Nethserver-freeradius integration module

robb · June 29, 2017, 6:45pm

That would be so AWESOME! What about it Alain? Would there be any chance of seeing you in Italy last weekend of september? I would love to hear a presentation about your module developer experience so far. You already have a very nice track record with the NethServer-Moodle module and now the NethServer-FreeRadius module.

areguera · July 1, 2017, 1:43am

Wow! … That would be a great experience to me. But landing the idea to my reality, it is something I can’t afford right now. I hope to be on better conditions for the next one. I appreciate very much your interest guys. It makes my faith stronger.

areguera · July 4, 2017, 3:16am

Work is in progress for IEEE 802.1X integration. The integration follows documentation published here.

The following sketch is been used as guide for the web interface layout:

NethServer can operate either as directory or dc, so a simple mechanism must be found to access the users as transparent as possible. I like the idea of using PAM although it is not recommended in FreeRADIUS configuration file (see /etc/raddb/mods-available/pam). What do you think? How FreeRADIUS should authenticate users internally in NethServer?

alefattorini · July 4, 2017, 9:54am

I will figure out what I or the community can do about this. Stay tuned Don’t lose your faith

chandrao · July 4, 2017, 12:35pm

Hello Team, i have installed nethserver-freeradius module using following commands
yum install freeradius freeradius-utils

here i am stucked!! could you please help further for complete configuration of nethserver-freeradius

areguera · July 4, 2017, 9:12pm

@chandrao thanks very much for taking the time.

Your command installs freeradius and freeradius-utils packages. However, it doesn’t install nethserver-freeradius package, the one holding freeradius integration module. The correct command is described in the following thread:

Testing results should also be posted there.

thorsten · October 31, 2017, 10:14am

Hi,

can anybody help, please: Installation seems not to be possible within 7.4 - or at least the installation command does not work for 7.4. (previous version was perfect

Thank you and best regards
Thorsten

alefattorini · November 6, 2017, 2:31pm

Sorry for the late response
Has anyone tried to install it on NethServer 7.4? @areguera @chandrao @robb

chandrao · November 6, 2017, 2:53pm

Hello Alefatorini,

Yes. i have installed Nethserver 7.4 sucessfully

thanks for your prompt response.

alefattorini · November 6, 2017, 3:03pm

Can you paste here some errors? @chandrao confirms that it works correctly

chandrao · November 6, 2017, 4:35pm

Please accept sincere apology…

I have installed only Nethserver 7.4 without free-radius.

I have stucked in NS 7.3 with free-radius.

Regards,

robb · November 6, 2017, 6:47pm

I will give freeradius a go soon. Already have 7.4 installed. Will fire up some extra VM’ s to play with…

thorsten · November 9, 2017, 10:25am

Hi,

the error message ist:

[root@ebb-s01 ~]# yum --enablerepo=nethforge-testing install nethserver-freeradius
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events
base | 3.6 kB 00:00:00
base-debuginfo | 2.5 kB 00:00:00
centos-sclo-rh | 2.9 kB 00:00:00
centos-sclo-rh-debuginfo | 2.9 kB 00:00:00
centos-sclo-sclo | 2.9 kB 00:00:00
centos-sclo-sclo-debuginfo | 2.9 kB 00:00:00
epel/x86_64/metalink | 25 kB 00:00:00
epel | 4.7 kB 00:00:00
epel-debuginfo/x86_64/metalink | 25 kB 00:00:00
epel-debuginfo | 3.0 kB 00:00:00
extras | 3.4 kB 00:00:00
nethforge | 4.0 kB 00:00:00
nethforge-testing | 2.9 kB 00:00:00
nethserver-base | 2.9 kB 00:00:00
nethserver-updates | 4.1 kB 00:00:00
stephdl | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/8): extras/7/x86_64/primary_db | 129 kB 00:00:00
(2/8): nethforge/7/x86_64/primary_db | 19 kB 00:00:00
(3/8): epel/x86_64/updateinfo | 845 kB 00:00:02
(4/8): nethserver-updates/7/x86_64/primary_db | 26 kB 00:00:00
(5/8): epel-debuginfo/x86_64/primary_db | 821 kB 00:00:02
(6/8): updates/7/x86_64/primary_db | 3.6 MB 00:00:00
(7/8): stephdl/7/primary_db | 104 kB 00:00:01
(8/8): epel/x86_64/primary_db | 6.1 MB 00:00:03
Determining fastest mirrors

