Linux.com

nicetail

  • Linux.com Member
  • Posts: 4
  • Member Since: 06 Aug 10
  • Last Logged In: 25 Nov 11

Latest Posts

  • nicetail
    MAC authentication with Freeradius2 & Openldap
    Link to this post 12 Jan 11

    Hello,

    I am trying to set up MAC authentication with freeradius2 and openldap.
    When a host is connected on a switch, the latter asks the radius server whether the host's MAC address is allowed to connect or not (the switch port must be defined too). Then, the radius server checks the ldap database to see if the MAC address is allowed to access the network.

    I found some docs about that. However, I have some trouble, since the ldap module is not recognized by the freeradius server.

    Here is my users file from freeradius

    DEFAULT 	NAS-Port-Type == "Ethernet", Auth-Type := LDAP
    Framed-Filter-Id = "Enterasys:version=1:policy=test", Fall-Through = No

    I configured the ldap module as follows in raddb/modules/ldap :

    ldap {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = "localhost"
    identity = "cn=freeradius,ou=system,dc=radius,dc=com"
    password = secret
    basedn = "dc=radius,dc=com"
    # both branches must expand the same %{...} xlat; the macAddress branch needs the leading % as well
    filter = "(|(&(objectClass=person)(sn=%{Stripped-User-Name:-%{User-Name}}))(&(objectClass=computer)(macAddress=%{Stripped-User-Name:-%{User-Name}})))"

    #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    #base_filter = "(objectclass=radiusprofile)"

    # How many connections to keep open to the LDAP server.
    # This saves time over opening a new LDAP socket for
    # every authentication request.
    ldap_connections_number = 5

    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    # seconds LDAP server has to process the query (server-side
    # time limit). default: 20
    #
    # LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    # seconds to wait for response of the server. (network
    # failures) default: 10
    #
    # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1

    #
    # This subsection configures the tls related items
    # that control how FreeRADIUS connects to an LDAP
    # server. It contains all of the "tls_*" configuration
    # entries used in older versions of FreeRADIUS. Those
    # configuration entries can still be used, but we recommend
    # using these.
    #
    tls {
    # Set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    #
    # The StartTLS operation is supposed to be
    # used with normal ldap connections instead of
    # using ldaps (port 636) connections
    start_tls = no

    # cacertfile = /path/to/cacert.pem
    # cacertdir = /path/to/ca/dir/
    # certfile = /path/to/radius.crt
    # keyfile = /path/to/radius.key
    # randfile = /path/to/rnd

    # Certificate Verification requirements. Can be:
    # "never" (don't even bother trying)
    # "allow" (try, but don't fail if the certificate
    # can't be verified)
    # "demand" (fail if the certificate doesn't verify.)
    #
    # The default is "allow"
    # require_cert = "demand"
    }

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    # access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # Set password_attribute = nspmPassword to get the
    # user's password from a Novell eDirectory
    # backend. This will work ONLY IF FreeRADIUS has been
    # built with the --with-edir configure option.
    #
    # See also the following links:
    #
    # http://www.novell.com/coolsolutions/appnote/16745.html
    # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
    #
    # Novell may require TLS encrypted sessions before returning
    # the user's password.
    #
    # password_attribute = userPassword

    # Un-comment the following to disable Novell
    # eDirectory account policy check and intruder
    # detection. This will work *only if* FreeRADIUS is
    # configured to build with --with-edir option.
    #
    # line below COMMENTED OUT
    # edir_account_policy_check = no

    #
    # Group membership checking. Disabled by default.
    #
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName

    compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes

    #
    # The following two configuration items are for Active Directory
    # compatibility. If you see the helpful "operations error"
    # being returned to the LDAP module, uncomment the next
    # two lines.
    #
    # chase_referrals = yes
    # rebind = yes

    #
    # By default, if the packet contains a User-Password,
    # and no other module is configured to handle the
    # authentication, the LDAP module sets itself to do
    # LDAP bind for authentication.
    #
    # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
    #
    # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
    #
    # You can disable this behavior by setting the following
    # configuration entry to "no".
    #
    # allowed values: {no, yes}
    # set_auth_type = yes

    # ldap_debug: debug flag for LDAP SDK
    # (see OpenLDAP documentation). Set this to enable
    # huge amounts of LDAP debugging on the screen.
    # You should only use this if you are an LDAP expert.
    #
    # default: 0x0000 (no debugging messages)
    # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
    #ldap_debug = 0x0028
    }

    I also uncommented ldap in the authentication and authorize sections of raddb/sites-enabled/default

    But radiusd -X returns those errors :


    /etc/raddb/users[51]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type
    Errors reading /etc/raddb/users
    /etc/raddb/modules/files[7]: Instantiation failed for module "files"
    /etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
    /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
    }
    }
    Errors initializing modules

    The LDAP value for Auth-Type in the users file is not recognized.

    I found that the possible Auth-Type values are listed in /usr/share/freeradius/dictionary.freeradius.internal :

    #
    # FreeRADIUS extensions (most originally from Cistron)
    #
    VALUE Auth-Type Accept 254

    VALUE Auth-Type PAP 1024
    VALUE Auth-Type CHAP 1025

    # 1026 was LDAP, but we deleted it. Adding it back will break the
    # ldap module.
    VALUE Auth-Type PAM 1027
    VALUE Auth-Type MS-CHAP 1028
    VALUE Auth-Type MSCHAP 1028
    VALUE Auth-Type Kerberos 1029
    VALUE Auth-Type CRAM 1030
    VALUE Auth-Type NS-MTA-MD5 1031
    # 1032 is unused (was a duplicate of CRAM)
    VALUE Auth-Type

    By adding the following line, my error disappeared

    #VALUE	Auth-Type			LDAP			1026


    But I doubt that it is the best way to proceed, since the file warns against adding it :
    "1026 was LDAP, but we deleted it. Adding it back will break the ldap module."

    Is there another way to configure MAC authentication using freeradius2 and openldap ?


    Regards,
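    An added example, not part of nicetail's post: a small POSIX shell script that checks the directory side of the lookup independently of FreeRADIUS. Switches send the MAC as User-Name in several notations, so the script normalises it into the colon-separated lowercase form that the nis.schema macAddress attribute documents, rejects anything that is not twelve hex digits so stray characters never reach the filter, and then issues the same (objectClass=computer)(macAddress=...) search the post's rlm_ldap filter would. The bind DN and base DN are taken from the post; the ldapsearch binary, the ldap://localhost URL and the bind-password file path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the directory side
# of the MAC lookup independently of FreeRADIUS. Assumed: bind DN, base DN and
# objectClass=computer as in the post; ldapsearch and a reachable server are
# needed only by lookup_mac, not by normalise_mac or mac_filter.

# Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
# 001122334455 (any case); print aa:bb:cc:dd:ee:ff or return 1.
# Rejecting anything else also keeps stray characters out of the filter.
normalise_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Build the filter the post's rlm_ldap config would send for a computer entry.
mac_filter() {
    mac=$(normalise_mac "$1") || return 1
    printf '(&(objectClass=computer)(macAddress=%s))' "$mac"
}

# Query the directory; prints matching DNs, returns 1 if nothing matched.
# The bind password is read from a file (-y) so it stays off the command line.
lookup_mac() {
    filter=$(mac_filter "$1") || { echo "bad MAC: $1" >&2; return 1; }
    ldapsearch -x -LLL -H ldap://localhost \
        -D "cn=freeradius,ou=system,dc=radius,dc=com" \
        -y "${LDAP_BINDPW_FILE:-/etc/raddb/ldap.bindpw}" \
        -b "dc=radius,dc=com" "$filter" dn | grep '^dn:'
}
```

    Run `lookup_mac 00-11-22-33-44-55` on the RADIUS host: an empty result means the directory entry (or the attribute format it was stored in) is the problem rather than FreeRADIUS, and a hit confirms the filter string itself before you go back to the users file.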

  • nicetail
    RE: Defining new DHCP options
    Link to this post 23 Aug 10

    hey,
    My client configuration file is /etc/dhcp3/dhclient.conf.
    I am looking forward to hearing about your tests.

  • nicetail
    RE: Defining new DHCP options
    Link to this post 11 Aug 10

    I installed dhcp3-server and I just have a directory /etc/dhcp3 which contains
    dhclient.conf
    dhclient-enter-hooks.d
    dhclient-exit-hooks.d
    dhcpd.conf

    I have no dhcpcd. What are you talking about ?

  • nicetail
    Defining new DHCP options
    Link to this post 07 Aug 10

    Hello,

    I am trying to send out some DHCP options I created.
    I set up a dhcp3-server on an Ubuntu 10.04. I did what is written in man dhcp-options. Namely, I tried to add the following lines in dhcpd.conf :

    option myoption code 194 = text;
    option myoption "helloworld";

    I obviously use some casual values for the test.

    Then, I edited /etc/dhcp3/dhclient.conf on the client side so that the latter is able to receive the defined option.

    My client asks for that option (194), as we can see on the following screenshot :
    http://img138.imageshack.us/img138/5197/listeoptions.png

    Then, the server sends that option :
    http://img265.imageshack.us/img265/5784/definedoption.png

    However, I don't manage to use the content in a shell script. I think I should be able to, since I looked at /etc/dhcp3/dhclient-exit-hooks.d/debug.

    As it's written in this script, by setting a value to 'yes' we can see the different variables used in /sbin/dhcp-script, but my defined option didn't appear. Indeed, the variable should be $new_myoption (but it doesn't work in /sbin/dhcp-script); I got the following lines :

    Mon Jun 28 22:42:47 CEST 2010: entering dhclient-enter-hooks.d, dumping variables.
    reason='REBOOT'
    interface='eth0'
    medium=''
    alias_ip_address=''
    new_ip_address='192.168.2.60'
    new_subnet_mask='255.255.255.0'
    new_domain_name='test.org'
    new_domain_search=''
    new_domain_name_servers=''
    new_routers='192.168.2.254'
    new_static_routes=''
    old_ip_address=''
    old_subnet_mask=''
    old_domain_name=''
    old_domain_search=''
    old_domain_name_servers=''
    old_routers=''
    old_static_routes=''
    --------------------------
    Mon Jun 28 22:42:47 CEST 2010: entering dhclient-exit-hooks.d, dumping variables.
    reason='REBOOT'
    interface='eth0'
    medium=''
    alias_ip_address=''
    new_ip_address='192.168.2.60'
    new_subnet_mask='255.255.255.0'
    new_domain_name='test.org'
    new_domain_search=''
    new_domain_name_servers=''
    new_routers='192.168.2.254'
    new_static_routes=''
    old_ip_address=''
    old_subnet_mask=''
    old_domain_name=''
    old_domain_search=''
    old_domain_name_servers=''
    old_routers=''
    old_static_routes=''
    -------------------------

    So how could I get access to my defined option ?

    Thanks
    Regards
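    An added example, not part of nicetail's post, showing where a custom option surfaces in a dhclient hook and how to consume it. It assumes the client-side dhclient.conf declares the option exactly as the server does (option myoption code 194 = text;) and lists it in a request or also request statement; dhclient then exports the received value to hook scripts as $new_myoption (dashes in option names become underscores). The hook file name, the state file path and the MYOPTION_HOOK_NO_RUN guard are assumptions. Because any DHCP server on the segment can supply the value, the hook treats it as untrusted input: it is matched against a conservative character set and written out quoted, never evaluated as shell.

```shell
#!/bin/sh
# Added example (not from the original post): a dhclient exit hook, e.g.
# /etc/dhcp3/dhclient-exit-hooks.d/myoption. Assumed client-side setup,
# mirroring the server's dhcpd.conf:
#   option myoption code 194 = text;     (in dhclient.conf)
#   also request myoption;               (in dhclient.conf)
# dhclient then exports the received value to hooks as $new_myoption.
# The value comes from whatever DHCP server answered, so it is validated
# before use and never passed to eval or an unquoted command line.

# Echo the value if it contains only a conservative character set and fits
# in a single DHCP option (255 bytes); return 1 otherwise.
validate_myoption() {
    value="$1"
    case "$value" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#value}" -le 255 ] || return 1
    printf '%s\n' "$value"
}

# Hook body. dhclient sets $reason and the $new_* variables in the
# environment. On a lease event with a valid option, write it to the state
# file given as $1 and return 0; return 1 when the value was rejected.
handle_myoption() {
    state_file="$1"
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 0 ;;      # EXPIRE, FAIL, RELEASE etc.: nothing to consume
    esac
    if v=$(validate_myoption "${new_myoption:-}"); then
        printf 'myoption=%s\n' "$v" > "$state_file"
        return 0
    fi
    logger -t dhclient-hook "rejected myoption value from lease" 2>/dev/null || true
    return 1
}

# dhclient-script sources this file with $reason set; run the handler there.
# The state file path is an assumption; a consumer reads it after the lease.
if [ -n "${reason:-}" ] && [ -z "${MYOPTION_HOOK_NO_RUN:-}" ]; then
    handle_myoption /run/dhclient-myoption.env || true
fi
```

    The debug hook the post mentions only dumps the variables it already knows about, which is why a correctly delivered option can still be missing from that listing; dumping `env | grep '^new_'` from a hook shows every option dhclient actually exported for the lease.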
