Re: design question
On Tue, Mar 5, 2013 at 9:17 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 5 Mar 2013, at 18:03, Matt Zagrabelny mzagr...@d.umn.edu wrote:
>> On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>>> You know SQL supports groups right? and that a group matching can be conditional on attributes in the request? and that you can add additional config items to client definitions to mark them as special devices?
>>
>> Hi Arran,
>>
>> Thanks for the reply. I've grepped the wiki and mailing list archives and could not answer the following:
>>
>> What do I change in the nas table (in the database) to mark the network boxes as special devices? I see the schema as:
>>
>>     CREATE TABLE nas (
>>       id SERIAL PRIMARY KEY,
>>       nasname VARCHAR(128) NOT NULL,
>>       shortname VARCHAR(32) NOT NULL,
>>       type VARCHAR(30) NOT NULL DEFAULT 'other',
>>       ports int4,
>>       secret VARCHAR(60) NOT NULL,
>>       server VARCHAR(64),
>>       community VARCHAR(50),
>>       description VARCHAR(200)
>>     );
>>
>> Is it the server field? If so, could you also briefly explain how to apply that to group matching? (I have added users to groups using the usergroup table, but haven't touched the radgroupcheck/reply yet.)
>
> So long as you're using static devices in clients.conf you can use the xlat expansion %{client:config item}.

I am using static devices, but I am using a nas table in a PG database. Does that affect the xlat expansion?

I already had a 'shortname' (but not a group field) in the table schema and tried:

    authorize {
        update request {
            Client-Group := %{client:shortname}
        }
        sql
    }

Here is a snippet of the 'freeradius -X' output:

    ++[files] returns noop
            expand: %{client:shortname} ->
    ++[request] returns noop
    [sql]   expand: %{Stripped-User-Name} ->
    [sql]   ... expanding second conditional

You can see that the expand didn't work as expected.

Data in the table looks like:

    atlas=> SELECT * from radius_nas limit 1;
     id | nasname | shortname | type |   secret    | server
    ----+---------+-----------+------+-------------+--------
     72 | ups     | ups       |      | sUperS3cret |
    (1 row)

And also the configuration in dialup.conf:

    nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

Any ideas?

Thanks,
-mz

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: design question
On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> You know SQL supports groups right? and that a group matching can be conditional on attributes in the request? and that you can add additional config items to client definitions to mark them as special devices?

Hi Arran,

Thanks for the reply. I've grepped the wiki and mailing list archives and could not answer the following:

What do I change in the nas table (in the database) to mark the network boxes as special devices? I see the schema as:

    CREATE TABLE nas (
      id SERIAL PRIMARY KEY,
      nasname VARCHAR(128) NOT NULL,
      shortname VARCHAR(32) NOT NULL,
      type VARCHAR(30) NOT NULL DEFAULT 'other',
      ports int4,
      secret VARCHAR(60) NOT NULL,
      server VARCHAR(64),
      community VARCHAR(50),
      description VARCHAR(200)
    );

Is it the server field? If so, could you also briefly explain how to apply that to group matching? (I have added users to groups using the usergroup table, but haven't touched the radgroupcheck/reply yet.)

Thanks for any help!

-mz
Re: design question
On 5 Mar 2013, at 18:03, Matt Zagrabelny mzagr...@d.umn.edu wrote:
> On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> You know SQL supports groups right? and that a group matching can be conditional on attributes in the request? and that you can add additional config items to client definitions to mark them as special devices?
>
> Hi Arran,
>
> Thanks for the reply. I've grepped the wiki and mailing list archives and could not answer the following:
>
> What do I change in the nas table (in the database) to mark the network boxes as special devices? I see the schema as:
>
>     CREATE TABLE nas (
>       id SERIAL PRIMARY KEY,
>       nasname VARCHAR(128) NOT NULL,
>       shortname VARCHAR(32) NOT NULL,
>       type VARCHAR(30) NOT NULL DEFAULT 'other',
>       ports int4,
>       secret VARCHAR(60) NOT NULL,
>       server VARCHAR(64),
>       community VARCHAR(50),
>       description VARCHAR(200)
>     );
>
> Is it the server field? If so, could you also briefly explain how to apply that to group matching? (I have added users to groups using the usergroup table, but haven't touched the radgroupcheck/reply yet.)

So long as you're using static devices in clients.conf you can use the xlat expansion %{client:config item}.

Add an extra string attribute to raddb/dictionary, something like Client-Group, then populate it before calling the sql module.

    authorize {
        update request {
            Client-Group := %{client:group}
        }
        sql
    }

Then add a 'group' config item in the client {} definition. You can then use Client-Group as a check item.

-Arran

> Thanks for any help!
>
> -mz
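The scheme Arran sketches, written out as an added example for FreeRADIUS 2.x (not configuration from this thread or from the FreeRADIUS project). It goes one step beyond the thread: besides using Client-Group as a group check item, it rejects in unlang when a device tagged 'restricted' is used by someone outside the matching SQL group. Client names, addresses, the attribute number 3000, the group names 'restricted'/'netops' and the SQL-Group comparison are assumptions.

```conf
# raddb/dictionary: one internal string attribute to carry the client's tag.
# The number 3000 is an assumption (any free number in the local range works).
ATTRIBUTE   Client-Group    3000    string

# raddb/clients.conf: static clients, each carrying a custom 'group' item.
# Names, addresses and secrets here are constructed for the example.
client lab-switch-1 {
    ipaddr    = 192.0.2.10
    secret    = "SHARED-SECRET-PLACEHOLDER"
    shortname = lab-switch-1
    group     = restricted      # only the restricted user set may log in via this box
}

client core-switch-1 {
    ipaddr    = 192.0.2.20
    secret    = "SHARED-SECRET-PLACEHOLDER"
    shortname = core-switch-1
    group     = general
}

# raddb/sites-enabled/default, authorize section: copy the client's 'group'
# item into the request before sql runs, so the group check can see it.
authorize {
    preprocess
    update request {
        Client-Group := "%{client:group}"
    }
    sql

    # Enforcement beyond the plain check item: a device tagged 'restricted'
    # admits only members of the SQL group 'netops'. Everyone else is
    # rejected here, whatever radcheck said about their password.
    # (SQL-Group is the group-membership comparison rlm_sql registers.)
    if (Client-Group == "restricted" && !(SQL-Group == "netops")) {
        reject
    }
}

# PostgreSQL side (constructed rows). The check item Client-Group == restricted
# means the 'netops' group, and hence its radgroupreply items, only applies to
# requests that arrived through a client tagged restricted:
#
#   INSERT INTO radusergroup (username, groupname, priority)
#       VALUES ('alice', 'netops', 1);
#   INSERT INTO radgroupcheck (groupname, attribute, op, value)
#       VALUES ('netops', 'Client-Group', '==', 'restricted');
```

Run the server with -X once after adding this and confirm the debug output shows `expand: %{client:group} -> restricted` for a request from lab-switch-1; an empty expansion means the item is not on the client definition that matched.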
design question
Greetings,

I am configuring a general purpose RADIUS server that any number of clients can connect to for authn - it uses a PostgreSQL DB as the backend datastore.

I would also like to set up a secondary RADIUS server listening on a different port (i.e. 1814) and use the same Pg DB as a backend, but use a restricted view as the users table, then configure devices (certain network gear) that wish to only allow users in the restricted view to use that secondary RADIUS server and corresponding port.

I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.

My questions are these:

Has anyone here set up a second instance of FR running on the same system as their primary instance, but with different configs? Do you have any suggestions for layout or keeping configs/logs straight? Or said another way, how much confusion will there be in /etc/freeradius (default Debian config dir) due to the second instance?

Is it worth it, just to have a single system have all of your RADIUS servers, or should I just stand up another virtual server and use that instead?

Thanks for any help or hints!

-matt zagrabelny
Re: design question
On 04.03.2013 21:56, Matt Zagrabelny wrote:
> Greetings,
>
> I am configuring a general purpose RADIUS server that any number of clients can connect to for authn - it uses a PostgreSQL DB as the backend datastore.
>
> I would also like to set up a secondary RADIUS server listening on a different port (i.e. 1814) and use the same Pg DB as a backend, but use a restricted view as the users table, then configure devices (certain network gear) that wish to only allow users in the restricted view to use that secondary RADIUS server and corresponding port.

You can use the same listen ports, but group clients (which means NAS) in two groups, and assign a specific virtual server for each group, with different policy, database lookup and such.

> I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.

Beware that there are some known bugs in 2.1.10 as well as some security flaws. You should go with the latest 2.2.X git branch.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: design question
On 04.03.2013 22:17, Olivier Beytrison wrote:
> On 04.03.2013 21:56, Matt Zagrabelny wrote:
>> Greetings,
>>
>> I am configuring a general purpose RADIUS server that any number of clients can connect to for authn - it uses a PostgreSQL DB as the backend datastore.
>>
>> I would also like to set up a secondary RADIUS server listening on a different port (i.e. 1814) and use the same Pg DB as a backend, but use a restricted view as the users table, then configure devices (certain network gear) that wish to only allow users in the restricted view to use that secondary RADIUS server and corresponding port.
>
> You can use the same listen ports, but group clients (which means NAS) in two groups, and assign a specific virtual server for each group, with different policy, database lookup and such.

Just to add, I think you should define a virtual server with a default virtual_server in the listen {} section, then for your specific NAS that needs special policy/authn, simply specify a different virtual_server in the client {} section.

I also wanted to add that you'll find all the information you need here: http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail client sent the mail instead of pasting the link) :)

Olivier
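Olivier's per-client virtual server split, as an added example for a FreeRADIUS 2.x install (not configuration from the thread or from the FreeRADIUS project). The client name and address, the name of the restricted view, the second sql instance name and the DB credentials are assumptions; the point is that one listen socket serves both policies and only the client {} entry decides which one applies.

```conf
# raddb/radiusd.conf: one auth socket; every client lands in virtual server
# 'default' unless its client {} definition says otherwise.
listen {
    type   = auth
    ipaddr = *
    port   = 0              # 0 = the standard auth port from /etc/services
    virtual_server = default
}

# raddb/clients.conf: the one device that must only see the restricted view
# is steered to a different virtual server. Nothing else changes for it.
client lab-switch-1 {
    ipaddr = 192.0.2.10
    secret = "SHARED-SECRET-PLACEHOLDER"
    virtual_server = restricted
}

# raddb/sql.conf: a second sql instance that reads the restricted view instead
# of radcheck. Everything else (reply and group tables) stays shared.
sql sql_restricted {
    database  = "postgresql"
    driver    = "rlm_sql_${database}"
    server    = "localhost"
    login     = "radius"
    password  = "DB-PASSWORD-PLACEHOLDER"
    radius_db = "radius"
    sql_user_name = "%{User-Name}"

    authcheck_table  = "restricted_radcheck_view"   # assumed name of Matt's view
    authreply_table  = "radreply"
    usergroup_table  = "radusergroup"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"

    $INCLUDE sql/${database}/dialup.conf
}

# raddb/sites-available/restricted (symlinked into sites-enabled): only the
# restricted instance is consulted, so a user outside the view never gets a
# password check item and authentication falls through to reject.
server restricted {
    authorize {
        preprocess
        sql_restricted
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```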
Re: design question
On Mon, Mar 4, 2013 at 3:27 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
> On 04.03.2013 22:17, Olivier Beytrison wrote:
>> On 04.03.2013 21:56, Matt Zagrabelny wrote:
>>> Greetings,
>>>
>>> I am configuring a general purpose RADIUS server that any number of clients can connect to for authn - it uses a PostgreSQL DB as the backend datastore.
>>>
>>> I would also like to set up a secondary RADIUS server listening on a different port (i.e. 1814) and use the same Pg DB as a backend, but use a restricted view as the users table, then configure devices (certain network gear) that wish to only allow users in the restricted view to use that secondary RADIUS server and corresponding port.
>>
>> You can use the same listen ports, but group clients (which means NAS) in two groups, and assign a specific virtual server for each group, with different policy, database lookup and such.
>
> Just to add, I think you should define a virtual server with a default virtual_server in the listen {} section, then for your specific NAS that needs special policy/authn, simply specify a different virtual_server in the client {} section.
>
> I also wanted to add that you'll find all the information you need here: http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail client sent the mail instead of pasting the link) :)

Hi Olivier,

Thanks for the replies. I'll start digesting that wiki page soon*.

I'm not sure if Debian patched the 2.1.10 line to take care of any grievous bugs, but if we start hitting them, we may need to upgrade. FWIW, we were/are running 1.1.0 on Solaris, so we'll be excited to have the new bugs to deal with. :)

Cheers,

-mz
Re: design question
On 4 Mar 2013, at 15:56, Matt Zagrabelny mzagr...@d.umn.edu wrote:
> Greetings,
>
> I am configuring a general purpose RADIUS server that any number of clients can connect to for authn - it uses a PostgreSQL DB as the backend datastore.
>
> I would also like to set up a secondary RADIUS server listening on a different port (i.e. 1814) and use the same Pg DB as a backend, but use a restricted view as the users table, then configure devices (certain network gear) that wish to only allow users in the restricted view to use that secondary RADIUS server and corresponding port.

Um, ok, why?

You know SQL supports groups right? and that a group matching can be conditional on attributes in the request? and that you can add additional config items to client definitions to mark them as special devices?

-Arran
Design question - proxying RADIUS auth request to a backend webservice
Hi,

I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is to allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.

The solution that I've put together is to use rlm_perl, which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.

The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?

Any input is greatly appreciated.

Walter Goulet
Re: Design question - proxying RADIUS auth request to a backend webservice
Walter Goulet wrote:
> I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is to allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.

That works... provided that the backend is fast.

> The solution that I've put together is to use rlm_perl, which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.

That's the real test: it works.

> The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?

In git master there's an rlm_rest module. That *might* be higher performance. But if it works, don't touch it until there are issues.

Alan DeKok.
Re: Design question - proxying RADIUS auth request to a backend webservice
Hi,

> The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?

PERL method should be fine...the alternative is the latest HEAD (3.x) pre-release code which actually has an rlm_rest module (so no writing of a module to be done!)

alan
Re: Design question - proxying RADIUS auth request to a backend webservice
Oh wow; that's even cooler! I'll give that module a shot. Thanks!

On Sun, Feb 17, 2013 at 4:12 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
>
> PERL method should be fine...the alternative is the latest HEAD (3.x) pre-release code which actually has an rlm_rest module (so no writing of a module to be done!)
>
> alan
Re: Design question - proxying RADIUS auth request to a backend webservice
On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet wgou...@gmail.com wrote:
> I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is to allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.
>
> The solution that I've put together is to use rlm_perl, which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.
>
> The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
>
> Any input is greatly appreciated.

Not exactly your case, but. Here is my story.

I had a need to proxy/convert DHCP requests from equipment (and later - end users' routers/computers (I worked @ISP)) to RADIUS. First version was using FreeRADIUS's rlm_perl for handling incoming DHCP requests and it did work pretty cool, while sometimes it had problems with duplicated requests, didn't scale well (probably my fault, but I didn't wish to find this out) and so on, so I analyzed request patterns, read RFC 2131, and reimplemented the DHCP server in pure perl, without using FreeRADIUS's DHCP feature.

As a backend RADIUS client (to connect to a closed source commercial billing system) I used Authen::Radius first (leftover from the quick-n-dirty rlm_perl version), but it didn't work well for me and was not powerful enough, so I used Net::Radius::Packet/Net::Radius::Dictionary and implemented a stripped down radius client myself.

So, as for your question, besides using rlm_rest (which is devel as of now, as I understand) you may try writing a stripped down RADIUS server combined with a REST client for your auth service. But for that you either have to reimplement a full radius server (which is not an option, I think), or implement just a subset, which works only for your specific equipment. It may be an option.

Cheers,
Just my $0.02.

--
Alexandr Kovalenko
http://uafug.org.ua/
Re: Design question - proxying RADIUS auth request to a backend webservice
Thanks for your input; your description of the limitations you ran into is helpful. I think I will stick with using rlm_perl for now; I definitely don't want to tackle writing my own stripped down RADIUS server. If performance or scale become problems I will investigate other options at that time.

On Sun, Feb 17, 2013 at 5:35 PM, Alexandr Kovalenko alexandr.kovale...@gmail.com wrote:
> On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet wgou...@gmail.com wrote:
>> I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is to allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.
>>
>> The solution that I've put together is to use rlm_perl, which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.
>>
>> The question to the list: are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
>>
>> Any input is greatly appreciated.
>
> Not exactly your case, but. Here is my story.
>
> I had a need to proxy/convert DHCP requests from equipment (and later - end users' routers/computers (I worked @ISP)) to RADIUS. First version was using FreeRADIUS's rlm_perl for handling incoming DHCP requests and it did work pretty cool, while sometimes it had problems with duplicated requests, didn't scale well (probably my fault, but I didn't wish to find this out) and so on, so I analyzed request patterns, read RFC 2131, and reimplemented the DHCP server in pure perl, without using FreeRADIUS's DHCP feature.
>
> As a backend RADIUS client (to connect to a closed source commercial billing system) I used Authen::Radius first (leftover from the quick-n-dirty rlm_perl version), but it didn't work well for me and was not powerful enough, so I used Net::Radius::Packet/Net::Radius::Dictionary and implemented a stripped down radius client myself.
>
> So, as for your question, besides using rlm_rest (which is devel as of now, as I understand) you may try writing a stripped down RADIUS server combined with a REST client for your auth service. But for that you either have to reimplement a full radius server (which is not an option, I think), or implement just a subset, which works only for your specific equipment. It may be an option.
>
> Cheers,
> Just my $0.02.
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/
Re: Design question - proxying RADIUS auth request to a backend webservice
On 17 Feb 2013, at 18:38, Walter Goulet wgou...@gmail.com wrote:
> Thanks for your input; your description of the limitations you ran into is helpful. I think I will stick with using rlm_perl for now; I definitely don't want to tackle writing my own stripped down RADIUS server. If performance or scale become problems I will investigate other options at that time.

The only way rlm_rest gets out of development is if people test it and contribute to it. I'm willing to put the effort in to extend it and fix any issues if people are willing to test it and make suggestions.

-Arran
Re: Design question
On 02/03/2012 12:27 AM, Dan Letkeman wrote:
> This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?

Use the Microsoft CA, and use machine auto-enrollment. It's the only sensible way, if you want to use certs.

Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.
Re: Design question
Hi,

> Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.

this is what we do for machine authentication (wired/wireless)

alan
Re: Design question
Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eDirectory, and the computers are not assigned to the users, they are all shared computer labs. This is why having separate certs for each machine is impossible, as we would have to go around and install each cert manually on each machine.

I think I am stuck with, at best, using the same cert for each computer lab. I think that would make more sense.

Dan.

On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.
>
> this is what we do for machine authentication (wired/wireless)
>
> alan
Re: Design question
On 02/03/2012 02:08 PM, Dan Letkeman wrote:
> Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eDirectory, and the computers are not assigned to the users, they are all shared computer labs. This is why

Ah. This has come up on the list before. I seem to recall you are correct, and that it's hard to make this work.

> having separate certs for each machine is impossible, as we would have to go around and install each cert manually on each machine.
>
> I think I am stuck with, at best, using the same cert for each computer lab. I think that would make more sense.

Well, it's not very secure, but if that's your only option...
Re: Design question
When the private key corresponding to a digital certificate is stored on a computer's hard disk, it is not stored securely. The only way to store a private key securely is using a smart card. The private key is stored on the smart card in a way that it cannot be read. The computer sends data to the smart card, and the smart card performs the cryptography with the stored private key and sends the result to the computer. So the private key is never transported outside the smart card.

You can connect a smart card to each computer. There are USB smart card readers. To avoid smart card theft you can connect the reader to the motherboard's internal USB header and mount the smart card reader inside the computer case. You also need to protect each computer case with an electromechanical (solenoid) lock.

There are motherboards with an integrated cryptographic processor (the so-called trusted platform module). I think a TPM should provide features similar to a smart card. But I don't have one and I'm not sure.

--
Iliya Peregoudov

Dan Letkeman wrote:
> Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eDirectory, and the computers are not assigned to the users, they are all shared computer labs. This is why having separate certs for each machine is impossible, as we would have to go around and install each cert manually on each machine.
>
> I think I am stuck with, at best, using the same cert for each computer lab. I think that would make more sense.
>
> Dan.
>
> On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.
>>
>> this is what we do for machine authentication (wired/wireless)
>>
>> alan
Re: Design question
Thank you for the quick reply. Would you recommend doing anything differently? Perhaps a different EAP type?

If I wanted redundancy should I just set up a secondary radius server with the same settings and add it to the list of servers that are available?

Thanks,
Dan.

On Thu, Feb 2, 2012 at 1:16 AM, Alan DeKok al...@deployingradius.com wrote:
> Dan Letkeman wrote:
>> From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
>
> Yes.
>
>> Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network.
>
> No... you need to configure the switches to use 802.1X authentication. They will then automatically allow traffic for authenticated devices.
>
>> My questions are as follows:
>>
>> Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
>
> That will work.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
>
> That will work.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> You can use a self-signed certificate. See the Wiki for an EAP-TLS howto.
>
>> Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
>
> There is nothing to prevent the user from exporting the certificate.
>
>> Is there anything else I am missing?
>
> No.
>
> Alan DeKok.
Re: Design question
Hi,

On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
> We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates.

In Windows, using the built-in supplicant, you have the following choices:

  PEAP/MS-CHAPv2 - user
  EAP-TLS - certificate (user or computer)
  PEAP/EAP-TLS - certificate, again user or computer.

Windows barfs if you ask PEAP to supply a client certificate, so you can't do certificate auth AND user/password at the same time.

If you install a third-party supplicant then it will likely have many different EAP methods; read up on what you're getting first.

> In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.

There are few reasons why you'd want to go to the extra config of PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer auth (certificate in the computer 'personal' store, not in the user 'personal' store), the network will come up soon after the machine boots, before the GINA login (for wireless, assuming it's set to automatically connect). This sounds like what you want.

> From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.

That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.

> Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?

See above. Built-in supplicant with EAP-TLS is probably your easiest route.

> I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?

That's one way to do it - you need WPA2 enterprise (the enterprise bit being the important word). Computer auth only set means it won't go looking for certs in users' personal certificate store, which is probably what you want.

> Do I need a signed third party certificate or can I use a self signed one?

Best practice is to create your own CA and sign using that. You really must use your own CA for client cert validation with EAP-TLS unless you want to allow anyone on.

> Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network?

[certificate and key] Yes.

> Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?

You can generally set keys as 'non-exportable'. Of course, that's just a flag, and doesn't actually mean that there isn't a way to get the key out. Google will give you an answer for extracting Windows keys after a quick search (I haven't tried it).

Just remember, the cert is on the device that the user is holding. If you detect that a certificate has been compromised (heuristics such as checking the certificate always comes from the same MAC address might help) then you revoke the cert (CRL / OCSP) and haul the user in...

> Is there anything else I am missing?

Coffee. Drink lots of coffee.

On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
> If I wanted redundancy should I just set up a secondary radius server with the same settings and add it to the list of servers that are available?

Yes. Your NAS should rotate round the available RADIUS servers if one stops responding.

Cheers,

Matthew

[0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why, and a mini how-to at http://q.asd.me.uk/pet

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
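The server-side settings that make Matthew's recommendations (your own CA, one certificate per machine, revocation when a key leaks) enforceable, as an added eap.conf fragment for FreeRADIUS 2.x. This is not configuration from the thread or the project's stock file; the option names are the real 2.x ones, while the file names under certs/ and the CRL layout are assumptions.

```conf
# raddb/eap.conf (FreeRADIUS 2.x), tls section for EAP-TLS machine auth.
eap {
    default_eap_type = tls

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        private_key_password = "KEY-PASSWORD-PLACEHOLDER"
        private_key_file = ${certdir}/server.key     # assumed file names
        certificate_file = ${certdir}/server.pem

        # Only client certificates issued by THIS CA are accepted. Pointing
        # CA_file at a public CA bundle would admit anyone holding a cert
        # from any of those CAs, which is the "allow anyone on" failure
        # Matthew describes.
        CA_file = ${cadir}/ca.pem

        # Revocation: with check_crl the server looks for CRLs (hashed with
        # c_rehash, next to the CA cert) in CA_path. A per-machine cert that
        # is copied off a lab PC can then be cut off by revoking that one
        # cert, instead of re-issuing a certificate shared by a whole lab.
        check_crl = yes
        CA_path   = ${cadir}

        dh_file     = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
    }
}
```

Keep the CRL fresh: check_crl only helps if the CRL file in CA_path is re-fetched and re-hashed when certificates are revoked, otherwise a revoked machine certificate keeps authenticating until the stale CRL expires.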
Re: Design question
On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton m...@leicester.ac.uk wrote:
> Hi,
>
> On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
>> We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates.
>
> In Windows, using the built-in supplicant, you have the following choices:
>
> PEAP/MS-CHAPv2 - user
> EAP-TLS - certificate (user or computer)
> PEAP/EAP-TLS - certificate, again user or computer.
>
> Windows barfs if you ask PEAP to supply a client certificate, so you can't do certificate auth AND user/password at the same time.
>
> If you install a third-party supplicant then it will likely have many different EAP methods, read up on what you're getting first.
>
>> In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.
>
> There are few reasons why you'd want to go to the extra config of PEAP/EAP-TLS [0], so your basic option is EAP-TLS.
>
> With computer auth (certificate in the computer 'personal' store, not in the user 'personal' store), the network will come up soon after the machine boots, before the GINA login (for wireless, assuming it's set to automatically connect). This sounds like what you want.
>
>> From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
>
> That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.

This would be a nightmare to manage. We have 2000+ clients.
I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?

>> Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
>
> See above. Built-in supplicant with EAP-TLS is probably your easiest route.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
>
> That's one way to do it - you need WPA2 enterprise (the enterprise bit being the important word). Computer auth only set means it won't go looking for certs in users' personal certificate store, which is probably what you want.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> Best practice is to create your own CA and sign using that. You really must use your own CA for client cert validation with EAP-TLS unless you want to allow anyone on.
>
>> Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network?
>
> [certificate and key] Yes.
>
>> Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
>
> You can generally set keys as 'non-exportable'. Of course, that's just a flag, and doesn't actually mean that there isn't a way to get the key out. Google will give you an answer for extracting Windows keys after a quick search (I haven't tried it).
>
> Just remember, the cert is on the device that the user is holding. If you detect that a certificate has been compromised (heuristics such as checking certificate always comes from same MAC address might help) then you revoke the cert (CRL / OCSP) and haul the user in...
>
>> Is there anything else I am missing?
>
> Coffee. Drink lots of coffee.
>
> On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
>> If I wanted redundancy should I just setup a secondary radius server with the same settings and add it to the list of servers that are available?
>
> Yes. Your NAS should rotate round the available RADIUS servers if one stops responding.
>
> Cheers,
>
> Matthew
>
> [0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why, and a mini how-to at http://q.asd.me.uk/pet

Very nice. This will be helpful.

> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Design question
On Thu, Feb 02, 2012 at 06:27:31PM -0600, Dan Letkeman wrote:
> On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton m...@leicester.ac.uk wrote:
>> That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
>
> This would be a nightmare to manage. We have 2000+ clients.
> I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?

This is probably the main argument people have against EAP-TLS - managing certificates.

Yes, you _could_ put the same private key and certificate on one device, but then when that key gets copied/compromised, when one laptop gets stolen and you want it off your network, what do you do? You've now got to update ALL your clients with a new key/cert, rather than just revoke the key of the one that got compromised. ...and you probably have no clue where the key was copied from, so which user to blame.

Looking at it the other way, would you let all your users log in with the same username and password?

In short, don't.

If you've got a Windows domain you should be able to use Microsoft Certificate Services to do it for you. At least, I think that's what the guys here do. All clients automatically get a certificate (I assume as part of the domain join procedure and associated policy, but I'm not knowledgeable enough in that area to be sure). I don't know if you can use that when not in a domain.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
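As an added example that is not part of the thread, the following sketches the kind of post-auth check Matthew's two replies point at: per-device certificates so that a single serial can be revoked when one laptop goes missing, and the "same certificate, different MAC" heuristic for noticing a copied key. The CertPolicy class, serials, MAC addresses and host names are all constructed for illustration; nothing here is FreeRADIUS code.

```python
# Added example, not code from the thread: a post-auth check of the kind
# Matthew describes, run over constructed EAP-TLS events (cert serial + client MAC).
from dataclasses import dataclass, field

@dataclass
class AuthEvent:
    cert_serial: str      # serial of the client certificate the supplicant presented
    cert_cn: str          # its CN; Windows machine certs look like host/<name>
    calling_station: str  # Calling-Station-Id, the client MAC as the NAS formats it

def normalize_mac(s: str) -> str:
    """NASes write MACs as 00-11-.., 0011.22.. or 00:11:..; compare one canonical form."""
    hexchars = "".join(c for c in s.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {s!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))

@dataclass
class CertPolicy:
    revoked: set = field(default_factory=set)           # serials on our CRL
    first_seen_mac: dict = field(default_factory=dict)  # serial -> MAC it was first seen from
    alerts: list = field(default_factory=list)          # (serial, known MAC, new MAC)

    def evaluate(self, ev: AuthEvent) -> str:
        """'reject' for a revoked cert; 'accept-alert' when a known cert shows up
        from a new MAC (possible copied key, worth a look); otherwise 'accept'."""
        if ev.cert_serial in self.revoked:
            return "reject"
        mac = normalize_mac(ev.calling_station)
        known = self.first_seen_mac.setdefault(ev.cert_serial, mac)
        if known != mac:
            self.alerts.append((ev.cert_serial, known, mac))
            return "accept-alert"
        return "accept"

def devices_cut_off(inventory: dict, serial: str) -> list:
    """Hosts that lose access when `serial` is revoked (inventory: host -> cert serial).
    With one shared certificate that is every host; with per-device certs it is one."""
    return sorted(host for host, s in inventory.items() if s == serial)

# Constructed sample: one lab PC seen twice (two NAS MAC formats), then its cert
# appears from a different MAC; a second cert is already on the CRL.
SAMPLE_EVENTS = [
    AuthEvent("1A2B", "host/lab-pc-01", "00:11:22:33:44:55"),
    AuthEvent("1A2B", "host/lab-pc-01", "00-11-22-33-44-55"),
    AuthEvent("1A2B", "host/lab-pc-01", "66:77:88:99:aa:bb"),
    AuthEvent("3C4D", "host/lab-pc-02", "aa:bb:cc:dd:ee:ff"),
]

def run_sample():
    policy = CertPolicy(revoked={"3C4D"})
    decisions = [policy.evaluate(e) for e in SAMPLE_EVENTS]
    return decisions, policy.alerts
```

The alert is a trigger for a human to look at the device, not proof of compromise: a replaced NIC or a docking station will also move a certificate to a new MAC.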
Re: Design question
On 03/02/2012 01:27, Dan Letkeman wrote:
>> That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
>
> This would be a nightmare to manage. We have 2000+ clients.
> I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?

The other method is worse, as Matthew said :)

Just email every user the cert to install together with the instructions to do so.

Or you could evaluate joining machines to AD, then perform just machine authentication or choose to do both machine auth and user auth so you could place machines with no domain user logged in on a VLAN and machines with specific domain users on another. This way local users can only have minimal network access, while authenticated users can access reserved portions of your network. And you can remotely manage machines as soon as they're connected.

BYtE,
Diego.
Design question
Hello,

I'm new to using radius servers and I have a few questions on best practices and design.

We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates. In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.

From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers. Then I need to configure my switches to use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network. As far as the switches go I don't have any questions, it's fairly straightforward.

My questions are as follows:

Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?

I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?

Do I need a signed third party certificate or can I use a self signed one?

Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?

Is there anything else I am missing?

Thanks,
Dan.
Re: Design question
Dan Letkeman wrote:
> From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.

Yes.

> Then I need to configure my switches to use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network.

No... you need to configure the switches to use 802.1X authentication. They will then automatically allow traffic for authenticated devices.

> My questions are as follows:
>
> Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?

That will work.

> I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?

That will work.

> Do I need a signed third party certificate or can I use a self signed one?

You can use a self-signed certificate. See the Wiki for an EAP-TLS howto.

> Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?

There is nothing to prevent the user from exporting the certificate.

> Is there anything else I am missing?

No.

Alan DeKok.
RE: Re: Design question considering 802.1x + edirectory + Active Directory
Alan DeKok wrote:
>> - Is there any downloadable Freeradius + LDAP virtual machine for testing ??
>
> No. Download a virtual machine, and install FreeRADIUS on it.

Actually; there is: http://www.vmware.com/appliances/directory/69328

Having said that; I haven't tested it myself, I don't know which version of FreeRadius is installed, I can't see much in the way of documentation, etc. So, if you test this be aware that there are limitations and all things considered it may be better to start with a clean virtual machine and install the latest version of FreeRadius on it as suggested.

Regards,
J.
Re: Design question considering 802.1x + edirectory + Active Directory
Ramm-Ericson, Johannes wrote:
> Having said that; I haven't tested it myself, I don't know which version of FreeRadius is installed, I can't see much in the way of documentation, etc. So, if you test this be aware that there are limitations and all things considered it may be better to start with a clean virtual machine and install the latest version of FreeRadius on it as suggested.

Hmm... the rating and various comments don't look promising.

I hope to have something more official to announce this year.

Alan DeKok.
Re: Design question considering 802.1x + edirectory + Active Directory
Ric2009 wrote:
> Requirements :
> - 802.1x Authentication for wired and wireless clients ( Windows XP with Novell Client )

FreeRADIUS does that...

> - Single sign on login to Novell eDirectory and Active Directory

That isn't a RADIUS thing.

> - Radius Authentication should run over FreeRadius or IAS but not both, if it's possible.

Yes.

> - High Availability is required for Radius service

Sure... configure it.

> - Virtualization of the Radius servers is recommended

Sure.

> - I have been looking at multi-platform 802.1x clients like Juniper Networks Odyssey Access Client ( OAC ) for multiplatform 802.1x login. But I don't know if it's possible to do the same without it.

No client will give you everything you want.

> - Is there any downloadable Freeradius + LDAP virtual machine for testing ??

No. Download a virtual machine, and install FreeRADIUS on it.

Alan DeKok.
Design question considering 802.1x + edirectory + Active Directory
Hello,

I would like to know if anyone could help me with the design of this implementation :

Requirements :
- 802.1x Authentication for wired and wireless clients ( Windows XP with Novell Client )
- Single sign on login to Novell eDirectory and Active Directory
- Radius Authentication should run over FreeRadius or IAS but not both, if it's possible.
- High Availability is required for Radius service
- Virtualization of the Radius servers is recommended

Questions :
- I have been looking at multi-platform 802.1x clients like Juniper Networks Odyssey Access Client ( OAC ) for multiplatform 802.1x login. But I don't know if it's possible to do the same without it.
- Is there any downloadable Freeradius + LDAP virtual machine for testing ??

Thanks a lot !

Ric2009
Design question
Hi

We have a very simple freeradius setup today. We use freeradius 1.0.5 with PEAP/MS-CHAPv2 and users file. My boss has asked me about making this configuration a bit more flexible and easier to admin. He also wants some new features. The keywords are hotspot, web-frontend and possibly billing and smartcards.

Basically what he wants is for external consultants to be able to bring their laptops and just connect to a hotspot webserver and from there on authorize on to the WiFi. He also wants the possibility of billing.

I want to know what kind of design you guys would recommend here. I'm thinking freeradius (1.1.3 now) with a mysql db and some web-frontend for adding users (what?). Then Chillispot on a new server for hotspot access. How does that sound? Will Chillispot be able to authorize users based on PEAP/MS-CHAPv2 ? How would you be able to do billing with this setup?

And lastly is the situation with smartcards. My boss was thinking about some cards or something that the consultant can pick up in the reception that will give them access to the WiFi for a certain amount of time. At the end of the day they have to deliver it again. There is also a possibility of doing billing from that. Will this kind of configuration require some commercial software or is freeradius able to do that? The last thing is not THAT important, but I want to know if anyone has a setup like this.

I hope someone got some recommendations.

Regards,
Torkel
Re: Design question
Perhaps a simpler method of doing 'smartcards' like you're referring to is to make single-use username/passwords printed on small cards (which can be done within chillispot I believe), which the consultants just pick up from reception, enter in the details, and get a prepaid hour or whatever. This would also save the expense if a consultant happens to wander off with a smartcard...

All of this can certainly be done with freeradius, but you might need to look around for a billing solution that'll work in collaboration with chillispot, and making single-use vouchers etc... if at all possible, I'd encourage the use of physical login cards, that can be exchanged for cash... it all gets a bit messy (and expensive) when you throw billing in there too. Especially post-pay.

Sorry I can't offer any exact advice on how to do this - I got to the point of putting together a rough proposal, but no further.

Hope this helps,

Regards,
Jan Mulders

On 03/10/06, Torkel Mathisen [EMAIL PROTECTED] wrote: