Nethserver-freeradius integration module

areguera · June 17, 2017, 9:40pm

Hi,

This package provides integration for FreeRADIUS in NethServer. It turns your server into a centralized network authentication server, so you can easily control what devices can access the network. The authentication server is prepared to control network access using MAC address, IEEE802.1X or both.

The authentication server provided by this package is only one component of the three elements a RADIUS infrastructure is made of. The other two elements (the authenticator and the supplicant) are not configured by this package. That is something you must do first, before you can enjoy a successful RADIUS infrastructure.

Web Integration

Development

Installation

To install nethserver-freeradius package, run the following command (as the root user):

yum --enablerepo=nethforge-testing install nethserver-freeradius

After installation look for “FreeRADIUS” panel in the “Configuration” section of NethServer web interface. It should provide three tabs named “Authentication Server”, “Authenticators”, and “Supplicants”.

Configuration

In normal operation, the system administrator does the following:

Use the authentication server tab in FreeRADIUS panel to configure how authenticators will allow supplicants to access the network. Possible options include MAC address, IEEE802.1X or a combination of them both. See /etc/raddb/sites-available/default file.
Use the authenticator tab in FreeRADIUS panel to define what authenticator devices (e.g., access points, smart switches) can send access requests to the authentication server. See /etc/raddb/clients.conf file.
Use the supplicants tab in FreeRADIUS panel to define the MAC address and credentials (i.e., username and password) final users must set in their devices (e.g., wireless stations) to access the network. See /etc/raddb/authorized_macs and /etc/raddb/users files.

In addition to these basic steps, the system administrator might also do the following:

Configure authenticator devices (e.g., access points, smart switches) as authenticator of the authentication server (i.e., to accept authentication requests from supplicants and request access to the centralized authentication server based on them).
Configure supplicant devices (e.g., wireless stations) to send authentication requests to authenticator devices.
Communicate final users (e.g., using a sealed letter) the credentials they must use in order to access the network.

The configuration of authenticator and supplicant devices is specific to each of them. Here is how to configure specific authenticator and supplicant devices to work with nethserver-freeradius integration module:

Ubiquiti NanoStation (airOS)

Use Case

This package might be useful for system administrators needing to control the network access of its users as well as provide mobility to them. For example, consider local wireless communities made of NanoStation devices in which one line of these devices is configured as access points and the rest of them as client stations. The access points, here, are configured as authenticators of a central authentication server (running nethserver-freeradius). The client stations (supplicants) are configured to send access requests to the authenticators using IEEE802.1X.

In this infrastructure:

The supplicant sends an Access-Request to the authenticator it connects to, using IEEE802.1X (e.g., EAP-MD5 or EAP-TTLS). The Access-Request includes the supplicant’s MAC address as well as the “User-Name” and “User-Password” attributes.
The authenticator sends the Access-Request to the centralized authentication server.
The authentication server decides whether or not to accept the supplicant Access-Request and responds to the authenticator accordingly.
The authenticator enforces the authentication server decision to supplicant.

Cheers,

giacomo · June 19, 2017, 12:04pm

Impressive work, thank you for sharing!

Kudos!

alefattorini · June 19, 2017, 1:12pm

Man, where are you been hiding all this time? Impressive job!

Are you using it somewhere? I want to involve here someone who’s very interested in that: @tacioandrade @fausp @robb @jelle

robb · June 19, 2017, 3:04pm

Alain: YOU ROCK man. This was something I really wanted to see implemented in NethServer!!! Thanks a lot! Now creating a guest network will be a breeze!

areguera · June 24, 2017, 3:46am

Thank you all folks for your comments and likes. It is very nice to share with you all. This community feels special.

Yes. In a local wireless community here at town.

alefattorini · June 24, 2017, 6:17am

Yeah! Thanks for your words man. We just great achievements!

robb · June 27, 2017, 11:52am

Hi Alain,
I installed the radius module on my homeserver yesterday and tried to configure my accesspoints to use WPA-enterprise. I was able to set the psk for the communication beteween AP and radius module.
I also got a prompt to log in when connecting to the wireless network/SSSID on my (linux)client. However, that log in failed. I tried both user@domain.tld and DOMAIN\user to log in.
Any pointers on how to configure the radius module on the AP? I have 2 Unifi AC-AP’s running the latest frimware
Here is a screenshot of the configuration of an AP radius profile:

What IP address should be filled in for RAS? Is that NS or NSDC?
What IP address should be filled in for accounting server? Also: NS or NSDC? Is this one optional or mandatory?

areguera · June 28, 2017, 1:55am

Hi @robb,

WPA-enterprise isn’t implemented, yet. Only RADIUS MAC-based authentication is implemented after installing the module. There isn’t accounting either. The following (NanoStation M2) configuration illustrates a basic NAS configuration:

This is good. However, as previously said, user-based authentication isn’t configured in the module yet, so the fail you received. By now, it would be good to know that only the devices with reserved MAC addresses in the DHCP module have access to your wireless network. After that, once RADIUS MAC-based authentication be tested, user-based authentication could be the next step to go. For that point, what do you think of a selector in the web ui for the kind of RADIUS authentication to use (e.g., MAC based, user-based, or a combination of these two)?

