Nethserver-freeradius integration module

Yeah! Thanks for your words man. We just :heart: great achievements!

Hi Alain,
I installed the radius module on my homeserver yesterday and tried to configure my accesspoints to use WPA-enterprise. I was able to set the psk for the communication beteween AP and radius module.
I also got a prompt to log in when connecting to the wireless network/SSSID on my (linux)client. However, that log in failed. I tried both user@domain.tld and DOMAIN\user to log in.
Any pointers on how to configure the radius module on the AP? I have 2 Unifi AC-AP’s running the latest frimware
Here is a screenshot of the configuration of an AP radius profile:


What IP address should be filled in for RAS? Is that NS or NSDC?
What IP address should be filled in for accounting server? Also: NS or NSDC? Is this one optional or mandatory?

Hi @robb,

WPA-enterprise isn’t implemented, yet. Only RADIUS MAC-based authentication is implemented after installing the module. There isn’t accounting either. The following (NanoStation M2) configuration illustrates a basic NAS configuration:

This is good. However, as previously said, user-based authentication isn’t configured in the module yet, so the fail you received. By now, it would be good to know that only the devices with reserved MAC addresses in the DHCP module have access to your wireless network. After that, once RADIUS MAC-based authentication be tested, user-based authentication could be the next step to go. For that point, what do you think of a selector in the web ui for the kind of RADIUS authentication to use (e.g., MAC based, user-based, or a combination of these two)?

I haven’t explored user-based authentication in the RADIUS side yet, but it has several modules available we could explore for this matter (e.g., ldap, smbpass and pam).

The IP address for the RAS should always be that of NethServer, the computer where you installed the nethserver-freeradius module.

Accounting isn’t configured by the module, yet. So you can left it blank.

Thanks.

Hi Alain,
Thnx for the explanation. Clear that my attempt had to fail since user based authentication isn’t implemented (yet). However, it would be great to have this available!
Would it even be possible, when user based authentication is available, that user based rules can be applied for access to the network? For example, a timeframe where they are allowed to access the network? It would be even better if that would be a group policy so you can manage groups for access through wifi.

I will have a look later today at my AP’s software if I can manage to connect through mac-based authentication.

Thanks so far, radius authentication will bring NethServer a lot closer to Enterprise level services!

RFC 2865 tells about a Session-Timeout attribute that sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This might be a start point for investigation.

Users’ configuration (at least /etc/raddb/users) could be arranged in a way that users can access the network or not. No more than that (afaik). Note that there is no such idea of “group of users” here, just configuration sections that will grant access and configuration sections that won’t. In fact, there is only configuration sections that will grant access based on certain criteria (e.g., correct username and password). However, on a higher level like NethServer web UI, it might be possible to set the idea of two groups of users (i.e., accepted users and rejected users). So, in a way that some configuration sections can be commented/removed (when related users are administratively rejected network access) or uncommented/created (when related users are administratively accepted network access). In this case, accepted users, will always need to validate their credentials correctly in order to get network access, otherwise they should also be rejected.

@robb your comments look like good candidates for opening new issues with them.

It would be good to know about devices that do support RADIUS MAC authentication and those that don’t. Thinking on including them in the module’s documentation.

Let’s go for it :muscle: :slight_smile: :mega: everyone is more than welcome to join the effort.

3 Likes

Is there any possibility to have you at our conference by chance? :slight_smile:

2 Likes

That would be so AWESOME! What about it Alain? Would there be any chance of seeing you in Italy last weekend of september? I would love to hear a presentation about your module developer experience so far. You already have a very nice track record with the NethServer-Moodle module and now the NethServer-FreeRadius module.

Wow! … That would be a great experience to me. But landing the idea to my reality, it is something I can’t afford right now. I hope to be on better conditions for the next one. I appreciate very much your interest guys. It makes my faith stronger.

2 Likes

Work is in progress for IEEE 802.1X integration. The integration follows documentation published here.

The following sketch is been used as guide for the web interface layout:

NethServer can operate either as directory or dc, so a simple mechanism must be found to access the users as transparent as possible. I like the idea of using PAM although it is not recommended in FreeRADIUS configuration file (see /etc/raddb/mods-available/pam). What do you think? How FreeRADIUS should authenticate users internally in NethServer?

3 Likes

I will figure out what I or the community can do about this. Stay tuned :slight_smile: Don’t lose your faith

Hello Team, i have installed nethserver-freeradius module using following commands
yum install freeradius freeradius-utils

here i am stucked!! could you please help further for complete configuration of nethserver-freeradius

@chandrao thanks very much for taking the time.

Your command installs freeradius and freeradius-utils packages. However, it doesn’t install nethserver-freeradius package, the one holding freeradius integration module. The correct command is described in the following thread:

Testing results should also be posted there.

2 Likes

Hi,

can anybody help, please: Installation seems not to be possible within 7.4 - or at least the installation command does not work for 7.4. (previous version was perfect :slight_smile:

Thank you and best regards
Thorsten

Sorry for the late response :frowning:
Has anyone tried to install it on NethServer 7.4? @areguera @chandrao @robb

Hello Alefatorini,

Yes. i have installed Nethserver 7.4 sucessfully :slight_smile:

thanks for your prompt response.

1 Like

Can you paste here some errors? @chandrao confirms that it works correctly

Please accept sincere apology…

I have installed only Nethserver 7.4 without free-radius.

I have stucked in NS 7.3 with free-radius.

Regards,

I will give freeradius a go soon. Already have 7.4 installed. Will fire up some extra VM’ s to play with…

Hi,

the error message ist:

[root@ebb-s01 ~]# yum --enablerepo=nethforge-testing install nethserver-freeradius
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events
base | 3.6 kB 00:00:00
base-debuginfo | 2.5 kB 00:00:00
centos-sclo-rh | 2.9 kB 00:00:00
centos-sclo-rh-debuginfo | 2.9 kB 00:00:00
centos-sclo-sclo | 2.9 kB 00:00:00
centos-sclo-sclo-debuginfo | 2.9 kB 00:00:00
epel/x86_64/metalink | 25 kB 00:00:00
epel | 4.7 kB 00:00:00
epel-debuginfo/x86_64/metalink | 25 kB 00:00:00
epel-debuginfo | 3.0 kB 00:00:00
extras | 3.4 kB 00:00:00
nethforge | 4.0 kB 00:00:00
nethforge-testing | 2.9 kB 00:00:00
nethserver-base | 2.9 kB 00:00:00
nethserver-updates | 4.1 kB 00:00:00
stephdl | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/8): extras/7/x86_64/primary_db | 129 kB 00:00:00
(2/8): nethforge/7/x86_64/primary_db | 19 kB 00:00:00
(3/8): epel/x86_64/updateinfo | 845 kB 00:00:02
(4/8): nethserver-updates/7/x86_64/primary_db | 26 kB 00:00:00
(5/8): epel-debuginfo/x86_64/primary_db | 821 kB 00:00:02
(6/8): updates/7/x86_64/primary_db | 3.6 MB 00:00:00
(7/8): stephdl/7/primary_db | 104 kB 00:00:01
(8/8): epel/x86_64/primary_db | 6.1 MB 00:00:03
Determining fastest mirrors

I hope this helps.
Thorsten

Hi @thorsten,

same here. It’s still installable for NS6 but not available on NS7. Where is nethserver-freeradius for NS7? Tried to find it but no luck. Nethforge-testing for NS7 has no packages at the moment.