Network Startup Resource Center www.nsrc.org

Similar documents
Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

Installing Squid with Active Directory Authentication

Active Directory Integration

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

A practical guide to Eduroam

SSSD Active Directory Improvements

CYAN SECURE WEB HOWTO. NTLM Authentication

Attunity RepliWeb PAM Configuration Guide

RHEL Clients to AD Integrating RHEL clients to Active Directory

FreeRADIUS Database Connection Best Practice Document

Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Belnet Networking Conference 2013

INTRODUCING SAMBA 4 NOW, EVEN MORE AWESOMENESS

Integration with Active Directory. Jeremy Allison Samba Team

Configure Samba with ACL and Active Directory integration Robert LeBlanc BioAg Computer Support, Brigham Young University

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Using Single Sign-on with Samba. Appendices. Glossary. Using Single Sign-on with Samba. SonicOS Enhanced

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

Univention Corporate Server. Extended domain services documentation

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Using Windows NPS as RADIUS in eduroam

Management Authentication using Windows IAS as a Radius Server

Chapter 3 Authenticating Users

FreeRADIUS server. Defining clients Access Points and RADIUS servers

SUSE Manager 1.2.x ADS Authentication

LinuxCon North America

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Setting Up a Backup Domain Controller

Windows Vista: Connecting to the wireless network at Hood College

How to Configure a BYOD Environment with the Unified AP in Standalone Mode

RWL Tech Note Wireless 802.1x Authentication with Windows NPS

The example in this Note uses Linux for both the access controller (RADIUS server) and the supplicant (client).

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Application Note User Groups

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

User Guide for eduroam

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

Bluesocket virtual Wireless Local Area Network (vwlan) FAQ

Create a virtual machine at your assigned virtual server. Use the following specs

eduroam Network guide configuration for Microsoft Windows 7

How to connect to the diamonds wireless network with Vista.

Active Directory and Linux Identity Management

Chapter 5 - Basic Authentication Methods

Connecting to the University Wireless Network

vwlan External RADIUS 802.1x Authentication

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

On-boarding and Provisioning with Cisco Identity Services Engine

Linux Terminal Server Project

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Identity Management based on FreeIPA

Remote Unix Lab Environment (RULE)

ALL Mbits Powerline WLAN N Access Point. User s Manual

SURFnet. Supplicant. Gast Employee. Commercial VLAN VLAN. Student. Proxy server VLAN

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

Strong Authentication for Juniper Networks SSL VPN

Using Active Directory as your Solaris Authentication Source

AeroLab Wireless Network Code of Conduct. Connecting to the AeroLab Wireless Network

Creating a DUO MFA Service in AWS

Remote Access Technical Guide To Setting up RADIUS

Pulse Policy Secure. RADIUS Server Management Guide. Product Release 5.1. Document Revision 1.0. Published:

Juniper SSL VPN Authentication QUICKStart Guide

Chapters. Prerequisites: Eduroam in a Microsoft Windows 2008r2 environment.

Seamless and Secure Access (SSA) Manual Configuration Guide for Windows 7

How to configure MAC authentication on a ProCurve switch

TB168 (Rev4) - Networking Linux Based Controls

Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing. Installation Section

Unifying Authorization Models

Wireless Alphabet. Soup CHAP WPA(2) 802.1x RADIUS TKIP AES i CBC-MAC EAP TSN WPA(1) EAPOL PEAP WEP PAP RSN CCMP

Active Directory integration with CloudByte ElastiStor

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Websense Support Webinar: Questions and Answers

Securing Wireless LANs with LDAP

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Native SSL support was implemented in HAProxy 1.5.x, which was released as a stable version in June 2014.

