Nethserver-freeradius integration module

Sorry for the late response :frowning:
Has anyone tried to install it on NethServer 7.4? @areguera @chandrao @robb

Hello Alefatorini,

Yes. i have installed Nethserver 7.4 sucessfully :slight_smile:

thanks for your prompt response.

1 Like

Can you paste here some errors? @chandrao confirms that it works correctly

Please accept sincere apology…

I have installed only Nethserver 7.4 without free-radius.

I have stucked in NS 7.3 with free-radius.

Regards,

I will give freeradius a go soon. Already have 7.4 installed. Will fire up some extra VM’ s to play with…

Hi,

the error message ist:

[root@ebb-s01 ~]# yum --enablerepo=nethforge-testing install nethserver-freeradius
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events
base | 3.6 kB 00:00:00
base-debuginfo | 2.5 kB 00:00:00
centos-sclo-rh | 2.9 kB 00:00:00
centos-sclo-rh-debuginfo | 2.9 kB 00:00:00
centos-sclo-sclo | 2.9 kB 00:00:00
centos-sclo-sclo-debuginfo | 2.9 kB 00:00:00
epel/x86_64/metalink | 25 kB 00:00:00
epel | 4.7 kB 00:00:00
epel-debuginfo/x86_64/metalink | 25 kB 00:00:00
epel-debuginfo | 3.0 kB 00:00:00
extras | 3.4 kB 00:00:00
nethforge | 4.0 kB 00:00:00
nethforge-testing | 2.9 kB 00:00:00
nethserver-base | 2.9 kB 00:00:00
nethserver-updates | 4.1 kB 00:00:00
stephdl | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/8): extras/7/x86_64/primary_db | 129 kB 00:00:00
(2/8): nethforge/7/x86_64/primary_db | 19 kB 00:00:00
(3/8): epel/x86_64/updateinfo | 845 kB 00:00:02
(4/8): nethserver-updates/7/x86_64/primary_db | 26 kB 00:00:00
(5/8): epel-debuginfo/x86_64/primary_db | 821 kB 00:00:02
(6/8): updates/7/x86_64/primary_db | 3.6 MB 00:00:00
(7/8): stephdl/7/primary_db | 104 kB 00:00:01
(8/8): epel/x86_64/primary_db | 6.1 MB 00:00:03
Determining fastest mirrors

I hope this helps.
Thorsten

Hi @thorsten,

same here. It’s still installable for NS6 but not available on NS7. Where is nethserver-freeradius for NS7? Tried to find it but no luck. Nethforge-testing for NS7 has no packages at the moment.

Bumping this great topic. It would be superb to have user auth working with this module.
@areguera, did you have any time available to update the module so user auth can be done?
Taking that a step further, I would love to see an option to create timestamps so users and/or groups can be granted access to the network. (IE: start and end time for network access)

1 Like

The merry month of May is here, so ihc pushes the topic again!

Is there a new situation that you can use FreeRadius with user identification?

Would namely like to change my accessppints that every registered user is a member of a particular group - wireless access, and the “stupid” static WPA password is a topic of the past.

Would be very happy if it would work :wink:

greetings
Gerald

2 Likes

Maybe we can ping @areguera again. He started work on this feature. Can you give us an update please?

1 Like

Hi,

1.: I like this module :slight_smile: however It would be great to authentificate / authorisate against AD groups (one group per client, please)
2.: I am still stuck on how to use WPA2 enterprise with MAC. Any manuals, screenshots etc on the server as well as on the client side (Win 7, IOS preferred) are welcome :slight_smile:
3.: Using the nethserver module to set paramters on my PC (Windows 7 / Firefox): I get an exit status (“error”) on saving any change of parameters - however it seems to work.
4.: I do not get any error on mobile devices (Iphone / Safari) for the same changes
5.: I substituted the server.pem certificate by the letsencrypt certificate (see here for basic idea: SSL certificates for Samba AD (NSDC host))
Steps:
I copied the certificate and the keyfile to /etc/raddb/certs/, see above
I changed the eap file in …/mods-available simply on lines in the “tls-config tls-common {” section:

private_key_file = ${certdir}/newkey.pem
certificate_file = ${certdir}/newcertificate.pem

Result: Clients show the correct letsencrypt certificate including the correct server name mynethservernamer.myname.tld, however it is considered as invalid. I think this is related to missing CA within the clients (Windows 7 / IOS). I hope this idea helps in further development.

