{"id":313,"date":"2013-08-29T11:57:24","date_gmt":"2013-08-29T10:57:24","guid":{"rendered":"http:\/\/www.simweb.ch\/blog\/?p=313"},"modified":"2014-01-23T23:20:29","modified_gmt":"2014-01-23T22:20:29","slug":"a-freeradius-for-your-switch-authentication","status":"publish","type":"post","link":"https:\/\/www.simweb.ch\/blog\/2013\/08\/a-freeradius-for-your-switch-authentication\/","title":{"rendered":"A FreeRADIUS for your Switch authentication"},"content":{"rendered":"<p>As <a title=\"Admin login through RADIUS on Netgear managed\" href=\"https:\/\/www.simweb.ch\/blog\/2013\/07\/move\/\">previously blogged<\/a>, I wanted to share and comment on a sample config - where I use ntlm_auth for <strong>authentication<\/strong> against AD and LDAP for <strong>authorization<\/strong> of Administrators. This was done using FreeRADIUS 2.1.12 on Debian wheezy (7.x). Remember to do your own reading. I found \"FreeRADIUS Beginner's Guide\" over at <a href=\"http:\/\/www.packtpub.com\/freeradius-master-authentication-authorization-accessing-your-network-resources\/book\">PacktPub<\/a> to be a very good read to get a better understanding of FreeRADIUS and overall AAA concepts.<\/p>\n<p>Synopsis<\/p>\n<ul>\n<li>Show an example of a (then-working) FR virtual server for (Netgear) CLI authentication.<\/li>\n<li>Give some explanation of why I did things this way or not \ud83d\ude09<\/li>\n<li>I derived it from the preinstalled <code>default<\/code> server config and shrank it to the minimum required<\/li>\n<li>For the Samba \/ Winbind configuration, consider the Book at PacktPub or look at Alan Dekok's <a href=\"http:\/\/www.deployingradius.com\">DeployingRadius.com<\/a><\/li>\n<li>I use a non-standard port since another (main) RADIUS server is already listening on UDP 1812<\/li>\n<li>Uses PAP since that's all the switch does. PAP sends the plaintext password, but AD doesn't have the plaintext password stored - blimey. 
We need ntlm_auth from Samba to do the check for us.<\/li>\n<\/ul>\n<p>The server config is located in \/etc\/freeradius\/sites-available and has to be symlinked to sites-enabled, but before doing so, you need to<\/p>\n<ul>\n<li>Configure Samba and Winbind, join the box to your Domain<\/li>\n<li><span style=\"line-height: 13px;\">Configure the ntlm_auth module<\/span>\n<ul>\n<li>ntlm_auth binary path<\/li>\n<li>ntlm_auth's domain<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>These parts can be found on DeployingRadius.com; then you might want to remember \/ adapt to AD-specific behaviour:<\/p>\n<ul>\n<li>Modify the LDAP module to support AD nested groups if your users are not direct members (thanks <a href=\"http:\/\/linax.wordpress.com\/2012\/07\/17\/freeradius-check-nested-ldap-group-membership\/\">Nasser Heidari<\/a>):\n<ul>\n<li>\n<pre>groupmembership_filter = \"(&amp;(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))\"<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Check that the user group you want to query is NOT the primary group of your admin users, since the primary group doesn't appear in the memberOf attribute.<br \/>\n(if you are an LDAP magician and know a trick, let me know)<\/li>\n<\/ul>\n<p>Anyway, let's get started with the server:<\/p>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">server netdevices {<\/span><\/p>\n<pre class=\"brush: bash; gutter: true; first-line: 1\">listen {\r\n        ipaddr = 10.0.0.2\r\n        port = 41812\r\n        type = auth\r\n}\r\n\r\n# local test listener for debug of this virtual server\r\nlisten {\r\n        ipaddr = 127.0.0.1\r\n        port = 41812\r\n        type = auth\r\n}<\/pre>\n<p>Then the authorize section basically tells the server:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">To use PAP (some switch vendors support (MS)CHAP, but Broadcom FASTPATH only does PAP, so we can disable all the rest)<\/span><\/li>\n<li>If no Auth-Type was sent, update the control 
to use our own ntlm_auth that will be defined in authenticate.<\/li>\n<\/ul>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">authorize {\r\n        #  If you are using multiple kinds of realms, you probably\r\n        #  want to set \"ignore_null = yes\" for all of them.\r\n        #  Otherwise, when the first style of realm doesn't match,\r\n        #  the other styles won't be checked.\r\n        #\r\n        suffix\r\n\r\n        expiration\r\n        logintime\r\n\r\n        # Most switches support PAP only\r\n        #\r\n        #  This module should be listed last, so that the other modules\r\n        #  get a chance to set Auth-Type for themselves.\r\n        #\r\n        pap\r\n\r\n        # If no Auth-Type was sent, we assume PAP but that we should\r\n        # use ntlm_auth for AD authentication through ntlm_auth.\r\n        if(!control:Auth-Type) {\r\n                update control {\r\n                        Auth-Type = \"ntlm_auth\"\r\n                }\r\n        }\r\n}<\/pre>\n<p>The authenticate section is quite simple but we need to tell the server that it can use ntlm_auth, at the end. 
