Re: Different BaseDN for User/Group Objects in rlm_ldap
Hi Phil,

we fixed the problem by using the radiusGroupName attribute in the user's object instead of posixGroup objects. Thanks for your help, everyone!

On 2013-01-09 12:38, Phil Mayers wrote:
> On 01/09/2013 08:29 AM, Rudolph Bott wrote:
>> However, our groups are stored underneath "ou=groups,dc=example,dc=org" - so rlm_ldap is not able to find them with the basedn shown above. We
>
> Unsolicited advice: that's not a great schema, and you should look to move away from it.
>
>> are also not able to change the basedn to something else, since there is a different user-tree underneath dc=example,dc=org which should not be taken into account by freeradius.
>
> Define a 2nd copy of the LDAP module with the base DN of the group area. Run the 1st LDAP module before doing any group checks so that "Ldap-UserDN" is populated. Check the per-instance Ldap-Group attribute of the 2nd instance. Like so:
>
> ldap {
>   # base DN for users
> }
>
> ldap ldap2 {
>   # base DN for groups
> }
>
> ...
> authorize {
>   ...
>   ldap
>   if (ldap2-Ldap-Group == FOO) {
>     # will search 2nd base DN using user DN of 1st module
>   }
>   ...
> }
>
> Alternatively, if your users are all in a flat hierarchy, you can hard-code Ldap-UserDN and skip calling the 1st module (unless you need data from there, of course)
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
With kind regards
Rudolph Bott
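A complete configuration for the two-instance approach Phil describes, written out here as an added example (it is not from the thread or from the FreeRADIUS distribution). It uses the 2.x rlm_ldap option names the thread is using, the filters Rudolph posted, and the huntgroup/users entry he posted further down the thread, pointed at the second instance. The server name, the bind DN and its password, and the spelling ou=people (the thread's config says ou=poeple) are assumptions:

```text
# raddb/modules/ldap  (FreeRADIUS 2.x rlm_ldap syntax)

# Instance 1: the user subtree only. It must run before any group check,
# because a successful user search is what sets Ldap-UserDn on the request.
ldap {
    server   = "ldap.example.org"                          # assumed
    identity = "cn=radius,ou=services,dc=example,dc=org"   # assumed bind DN
    password = "change-me"                                 # placeholder
    basedn   = "ou=people,dc=example,dc=org"
    filter   = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
    ldap_connections_number = 5
    timeout     = 4
    timelimit   = 3
    net_timeout = 1
}

# Instance 2: same directory, base DN of the group subtree. Because its name
# is not "ldap", rlm_ldap registers the comparison attribute ldap2-Ldap-Group,
# which the users file and unlang can test. The group search becomes
# (&(cn=<group>)(objectClass=posixGroup)(memberUid=<user>)) under ou=groups.
ldap ldap2 {
    server   = "ldap.example.org"
    identity = "cn=radius,ou=services,dc=example,dc=org"
    password = "change-me"
    basedn   = "ou=groups,dc=example,dc=org"
    # Fallback user lookup, used only when Ldap-UserDn is missing. It would
    # search the wrong subtree, which is why instance 1 has to run first.
    filter   = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
    groupname_attribute    = cn
    groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
    ldap_connections_number = 5
    timeout     = 4
    timelimit   = 3
    net_timeout = 1
}

# raddb/sites-enabled/default
authorize {
    preprocess      # evaluates huntgroups, sets Huntgroup-Name
    ldap            # instance 1: finds the user under ou=people, sets Ldap-UserDn
    files           # users file entries may now use ldap2-Ldap-Group
    pap
    mschap
}

# raddb/users: the thread's entry, asking the second instance for the group
DEFAULT Huntgroup-Name == HQ, ldap2-Ldap-Group == SpecialUserGroup
        Reply-Message = "\n## Access granted by SpecialUserGroup \n",
        Fall-Through = no
```

The same check can be written in unlang instead of the users file, as in Phil's snippet: `if (ldap2-Ldap-Group == "SpecialUserGroup") { ... }` placed after `ldap` in authorize. Two points worth checking on a live server: run `radiusd -X` once and confirm that the debug output shows the group search happening under ou=groups, and that Ldap-UserDn is present on the request before ldap2 is consulted; and note that both instances bind with the same service account, so an LDAP ACL that grants that account read access to ou=people and ou=groups only keeps ou=people2 out of reach even if a base DN or filter is later mis-edited. The expanded User-Name is escaped by rlm_ldap before it is placed in the search filter, so a crafted login name cannot rewrite the filter, but the user search remains only as narrow as the filter and base DN make it.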
Re: Different BaseDN for User/Group Objects in rlm_ldap
On 2013-01-09 10:27, Tobias Hachmer wrote:
> On Wednesday 09 January 2013 09:29:48 Rudolph Bott wrote:
>> Is there is possibility to set a different basedn for group lookups OR another feasible solution (e.g. modify the filter...?). Filter and groupmembership_filter are currently set to:
>
> Create a new ldap module called e.g. ldap2 (just copy the existing ldap module and rename it to ldap2, also rename it in the module itself, otherwise FR tries to instantiate the ldap module twice), adjust there the new basedn and call it where you want in authorize section.

I am not sure if that would work in this case (but maybe I just got the concept of the LDAP module wrong):

* NAS XY connects to FR with an Access-Request
* the huntgroup/users file tells FR to require the membership of an LDAP-Group named 'blah'
* the LDAP module which does the authentication automatically checks if the current user (which it uses to bind to LDAP) is a member of that group

How would I exactly fit in another copy of the LDAP module in this scenario? Wouldn't that mean that the second instance of that module would also have to bind to LDAP using the same settings? And how would I tell the second instance to check for the group required by the users file instead of the first module?

For completeness, this is a sample line from the huntgroups file:

HQ      NAS-IP-Address == 1.2.3.4

And this the corresponding users file:

DEFAULT Huntgroup-Name == HQ, Ldap-Group == SpecialUserGroup
        Reply-Message = "\n## Access granted by SpecialUserGroup \n",
        Fall-Through = no

If there is a request from the NAS specified by that IP address, the LDAP module will automatically check if the user is in the group SpecialUserGroup.

> Regards,
> Tobias Hachmer

-- 
With kind regards
Rudolph Bott
Re: Different BaseDN for User/Group Objects in rlm_ldap
Hi,

thanks for the fast reply.

On 2013-01-09 09:43, Michael Schwartzkopff wrote:
> On Wednesday, 9 January 2013, 09:29:48, Rudolph Bott wrote:
>> Hi List,
>>
>> we are currently using rlm_ldap to check against a LDAP backend, which works fine so far. rlm_ldap is configured to use a BaseDN of "ou=poeple,dc=example,dc=org". We have also specified a group membership filter and are trying to enforce group memberships via the combination of huntgroups-file and Ldap-Group-Settings in the users file. According to debug output, this seems to work (since freeradius is trying to find the groups specified in the users file).
>>
>> However, our groups are stored underneath "ou=groups,dc=example,dc=org" - so rlm_ldap is not able to find them with the basedn shown above. We are also not able to change the basedn to something else, since there is a different user-tree underneath dc=example,dc=org which should not be taken into account by freeradius.
>>
>> Is there is possibility to set a different basedn for group lookups OR another feasible solution (e.g. modify the filter...?). Filter and groupmembership_filter are currently set to:
>>
>> filter = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
>> groupname_attribute = cn
>> groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
>>
>> Debug output states this:
>>
>> rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))
>
> Change the baseDN in the ldap module configuration of FR to "dc=example,dc=org".

As I said, that is not an option since there is another users tree underneath dc=example,dc=org (e.g. "ou=people2,dc=example,dc=org") which should not be considered/read by freeradius. The LDAP structure is similar to this:

org
 \- example
    |- people
    |- people2
    \- groups

-- 
With kind regards
Rudolph Bott
Different BaseDN for User/Group Objects in rlm_ldap
Hi List,

we are currently using rlm_ldap to check against a LDAP backend, which works fine so far. rlm_ldap is configured to use a BaseDN of "ou=poeple,dc=example,dc=org". We have also specified a group membership filter and are trying to enforce group memberships via the combination of huntgroups-file and Ldap-Group-Settings in the users file. According to debug output, this seems to work (since freeradius is trying to find the groups specified in the users file).

However, our groups are stored underneath "ou=groups,dc=example,dc=org" - so rlm_ldap is not able to find them with the basedn shown above. We are also not able to change the basedn to something else, since there is a different user-tree underneath dc=example,dc=org which should not be taken into account by freeradius.

Is there is possibility to set a different basedn for group lookups OR another feasible solution (e.g. modify the filter...?). Filter and groupmembership_filter are currently set to:

filter = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
groupname_attribute = cn
groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"

Debug output states this:

rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))

Thanks in advance for your help!

-- 
With kind regards
Rudolph Bott
Re: Cert issues
On 13.02.2012 10:32, Alan DeKok wrote:
> Please respond to the original email, not a digest, and use a good subject line. It helps other people track the conversation.
>
> Gilmour, Scott wrote:
>> Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones.
>
> That's fine.

If you use a MS CA please be aware that by default 2k8 CAs create certificates signed with SHA-256 - many systems (including XP and Win 2003 without a patch) are NOT able to deal with those certificates, as they only support SHA1. Once the CA has been set up, there is no easy way to change this. Also, MS CAs usually include some mandatory extensions in their CRLs which OpenSSL cannot read either. You need to remove these extensions in the CRL configuration.

>> You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration?
>
> The file raddb/certs/Makefile creates good certificates. The *cnf files in the same directory create good certificates. I don't know what you're doing different, and it isn't really useful to look.
>
> Grab the certificate creation commands from the Makefile, and use those. Modify them to point to your files. It *will* work.
>
> There's a lot of magic in creating good certs. That magic is embedded in the existing Makefile and config files. Use them, they will make your life easier.
>
> Alan DeKok.

-- 
With kind regards
Rudolph Bott
Re: GUID based Authentication on FreeRadius
We have two different SSIDs - one with EAP-TLS for company-owned mobile devices (which will automatically receive a machine certificate to validate that) and a second one with PEAP and local users stored in a radius userfile. Both SSIDs correspond to separate VLANs on the wireless controllers - would that be a solution for your scenario? The second SSID/VLAN offers only limited access to company resources. I guess it would be no great deal to switch the PEAP authentication backend from the local userfile to LDAP/Active Directory, if that is required.

On 28.12.2011 16:13, McSparin, Joe wrote:
> Well that answers that then. My goal is, I have users that will connect wirelessly using their NT domain username and password on the hospital's wireless devices. I also however have doctors that will bring in their own laptops and connect. When they connect with their laptops though I do not want them to have the same privileges as when they connect on the hospital wireless devices. If they are connecting with their home laptops even though they use their Ntdomain user name and password which the radius server will accept I want to restrict them to a public vlan. If they connect using a hospital device then I want it to assign them to a vlan based on their NTDomain User Group. Since this is a hospital I have to have pretty strict security regulations with users.
>
> Thanks,
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcspa...@hillcountrymemorial.org
>
> -----Original Message-----
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, December 28, 2011 8:25 AM
> To: FreeRadius users mailing list
> Subject: Re: GUID based Authentication on FreeRadius
>
> McSparin, Joe wrote:
>> Anyone know if this is possible. I have found information on MAC Based Authentication but nothing on GUID.
>
> What does that mean? The GUID isn't sent in a RADIUS packet. So doing GUID authentication makes no sense.
>
> Alan DeKok.

-- 
With kind regards
Rudolph Bott
Re: Status of 2.1.11/OCSP Implementation
Hi Alan,

On 08.03.2011 18:13, Alan DeKok wrote:
> Rudolph Bott wrote:
>> Do you already have an estimated release date (besides "when it's done") for 2.1.11? I would love to test out that feature!
>
> See http://git.freeradius.org, v2.1.x branch. You can test it now.

Thanks - I will try it out during the next days. But let me rephrase my initial question: Would you consider this feature stable?

> Alan DeKok.

-- 
With kind regards
Rudolph Bott
Status of 2.1.11/OCSP Implementation
Hello Alan / Hello List,

on Nov 19, 2010 you wrote:
> Alex Bergmann wrote:
>> Back in 2004 I've finished my diploma thesis covering OCSP integration in the EAP/TLS module of freeRADIUS. Unfortunately I never posted the patch. To get this burden off me, I've dug through the code again, did some final adjustment and just finished the patch for the v2.1.x branch.
>
> This is very useful!
>
>> I've added a new subsection inside the eap/tls configuration that makes it able to set the following settings. (A detailed description can be found in the patch.)
>
> I'll take a look, and make sure it goes in for 2.1.11.
>
>> I'm aware that the EAP/TLS module was extended with a verify section that states OCSP explicitly. Nevertheless I would like to see this functionality implemented directly into the rlm_eap_tls module.
>
> Yes, this is a good option to have.
>
> Alan DeKok.

Do you already have an estimated release date (besides "when it's done") for 2.1.11? I would love to test out that feature!

-- 
With kind regards
Rudolph Bott
Re: EAP-TLS with Windows CA and CRL for Wireless Auth
Hi Phil,

openssl is able to read the crl, output as follows (I changed the URL/LDAP information):

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /DC=tld/DC=domain/CN=test
        Last Update: Mar  5 14:08:35 2011 GMT
        Next Update: Mar 13 02:28:35 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:37:F6:0A:2D:71:71:DF:5B:F5:DB:90:FF:E4:4B:82:78:89:CB:E4:70
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 CRL Number:
                20
            1.3.6.1.4.1.311.21.4:
                110312141835Z
.
            2.5.29.46:
                0..0...ldap:///blah,blah,blah
            1.3.6.1.4.1.311.21.14:
                0..0...ldap:///blah,blah,blah
            X509v3 Issuing Distrubution Point: critical
                0-.+.).'http://domain.test/CA.crl
Revoked Certificates:
    Serial Number: 3459AE33001D
        Revocation Date: Mar  5 14:18:00 2011 GMT
    Serial Number: 33C46D660014
        Revocation Date: Mar  5 13:57:00 2011 GMT
    Serial Number: 131C35870008
        Revocation Date: Feb 16 07:24:00 2011 GMT
    Serial Number: 130CDC920006
        Revocation Date: Feb 16 07:24:00 2011 GMT
    Signature Algorithm: sha256WithRSAEncryption
         5f:b6:ab:6e:30:cd:47:c2:97:e5:e9:3b:bc:c9:8e:76:22:74:
         ee:95:c5:1e:54:ed:a6:67:c7:a5:e1:90:d5...

At least this seems to work...

I forgot one thing: I think it *worked* during my first try. The error started when I downloaded the CRL for a second (third, fourth) time.

On 08.03.2011 14:06, Phil Mayers wrote:
> On 08/03/11 13:01, Rudolph Bott wrote:
>> Tue Mar  8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
>
> This comes out of OpenSSL. OpenSSL can't parse your CRL. You may need a newer version of OpenSSL; what does:
>
> openssl crl -text -noout -in -inform pem
>
> ...say?

-- 
With kind regards
Rudolph Bott
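The CRL dump above answers Phil's question: the only extension flagged "critical" is the Issuing Distribution Point (OID 2.5.29.28), and OpenSSL's verify error 36 (X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) is exactly what it reports when a CRL carries a critical extension that particular OpenSSL build does not implement. Support for the Issuing Distribution Point extension arrived with OpenSSL 1.0.0, so an older OpenSSL (the likely case on a 2011 SLES 11 build) has no option but to refuse the CRL, regardless of how it was converted. The same "extensions OpenSSL cannot read" point is made in the Cert issues post further up the page. The script below is an added example, not code from the thread: it walks a DER CRL with a minimal ASN.1 parser built from the standard library only and lists every extension with its critical flag, so the offending one can be identified on the RADIUS host itself before eap.conf is touched. The embedded sample CRL is constructed inside the script with a dummy signature; it is shaped like the Windows CA CRL above, not copied from it, and the extension names are the RFC 5280 names plus Microsoft's szOID_* labels:

```python
"""List the extensions of a DER X.509 CRL and flag the critical ones.

Added example for the CRL thread; not code from the list posts. Standard
library only. `python crl_extensions.py CA.crl` inspects a fetched CRL;
with no argument it inspects the constructed sample built at the bottom.
"""
import sys
from pathlib import Path

# RFC 5280 names and Microsoft szOID_* labels (labels are assumptions).
EXTENSION_NAMES = {
    "2.5.29.20": "CRL Number",
    "2.5.29.27": "Delta CRL Indicator",
    "2.5.29.28": "Issuing Distribution Point",
    "2.5.29.35": "Authority Key Identifier",
    "2.5.29.46": "Freshest CRL",
    "1.3.6.1.4.1.311.21.1": "Microsoft CA Version",
    "1.3.6.1.4.1.311.21.4": "Microsoft Next CRL Publish",
    "1.3.6.1.4.1.311.21.14": "Microsoft CRL Self CDP",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (1-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs packed between start and end (a constructed type's body)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _decode_oid(raw):
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                      # base-128, high bit set on all but last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def crl_extensions(der):
    """Return [(oid, critical)] for every entry of crlExtensions, in CRL order."""
    outer_tag, outer_s, _ = _read_tlv(der, 0)           # CertificateList
    tbs_tag, tbs_s, tbs_e = _read_tlv(der, outer_s)     # TBSCertList
    if outer_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER CertificateList")
    result = []
    for tag, vs, ve in _children(der, tbs_s, tbs_e):
        if tag != 0xA0:                                  # crlExtensions [0] EXPLICIT
            continue
        _, exts_s, exts_e = _read_tlv(der, vs)           # Extensions SEQUENCE
        for _, es, ee in _children(der, exts_s, exts_e):
            fields = list(_children(der, es, ee))        # OID, [BOOLEAN], OCTET STRING
            oid = _decode_oid(der[fields[0][1]:fields[0][2]])
            critical = fields[1][0] == 0x01 and der[fields[1][1]] != 0
            result.append((oid, critical))
    return result


def critical_extensions(der):
    """OIDs a verifier must implement or reject the whole CRL (RFC 5280 5.2)."""
    return [oid for oid, critical in crl_extensions(der) if critical]


def describe(der):
    return [(oid, EXTENSION_NAMES.get(oid, "unknown"), c) for oid, c in crl_extensions(der)]


# --- minimal DER encoder, used only to construct the sample CRL below ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def _ext(oid, value, critical=False):
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _oid(oid) + flag + _tlv(0x04, value))


def build_sample_crl():
    """Constructed v2 CRL carrying the extension set of a Windows CA CRL."""
    sha256_rsa = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x13, b"test"))))
    revoked = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01\x02\x03\x04") + _tlv(0x17, b"110305141800Z")))
    idp = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, b"http://domain.test/CA.crl"))))
    exts = _tlv(0x30, _ext("2.5.29.35", _tlv(0x30, _tlv(0x80, bytes(range(20)))))
                + _ext("2.5.29.20", _tlv(0x02, b"\x14"))
                + _ext("1.3.6.1.4.1.311.21.4", _tlv(0x17, b"110312141835Z"))
                + _ext("2.5.29.28", idp, critical=True))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + issuer
               + _tlv(0x17, b"110305140835Z") + _tlv(0x17, b"110313022835Z")
               + revoked + _tlv(0xA0, exts))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00\x5f\xb6\xab\x6e"))  # dummy sig


if __name__ == "__main__":
    der = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_crl()
    for oid, name, critical in describe(der):
        print(f"{oid:24} {name:30} {'critical' if critical else ''}")
```

Run it against the DER file the fetch script downloads (before the PEM conversion) and compare the critical OIDs it prints with what `openssl crl -text` on the RADIUS host labels by name rather than by bare OID: an extension OpenSSL prints as a dotted number is one it does not implement, and if that one is critical, the CRL will be rejected. The fix belongs on the CA side (publish the CRL without the critical IDP) or in upgrading OpenSSL; disabling check_crl removes revocation checking for every client certificate, which is the one thing a machine-certificate EAP-TLS deployment relies on.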
EAP-TLS with Windows CA and CRL for Wireless Auth
Hi List,

I've successfully setup the following scenario:

- Windows CA (Root-CA and Sub-CA)
- Cisco WLAN Controller + APs
- Windows 7 Domain Clients (+ Computer Certificates)
- EAP-TLS Auth with certificates

I created a small script to fetch the CRL from the CA and have it converted to PEM format:

-- snip --
#!/bin/bash
# Fetch the DER CRL published by the Windows CA, convert it to PEM for
# OpenSSL and rebuild the hash symlinks that CA_path lookups need.
TMP=$(mktemp /tmp/CA.XXXXXX) || exit 1
if wget -q http://ca.host.name/CA.crl -O "$TMP"; then
  # Only rehash when the conversion actually produced a new crl.pem.
  if openssl crl -in "$TMP" -inform DER -out /etc/raddb/certs/crl.pem -outform PEM; then
    c_rehash /etc/raddb/certs/ > /dev/null
  fi
fi
rm -f "$TMP"
-- snip --

c_rehash seems to work since I have the symlinks in /etc/raddb/certs/. The relevant parameters in eap.conf are set:

check_crl = yes
CA_path = ${certdir}/

However, as long as check_crl is set to 'yes', the following happens when a client tries to connect:

Tue Mar  8 13:09:48 2011 : Info: Found Auth-Type = EAP
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group authenticate {...}
Tue Mar  8 13:09:48 2011 : Info: [eap] Request found, released from the list
Tue Mar  8 13:09:48 2011 : Info: [eap] EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] processing type tls
Tue Mar  8 13:09:48 2011 : Info: [tls] Authenticate
Tue Mar  8 13:09:48 2011 : Info: [tls] processing EAP-TLS
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_verify returned 7
Tue Mar  8 13:09:48 2011 : Info: [tls] Done initial handshake
Tue Mar  8 13:09:48 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0a35], Certificate
Tue Mar  8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
Tue Mar  8 13:09:48 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
Tue Mar  8 13:09:48 2011 : Error: TLS Alert write:fatal:certificate unknown
Tue Mar  8 13:09:48 2011 : Error: TLS_accept: error in SSLv3 read client certificate B
Tue Mar  8 13:09:48 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Mar  8 13:09:48 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Mar  8 13:09:48 2011 : Debug: TLS receive handshake failed during operation
Tue Mar  8 13:09:48 2011 : Info: [tls] eaptls_process returned 4
Tue Mar  8 13:09:48 2011 : Info: [eap] Handler failed in EAP/tls
Tue Mar  8 13:09:48 2011 : Info: [eap] Failed in EAP select
Tue Mar  8 13:09:48 2011 : Info: ++[eap] returns invalid
Tue Mar  8 13:09:48 2011 : Info: Failed to authenticate the user.
Tue Mar  8 13:09:48 2011 : Auth: Login incorrect (unhandled critical CRL extension): [host/CLIENT123.domain/] (from client WLAN-TEST port 1 cli 00-24-d7-8a-53-cc)
Tue Mar  8 13:09:48 2011 : Info: Using Post-Auth-Type Reject
Tue Mar  8 13:09:48 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Tue Mar  8 13:09:48 2011 : Info: +- entering group REJECT {...}
Tue Mar  8 13:09:48 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> host/CLIENT123.domain
Tue Mar  8 13:09:48 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Mar  8 13:09:48 2011 : Info: ++[attr_filter.access_reject] returns updated
Tue Mar  8 13:09:48 2011 : Info: Delaying reject of request 15 for 1 seconds
Tue Mar  8 13:09:48 2011 : Debug: Going to the next request
Tue Mar  8 13:09:48 2011 : Debug: Waking up in 0.9 seconds.
Tue Mar  8 13:09:49 2011 : Info: Sending delayed reject for request 15
Sending Access-Reject of id 228 to 10.70.11.15 port 32768
        EAP-Message = 0x04090004
        Message-Authenticator = 0x

When I disable CRL checks, everything works fine again. Does anybody have any experience with implementing Windows based CRLs in Freeradius?

Radius Version is:

radiusd: FreeRADIUS Version 2.1.10, for host i686-suse-linux-gnu, built on Mar  5 2011 at 17:06:42

running on SLES 11 (compiled from source as RPM package)

Any kind of advice would be appreciated!

-- 
With kind regards
Rudolph Bott
Re: Authenticating MACs and users
Hey Alan,

On 20.11.2010 11:26, Rudolph Bott wrote:
> Hi Alan,
>
> ok I'll try to be more specific: I have all the mac addresses (including the vlan attribute) in my users file. Can I just put in some user accounts as well and configure my switches to use the radius server for user authentication? How do I separate the management-users from my 'fake' mac-address-users? I don't want anyone to log in to my switches with his mac address :/

OK forget about that part - I totally forgot about the 'Service-Type' attribute, sorry! But that actually leads to my next question: is there a way to avoid having cleartext passwords for my switch-users in the users file?

However, there's still need for clarification on the following:

> On top of that, I might also need a Radius server to authenticate wireless users against Active Directory but I'll probably use IAS here (unless it's easy to add this feature to the existing freeradius setup as well). Basically my question is: how can I separate user requests for different backends (mac-address-users-file, switch-users-file, active directory backend) on my radius server. Simply running 3 instances with different ports/configurations on the same server is probably not the way to go (is it?)
>
> On 19.11.2010 20:42, Alan DeKok wrote:
>> Rudolph Bott wrote:
>>> Ah yes, thanks - any hints on how to achieve this? Maybe I'm just using the wrong keywords for searching.
>>
>> (a) configure user authentication
>> (b) configure MAC authentication
>>
>> There is no real difference between the two, other than the format of the User-Name attribute.
>>
>> If your question was more specific, my answers could be more detailed.
>>
>> Alan DeKok.

-- 
With kind regards
Rudolph Bott
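One way to answer all three questions in this thread with a single server, written out as an added example (not from the thread or from the FreeRADIUS distribution): the Service-Type the NAS sends is what distinguishes a MAC-authentication request from an administrator login, so it can be used both as a check item that fences the two kinds of users-file entries off from each other and as the unlang condition that picks the backend. Management logins from switches and routers arrive as PAP, so their stored credential can be a crypt(3) hash rather than a cleartext string. The assumptions: FreeRADIUS 2.x syntax, a Cisco switch whose MAB requests carry Service-Type = Call-Check with the MAC as User-Name and User-Password (lowercase, no separators, the Cisco default), Service-Type = Login-User for exec logins, and the example MAC, user name, hash placeholder and VLAN IDs:

```text
# raddb/modules/files   (FreeRADIUS 2.x)
# Two rlm_files instances, one table each: a MAC entry can never satisfy an
# admin login and an admin entry is never consulted for a MAB request.
files macs {
    usersfile = ${confdir}/users.mac
    compat = no
}
files admins {
    usersfile = ${confdir}/users.admin
    compat = no
}

# raddb/users.mac
# The Service-Type check item is what makes these entries MAB-only; a login
# attempt with the MAC as user name does not carry Call-Check and falls through.
001122334455  Service-Type == Call-Check, Cleartext-Password := "001122334455"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

DEFAULT       Service-Type == Call-Check, Auth-Type := Reject
        Reply-Message = "unknown MAC"

# raddb/users.admin
# PAP lets rlm_pap compare against a crypt(3) hash, so no cleartext password
# is stored. Generate the value with: openssl passwd -1   (MD5-crypt, "$1$...")
# and paste it in place of the placeholder below (the placeholder will not match).
netadmin      Service-Type == Login-User, Crypt-Password := "$1$REPLACE$REPLACEWITHREALHASH"
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT       Service-Type == Login-User, Auth-Type := Reject
        Reply-Message = "no such administrator"

# raddb/sites-enabled/default
# Dispatch on Service-Type instead of running three radiusd instances.
authorize {
    preprocess
    if (Service-Type == Call-Check) {
        macs            # MAC table only
        pap             # MAB sends the MAC as a PAP password
    }
    elsif (Service-Type == Login-User) {
        admins          # administrator table only
        pap
    }
    else {
        eap             # wireless 802.1X; the Active Directory backend
                        # (ntlm_auth/mschap inside PEAP) is outside this example
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
```

Two caveats for a practitioner: hashed storage only works because the switch login uses PAP; CHAP and MS-CHAP need the cleartext (or NT hash) on the server, so keep the management logins on PAP and protect the RADIUS path with a strong shared secret and a management VLAN, since PAP passwords are only obscured with that secret on the wire. Second, the MAB entries are still "passwords" equal to a value anyone on the segment can observe, which is why the Call-Check fence, not the password, is what keeps them from being usable for an exec login; confirm with `radiusd -X` that a test login using a MAC as the user name is rejected by the admins DEFAULT entry rather than matched in users.mac.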
Re: Authenticating MACs and users
Hi Alan,

ok I'll try to be more specific: I have all the mac addresses (including the vlan attribute) in my users file. Can I just put in some user accounts as well and configure my switches to use the radius server for user authentication? How do I separate the management-users from my 'fake' mac-address-users? I don't want anyone to log in to my switches with his mac address :/

On top of that, I might also need a Radius server to authenticate wireless users against Active Directory but I'll probably use IAS here (unless it's easy to add this feature to the existing freeradius setup as well). Basically my question is: how can I separate user requests for different backends (mac-address-users-file, switch-users-file, active directory backend) on my radius server. Simply running 3 instances with different ports/configurations on the same server is probably not the way to go (is it?)

On 19.11.2010 20:42, Alan DeKok wrote:
> Rudolph Bott wrote:
>> Ah yes, thanks - any hints on how to achieve this? Maybe I'm just using the wrong keywords for searching.
>
> (a) configure user authentication
> (b) configure MAC authentication
>
> There is no real difference between the two, other than the format of the User-Name attribute.
>
> If your question was more specific, my answers could be more detailed.
>
> Alan DeKok.

-- 
With kind regards
Rudolph Bott
Re: Authenticating MACs and users
On 19.11.2010 17:01, Alan DeKok wrote:
> Rudolph Bott wrote:
>> But I would also like to centralize my user accounts for switches and routers - am I able to do this with the same radius setup?
>
> Yes.

Ah yes, thanks - any hints on how to achieve this? Maybe I'm just using the wrong keywords for searching.

> Alan DeKok.

-- 
With kind regards
Rudolph Bott
Authenticating MACs and users
Hey List,

I was just wondering - I have setup a freeradius server (stock packages on SLES 11, I don't have the exact version at hand since I don't have access to the server right now) which is used for mac-based authentication with cisco switches - including vlan assignment. This works as intended.

But I would also like to centralize my user accounts for switches and routers - am I able to do this with the same radius setup? Or do I have to setup another radius server? I am currently using flatfiles for the mac authentication.

I already checked the list archive and the wiki but couldn't find anything helpful - maybe I looked for the wrong keywords ;)

Any help would be appreciated!

-- 
With kind regards
Rudolph Bott