Best regards
Thorsten

WPA2-Enterprise in combination with RADIUS authentication is what we use in our company all the time. So I just had to get freeradius to authenticate against NSDC AD users. What I did:

Well I installed freeradius, freeradius-ldap and freeradius-utils for testing, did some initial configuration and configured the ldap module, and PAP simple authentication works just fine there.
To use MSCHAPv2, unfortunately you have to enable ntlm auth in NSDC samba configuration (there stands a security risk). Then it is necessary to configure the radius mschap module to execute the ntlm_auth command from the NSDC container and get the NT_KEY in return.

I just finished testing and fiddling with it and it seems to work fine so far. I took a look at Zentyal and it has the same implementation for their RADIUS module.

I will post the configuration files and some steps when I’m finished testing everyting.

12 Likes

Thank you @kellerman for your effort. I am realy curious to the technical implementation and looking forward to the howto!

Nothing complicated really… @robb
To begin:
yum install freeradius freeradius-ldap freeradius-utils
Be sure that nethserver-freeradius module isn’t installed, just pure freeradius, so we can edit files at /etc/raddb directly and they are not getting overwritten. I switched to NethServer recently and am not very familiar with developing NethServer modules yet.

Initial configuration files will be created at /etc/raddb and ldap module at /etc/raddb/modules-available
Then you need to modify the radiusd.conf file in the security section
user = root
group = root

We have to run radiusd as root instead of default radiusd user, because accessing systemd container is otherwise not possible.
In log section I set it to log failed and successful login attempts to radius.log file. By default nothing like that is logged.

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
auth = yes
#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = yes

At clients.conf file, just add your clients, IPs and shared secrets to the bottom. For example:

client testpc {
 ipaddr = 10.43.0.6
 secret = 123
}
client cap {
 ipaddr = 10.30.0.50
 secret = secret
}

Then move to the modules, module ldap should be symlinked from mods-available to mods-enabled using ln -s command (if it isn’t already). After it’s done, here is my modified ldap file
https://pastebin.com/CZH2QM8S
There isn’t really much modified, just set the server IP, identity, password from NethServer GUI->Configuration->Accounts Provider. Also set base_dn from NethServer GUI->Domain Accounts.

Then follows mschap module for NTLM MSCHAP authentication.
First edit /var/lib/machines/nsdc/etc/samba/samba.conf and add ntml auth = mschapv2-and-ntlmv2-only to the global section, so it looks something like this:

# Global parameters
[global]
        dns forwarder = 127.0.0.1
        netbios name = NSDC-SERVER
        realm = AD.TESTSERVER.LOCAL
        server role = active directory domain controller
        workgroup = TESTSERVER
        include = /etc/samba/smb.conf.include
        ntlm auth = mschapv2-and-ntlmv2-only
[netlogon]
        path = /var/lib/samba/sysvol/ad.testserver.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Execute
systemctl restart nsdc
to apply changes.

