Hello Alefatorini,
Yes, I have installed NethServer 7.4 successfully.
Thanks for your prompt response.
Can you paste here some errors? @chandrao confirms that it works correctly
Please accept my sincere apology…
I have installed only NethServer 7.4 without free-radius.
I am stuck on NS 7.3 with free-radius.
Regards,
I will give freeradius a go soon. Already have 7.4 installed. Will fire up some extra VMs to play with…
Hi,
the error message is:
[root@ebb-s01 ~]# yum --enablerepo=nethforge-testing install nethserver-freeradius
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events
base | 3.6 kB 00:00:00
base-debuginfo | 2.5 kB 00:00:00
centos-sclo-rh | 2.9 kB 00:00:00
centos-sclo-rh-debuginfo | 2.9 kB 00:00:00
centos-sclo-sclo | 2.9 kB 00:00:00
centos-sclo-sclo-debuginfo | 2.9 kB 00:00:00
epel/x86_64/metalink | 25 kB 00:00:00
epel | 4.7 kB 00:00:00
epel-debuginfo/x86_64/metalink | 25 kB 00:00:00
epel-debuginfo | 3.0 kB 00:00:00
extras | 3.4 kB 00:00:00
nethforge | 4.0 kB 00:00:00
nethforge-testing | 2.9 kB 00:00:00
nethserver-base | 2.9 kB 00:00:00
nethserver-updates | 4.1 kB 00:00:00
stephdl | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/8): extras/7/x86_64/primary_db | 129 kB 00:00:00
(2/8): nethforge/7/x86_64/primary_db | 19 kB 00:00:00
(3/8): epel/x86_64/updateinfo | 845 kB 00:00:02
(4/8): nethserver-updates/7/x86_64/primary_db | 26 kB 00:00:00
(5/8): epel-debuginfo/x86_64/primary_db | 821 kB 00:00:02
(6/8): updates/7/x86_64/primary_db | 3.6 MB 00:00:00
(7/8): stephdl/7/primary_db | 104 kB 00:00:01
(8/8): epel/x86_64/primary_db | 6.1 MB 00:00:03
Determining fastest mirrors
- base: mirror.spreitzer.ch
- epel: mirror.daniel-jost.net
- epel-debuginfo: mirror.daniel-jost.net
- extras: mirror.spreitzer.ch
- nethforge: markusneuberger.at
- nethserver-base: markusneuberger.at
- nethserver-updates: markusneuberger.at
- updates: mirror.spreitzer.ch
No package nethserver-freeradius available.
Error: Nothing to do
I hope this helps.
Thorsten
Hi @thorsten,
same here. It's still installable for NS6 but not available on NS7. Where is nethserver-freeradius for NS7? Tried to find it but no luck. Nethforge-testing for NS7 has no packages at the moment.
Bumping this great topic. It would be superb to have user auth working with this module.
@areguera, did you have any time available to update the module so user auth can be done?
Taking that a step further, I would love to see an option to create timestamps so users and/or groups can be granted access to the network (i.e. a start and end time for network access).
The merry month of May is here, so I push the topic again!
Is there anything new, so that FreeRadius can be used with user identification?
I would namely like to change my access points so that every registered user is a member of a particular group (wireless access), and the "stupid" static WPA password is a thing of the past.
Would be very happy if it would work
greetings
Gerald
Maybe we can ping @areguera again. He started work on this feature. Can you give us an update please?
Hi,
1.: I like this module, however it would be great to authenticate / authorise against AD groups (one group per client, please).
2.: I am still stuck on how to use WPA2 Enterprise with MAC. Any manuals, screenshots etc. on the server as well as on the client side (Win 7, iOS preferred) are welcome.
3.: Using the nethserver module to set parameters on my PC (Windows 7 / Firefox): I get an exit status ("error") on saving any change of parameters, however it seems to work.
4.: I do not get any error on mobile devices (Iphone / Safari) for the same changes
5.: I substituted the server.pem certificate by the letsencrypt certificate (see here for basic idea: SSL certificates for Samba AD (NSDC host))
Steps:
I copied the certificate and the keyfile to /etc/raddb/certs/, see above
I changed the eap file in …/mods-available simply on two lines in the "tls-config tls-common {" section:
private_key_file = ${certdir}/newkey.pem
certificate_file = ${certdir}/newcertificate.pem
Result: Clients show the correct letsencrypt certificate including the correct server name mynethservernamer.myname.tld, however it is considered invalid. I think this is related to the missing CA within the clients (Windows 7 / iOS). I hope this idea helps in further development.
Best regards
Thorsten
WPA2-Enterprise in combination with RADIUS authentication is what we use in our company all the time. So I just had to get freeradius to authenticate against NSDC AD users. What I did:
Well I installed freeradius, freeradius-ldap and freeradius-utils for testing, did some initial configuration and configured the ldap module, and PAP simple authentication works just fine there.
To use MSCHAPv2, unfortunately you have to enable ntlm auth in NSDC samba configuration (there stands a security risk). Then it is necessary to configure the radius mschap module to execute the ntlm_auth command from the NSDC container and get the NT_KEY in return.
I just finished testing and fiddling with it and it seems to work fine so far. I took a look at Zentyal and it has the same implementation for their RADIUS module.
I will post the configuration files and some steps when I'm finished testing everything.
Thank you @kellerman for your effort. I am really curious about the technical implementation and looking forward to the howto!
Nothing complicated really… @robb
To begin:
yum install freeradius freeradius-ldap freeradius-utils
Be sure that the nethserver-freeradius module isn't installed, just pure freeradius, so we can edit files at /etc/raddb directly and they don't get overwritten. I switched to NethServer recently and am not very familiar with developing NethServer modules yet.
Initial configuration files will be created at /etc/raddb and ldap module at /etc/raddb/modules-available
Then you need to modify the radiusd.conf file in the security section
user = root
group = root
We have to run radiusd as root instead of the default radiusd user, because accessing the systemd container is otherwise not possible.
In log section I set it to log failed and successful login attempts to radius.log file. By default nothing like that is logged.
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = yes
At clients.conf file, just add your clients, IPs and shared secrets to the bottom. For example:
client testpc {
ipaddr = 10.43.0.6
secret = 123
}
client cap {
ipaddr = 10.30.0.50
secret = secret
}
Then move to the modules: the ldap module should be symlinked from mods-available to mods-enabled using the ln -s command (if it isn't already). After it's done, here is my modified ldap file
https://pastebin.com/CZH2QM8S
There isn't really much modified, just set the server IP, identity and password from NethServer GUI->Configuration->Accounts Provider. Also set base_dn from NethServer GUI->Domain Accounts.
Then follows mschap module for NTLM MSCHAP authentication.
First edit /var/lib/machines/nsdc/etc/samba/samba.conf and add ntlm auth = mschapv2-and-ntlmv2-only to the global section, so it looks something like this:
# Global parameters
[global]
dns forwarder = 127.0.0.1
netbios name = NSDC-SERVER
realm = AD.TESTSERVER.LOCAL
server role = active directory domain controller
workgroup = TESTSERVER
include = /etc/samba/smb.conf.include
ntlm auth = mschapv2-and-ntlmv2-only
[netlogon]
path = /var/lib/samba/sysvol/ad.testserver.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Execute
systemctl restart nsdc
to apply changes.
Here is my modified mschap module file
https://pastebin.com/ukmRq7wP
Again not much is modified, only the ntlm_auth line, to:
ntlm_auth = "/usr/bin/nsdc-run -e /usr/bin/ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
Then create a bash script at /var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc. Remember to chmod +x /var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc
#!/bin/bash
# Wrapper executed inside the nsdc container via nsdc-run; rlm_mschap passes
# $1 = username, $2 = MS-CHAP challenge, $3 = NT response.
OUTPUT=$(/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username="$1" --challenge="$2" --nt-response="$3")
DATETIME=$(date "+%Y%m%d-%H:%M:%S")
# Log the attempt, then hand ntlm_auth's output ("NT_KEY: ..." on success) back to rlm_mschap.
echo "$DATETIME $1 $OUTPUT" >> /var/log/ntlm_auth_nsdc
echo "$OUTPUT"
# The exit code must mirror the result, since rlm_mschap treats a non-zero exit as a failed logon.
if [[ ${OUTPUT:0:6} == "NT_KEY" ]]; then exit 0; else exit 1; fi
A little trick which executes the ntlm_auth command under the nsdc container machine and helps to pass logon information and the exit code of the command, as well as writing a logfile at /var/log/ntlm_auth_nsdc. You can then ln -s /var/lib/machines/nsdc/var/log/ntlm_auth_nsdc /var/log/ntlm_auth_nsdc
For testing purposes you can run radiusd with -X parameter to get full debug output.
If you need to give radius access to a specific group, you need to edit /etc/raddb/mods-config/files/authorize and add the following lines to the beginning of the file:
DEFAULT LDAP-Group !="radius_group", Auth-Type := Reject
Service-Type := Login-User
Both pap and mschap requests will be filtered.
I made this writeup quickly, so if there are any questions feel free to ask.
For testing there is radtest utility included in freeradius-utils package.
radtest -t pap username password server:port 1 testing123
radtest -t mschap username password server:port 1 testing123
In the clients.conf file a test client on localhost with secret "testing123" is enabled by default, so you can send radius auth requests from the server's shell. Both above-mentioned commands should authenticate fine.
The ldap and mschap module files are taken from a working environment. So far it all works; the only issue I faced is that after a reboot, radiusd starts before nsdc, so it fails to connect to the ldap server. After systemctl restart radiusd it's fine. Have to fix that.
edit:
modify /etc/raddb/mods-available/ldap and set
pool {
start = 0
...
Now radiusd will start even with no LDAP available at startup.
Feel free to point out any of my mistakes. Enabling ntlm_auth unfortunately is a must-have in a WPA2-Enterprise application.
Now I found out that accessing the container with systemd-run isn't a good solution, because it tends to fail randomly with a "Failed to get machine PTY" error, even when running with --send-sighup. I am now testing accessing the container with nsdc-run -e. It seems that it accesses the container using a unix socket. The thing is you can't use nsdc-run -e "ntlm-auth" directly, because it doesn't produce any output. Instead I created a script inside the container, which can be run using nsdc-run, and both output and exit code can be gathered.
If it works fine after a bit of testing I will post an update.
edit:
I corrected the main post a bit, I now execute ntlm_auth using nsdc-run instead of the systemd-run approach. And there is a script under /var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc
which works fine with nsdc-run, because as I mentioned earlier nsdc-run -e /usr/bin/ntlm_auth gives no output to tty.
I also added eap_tls module support to my radius installation, which works fine as well.
Not really related, but we try to keep track of useful commands; this is how we browse the Samba AD, maybe it could help:
https://wiki.nethserver.org/doku.php?id=howto:useful_commands#browse_samba_ad_field_without_password
Since this configuration introduces a weak and old authentication mechanism, I'd prefer not to support it.
But I back a howto here or on the wiki.
If many people ask for it, maybe we can arrange something with some big security warning.
Thank you @kellerman for the detailed steps!
No problem guys!
If you don't use MSCHAP for your radius server, then it is totally fine; otherwise using the NTLM protocol is indeed a security risk. I have tested the setup in my writeup for a week and it all runs perfectly.
You can modify this line:
echo $DATETIME $1 $OUTPUT >> /var/log/ntlm_auth_nsdc;
to for example to
echo $DATETIME $1 ${OUTPUT:0:6} >> /var/log/ntlm_auth_nsdc;
to not log the full NTLM key, when you have confirmed everything working
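Building on the log line format the wrapper writes (date, user, ntlm_auth output) and the suggestion above to stop logging the full NT_KEY, here is an added example (not kellerman's code) that reads such a log as a defender would: it reports per-user success and failure counts without ever printing key material, and flags accounts with repeated failures. The log lines are constructed samples, and the NT_STATUS wording of the failure lines is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post: summarise the wrapper's log
# (/var/log/ntlm_auth_nsdc, one line per attempt in the form
# "<YYYYmmdd-HH:MM:SS> <user> <ntlm_auth output>") without printing any
# NT_KEY material, and flag usernames that accumulate many failures.

# Constructed sample log lines in that format (not real data).
SAMPLE_LOG='20180501-10:00:01 alice NT_KEY: 0123456789ABCDEF0123456789ABCDEF
20180501-10:00:05 bob NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
20180501-10:00:06 bob NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
20180501-10:00:07 bob NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
20180501-10:00:09 alice NT_KEY: 0123456789ABCDEF0123456789ABCDEF
20180501-10:00:11 carol NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)'

# summarise_log <logfile>: prints "<user> <successes> <failures>", one user per
# line. Only the "NT_KEY:" marker is inspected; the key bytes are never output.
summarise_log() {
    awk '{
        user = $2
        if ($3 == "NT_KEY:") ok[user]++; else fail[user]++
        seen[user] = 1
    }
    END {
        for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, fail[u] + 0
    }' "$1" | sort
}

# flag_bruteforce <logfile> <threshold>: usernames with at least <threshold>
# failed attempts, a simple password-guessing indicator for this log.
flag_bruteforce() {
    summarise_log "$1" | awk -v t="$2" '$3 >= t { print $1 }'
}

# failures_for <logfile> <user>: failure count for a single user.
failures_for() {
    summarise_log "$1" | awk -v u="$2" '$1 == u { print $3 }'
}

# demo: run the checks over the constructed sample.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    summarise_log "$f"
    echo "--- users with 3 or more failures ---"
    flag_bruteforce "$f" 3
    rm -f "$f"
}
```

Source the file and call demo to see the summary for the sample; point summarise_log at the symlinked /var/log/ntlm_auth_nsdc to run it on a real log.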
Hello, asked quite naively now: can the protocol not be put on a secure variant?
If I understand correctly, the key is written to the log file and transmitted in plain text?
What is the current safest standard and why doesn't that work?
Greetings, Gerald