Nethserver-freeradius package available for testing

@areguera do you have any news for @gerald_FS ?

Hi @gerald_FS and @alefattorini,

There are three main challenges here to face:

  1. The user database we use in Nethserver (either SAMBA or LDAP) stores passwords encrypted. In order for the RADIUS server to perform any validation against an encrypted database, the credentials must come to it in clear text (e.g., the RADIUS clients must provide a method to send credentials in clear text, over an encrypted channel of course). In order to see some advance in this direction it is necessary to simulate an infrastructure with RADIUS clients supporting such methods (e.g., EAP-TTLS + PAP), also considering doing the validation against a common authentication layer like PAM instead of SAMBA or LDAP independently. Nanostation, the devices I used in the tests, don’t support PAP.

  2. Another issue related to user database integration is the relation between MAC addresses and users in it. There is no way to establish such a relation if we use the user database and the host MAC address reservation features separately from one another. It would be necessary to redesign the plugin interface entirely to provide such a relation. That really would be version 1.0 of the nethserver-freeradius plugin. Such integration was my first attempt but was frustrated because of the lack of a RADIUS client with the ability to send clear text passwords (through an encrypted channel). So the plugin is in the way it is now.

  3. Appropriate conditions to carry on the effort. Presently I am in the process of settling down in a new country and this process is demanding most of my energies.

Saying goodbye to this effort? Of course not. It is a good one :slight_smile:

2 Likes

Hi

Late to this party too, but great work!

Wishing a good settling down in your new country / home !

Best Regards from Switzerland!

Andy

Hello,

a year later, are there any new possibilities?

that the radius server can / may access the backend of Samba4 or LDAP?

greetings
Gerald

sadly the answer is no, the creator of the rpm @areguera is not so much active yet

Looks like Alan was here just a few days ago.
I guess no time after is the last trip in Uruguay :-8

Hello experts and fellow campaigners!

Since nothing seems to be happening with this topic, I have browsed the net a bit and found the following post:

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Would that be an approach that connects FreeRadius to SAMBA on the way?
This is only a luxury problem for me, but it would be nice :slight_smile:

Many greetings
Gerald

1 Like

A new package will be welcome ^^

Hello, anything new about FreeRADIUS?

Current version is from 2017:

It is like me, a little bit old :frowning:

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-freeradius/nethserver-freeradius-0.0.7-1.1.g29c2100.ns7.noarch.rpm

I cloned the repository of @areguera and corrected two bugs I saw during the template expansion, I have not tested more than the installation.

For those who need/want to play and report what could be done with it

Only NS7

5 Likes

Nice!
If it was in a community organization, better to update it :wink:

Speaking only for me, I am not interested to push rpm/code outside of my repository

Hi - is the module still available for Nethserver? Would be good to have Freeradius on my Nethserver. Thx.

The module still is in the @stephdl repo, but hasn’t been touched for 1,5 years. I guess it could use an update


Thanks. Is there any other recommended way or package to install Freeradius on Nethserver with AD/LDAP connection?

The module initially only supported device-based authentication. AFAIK account-based authentication (Samba 4 / LDAP) was never added to the module.
I think it would be best to start with an installation howto with account-based authentication enabled.
If you are willing to try installing it (on a test machine) and document the process, I am sure the rest of the community will chip in with testing and fine tuning the install howto.
When we have a fool-proof install howto, we can try creating a complete module / rpm for easy install.
Here is a more in-depth post about our community ‘new-feature’ process:

@gmue, What do you think?

Hi @robb

AFAIK or recall, one of the major issues for a usable FreeRadius implementation - WLan comes to mind - is the issue with the outdated PEAP-MSCHAP2 protocol. This could be considered as the logical bridge, spanning the gap between AD and Radius.


In times of SME-Server / WinXP it worked well on Macs and Windows notebooks, also Linux.

I think it doesn’t even work on Win10 out of the box anymore, but I’m not sure about this.

It would be great if this could work, I’ll be glad to test, having some current Wlan hardware lying around unused :slight_smile:

My 2 cents
Andy