Case Study - Configuration between NXC2500 and LDAP Server

Microsoft Active Directory and Windows Security Integration with Oracle Database

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

INFORMATION SYSTEMS SERVICE NETWORKS AND TELECOMMUNICATIONS SECTOR

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Laboration 3 - Administration

WIRELESS SETUP FOR WINDOWS 7

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

How To Test An Eap Test On A Network With A Testnet (Networking) On A Pc Or Mac Or Ipnet (For A Network) On An Ipnet Or Ipro (For An Ipro) On Pc Or Ipo

How To Use 1Bay 1Bay From Awn.Net On A Pc Or Mac Or Ipad (For Pc Or Ipa) With A Network Box (For Mac) With An Ipad Or Ipod (For Ipad) With The

Configuring Sponsor Authentication

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Integrating Ubuntu 8.04 LTS into Microsoft Active Directory using Likewise Open

Configuring a Windows 2003 Server for IAS

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Free Dynamic DNS account you can use one of your choosing I like DynDNS but there's also No-IP and probably others.

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

Connect to the Sheridan College / Gillette College - STUDENT Secure Wireless Network with the PEAP Client (Windows XP Pro)

AGLARBRI PROJECT AFRICAN GREAT LAKES RURAL BROADBAND RESEARCH INFRASTRUCTURE. RADIUS installation and configuration

Integrating Linux systems with Active Directory

Transcription:

λ Wireless Lab λ 802.1x Authentication Network Startup Resource Center www.nsrc.org Last edit: Patrick Okui, Nov 2015 These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

Recap λ Recall that 802.1x has multiple components to it: - The authentication server is what has the usernames and passwords or knows how to find them. - The authenticator is the network device the client is trying to connect to. Can be an Ethernet switch or in our case WiFI access point. The authenticator will only grant network access (even to DHCP) if the authentication server accepts the credentials given. - The supplicant is the software on the client that tries to sign in. Handled by the operating system The following sections cover the various components you need to have configured to get this to work.

Source: Wikipedia 802.1x/EAP How does it work

Authentication server: radius

FreeRadius installation λ Your instructors will have assigned one or more virtual machines to your group. λ You will work together to install radius on the server(s). λ If you have more than one machine per group you can run the same installation λ steps on each server most authenticators (dealt with in the next session) can try λ multiple authentication servers one after the other incase one is down. Your instructors may have also installed a Radius server that you can all use and skip to the Authenticator section. Write down the ip address(es) of the authentication server(s) you are going to use.

FreeRadius λ Very popular high performance open source radius server. λ We shall install version 3 (version 2 as of this writing is deemed legacy). λ It has very active development and can authenticate against many sources λ including SQL databases, Active directory, etc. λ Lots of options available: - Some access points with controllers have an inbuilt radius server. - Windows server has an optional (free) install of Network Policy Server (NPS) or - Internet Authentication Service (IAS) for Microsoft only environments.

Basic installation As of Nov 2015 Ubuntu still ships with FreeRadius 2.x which is a legacy release. We will install version 3 from an unofficial repository. Note that version 3 configuration is not fully compatible with version 2. If you have version 2 you should recreate your configuration Type the following on the server you'll use for authentication $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:freeradius/stable-3.0 $ sudo apt-get update $ sudo apt-get install build-essential freeradius

Radius clients λ The FreeRadius server refers to any device that asks it to authenticate a user as a client. λ For our purposes the clients are the authenticators. λ i.e the access points that are running 802.1X. λ Each authenticator needs an entry in /etc/freeradius/clients.conf that looks as follows. client grpx-wifi1 { secret = secrets321 ipaddr = 10.10.0.1X nastype = other }

Concerning heartbleed λ Since most radius auth (especially as required by 802.1X) is wrapped in SSL, λ the radius project updated its distribution to refuse to start if linked against a λ version of SSL that has significant vulnerabilities. In this case the heartbleed λ (the version we have just installed has the fix). λ To get FreeRadius to start on our systems, λ we need to edit the file /etc/freeradius/radiusd.conf. Under the section that starts security { λ Add the line allow_vulnerable_openssl = 'CVE-2014-0160'