You'll need to adapt \/etc\/freeradius\/modules\/ntlm_auth.<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">authenticate {\r\n        # For PAP against AD with ntlm_auth we need to\r\n        # let Samba ntlm_auth do the authentication work.\r\n        Auth-Type NTLM_AUTH {\r\n                ntlm_auth\r\n        }\r\n\r\n        # For local users with plaintext password we can still use LDAP\r\n        # Reminder - you might disable the update control in such a case in\r\n        # authorize because it's an unconditional update.\r\n        Auth-Type PAP {\r\n                pap\r\n        }\r\n}<\/pre>\n<p>Most of the \"magic\" is finally done in the post-auth section:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">Check if the user is in the required LDAP group, else reject<\/span>\n<ul>\n<li>In AD I experienced problems with primary group memberships since they're not written to the memberOf attribute<\/li>\n<\/ul>\n<\/li>\n<li>If it is an admin user, update the reply with the Netgear\/Fastpath-specific AVpairs so the switch knows that it's an administrative user<\/li>\n<li>The rest is from the default config; I'm not sure if we need it to work correctly.<\/li>\n<\/ul>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">#  Post-Authentication\r\n#  Once we KNOW that the user has been authenticated, there are\r\n#  additional steps we can take.\r\npost-auth {\r\n        # Only Domain admins are allowed, don't use the German group\r\n        # name due to encoding issues\r\n        if (LDAP-Group == \"Network-Admins\") {\r\n                # Getting authorized requires informing the\r\n                # (Netgear) device about privilege level.\r\n                # Depending on the config only with this additional\r\n                # reply message one gets authorized as admin on the shell.\r\n\r\n                # Both seemed to work on Netgear 10.0.x,\r\n                # Administrative-User is more vendor-neutral.\r\n\r\n       
         update reply {\r\n                        Service-Type = Administrative-User\r\n                        Cisco-AVpair = \"shell:priv-lvl=15\"\r\n                }\r\n\r\n                noop\r\n        }\r\n\r\n        # No-one else is allowed.\r\n        else {\r\n                reject\r\n        }\r\n\r\n        # For Exec-Program and Exec-Program-Wait\r\n        exec\r\n\r\n        #\r\n        #  Access-Reject packets are sent through the REJECT sub-section of the\r\n        #  post-auth section.\r\n        #\r\n        #  Add the ldap module name (or instance) if you have set\r\n        #  'edir_account_policy_check = yes' in the ldap module configuration\r\n        #\r\n        Post-Auth-Type REJECT {\r\n                # log failed authentications in SQL, too.\r\n#               sql\r\n                attr_filter.access_reject\r\n        }\r\n}\r\n\r\n}<\/pre>\n<p>Done, now symlink your config to \/etc\/freeradius\/sites-enabled and start FreeRADIUS (as recommended for testing) in debug mode (service freeradius stop, then freeradius -X)<br \/>\nIf everything went ok, you should now be able to authenticate against your Switch SSH and the Web-UI, as well as getting authorized for administration.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As previously blogged, I wanted to share and comment a sample config &#8211; where I use ntlm_auth for authentication against AD and LDAP for authorization of Administrators, this was done using FreeRADIUS 2.1.12 on Debian wheezy (7.x). Remember to do your own reading. 
I found &#8220;FreeRADIUS Beginner&#8217;s Guide&#8221; over at PacktPub to be a very &#8230; <a class=\"moretag\" href=\"https:\/\/www.simweb.ch\/blog\/2013\/08\/a-freeradius-for-your-switch-authentication\/\">more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1],"tags":[35],"class_list":["post-313","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-freeradius"],"_links":{"self":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/comments?post=313"}],"version-history":[{"count":0,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/313\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/media?parent=313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/categories?post=313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/tags?post=313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}