Nethserver-freeradius package available for testing

areguera (Alain Reguera Delgado) 2017-06-24 03:10:14 UTC #1

Hi,

We have nethserver-freeradius package available in nethforge-testing repository for both NethServer 7 and 6. It would be great if you could test it and report issues about it. Please note that to test this package you must have the appropriate infrastructure in-place. The module’s help describes such infrastructure. In case this documentation isn’t clear, please report an issue about it as well.

To install this package you can run the following command:

yum --enablerepo=nethforge-testing install nethserver-freeradius

Thanks.

Nethserver-freeradius integration module

giacomo (Giacomo Sanchietti) 2017-06-25 20:08:41 UTC #2

Come on @quality_team, let’s try to find some bug!

alefattorini (Alessio Fattorini) 2017-06-26 10:31:47 UTC #3

@tacioandrade @fausp @robb @jelle it is your time

alefattorini (Alessio Fattorini) 2017-06-27 11:04:01 UTC #4

areguera (Alain Reguera Delgado) 2017-07-09 21:41:03 UTC #5

@quality_team, @robb, and anyone interested: a new version (0.0.4-1) of the package nethserver-freeradius was uploaded to nethforge-testing repository. It is very basic. Some of the changes include the following:

Add new tab dedicated to authentication server
Add new tab dedicated to supplicants
Update radiusd configuration based on supplicants database
Update authorized_macs based on supplicants database instead of hosts database
Update online documentation
Update configuration file permissions
Update header using lower-case words
Update server authentication to use both MAC address and IEEE802.1X
Use Authenticators tab name instead of just NAS

The web user interface looks like the following illustration:

Could you give it a try?

robb (Rob Bosch) 2017-07-10 07:53:18 UTC #6

@areguerayou deserve a medal… great work. I will update the packa
gbe later today op e

areguera (Alain Reguera Delgado) 2017-07-11 22:23:18 UTC #7

Here is the configuration for NanoStation (airOS) devices.

MAC address only

When the authentication server is configured to accept network access based on MAC address only, the security configuration in the authenticator (access point) is the following:

and the security configuration in the supplicant is the following:

IEEE802.1X

When the authentication server is configured to accept network access based on username and password only, the security configuration in the authenticator (access point) is the following:

and the security configuration in the supplicant is the following:

Remember to update the fields with the correct information that fit your network infrastructure (e.g., setting the correct username and passwords, authentication server IP address, etc.).

MAC address and IEEE802.1X combined

The security configuration in the airOS authenticator (access point) can be either MAC based or IEEE802.1X but not both at the same time. So, when the authentication server is configured to accept network access based on both MAC address and IEEE802.1X, the infrastructure can hold authenticators with different wireless security. For example, one authenticator configured to accept network access based on supplicant’s MAC addresses and other authenticator configured to accept network access based on supplicant’s username and password.

When the authentication server is configured to accept network access based on both MAC address and IEEE802.1X and both authenticator and supplicant are configured to authenticate using IEEE802.1X, the supplicant also sends the MAC address of the supplicant device to the authentication server, so the authentication server tells authenticator to accept network access based on the MAC address, username and pasword triplet.

Nethserver-freeradius integration module

ghost (other names Tedd77/Giorgio09) 2017-07-11 22:59:07 UTC #8

Great work I am trying it now.

areguera (Alain Reguera Delgado) 2017-07-11 23:15:10 UTC #9

Great! Let let us know the results please …

areguera (Alain Reguera Delgado) 2017-07-12 21:05:14 UTC #10

Here is the RADIUS infrastructure layout:

This might be helpful when testing FreeRADIUS integration module.

a4rgl (Rich Lawrence) 2017-07-17 11:16:38 UTC #11

Thanks for the Nethserver-freeradius package.
I am testing this on NethServer release 6.9 (Final) Kernel release 2.6.32-696.6.3.el6.x86_64.

I have added the nethforge-testing repository and have the first version (0.0.5-1). This version has just a single tab “NAS”. When trying to get the latest version with multiple tabs, I am unable to install it, any advice ?

robb (Rob Bosch) 2017-07-17 16:30:23 UTC #12

I will do further testing on this module when the last items for my new server has arrived. Hopefully later this week.
Thanks again for your work @areguera

filippo_carletti (Filippo Carletti) 2017-07-18 08:22:26 UTC #13

@areguera, did you try to use system user from ldap or samba ad? I spent some time trying to authenticate through pam, but I never succeeded.

alefattorini (Alessio Fattorini) 2017-07-18 10:15:17 UTC #14

Ehi man, I’m late for the party great updates anyway! Hope people will give you a good feedback on your work.

areguera (Alain Reguera Delgado) 2017-07-19 03:09:08 UTC #15

Yes. This is because such version of the package is a few commits old. I must fix this soon, once I finish to migrate my development environment to the new location.

areguera (Alain Reguera Delgado) 2017-07-19 03:24:54 UTC #16

I tried only PAM, no LDAP, nor SAMBA AD.

When the NAS is configured to use EAP-TTLS + MSCHAP2, the user back-end needs to be in clear-text, so no PAM (and probably no other back-end storing encrypted credentials). However, based on this thread, when the NAS is configured to use EAP-TTLS + PAP it seems possible to use PAM in the server. I haven’t tried this last one because the NAS I am using doesn’t support such a PAP method.

a4rgl (Rich Lawrence) 2017-07-19 08:49:56 UTC #17

Thanks, I will wait for your update.

areguera (Alain Reguera Delgado) 2017-07-22 15:52:47 UTC #18

@a4rgl, the updates of nethserver-freeradius module for ns6 will be rolling this weekend at ns6-next branch … and the related package will be published (I expect) on Monday, so you can install it using yum.

A new version of nethserver-freeradius module for ns7 will be also released with some corrections.

areguera (Alain Reguera Delgado) 2017-07-23 02:26:37 UTC #19

@a4rgl, the updates of nethserver-freeradius for ns6 should be already available in nethforge-testing repository. It is an adaption of changes in nethserver-freeradius for ns7.

The packages uploaded were:

nethserver-freeradius-0.0.7-1.ns6.noarch.rpm
nethserver-freeradius-0.0.6-1.ns7.noarch.rpm

gerald_FS (Gerald) 2017-07-23 17:57:55 UTC #20

Hello,

Thank you for creating the freeradius package for the Nethserver.

Is there the prospect that the identification is made by means of the user database from Samba AD, or does one have to say goodbye?

Currently the release is based on the basic MAC address.

greetings
Gerald