Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread Arthur Fayzullin
Thanks for such a good explanation! It has pointed my search in the right direction.
I have succeeded in integrating FreeRADIUS with FreeIPA with the help of
William Brown and his blog. Thanks to him :-)
Links to the related articles in his blog:
first part: https://firstyear.id.au/entry/22
second part: https://firstyear.id.au/entry/45

with a little difference taken from this guide:
http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
I additionally defined the
base_dn =
server =
parameters in the /etc/raddb/mods-enabled/ldap file.

Everything works fine. Now it would be nice to define different admin
levels for different users on different network devices.
But anyway, everything works!!! Thanks to all!

One little question left: what does the
ipa radiusproxy-add
command do? What is its purpose? Why does everything work without it?

14.12.2015 15:12, Alexander Bokovoy wrote:

Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 22:01 +1000, William Brown wrote:
> So as a result, they CAN do
> vlan assignment based on tags in the access-accept packet, but it's a
> hack.

Sorry, I should say "They don't use the tags in the access-accept" they
use an out-of-band mechanism to transmit the vlan id rather than the
radius access-accept. 


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 16:22 +0500, Arthur Fayzullin wrote:
> Thanks for such a good explanation! It has pointed my search in the right direction.
> I have succeeded in integrating FreeRADIUS with FreeIPA with the help of
> William Brown and his blog. Thanks to him :-)
> Links to related articles in his blog:
> first part: https://firstyear.id.au/entry/22
> second part: https://firstyear.id.au/entry/45
> 

Sorry, my certs are based on my IPA domain. Try these links if you don't
want to temporarily accept.

http://firstyear.id.au/entry/22
http://firstyear.id.au/entry/45

> 
> Everything works fine. Now it would be nice to define different admin
> levels for different users on different network devices.
> But anyway, everything works!!! Thanks to all!

With the setup that I have here you cannot do this. mschapv2 doesn't
let you insert vlan tags to the NAS, so as a result you can't do this.
The way that cisco access points and other vendors get around this is
that they generally have a wireless controller that does part of the
handshake separately to the NAS itself. So as a result, they CAN do
vlan assignment based on tags in the access-accept packet, but it's a
hack.

If you want to do vlan assignment without access to cisco specific
hardware, you'll need to use something that isn't eap. However, most
devices require custom profiles in these scenarios (Windows, ios, osx
etc). TTLS for example, cannot be configured on windows out of box, and
ios / osx require enterprise deployment profiles iirc.


You could always set up multiple SSIDs, have them each auth to a
different radius service (default, inner-tunnel ... make a new set)

Then you can have

* wifi -> inner-tunnel
* wifi-admin -> inner-tunnel-admin

You can define different authentication rules then, because you can
specify different requirements for group memberships at this point.

Hope this helps,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread Alexander Bokovoy

On Mon, 18 Jan 2016, Arthur Fayzullin wrote:


One little question left: what does the
ipa radiusproxy-add
command do? What is its purpose? Why does everything work without it?

This is for the other direction -- when 2FA tokens are defined in an
external daemon that provides a RADIUS interface to check against them.

You don't need this if you want your RADIUS server to perform 2FA checks
against FreeIPA; you define it only if your FreeIPA server should
perform Kerberos authentication against that external RADIUS server.



14.12.2015 15:12, Alexander Bokovoy wrote:


Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-14 Thread Alexander Bokovoy

On Wed, 09 Dec 2015, Randy Morgan wrote:


We see this question asked periodically. What we always ask before
answering it is: what will it be used for? What authentication
mechanisms is RADIUS supposed to provide to its clients?

FreeRADIUS authenticating against IPA is easy. However, depending on
what authentication mechanisms are required it will be either not
possible to achieve or will definitely degrade security of the setup.

A general approach is to use the following setup for PAP authentication:
 1. Install the 'freeradius-ldap' rpm from yum
 2. chmod 775 /etc/raddb/certs (so radiusd can write cert files)
 3. Change your 'authorize' and 'authenticate' sections of
    /etc/raddb/radiusd.conf to:
      authorize {
        ldap
      }
      authenticate {
        Auth-Type LDAP {
          ldap
        }
      }

During PAP a plaintext password is passed to the RADIUS server
(encrypted with a weak MD5 shared secret).

When the RADIUS server receives the users plaintext password in the
conventional configuration it simply compares the received password with
the stored password. The issue with IPA is there is no stored plaintext
password to compare to, therefore you cannot use conventional PAP with
IPA.

But FreeRADIUS permits you to do other things with PAP besides just
comparing the received password against the stored password for the
user. You can instruct FreeRADIUS to use what they call an
"authentication oracle", or at the risk of loose terminology to "proxy"
the authentication to another authentication server (not to be confused
with radius proxy where the radius transaction is proxied to another
radius server).

There are two authentication oracles FreeRADIUS can use

* LDAP
* Kerberos

In this scenario the plaintext password received by the RADIUS server is
used to authenticate against the oracle. For LDAP it does a simple bind.
For Kerberos it does a kinit. If the authentication succeeds the RADIUS
server ACK's the PAP. The thing to note here is this is still occurring
with PAP but no password comparison is being performed.

There is a third "oracle" FreeRADIUS can utilize, namely Active
Directory, but in this case the protocol is not PAP, the ntlm_auth
helper from Samba is used instead with the RADIUS server communicating
with ntlm_auth which communicates with AD.

The suggestion of using strong passwords is always a good idea. The
password transmission between the client and the radius server only
enjoys weak protection, so a strong password is especially important.
Communication between the RADIUS server and its oracles can be quite
strong and is generally not a concern if things are configured properly.

Now, there is an issue if you would want to authenticate Windows clients
using MS CHAPv2 because that implies that FreeRADIUS would want to fetch
a weak NTLM hash to do negotiation on its own side.

To achieve that, one would need to give up the hashes to the FreeRADIUS
instance. We consider them weak as they can be used to brute force
decryption of the passwords (trivially these days!), so care
should be taken to limit who can access them. We strongly do not
recommend using this, but sometimes you are forced to provide
authentication for WiFi networks to Windows clients that only support

0. Run ipa-adtrust-install to configure IPA to generate NTLM hashes.
   Make sure you'll run the task to generate SIDs, ipa-adtrust-install
   will ask about it.

1. You need to create a system account for FreeRADIUS to access the LDAP
   server. Let's say, it is
   uid=freeradius,cn=sysaccounts,cn=etc,dc=example,dc=com

2. Make the DN above a member of
   cn=adtrust agents,cn=sysaccounts,dc=example,dc=com
   Use this DN in the FreeRADIUS configuration.

3. For each user that needs to get NTLM hashes, a password change is
   required to regenerate all hashes. We currently have no means
   to generate them otherwise.

If you use ldap auth I'd suggest the connection either be SSL or on the
loopback to prevent snooping. Missing from instructions above is the

Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-14 Thread Randy Morgan
Thanks Alexander, that was an excellent explanation with some very 
helpful information.  We will look over our configs and see if we can 
work this out.


Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 12/14/2015 3:12 AM, Alexander Bokovoy wrote:

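
Alexander's steps above hand ipaNTHash values to the FreeRADIUS system account, and he calls those hashes weak. The Python below, added here as an illustration and not code from the thread, from FreeIPA or from Samba, shows why: an NT hash is MD4 over the UTF-16LE encoding of the password with no salt and no work factor, so one MD4 per guess tests a candidate against every account at once, and accounts with equal hashes have equal passwords before anyone cracks anything. MD4 is implemented in pure Python because hashlib's md4 is often unavailable on OpenSSL 3 systems; the user names and passwords in the sample directory dump are constructed.

```python
"""What an ipaNTHash value is, and why read access to it is sensitive.

Added example for this page; not code from the thread, FreeIPA or Samba.
User names and passwords in the sample dump are constructed.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message):
    """MD4 per RFC 1320, in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = state

        def r1(a, b, c, d, k, s): return _rotl((a + F(b, c, d) + X[k]) & _MASK, s)
        def r2(a, b, c, d, k, s): return _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, s)
        def r3(a, b, c, d, k, s): return _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, s)

        for i in range(0, 16, 4):          # round 1: words in order, shifts 3/7/11/19
            A = r1(A, B, C, D, i, 3)
            D = r1(D, A, B, C, i + 1, 7)
            C = r1(C, D, A, B, i + 2, 11)
            B = r1(B, C, D, A, i + 3, 19)
        for i in range(4):                 # round 2: column order, shifts 3/5/9/13
            A = r2(A, B, C, D, i, 3)
            D = r2(D, A, B, C, i + 4, 5)
            C = r2(C, D, A, B, i + 8, 9)
            B = r2(B, C, D, A, i + 12, 13)
        for i in (0, 2, 1, 3):             # round 3: bit-reversed order, shifts 3/9/11/15
            A = r3(A, B, C, D, i, 3)
            D = r3(D, A, B, C, i + 8, 9)
            C = r3(C, D, A, B, i + 4, 11)
            B = r3(B, C, D, A, i + 12, 15)

        state = [(old + new) & _MASK for old, new in zip(state, (A, B, C, D))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """The NT hash (ipaNTHash / sambaNTPassword): MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def crack_nt_hash(target, wordlist):
    """Dictionary attack. One MD4 per guess; because there is no salt the same
    table of guesses serves every account in the directory."""
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed stand-in for what a member of cn=adtrust agents can read:
# ipaNTHash per user. (alice and carol chose the same password.)
SAMPLE_DIRECTORY_DUMP = {
    "alice": nt_hash("password"),
    "bob": nt_hash("Winter2015!"),
    "carol": nt_hash("password"),
}


def group_by_hash(nt_hashes):
    """Accounts sharing an NT hash share a password; this needs no cracking at all."""
    groups = {}
    for user, h in nt_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    print(nt_hash("password").hex())  # 8846f7eaee8fb117ad06bdd830b7586c
    print(crack_nt_hash(SAMPLE_DIRECTORY_DUMP["bob"], ["letmein", "Winter2015!"]))
    print(group_by_hash(SAMPLE_DIRECTORY_DUMP))
```

The same hash is all an MS-CHAPv2 peer needs to compute the NT-Response, so whoever can read ipaNTHash can authenticate as that user to any MS-CHAPv2 service without ever learning the password. That is the reason for limiting read access to members of cn=adtrust agents, binding FreeRADIUS with a dedicated system account, and carrying the LDAP connection over TLS or the loopback, as suggested in the thread.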

Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-13 Thread Martin Kosek
On 12/09/2015 03:52 PM, Randy Morgan wrote:

Hi,

What articles did you test so far? I did not try it myself, but Google gives
some ideas:

http://readlist.com/lists/lists.freeradius.org/freeradius-users/13/69142.html

http://consultancy.edvoncken.net/index.php/HOWTO_Configure_Radius_with_an_IPA_Server

https://plus.google.com/104747154449640814740/posts/SxU8to5J2r6

Martin



Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-12 Thread Arthur Fayzullin
I think these are good points to start from:
https://www.eduroam.us/node/90
http://wiki.freeradius.org/modules/Rlm_krb5

If you succeed, a how-to will be awesome ;-)

09.12.2015 19:52, Randy Morgan wrote:


[Freeipa-users] FreeRadius and FreeIPA

2015-12-09 Thread Randy Morgan

Hello,

We are setting up our wireless to authenticate against FreeRadius and 
FreeIPA.  I am looking for any instructions on how to integrate radius 
with IPA.  We can get them talking via kerberos, but when we have a 
wireless client attempt to authenticate against them, the password gets 
stripped out and only the username gets passed on, resulting in a failed 
logon attempt.


As we have studied the problem we have identified the communication 
protocols used by wireless to pass on the user credentials to radius.  
Wireless uses EAP as its primary protocol.  We are running Xirrus 
wireless APs and from what we can learn, they act only as a pass through 
conduit for the client.  Ideally we would like them to speak PEAP TTLS, 
this would allow kerberos to process from the client to the IPA server, 
we are still researching this.


Are there any instructions on how to integrate FreeRadius 3.0.10 with 
FreeIPA 3.3.5?  Any help would be appreciated.


Randy

--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100
