Discussion:
[PacketFence-users] EAP over AD/LDAP
Gair, Jon
2014-11-28 14:55:59 UTC
I am trying to determine the best way of authenticating users for a secure SSID against an Active Directory source. My AD source is working fine for a captive portal to sponsor and approve roles for MAC based authentication, but I am wondering if any of this config can relate to EAP authentication.

From reviewing the forums and manuals there does not appear to be a clear way forward on this. Is the best way to follow page 28 of the admin manual, which describes installing Samba, joining the server to the domain and editing various files in the RADIUS and Kerberos directories? Would setting this up as an LDAP source rather than an AD local source make the process any easier? Do the roles I have configured via the GUI for the portal get used by RADIUS for role/VLAN assignment for EAP?

Thanks

Jon



The information contained in this e-mail may be subject to public disclosure
under the NHS Code of Openness or the Freedom of Information Act 2000.
Unless the information is legally exempt, the confidentiality of this e-mail
and your reply cannot be guaranteed.
Unless expressly stated otherwise, the information contained in this e-mail
is intended for the named recipient(s) only. If you are not the intended
recipient you must not copy, distribute, or take any action or reliance upon
it. If you have received this e-mail in error, please notify the sender. Any
unauthorised disclosure of the information contained in this e-mail is
strictly prohibited.
Louis Munro
2014-11-28 15:08:17 UTC
Hi Jon,

If what you want is to authenticate your users with PEAP using 802.1x, LDAP will not work.
Protocol limitations inherent to PEAP mean that no LDAP query of any kind can get this to work with an Active Directory because you cannot get the NT hashed passwords out of it using LDAP.
See here for a protocol compatibility matrix: http://deployingradius.com/documents/protocols/compatibility.html

So pretty much your only way forward is to use winbind and join the machine to the domain.
The current PacketFence version comes preconfigured for NTLM authentication but you will still have to edit /etc/krb5.conf and /etc/samba/smb.conf to match your local configuration.

Think of it this way: in an 802.1x setup with AD, FreeRADIUS is used for authentication (checking passwords) and the rules you configure in PacketFence are used for authorization (setting which role/VLAN is returned).
The two complement each other.

Hopefully that makes sense and gets you a bit further along.

Regards,
--
Louis Munro
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Gair, Jon
2014-11-28 15:28:12 UTC
Thanks.

If I follow the Samba/Kerberos route, do you know which ports I will have to open to my DC? Ideally I am going to position the PacketFence server in a DMZ and was only expecting to expose LDAPS if I could get away with it. The krb5.conf file suggests this may just be 88 and 749 for Kerberos traffic, but I am wondering how much of a risk this authentication traffic will cause.

Thanks

Jon

Fabrice Durand
2014-11-28 15:17:37 UTC
Just an alternative to installing Samba, Kerberos ...

https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute

Fabrice
Fabrice Durand
2014-11-28 15:40:34 UTC
Probably these too:
UDP: 137, 138, 53 and TCP: 139, 445, 53

Fabrice
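Pulling Jon's DMZ/port question and the two replies together, here is an added pre-flight script (not from the thread or the PacketFence project) for a PacketFence host that has to reach its DC through a firewall; the DC hostname, domain name and test user are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: probes the DC on the TCP ports named
# above (53, 139, 445 from Fabrice; 88 and 749 from krb5.conf) and then checks
# the winbind join and NTLM path that FreeRADIUS relies on for PEAP/MSCHAPv2.
# DC_HOST, DOMAIN and TEST_USER are placeholders to replace.
DC_HOST="${DC_HOST:-dc01.example.local}"
DOMAIN="${DOMAIN:-EXAMPLE}"
TEST_USER="${TEST_USER:-someuser}"

# "proto port service" lines: the DC-side firewall should allow exactly these
# from the PacketFence address and nothing else. UDP entries are kept for the
# rule set but only TCP is probed, since UDP probes give no reliable answer.
required_ports() {
    cat <<'EOF'
tcp 53 dns
udp 53 dns
tcp 88 kerberos
udp 88 kerberos
tcp 749 kadmin
udp 137 netbios-ns
udp 138 netbios-dgm
tcp 139 netbios-ssn
tcp 445 microsoft-ds
EOF
}

# Number of listed ports for one protocol (tcp or udp).
count_ports() { required_ports | awk -v p="$1" '$1 == p' | wc -l | tr -d ' '; }

# One TCP connect attempt with a 3 s timeout (nc -z -w works with both the
# OpenBSD and GNU netcat variants).
probe_tcp() { nc -z -w 3 "$DC_HOST" "$1" >/dev/null 2>&1; }

# Non-zero exit if any required TCP port is unreachable from this host.
check_ports() {
    fails=0
    for port in $(required_ports | awk '$1 == "tcp" { print $2 }'); do
        if probe_tcp "$port"; then echo "ok   tcp/$port"
        else echo "FAIL tcp/$port"; fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

# After 'net ads join': wbinfo -t verifies the machine-account trust secret,
# and ntlm_auth --request-nt-key (the call FreeRADIUS's mschap module makes)
# shows the DC hands back the NT key that an LDAP bind alone can never supply.
check_winbind() {
    wbinfo -t && wbinfo --ping-dc \
        && ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$TEST_USER"
}
if [ "${1:-}" = run ]; then check_ports && check_winbind; fi
```

Run it as `sh preflight.sh run` from the DMZ host; ntlm_auth prompts for the test user's password rather than taking it on the command line.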