Here is my modified mschap module file
https://pastebin.com/ukmRq7wP
Again not much modified, only the ntlm_auth line to
ntlm_auth = "/usr/bin/nsdc-run -e /usr/bin/ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"

Then create a bash script at /var/lib/machines/nsdc/usr/bin/ntml_auth_nsdc. Remember to chmod -x /var/lib/machines/nsdc/usr/bin/ntml_auth_nsdc

#!/bin/bash
OUTPUT=$(/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=$1 --challenge=$2 --nt-response=$3);
DATETIME=`date "+%Y%m%d-%H:%M:%S"`
echo $DATETIME $1 $OUTPUT >> /var/log/ntlm_auth_nsdc;
echo $OUTPUT;
if [[ ${OUTPUT:0:6} == "NT_KEY" ]] ; then exit 0; else exit 1; fi;
fi

A little trick which executes the ntml_auth command under nsdc container machine and helps to pass logon information and the exit code of the command, as well as doing some logfiles at/var/log/ntlm_auth_nsdc. You can then ln -s /var/lib/machines/nsdc/var/log/ntlm_auth_nsdc /var/log/ntlm_auth_nsdc
For testing purposes you can run radiusd with -X parameter to get full debug output.

If you need to give radius access to a specific group, you need to edit /etc/raddb/mods-config/files/authorize and add the following lines to the beginning of the file:

DEFAULT LDAP-Group !="radius_group", Auth-Type := Reject
	Service-Type := Login-User

Both pap and mschap requests will be filtered

I made this writeup quickly, so if there are any questions feel free to ask.
For testing there is radtest utility included in freeradius-utils package.

radtest -t pap username password server:port 1 testing123
radtest -t mschap username password server:port 1 testing123

In the clients.conf file a test client on localhost with secret “testing123” is enabled by default, so you can send radius auth requests from the servers shell. Both upper mentioned commands should authenticate fine.

The ldap and mschap module files are taken from working environment. So far it all works, only issue I faced is that after a reboot, the radiusd starts before nsdc, so it fails to connect to ldap server, after systemctl radiusd restart it’s fine. Have to fix that.

edit:
modify /etc/raddb/mods-available/ldap
edit

pools{
start = 0
 ...

Now radiusd will start even with no LDAP available at startup

10 Likes

I know @davidep and @giacomo are drinking margarita, but I would like to know their hints

1 Like

Feel free to point to any of my mistakes. Enabling ntlm_auth unfortunately is a must have in WPA2-Enterprise application.
Now I found out that accessing the container with systemd-run isnt a good solution, because it tends to fail randomly with a ‘Failed to get machine PTY’ error. Even when running with --send-sighup. I am now testing accessing the container with nsdc-run -e. Seems that it accesses the container using a unix socket. The thing is you cant use nsdc-run -e “ntlm-auth” directly, because it doesnt produce any output. Instead I created a script inside the container, which can be run using nsdc-run and both output and exit code can be gathered.
If it works fine after a bit of testing I will post an update.
edit:
I corrected the main post a bit, I now execute ntlm_auth using nsdc-run instead of systemd-run approach. And there is a script under/var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc which works fine with nsdc-run, because as I mentioned earlier nsdc-run -e /usr/bin/ntlm_auth gives no output to tty.

I also added eap_tls module support to my radius installation, which works fine as well.

2 Likes

Not really related, We try to keep track about useful command, this how we browse the samba ad, maybe it could help

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#browse_samba_ad_field_without_password

Since this configuration introduces a weak and old authentication mechanism, I’d prefer to not support it.

But I back an howto here or the wiki.
If many people will ask for it, maybe we can arrange something with some big security warning :smiley:

Thank your @kellerman for the detailed steps!

Actually @davidep is at work and I hope @giacomo is drinking a lot of beer

No problem guys!
If you dont use MSCHAP for your radius server, then it is totally fine, otherwise using NTLM protocol is indeed a security risk. I have tested the setup in my writeup for a week and it all runs perfectly.
You can modify this line:

echo $DATETIME $1 $OUTPUT >> /var/log/ntlm_auth_nsdc;

to for example to

echo $DATETIME $1 ${OUTPUT:0:6} >> /var/log/ntlm_auth_nsdc;

to not log the full NTLM key, when you have confirmed everything working

1 Like