Authentication sources Radius can authenticate from a number of sources where the actual username/password credentials are stored. λ Active Directory is popular amongst Microsoft Windows environments. This is a specialised form of LDAP. λ SQL databases can hold your user authentication and be updated by web based frontends. λ Users can be statically defined in the freeradius configuration. λ While this may be useful for testing we strongly recommend you use another method for production as this does not scale.

auth: Active Directory Your instructors have installed an active directory server for you to authenticate against. They will avail the following details which you will need to write down to use this server: - The workgroup - The realm - The DNS name of the server - The admin account + password you will use to join the domain - A username/password you will use for web access in the next section

auth: Active Directory λ Now we install samba to allow the linux authentication server talk to the active directory λ and open the configuration file in a text editor $ sudo apt-get install samba winbind krb5-user $ sudo vi /etc/samba/smb.conf λ Insert the correct workgroup in the line that says λ workgroup = WORKGROUP λ Bellow that line add the following lines substituting as necessary: security = ads winbind use default domain = no password server = KDC1.WS.NSRC.ORG //your AD-server realm = WS.NSRC.ORG //your realm

auth: Active Directory λ Next, edit /etc/krb5.conf in the [libdefaults] section just under the line that says default_realm = WS.NSRC.ORG add lines as follows (watch for case sensitivity) dns_lookup_realm = false dns_lookup_kdc = false λ Next, look for the [realms] section, and λ add the following just bellow at the top of the λ section (replace with the correct REALM given λ by the instructor). The realm name must λ be uppercase.s [realms] WS.NSRC.ORG = { kdc = kdc1.ws.nsrc.org

auth: Active Directory λ Reboot the machine at this point with sudo reboot λ Next, ensure the file /etc/nsswitch.conf has winbind added to the following lines. passwd: compat winbind group: compat winbind shadow: compat winbind protocols: db files winbind services: db files winbind netgroup: nis winbind

auth: Active Directory λ Once the machine is back up try and join the λ domain using the administrator username and password availed to you. $ net join U Administrator λ Next is to attempt to authenticate with the wireless username/password that has been given to you. $ ntlm_auth -request-nt-key -domain=wsnsrcorg -username=<your username> λ If this was successful, then NTLM will report it thus: NT_STATUS_OK : Success (0x0) λ We also need freeradius to have read access to λ the winbind privileged directory

auth: Active Directory λ Next, edit the mods-available/mschap file λ Add a new line just under the mschap { line that looks like this: with_ntdomain_hack = yes λ Find the line that starts with: # ntlm_auth = "/path/to/ntlm_auth λ And modify it so that it begins like: ntlm_auth = "/usr/bin/ntlm_auth

auth: Active Directory λ Edit the file /etc/freeradius/mods-available/eap λ Find the line that reads default_eap_type = md5 λ Change it to default_eap_type = peap λ Find the section that begins tls-config tls-common { λ In there remove the comment on the line # random_file = /dev/urandom

Authenticator

Wifi AP configuration λ Next we need to configure our access points to do 802.1X authentication against the radius λ we have built or the instructors have built. λ How to do this depends on the units available. In most cases you either use a web λ interface to the unit or a controller software. The authentication for the relevant SSID λ needs to be set to WPA2/Enterprise. λ Ensure you have the following details to be filled into the authenticator: - IP address of the radius server. DNS names work in many cases but introduce possible fragility to the auth process. - Shared secret on the radius server as configured in the clients.conf file.

Supplicant

End user device configuration λ The end user device needs to join the wifi domain. Any operating system after λ WindowsXP service pack 3 has a supplicant capable of 802.1X. Only new additions λ (which we haven't used) require newer operating systems. λ The user needs the wifi username/password that has been entered into the λ authenticator back-end in the previous section. λ Since we have used self signed certificates, the devices will popup an error saying λ they don't trust the certificate. In this case it is fine. λ For larger deployments, the opensource CAT tool developed by eduroam (can be λ extended to provision other SSIDs) is available. See https://cat.eduroam.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information