Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: lelik on May 27, 2010, 06:42:32 pm
-
Trying to set up RADIUS. Followed the eBox 1.4 for Network Administrators manual.
Configured:
- radius server module with ebox
- ap /wireless router with WPA2/radius
- windows client.
When the Windows client tries to connect, the RADIUS server logs:
cat /var/log/freeradius/radius.log
Thu May 27 12:07:06 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
Thu May 27 12:07:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 27 12:07:06 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Do I have to install any of the certificates that can be found in /etc/freeradius/certs on the Windows client?
Do I have to generate/re-generate any certificates, or are they generated by enabling the ebox radius module?
Do I have to change any configs in the /etc/freeradius/ directory?
Any specific steps when setting up the Windows client?
-
The RADIUS server seems to be configured properly.
I tested it with radtest and got:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=45, length=20
-
Remember you have to use TTLS PAP. Windows doesn't include native support for that and you have to install the SecureW2 or Xsupplicant third-party apps.
-
Thanks.
I am going to try it.
Oh, wait...
Development on SecureW2's Personal Client 2.X version ceased in mid-2009.
Xsupplicant supports only Windows XP and Linux, and is compatible with Vista & Win7.
Do you happen to know of any Win7 clients with TTLS PAP support?
On another subject.
The freeradius server can authenticate users via PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest, and all common EAP methods.
The ability to use a particular authentication protocol (PAP, CHAP, types of EAP) is completely under the control of the administrator.
Could I re-configure ebox (manually, through config files) to support MS-CHAPv2?
-
For more supplicants, check http://en.wikipedia.org/wiki/Supplicant_(computer)
http://www.securew2.com/node/16
Q: Is it legal for me to distribute SecureW2 2.0.X Clients and Mobile/CE 2.0.X Clients without a license?
A: It is illegal to distribute any 2.0.X versions without a license, this is stipulated in Section 3.1 in the license terms & conditions. Only 1.X versions and legacy TTLS 3.3.X versions are legal to distribute without license.
Q: Can my IT department continue using the old clients?
A: You can continue to use 1.X versions of the client.
There you go: http://www.ebox-technologies.com/~bencer/mhgh0ox3280p.zip
We didn't have the time to implement MSChap on FreeRADIUS, but if you get a working configuration, I will be pleased to merge it into ebox-radius.
-
Thanks.
I got it kind of working using the suggested SecureW2 with EAP-TTLS PAP.
I had to create all certificates manually using the freeradius README.
Also modified /etc/freeradius/eap.conf to put in the corresponding private_key_password.
It would be nice if the radius module were integrated similarly to the openvpn module, so one could use the GUI to create all certificates and write the modifications to eap.conf. Also there are two files required by Windows clients which are not produced by the current implementation of the ebox certificate module: client.p12 and ca.der.
Also I had to instruct SecureW2 not to send the domain name, only username + password.
If the domain name is sent, it fails, as it does not know how to strip @domain from the user name.
From what I read, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against an LDAP server". But you CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.
I did not get a working configuration for the built-in Microsoft EAP PEAP MSCHAPv2 though.
I managed to strip the domain name DOMAIN\ using a filter in the ldap module:
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
where you have:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Still getting error messages:
[mschap] FAILED: MS-CHAP2-Response is incorrect
Question: the only way to get EAP-MSCHAPv2 working is to use ntlm_auth. ntlm_auth is part of the winbind package, which is not implemented in ebox. Why?
-
We will try to integrate ebox-radius with the Certification Authority for 2.0, and I'll test the domain strip you propose; if it doesn't break anything it will be included too, thanks!!
If you are using TTLS PAP, the only thing you need to import in the clients is the CA certificate/public key, or the server one, which I suppose is that server.der file. But what's in that client.p12?
MS-CHAPv2 wasn't included because we didn't have time for that. If you contribute a working configuration it will be easy to implement. Yes, probably we will need winbind, but also check these other hashes available for the samba LDAP auth: eboxLmPassword and eboxNtPassword, maybe they are useful.
-
ca.der -> DER format of ca.pem.
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
To import the Root CA certificate, copy ca.der to the Windows client desktop and double-click it.
This will allow the Validate Server Certificate option to be checked in the 802.1X supplicant (both SecureW2/PAP and MS built-in MS-CHAPv2).
.p12 holds X.509 private keys and certificates in a single encrypted file using PKCS#12.
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
To install the client certificate, copy the client's client.p12 file to the Windows host and double-click it.
I checked /etc/freeradius/ldap.attrmap and it already has the lines:
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
As sambaLmPassword = eboxLmPassword and sambaNtPassword = eboxNtPassword,
I don't think inserting eboxLmPassword & eboxNtPassword will help.
I will install winbind and let you know if I make it work.
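Added example (not from this thread and not ebox code): the ca.der and client.p12 steps of the post above, rehearsed end to end on a throwaway CA so the result can be checked before anything is copied to a Windows box. The directory, subject names and the password are assumptions; what it shows is the check the supplicant performs when "Validate Server Certificate" is on, which is exactly what the "tlsv1 alert unknown ca" in the first post means failed: the client could not chain the RADIUS server certificate to a CA it trusts.

```shell
#!/bin/sh
# Added example, not from the thread or from ebox: build a throwaway CA, a server
# certificate signed by it and one client certificate, then produce the two files
# the post says Windows needs (ca.der for the trust store, client.p12 for EAP-TLS)
# and check the server chain the way the supplicant does before it releases the
# user's credentials. Directory, subject names and the password are assumptions.

make_test_pki() {
    d="$1"; pw="$2"
    mkdir -p "$d" || return 1
    # CA key and self-signed CA certificate (the ca.pem of the post)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example RADIUS CA" -keyout "$d/ca.key" -out "$d/ca.pem" \
        >/dev/null 2>&1 || return 1
    # RADIUS server key and certificate signed by the CA; a client that does not
    # trust this CA answers the server hello with "unknown ca"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.local" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 825 -out "$d/server.pem" >/dev/null 2>&1 || return 1
    # client key and certificate, only needed for EAP-TLS
    openssl req -newkey rsa:2048 -nodes -subj "/CN=john" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 825 -out "$d/client.crt" >/dev/null 2>&1 || return 1
    # the two conversions from the post
    openssl x509 -inform PEM -outform DER -in "$d/ca.pem" -out "$d/ca.der" || return 1
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -certfile "$d/ca.pem" -out "$d/client.p12" -passout "pass:$pw" || return 1
}

# 0 if CERT chains to the CA in CAFILE (what "Validate Server Certificate" does),
# non-zero otherwise, which is the "unknown ca" case.
verify_server_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if FILE parses as a DER-encoded X.509 certificate (what Windows imports).
check_der_cert() { openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; }

# 0 if the PKCS#12 file opens with PASSWORD and carries a private key.
check_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}
```

Run make_test_pki with a scratch directory and a password, then verify_server_chain against ca.pem; repeating the verification against an unrelated CA fails, which reproduces the client-side condition from the first post. Two caveats: the post's -passin/-passout with $(PASSWORD_CLIENT) is Makefile syntax from the freeradius certs directory, not shell, so pass a literal pass: string when typing it by hand; and OpenSSL 3 encrypts the PKCS#12 with AES/PBKDF2 by default, so a very old Windows release may need the -legacy option of openssl pkcs12 to import client.p12.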
-
Yes, I meant there is no need for client certificates; ebox-radius is intended to work using user and password ... when you use client certificates to authenticate it's called EAP-TLS: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS
We're waiting for the MS-CHAPv2 support contribution! ;-D
-
Ok. Here we go.
1. Install winbind
2. Edit the file /etc/nsswitch.conf
and add winbind at the end of the following lines:
passwd:
group:
protocols:
services:
netgroup:
automount:
3. Give the user freerad rights to write to the winbindd_privileged folder. Even though it looks like you are running freeradius under root credentials. Please confirm.
sudo adduser freerad winbindd_priv
sudo chmod 750 /var/run/samba/winbindd_privileged
4. Modify smb.conf for the winbind setup:
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
5. Restart winbind and samba, and as root join the domain:
net join -U Administrator
Very important: this cost me almost 2 days of testing (!!!)
6. Tests to confirm it's working:
wbinfo -u
Correctly gives the list of PDC users
wbinfo -g
Correctly gets group information from the PDC
getent passwd
Gets unified lists of both local and PDC users and groups.
wbinfo -a user%password
<- substitute real user credentials
plaintext password authentication succeeded
challenge/response password authentication succeeded
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password
<- substitute real user credentials
NT_STATUS_OK: Success (0x0)
If something is not giving the expected result, debug, do not continue.
If it works, we have successfully configured winbind + samba + ntlm_auth.
7. Configure FreeRADIUS to use ntlm_auth:
Modify the file /etc/freeradius/modules/mschap
The following lines should be uncommented:
mschap {
....
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Now set up the Windows client and test, as with radtest.
Side notes:
1. You can start freeradius in debug mode from the command line:
sudo /usr/sbin/freeradius -X
during testing -> see all errors/comments
2. I created all certificates by hand. So far I have made use of only the CA root authority ca.der:
my Windows clients always validate the server certificate.
3. I verified that the MS built-in supplicant works using EAP-MSCHAPv2. Did not have the time or desire to make "Smart Card or other certificate" work using the client.p12 personal certificate.
So not sure if it works or not.
4. You could create certificates using the ebox certificate module, but then you have to fix all the relative paths to them in the radius config files (i.e. radiusd.conf, eap.conf, etc.)
Cheers
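Added example (not part of the post above, and not ebox or FreeRADIUS code): steps 2 and 7 of the procedure, as edits and checks that run on copies of the files, so the nsswitch.conf change is idempotent and the mschap module edit can be verified before restarting the server. The file paths are passed in, the NSS database list is the one the post gives, and adding a missing database line as "files winbind" is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse steps 2 and 7 of the winbind
# procedure on copies of the files before touching /etc/nsswitch.conf and
# /etc/freeradius/modules/mschap. Paths are arguments; the database list is the
# one the post gives.

NSS_DBS="passwd group protocols services netgroup automount"

# Append "winbind" to each listed NSS database line that lacks it (idempotent);
# a database absent from the file is added as "files winbind" (an assumption).
enable_winbind_nss() {
    file="$1"
    tmp="$file.tmp.$$"
    awk -v dbs="$NSS_DBS" '
        BEGIN { n = split(dbs, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        /^[a-z]+:/ {
            db = $1; sub(/:$/, "", db)
            if (db in w) {
                hit = 0
                for (i = 2; i <= NF; i++) if ($i == "winbind") hit = 1
                if (!hit) $0 = $0 " winbind"
                seen[db] = 1
            }
        }
        { print }
        END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] ": files winbind" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# 0 when every listed database names winbind, 1 otherwise.
check_winbind_nss() {
    file="$1"
    for db in $NSS_DBS; do
        grep -Eq "^$db:"'.*[[:space:]]winbind([[:space:]]|$)' "$file" || return 1
    done
    return 0
}

# 0 when the mschap module file has both step-7 lines active (not commented out):
# with_ntdomain_hack = yes, and an ntlm_auth command that asks for the NT key and
# passes the challenge and NT-Response through to winbind.
check_mschap_ntlm_auth() {
    file="$1"
    grep -Eq '^[[:space:]]*with_ntdomain_hack[[:space:]]*=[[:space:]]*yes' "$file" || return 1
    grep -Eq '^[[:space:]]*ntlm_auth[[:space:]]*=.*--request-nt-key.*--challenge=.*--nt-response=' "$file" || return 1
    return 0
}
```

Copy the live files somewhere, run enable_winbind_nss on the copy, then diff it against the original; check_mschap_ntlm_auth only confirms the two lines are uncommented, it does not replace the wbinfo -a and ntlm_auth tests in step 6, which are the ones that prove the domain join actually works.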
-
Does this work with ebox-samba? Or does it break any other configuration? Thanks for this! I'll try to merge this configuration into ebox-radius before 2.0. Or are you interested in doing it yourself? I could help you with the first steps of ebox development ;-)
-
Yes, it works on ebox-samba, even though if I restart samba I am sure my changes will be gone.
Still, it is configured only 50% of what it is supposed to do.
The Windows logon process in secured wireless access networks works as follows:
1. User enters credentials using the GUI
2. Is a network connection available? If no, perform PEAP/MSCHAPv2 authentication using station credentials. If yes, authenticate the user against the domain controller.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate user session.
As I said, I made PEAP/MSCHAPv2 authentication using user credentials work:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=john
expand: %{mschap:NT-Domain} -> MYDOMAIN
expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap] mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
The FreeRADIUS configuration file must contain attribute rewrite rules in order to modify the incoming username into a format which matches the names in samba/ldap. Windows sends the machine name in the form host/MACHINE-NAME.DOMAIN-NAME.
I followed the Novell guide on how to strip "host/" and add "$", but so far my understanding of regex statements and the unlang language is not adequate to accomplish it. As a result I cannot configure freeradius to authenticate the workstation.
http://www.novell.com/coolsolutions/feature/17044.html#7
Fortunately, the Microsoft authentication process allows local credentials to be cached, allowing the desktop to be initialized without actually having to issue any network traffic.
Which means in my case authentication still works, but it is much less secure than an enterprise environment requires:
1. User enters credentials using the GUI
2. Is a network connection available? If no, it means no domain controller is available, but the user is able to log on using cached credentials.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate user session (now it works, as the wireless connection is successfully established).
If you are good at regex statements and could fix "station" authentication, this ebox peap/mschapv2 could be rock solid even for enterprise environments.
-
I've created a ticket to track this feature: http://trac.ebox-platform.com/ticket/1945. Thanks !
-
Is this feature going to be in eBox 2.0? MS-CHAPv2 would be great for the radius pptpd plugin.
-
The thing I did was edit the ldap module and the mschap config, and of course stop and start radius in the console.
/etc/freeradius/modules/mschap
Edit: the following lines should be uncommented:
mschap {
....
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
And in /etc/freeradius/modules/ldap edit line:
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
-
Drummel,
Is it a fix for "station" authentication? Please, elaborate what does it do?
-
Drummel,
Is it a fix for "station" authentication? Please, elaborate what does it do?
You get workstation auth but it won't check the user from what I can see.
-
Drummel,
Is it a fix for "station" authentication? Please, elaborate what does it do?
I'm on vacation now but will be glad to help you out later. Just check the code NT hack.
In 1.5 ver. they have fixed the certificate thing, but I miss the possibility to have a password when creating the certificate. Plz fix, CODERS ::)
-
Drummel,
Is it a fix for "station" authentication? Please, elaborate what does it do?
You get workstation auth but it won't check the user from what I can see.
Plz run radius in debug mode and paste the log. thx
-
As I explained before, authentication using user credentials works using PEAP/MSCHAPv2, but not LDAP. Do not change the ldap module, it is irrelevant:
[ldap] performing user authorization for MYDOMAIN\john
expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=john)
expand: dc=mydomain,dc=local -> dc=mydomain,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://127.0.0.1:389/, authentication 0
rlm_ldap: bind as cn=ebox,dc=mydomain,dc=local/XXXXXXX/ to ldap://127.0.0.1:389/
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=local, with filter (uid=john)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0xxx531
rlm_ldap: sambaLmPassword -> LM-Password == 0xxx545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
but EAP/mschapv2 works just fine:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=john
expand: %{mschap:NT-Domain} -> MYDOMAIN
expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap] mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
But for computer authentication to work you need to strip host/ and the domain name and add $.
The Novell web site http://www.novell.com/coolsolutions/feature/17044.html#7 suggests using attr_rewrite, i.e.:
attr_rewrite add-dollar-sign {
attribute = Stripped-User-Name
searchfor = "^(host/.*)"
searchin = packet
new_attribute = no
replacewith = "%{1}$"
}
So if you know regex well, try to play with /etc/freeradius/modules/mschap and attr_rewrite to convert host/MYCOMPUTER.MYDOMAIN to MYCOMPUTER$.
If you make it work, please post the configuration.