I haven’t explored user-based authentication in the RADIUS side yet, but it has several modules available we could explore for this matter (e.g., ldap, smbpass and pam).

The IP address for the RAS should always be that of NethServer, the computer where you installed the nethserver-freeradius module.

Accounting isn’t configured by the module, yet. So you can left it blank.

Thanks.

robb · June 28, 2017, 8:00am

Hi Alain,
Thnx for the explanation. Clear that my attempt had to fail since user based authentication isn’t implemented (yet). However, it would be great to have this available!
Would it even be possible, when user based authentication is available, that user based rules can be applied for access to the network? For example, a timeframe where they are allowed to access the network? It would be even better if that would be a group policy so you can manage groups for access through wifi.

I will have a look later today at my AP’s software if I can manage to connect through mac-based authentication.

Thanks so far, radius authentication will bring NethServer a lot closer to Enterprise level services!

areguera · June 29, 2017, 12:18am

RFC 2865 tells about a Session-Timeout attribute that sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This might be a start point for investigation.

Users’ configuration (at least /etc/raddb/users) could be arranged in a way that users can access the network or not. No more than that (afaik). Note that there is no such idea of “group of users” here, just configuration sections that will grant access and configuration sections that won’t. In fact, there is only configuration sections that will grant access based on certain criteria (e.g., correct username and password). However, on a higher level like NethServer web UI, it might be possible to set the idea of two groups of users (i.e., accepted users and rejected users). So, in a way that some configuration sections can be commented/removed (when related users are administratively rejected network access) or uncommented/created (when related users are administratively accepted network access). In this case, accepted users, will always need to validate their credentials correctly in order to get network access, otherwise they should also be rejected.

@robb your comments look like good candidates for opening new issues with them.

It would be good to know about devices that do support RADIUS MAC authentication and those that don’t. Thinking on including them in the module’s documentation.

Let’s go for it everyone is more than welcome to join the effort.

alefattorini · June 29, 2017, 2:55pm

Is there any possibility to have you at our conference by chance?

robb · June 29, 2017, 6:45pm

That would be so AWESOME! What about it Alain? Would there be any chance of seeing you in Italy last weekend of september? I would love to hear a presentation about your module developer experience so far. You already have a very nice track record with the NethServer-Moodle module and now the NethServer-FreeRadius module.

areguera · July 1, 2017, 1:43am

Wow! … That would be a great experience to me. But landing the idea to my reality, it is something I can’t afford right now. I hope to be on better conditions for the next one. I appreciate very much your interest guys. It makes my faith stronger.

areguera · July 4, 2017, 3:16am

Work is in progress for IEEE 802.1X integration. The integration follows documentation published here.

The following sketch is been used as guide for the web interface layout:

NethServer can operate either as directory or dc, so a simple mechanism must be found to access the users as transparent as possible. I like the idea of using PAM although it is not recommended in FreeRADIUS configuration file (see /etc/raddb/mods-available/pam). What do you think? How FreeRADIUS should authenticate users internally in NethServer?

alefattorini · July 4, 2017, 9:54am

I will figure out what I or the community can do about this. Stay tuned Don’t lose your faith

chandrao · July 4, 2017, 12:35pm

Hello Team, i have installed nethserver-freeradius module using following commands
yum install freeradius freeradius-utils

here i am stucked!! could you please help further for complete configuration of nethserver-freeradius

areguera · July 4, 2017, 9:12pm

@chandrao thanks very much for taking the time.

Your command installs freeradius and freeradius-utils packages. However, it doesn’t install nethserver-freeradius package, the one holding freeradius integration module. The correct command is described in the following thread:

Testing results should also be posted there.

thorsten · October 31, 2017, 10:14am

Hi,

can anybody help, please: Installation seems not to be possible within 7.4 - or at least the installation command does not work for 7.4. (previous version was perfect

Thank you and best regards
Thorsten

alefattorini · November 6, 2017, 2:31pm

Sorry for the late response
Has anyone tried to install it on NethServer 7.4? @areguera @chandrao @robb