Nethserver-freeradius package available for testing

Hi,

We have nethserver-freeradius package available in nethforge-testing repository for both NethServer 7 and 6. It would be great if you could test it and report issues about it. Please note that to test this package you must have the appropriate infrastructure in-place. The module’s help describes such infrastructure. In case this documentation isn’t clear, please report an issue about it as well.

To install this package you can run the following command:

yum --enablerepo=nethforge-testing install nethserver-freeradius

Thanks.

3 Likes

Come on @quality_team, let’s try to find some bugs! :smiley:

@tacioandrade @fausp @robb @jelle it is your time :smiley:

@quality_team, @robb, and anyone interested: a new version (0.0.4-1) of the package nethserver-freeradius was uploaded to nethforge-testing repository. It is very basic. Some of the changes include the following:

  • Add new tab dedicated to authentication server
  • Add new tab dedicated to supplicants
  • Update radiusd configuration based on supplicants database
  • Update authorized_macs based on supplicants database instead of hosts database
  • Update online documentation
  • Update configuration file permissions
  • Update header using lower-case words
  • Update server authentication to use both MAC address and IEEE802.1X
  • Use Authenticators tab name instead of just NAS

The web user interface looks like the following illustration:

Could you give it a try? :grin:

4 Likes

@areguera you deserve a medal… great work. I will update the package later today op e

Here is the configuration for NanoStation (airOS) devices.

MAC address only

When the authentication server is configured to accept network access based on MAC address only, the security configuration in the authenticator (access point) is the following:

and the security configuration in the supplicant is the following:

IEEE802.1X

When the authentication server is configured to accept network access based on username and password only, the security configuration in the authenticator (access point) is the following:

and the security configuration in the supplicant is the following:

Remember to update the fields with the correct information that fit your network infrastructure (e.g., setting the correct username and passwords, authentication server IP address, etc.).

MAC address and IEEE802.1X combined

The security configuration in the airOS authenticator (access point) can be either MAC based or IEEE802.1X but not both at the same time. So, when the authentication server is configured to accept network access based on both MAC address and IEEE802.1X, the infrastructure can hold authenticators with different wireless security. For example, one authenticator configured to accept network access based on supplicant’s MAC addresses and another authenticator configured to accept network access based on supplicant’s username and password.

When the authentication server is configured to accept network access based on both MAC address and IEEE802.1X and both authenticator and supplicant are configured to authenticate using IEEE802.1X, the supplicant also sends the MAC address of the supplicant device to the authentication server, so the authentication server tells the authenticator to accept network access based on the MAC address, username and password triplet.

3 Likes
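The three server modes described in the post above can be modelled as follows. This is an added example, not code from nethserver-freeradius or from the post: the supplicant records, the mode names and the `decide` function are constructed for illustration, and the plain password comparison stands in for the EAP exchange that a real IEEE802.1X login performs.

```python
import hmac
import re

# Constructed supplicants database (assumption): MAC -> (username, password).
SUPPLICANTS = {
    "00:15:6d:aa:bb:01": ("alice", "s3cret-alice"),
    "00:15:6d:aa:bb:02": ("bob", "s3cret-bob"),
}

def normalize_mac(value):
    """Canonicalise a Calling-Station-Id to aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def decide(mode, calling_station_id, username=None, password=None):
    """Return 'accept' or 'reject' for server mode 'mac', '8021x' or 'both'."""
    if mode not in ("mac", "8021x", "both"):
        raise ValueError("unknown mode: %r" % mode)
    record = SUPPLICANTS.get(normalize_mac(calling_station_id))
    has_credentials = username is not None and password is not None

    if mode == "mac" or (mode == "both" and not has_credentials):
        # Request from a MAC-based authenticator: only the device address counts.
        return "accept" if record else "reject"
    if not has_credentials:
        return "reject"
    # '8021x': any known username/password pair, the MAC is ignored.
    # 'both' with credentials: the pair must belong to the calling MAC (triplet).
    candidates = SUPPLICANTS.values() if mode == "8021x" else ([record] if record else [])
    for user, secret in candidates:
        if (hmac.compare_digest(user.encode(), username.encode())
                and hmac.compare_digest(secret.encode(), password.encode())):
            return "accept"
    return "reject"
```

Normalising the address first matters because authenticators report the same MAC in different notations (AA-BB-…, aa:bb:…, aabb.ccdd.…), and a literal string match would reject a listed device.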

Great work I am trying it now.

1 Like

Great! Let us know the results please … :beetle: :bug: :ant:

Here is the RADIUS infrastructure layout:

This might be helpful when testing FreeRADIUS integration module.

3 Likes

Hi

Thanks for the Nethserver-freeradius package.
I am testing this on NethServer release 6.9 (Final) Kernel release 2.6.32-696.6.3.el6.x86_64.

I have added the nethforge-testing repository and have the first version (0.0.5-1). This version has just a single tab “NAS”. When trying to get the latest version with multiple tabs, I am unable to install it, any advice?

I will do further testing on this module when the last items for my new server have arrived. Hopefully later this week.
Thanks again for your work @areguera

@areguera, did you try to use system user from ldap or samba ad? I spent some time trying to authenticate through pam, but I never succeeded.

Ehi man, I’m late for the party :slight_smile: great updates anyway! Hope people will give you a good feedback on your work.

Yes. This is because such version of the package is a few commits old. I must fix this soon, once I finish migrating my development environment to the new location.

I tried only PAM, no LDAP, nor SAMBA AD.

When the NAS is configured to use EAP-TTLS + MSCHAP2, the user back-end needs to be in clear-text, so no PAM (and probably no other back-end storing encrypted credentials). However, based on this thread, when the NAS is configured to use EAP-TTLS + PAP it seems possible to use PAM in the server. I haven’t tried this last one because the NAS I am using doesn’t support such a PAP method.

Thanks, I will wait for your update.

@a4rgl, the updates of nethserver-freeradius module for ns6 will be rolling this weekend at ns6-next branch … and the related package will be published (I expect) on Monday, so you can install it using yum.

A new version of nethserver-freeradius module for ns7 will be also released with some corrections.

1 Like

@a4rgl, the updates of nethserver-freeradius for ns6 should be already available in nethforge-testing repository. It is an adaption of changes in nethserver-freeradius for ns7.

The packages uploaded were:

  • nethserver-freeradius-0.0.7-1.ns6.noarch.rpm
  • nethserver-freeradius-0.0.6-1.ns7.noarch.rpm

1 Like

Hello,

Thank you for creating the freeradius package for the Nethserver.

Is there the prospect that the identification is made by means of the user database from Samba AD, or does one have to say goodbye?

Currently the release is based on the basic MAC address.

greetings
Gerald