simple bind will still be performed inside the tunnel.

HTH,
John

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
> There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.

No it wasn't.

-Arran
Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Hi,

I am working on RADIUS with LDAP as the backend for authenticating users. I configured rlm_ldap on the RADIUS server with a username and plaintext password and I am able to authenticate a RADIUS client using LDAP. But I want to configure the RADIUS server with certificates instead of using usernames and passwords. Please guide me how to achieve this; is there any help/doc on how to configure LDAP SASL bind for the RADIUS server?

Waiting for your inputs.

Thanks and Regards,
Pramod
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 04/09/2013 03:44 AM, pramod kulkarni wrote:
> Hi, I am working on RADIUS with LDAP as the backend for authenticating users. I configured rlm_ldap on the RADIUS server with a username and plaintext password and I am able to authenticate a RADIUS client using LDAP.

There is a difference between using LDAP as a backend datastore (lookup passwords and password hashes after binding as a service) and using LDAP as an authentication oracle (binding as the user to determine if the user is authenticated depending on the bind result). From above it sounds like you've configured LDAP as a backend datastore.

> But I want to configure the RADIUS server with certificates instead of using usernames and passwords. Please guide me how to achieve this; is there any help/doc on how to configure LDAP SASL bind for the RADIUS server? Waiting for your inputs. Thanks and Regards,

You can't with the current rlm_ldap module bind to the LDAP server with anything other than a (username, password) pair, either for lookups or for authentication testing (only ldap_connect and ldap_simple_bind are supported). However, rlm_ldap does support SSL/TLS connections to the LDAP server and you can specify that you want the LDAP server to request a client cert when establishing the connection. But ultimately you're still doing a simple bind albeit in a secure tunnel. If you specify you want the LDAP server to require a client cert then you effectively have two simultaneous authentication mechanisms in play (TLS for the tunnel and simple auth inside the tunnel). Setting up TLS auth is straightforward (see the options in raddb/modules/ldap) *except* for the fact the ldap library routines to set the require cert option are buggy (rlm_ldap uses the wrong entry point which may not be supported and the openldap library also has bugs, I think we've now got all these fixed and patches sent upstream to openldap, but you should be aware there is a reasonable chance it won't work on your distribution unless you've got patched libraries).

Even if SASL binds were supported you wouldn't want to use SASL binds for user authentication (if that was what you were asking, it's not clear from your original post). For user authentication based on certificates you would use EAP-TLS.

A long time ago I had a patch for using SASL binds, but it was against the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.

HTH,
John

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Thanks John for the reply.

Can I use the EAP-TLS method of authentication with LDAP as the backend datastore to check usernames and passwords? It would be like I bind to the RADIUS server with the EAP-TLS method using a certificate and check usernames and passwords from the LDAP server. If yes on EAP-TLS, can you please tell me how to configure EAP-TLS with LDAP as the backend datastore?

Basically I want to avoid hardcoded usernames and passwords in raddb of the RADIUS server for authenticating users, which I am doing currently:

    ldap {
        server = localhost
        # identity = cn=admin,o=My Org,c=UA
        identity = uid=admin,ou=CamUsers,dc=vmbox,dc=int
        password = admin
        basedn = ou=CamUsers,dc=vmbox,dc=int
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        # base_filter = (objectclass=radiusprofile)

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes
        # tls_cacertfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/cacert.pem
        # tls_cacertdir = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts
        # tls_certfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
        # tls_keyfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
        # tls_randfile = /path/to/rnd
        tls_require_cert = allow
    }

Waiting for your inputs.

Thanks and Regards,
Pramod
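The practical advice in this thread converges on three checks against a module file like the one above: the file carries the service account's bind password, so only root and the radiusd user should be able to read it (Olivier's and John's point about file permissions); the TLS options only build a tunnel, and a simple bind with a cleartext password still happens inside it (John's note on the TLS parameters), so StartTLS must actually be on; and `tls_require_cert = allow` as posted does not verify the LDAP server's certificate, which is what `demand` is for. The POSIX shell script below is an added example written for this page, not code from FreeRADIUS or from any poster. It audits a module file in the flat 1.x/2.x layout shown above (`start_tls` and `tls_require_cert` at the top level) for those three conditions. The default path `/etc/raddb/modules/ldap`, the sample file contents and the acceptance of `hard` alongside `demand` (OpenLDAP's stricter spelling of the same requirement) are assumptions of the example; ownership by the radiusd user is left to the operator because checking and fixing it needs root.

```shell
#!/bin/sh
# Added example: audit an rlm_ldap module file (FreeRADIUS 1.x/2.x flat layout)
# for the three risks discussed in this thread. Not part of FreeRADIUS.

# cfg_value KEY FILE: print the value of an uncommented "KEY = value" line
# (surrounding quotes stripped); prints nothing if KEY is absent or commented out.
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$2" | head -n 1
}

# audit_ldap_module FILE: print one FINDING line per problem and return the
# number of findings (0 means clean).
audit_ldap_module() {
    file=$1
    findings=0

    # 1. The file holds the bind password in clear text, so it must not be
    #    readable or writable by "other"; only root and the radiusd user should
    #    reach it. find -perm -004 matches when the world-read bit is set,
    #    -002 when the world-write bit is set.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "FINDING: $file is world-readable; every local user can read the bind password"
        findings=$((findings + 1))
    fi
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "FINDING: $file is world-writable; any local user could point radiusd at another LDAP server"
        findings=$((findings + 1))
    fi

    # 2. A simple bind carries the password in the clear inside the LDAP
    #    BindRequest, so the connection must be upgraded with StartTLS first.
    if [ "$(cfg_value start_tls "$file")" != "yes" ]; then
        echo "FINDING: start_tls is not 'yes'; the simple bind would cross the network unencrypted"
        findings=$((findings + 1))
    fi

    # 3. With tls_require_cert = allow (or never) the LDAP server's certificate
    #    is not verified, so the tunnel can terminate at an impostor that then
    #    receives the bind password. 'demand' makes verification mandatory;
    #    'hard' is assumed here to be passed through as OpenLDAP's equivalent.
    case "$(cfg_value tls_require_cert "$file")" in
        demand|hard) ;;
        *)
            echo "FINDING: tls_require_cert is not 'demand'; the LDAP server certificate is not verified"
            findings=$((findings + 1))
            ;;
    esac

    return "$findings"
}

# Stand-alone run: audit the path given on the command line, or the assumed
# 2.x default location if it exists.
if [ -n "$1" ] || [ -f /etc/raddb/modules/ldap ]; then
    audit_ldap_module "${1:-/etc/raddb/modules/ldap}"
fi
```

Run it as `sh audit_ldap.sh /path/to/raddb/modules/ldap`; the exit status is the number of findings, so it can gate a configuration deploy. Against the configuration posted above the script reports only the `tls_require_cert` line (plus any permission problem on the file), since `start_tls = yes` is already set.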