Thanks. If I follow the Samba/Kerberos route, do you know which ports I will have to open to my DC? Ideally I am going to position the PacketFence server in a DMZ and was only expecting to expose LDAPS if I could get away with it. The krb5.conf file suggests this may just be 88 and 749 for Kerberos traffic, but I am wondering how much of a risk this authentication traffic will cause.
Thanks,
Jon

-----Original Message-----
From: Fabrice Durand [mailto:[email protected]]
Sent: 28 November 2014 15:18
To: [email protected]
Subject: Re: [PacketFence-users] EAP over AD/LDAP

Just an alternative to installing Samba, Kerberos ....
https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute

Fabrice

On Friday 28 November 2014 10:08 EST, Louis Munro <[email protected]> wrote:

> On 2014-11-28, at 9:55 , "Gair, Jon" <[email protected]> wrote:
>
> > I am trying to determine the best way of authenticating users for a secure SSID against an Active Directory source. My AD source is working fine for a captive portal to sponsor and approve roles for MAC based authentication, but I am wondering if any of this config can relate to EAP authentication.
> >
> > From reviewing the forums and manuals there does not appear to be a clear way forward on this. Is the best way to follow page 28 of the admin manual that describes installing Samba, joining the server to the domain and editing various files in the RADIUS and Kerberos directories? Would setting this up as an LDAP source rather than an AD local source make the process any easier? Do the roles I have configured via the GUI for the portal get used by RADIUS for role/VLAN assignment for EAP?
>
> Hi Jon,
>
> If what you want is to authenticate your users with PEAP using 802.1x, LDAP will not work.
> Protocol limitations inherent to PEAP mean that no LDAP query of any kind can get this to work with an Active Directory, because you cannot get the NT hashed passwords out of it using LDAP.
> See here for a protocol compatibility matrix:
> http://deployingradius.com/documents/protocols/compatibility.html
>
> So pretty much your only way forward is to use winbind and join the machine to the domain.
> The current PacketFence version comes preconfigured for NTLM authentication, but you will still have to edit /etc/krb5.conf and /etc/samba/smb.conf to match your local configuration.
>
> Think of it this way: in an 802.1x setup with AD, FreeRADIUS is used for authentication (checking passwords) and the rules you configure in PacketFence are used for authorization (setting which role/VLAN is returned). The two complement each other.
>
> Hopefully that makes sense and gets you a bit further along.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
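Jon's question about which ports the DMZ host needs to reach on the DC is not answered in the thread. As an added example (not from the thread, nor from PacketFence or Samba), the script below probes TCP reachability of the ports a Samba/winbind domain member typically needs on a domain controller; the port list itself is a general assumption about an AD domain join, not something the thread states, and the DC hostname is a placeholder.

```python
import socket
import sys

# Ports a Samba/winbind domain member typically needs to reach on a DC.
# This is an assumption about a standard AD domain join, not a list from
# the thread; trim or extend it to what your DC actually serves (DNS/NTP
# may come from elsewhere). LDAPS (636) alone is not enough for PEAP/MSCHAPv2:
# winbind authenticates over SMB/netlogon (445), not over LDAP.
DC_PORTS = [
    ("tcp", 53,  "DNS (SRV lookups for the domain)"),
    ("udp", 53,  "DNS"),
    ("tcp", 88,  "Kerberos"),
    ("udp", 88,  "Kerberos"),
    ("udp", 123, "NTP (Kerberos needs clocks in sync)"),
    ("tcp", 389, "LDAP (winbind directory lookups)"),
    ("udp", 389, "CLDAP (DC locator ping)"),
    ("tcp", 445, "SMB / netlogon (ntlm_auth goes here)"),
    ("tcp", 464, "kpasswd (machine password changes)"),
    ("tcp", 636, "LDAPS"),
]

def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failed
        return False

def check_dc(host, ports=DC_PORTS, timeout=2.0):
    """Probe each TCP port; UDP entries are reported as None (not probed),
    since a UDP connect() cannot distinguish open from filtered."""
    results = {}
    for proto, port, _purpose in ports:
        results[(proto, port)] = tcp_reachable(host, port, timeout) if proto == "tcp" else None
    return results

def report(host, results, ports=DC_PORTS):
    """Render one line per port so blocked firewall paths stand out."""
    lines = [f"DC reachability from this host to {host}:"]
    for proto, port, purpose in ports:
        state = results.get((proto, port))
        mark = {True: "open", False: "BLOCKED", None: "udp (not probed)"}[state]
        lines.append(f"{proto}/{port:<5} {mark:<17} {purpose}")
    return "\n".join(lines)

if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.internal"  # placeholder DC name
    print(report(dc, check_dc(dc)))
```

Run it from the DMZ host before and after the firewall change; any line marked BLOCKED is a port the DC still cannot be reached on from that host.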