base: mirror.spreitzer.ch

epel: mirror.daniel-jost.net

epel-debuginfo: mirror.daniel-jost.net

extras: mirror.spreitzer.ch

nethforge: markusneuberger.at

nethserver-base: markusneuberger.at

nethserver-updates: markusneuberger.at

updates: mirror.spreitzer.ch
No package nethserver-freeradius available.
Error: Nothing to do

I hope this helps.
Thorsten

mrmarkuz · November 9, 2017, 10:52pm

Hi @thorsten,

same here. It’s still installable for NS6 but not available on NS7. Where is nethserver-freeradius for NS7? Tried to find it but no luck. Nethforge-testing for NS7 has no packages at the moment.

robb · February 2, 2018, 2:50pm

Bumping this great topic. It would be superb to have user auth working with this module.
@areguera, did you have any time available to update the module so user auth can be done?
Taking that a step further, I would love to see an option to create timestamps so users and/or groups can be granted access to the network. (IE: start and end time for network access)

gerald_FS · May 9, 2018, 7:10am

The merry month of May is here, so ihc pushes the topic again!

Is there a new situation that you can use FreeRadius with user identification?

Would namely like to change my accessppints that every registered user is a member of a particular group - wireless access, and the “stupid” static WPA password is a topic of the past.

Would be very happy if it would work

greetings
Gerald

robb · May 18, 2018, 7:21am

Maybe we can ping @areguera again. He started work on this feature. Can you give us an update please?

thorsten · September 17, 2018, 6:08am

Hi,

1.: I like this module however It would be great to authentificate / authorisate against AD groups (one group per client, please)
2.: I am still stuck on how to use WPA2 enterprise with MAC. Any manuals, screenshots etc on the server as well as on the client side (Win 7, IOS preferred) are welcome
3.: Using the nethserver module to set paramters on my PC (Windows 7 / Firefox): I get an exit status (“error”) on saving any change of parameters - however it seems to work.
4.: I do not get any error on mobile devices (Iphone / Safari) for the same changes
5.: I substituted the server.pem certificate by the letsencrypt certificate (see here for basic idea: SSL certificates for Samba AD (NSDC host))
Steps:
I copied the certificate and the keyfile to /etc/raddb/certs/, see above
I changed the eap file in …/mods-available simply on lines in the “tls-config tls-common {” section:

private_key_file = ${certdir}/newkey.pem
certificate_file = ${certdir}/newcertificate.pem

Result: Clients show the correct letsencrypt certificate including the correct server name mynethservernamer.myname.tld, however it is considered as invalid. I think this is related to missing CA within the clients (Windows 7 / IOS). I hope this idea helps in further development.

Best regards
Thorsten

kellerman · August 8, 2019, 10:16pm

WPA2-Enterprise in combination with RADIUS authentication is what we use in our company all the time. So I just had to get freeradius to authenticate against NSDC AD users. What I did:

Well I installed freeradius, freeradius-ldap and freeradius-utils for testing, did some initial configuration and configured the ldap module, and PAP simple authentication works just fine there.
To use MSCHAPv2, unfortunately you have to enable ntlm auth in NSDC samba configuration (there stands a security risk). Then it is necessary to configure the radius mschap module to execute the ntlm_auth command from the NSDC container and get the NT_KEY in return.

I just finished testing and fiddling with it and it seems to work fine so far. I took a look at Zentyal and it has the same implementation for their RADIUS module.

I will post the configuration files and some steps when I’m finished testing everyting.

robb · August 9, 2019, 9:20am

Thank you @kellerman for your effort. I am realy curious to the technical implementation and looking forward to the howto!