OpenNAC FreeRADIUS & Active Directory Configuration
The main purpose of this document is to provide a guide to setting up a FreeRADIUS server in order to authenticate users against Active Directory.
1. Join the Active Directory Domain
First of all, check that you can reach the following ports on the Active Directory server:
- 53/UDP/TCP (dns)
- 88/UDP/TCP (kerberos)
- 123/UDP (ntp)
- 135/TCP (dcom/rpc)
- 137-139/UDP/TCP (netbios)
- 389/TCP (ldap)
- 445/TCP/UDP (smb)
- 464/TCP/UDP (kpasswd)
- 636/TCP (ldaps, if that service exists)
Then, modify your /etc/hosts file, adding the hostname in Fully Qualified Domain Name (FQDN) format in the first position, followed by the short hostname:
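As an added pre-check (example code written for this guide, not part of openNAC), the following Python script probes the TCP ports from the list above on a domain controller; UDP-only ports cannot be verified with a TCP connect and are only reported. The default host 192.168.108.60 comes from the configuration below, the function names are assumptions, and the probe function is injectable so the logic can be exercised without a network.

```python
"""Pre-check that the Active Directory ports listed in section 1 are reachable.

Added example, not part of openNAC or the original page. Only TCP ports are
probed with a connect(); UDP-only ports (e.g. 123/ntp) cannot be probed this
way and are reported separately. The probe function is injectable so the
logic can be tested offline.
"""
import socket

# (port, protocols, service) as listed in section 1 of this document
AD_PORTS = [
    (53, "udp/tcp", "dns"),
    (88, "udp/tcp", "kerberos"),
    (123, "udp", "ntp"),
    (135, "tcp", "dcom/rpc"),
    (137, "udp/tcp", "netbios"),
    (138, "udp/tcp", "netbios"),
    (139, "udp/tcp", "netbios"),
    (389, "tcp", "ldap"),
    (445, "tcp/udp", "smb"),
    (464, "tcp/udp", "kpasswd"),
    (636, "tcp", "ldaps"),
]
# ldaps is only needed if that service exists on the domain controller
OPTIONAL_PORTS = {636}


def tcp_connect_ok(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ad_ports(host, probe=tcp_connect_ok):
    """Probe every TCP port in AD_PORTS on host.

    Returns a dict with three lists of (port, service) tuples:
    'missing'  - required TCP ports that refused the connection
    'optional' - optional TCP ports (ldaps) that refused the connection
    'unprobed' - UDP-only ports that a TCP connect cannot verify
    """
    result = {"missing": [], "optional": [], "unprobed": []}
    for port, protocols, service in AD_PORTS:
        if "tcp" not in protocols:
            result["unprobed"].append((port, service))
            continue
        if probe(host, port):
            continue
        key = "optional" if port in OPTIONAL_PORTS else "missing"
        result[key].append((port, service))
    return result


if __name__ == "__main__":
    import sys
    # Default is the main Active Directory server used in this guide
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.168.108.60"
    report = check_ad_ports(dc)
    for key in ("missing", "optional", "unprobed"):
        for port, service in report[key]:
            print("%-8s %5d %s" % (key, port, service))
    sys.exit(1 if report["missing"] else 0)
```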
127.0.0.1 example_host.mycompany.com example_host localhost
- Install the samba and kerberos packages, if they are not already installed:
yum install samba krb5-server krb5-workstation
- Configure samba to connect the Linux server to Active Directory, in the /etc/samba/smb.conf file:
[global]
workgroup = MYCOMPANY
password server = 192.168.108.60, 192.168.108.15
realm = MYCOMPANY.COM
security = ads
winbind use default domain = false
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = no
printcap name = /dev/null
[homes]
comment = Home Directories
browseable = no
writable = yes
MYCOMPANY is the Windows domain name (the prefix used in domain usernames), MYCOMPANY.COM is the realm (the DNS domain name, i.e. the suffix after @), 192.168.108.60 is the main Active Directory server and 192.168.108.15 is a replicated Active Directory server.
- Configure the /etc/krb5.conf file with the default realm and the realm information:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYCOMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYCOMPANY.COM = {
kdc = 192.168.108.60
kdc = 192.168.108.15
admin_server = 192.168.108.60
admin_server = 192.168.108.15
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
mycompany.com = MYCOMPANY.COM
- Configure the /var/kerberos/krb5kdc/kdc.conf file with the realm information:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
MYCOMPANY.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
- Use the Active Directory servers as name servers in the /etc/resolv.conf file (configure the DNS servers for this DNS zone):
nameserver 192.168.108.60
nameserver 192.168.108.15
options timeout:1
Note
The timeout option sets the amount of time, in seconds, the resolver waits for a response from a remote name server before retrying the query via a different name server.
- Obtain and cache a Kerberos ticket-granting ticket with kinit:
kinit Administrator@MYCOMPANY.COM
Administrator is the name of the domain controller admin. The password is required when prompted.
- Check the cached Kerberos tickets:
klist
- Create the new Kerberos database:
kdb5_util create -s
You are prompted twice for a new master password, which is needed for future access to the database.
- Join the Linux server to the Windows domain:
net join -U Administrator
Administrator is the name of the domain controller admin. The password is required when prompted.
- Configure the smb, winbind and krb5kdc services to start automatically, and start them:
chkconfig smb on
/etc/init.d/smb start
chkconfig winbind on
/etc/init.d/winbind start
chkconfig krb5kdc on
/etc/init.d/krb5kdc start
- Check user authentication against Active Directory with ntlm_auth command:
ntlm_auth --request-nt-key --domain=MYCOMPANY --username=testUser
testUser is the name of a valid domain user. The password is required when prompted.
2. FreeRADIUS configuration files
- When invoked by the radiusd user, the ntlm_auth program needs permission to access the /var/lib/samba/winbindd_privileged directory:
setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
radiusd is the radius user.
- Check that the radius user has write permission on the /var/log/opennac directory, where the execution time log is written:
chgrp radiusd /var/log/opennac
chmod g+w /var/log/opennac
radiusd is the radius user.
- Create the file /var/log/opennac/ntlm_auth_exec_time.log, with radiusd as the file owner, to store the execution time of Active Directory requests:
touch /var/log/opennac/ntlm_auth_exec_time.log
chown radiusd:radiusd /var/log/opennac/ntlm_auth_exec_time.log
- In order to avoid the LDAP connection and improve performance, comment out the block shown below in the /etc/raddb/sites-available/inner-tunnel file:
# ldapuser {
# fail = 2
# }
# if the ldap module fails, ignore the ldap error
# if (fail) {
# notfound = 1
# }
Add mschap_ad authentication in the inner-tunnel file, replacing the original block with the modified one shown below:
- Original:
Auth-Type MS-CHAP {
mschap_default
}
- Modified:
Auth-Type MS-CHAP {
    mschap_ad {
        reject = 2
    }
    if (reject && Module-Failure-Message != '') {
        # In case a proxy radius exists
        update outer.reply {
            opennac-Msg := "%{Module-Failure-Message}"
        }
        # If a proxy radius exists and evaluates the openNAC policies,
        # the "update request" block and the python execution below
        # could be commented out to improve performance
        update request {
            opennac-Msg := "%{Module-Failure-Message}"
            Calling-Station-Id := "%{outer.request:Calling-Station-Id}"
        }
        python
        mschap_default
    }
}
- Configure the module ntlm_auth, placed in /etc/raddb/modules/ntlm_auth, with the following content:
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --username='%{User-Name}' --password='%{User-Password}'"
}
Note: By default the --domain parameter is not necessary, but when trust relationships exist between Active Directory domains it may be necessary to indicate which domain is to be used.
- Add the following configuration to the /etc/raddb/sites-available/default file, so that authentications received with username and password are validated against Active Directory using the ntlm_auth module when no other valid authentication method is found. In the authorize section, add these lines after the pap line:
# If no module has set Auth-Type, not even PAP, we will try NTLMAuth,
# since this server is joined to an Active Directory.
if (!control:Auth-Type) {
update control {
Auth-Type = 'NTLMAuth'
}
}
Note
Check whether this configuration already exists in the default file.
- In the same /etc/raddb/sites-available/default file, but in the authenticate section, add these lines before any others:
Auth-Type NTLMAuth {
ntlm_auth
}
- With this configuration, the radius logrotate script has to be patched, because a reload is not enough: radius has to be restarted after logrotate runs. So, in the /etc/logrotate.d/radiusd file, apply the following change:
- Original:
/sbin/service radiusd reload
- Modified:
/sbin/service radiusd restart >/dev/null
- Restart the FreeRADIUS service:
/etc/init.d/radiusd restart
- If you want to use Collectd to show the ntlm_auth execution time, captured with the /usr/bin/time command in the FreeRADIUS mschap module, uncomment the lines marked with “#.#” in the /etc/collectd.d/tail.conf file.
To prevent this file from being overwritten automatically in future upgrades, remove the line “# REMOVE THIS LINE …”.
- Restart Collectd service:
/etc/init.d/collectd restart
Note
You can review the following links for further information:
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
http://deployingradius.com/documents/configuration/active_directory.html
3. openNAC FreeRADIUS: Add certificates
When you deploy an openNAC server from an OVA, the FreeRADIUS certificates have probably expired and “eapol_test” will fail.
Renewal of certificates
You can follow these steps to renew the certificates for testing; take care when applying them in production. They follow the indications in <raddb_dir>/certs/README.
- First of all, go to the certificates folder and remove the old test certificates and the certificate counters (serial and index files):
cd /etc/raddb/certs
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
Or run the destroycerts make target:
cd /etc/raddb/certs
make destroycerts
Note
In case you only want to regenerate one specific kind of certificate, remove the corresponding CRT and KEY files and set the property “unique_subject = no” in the index.txt.attr file, to allow an existing subject to be rewritten.
- Set the “default_days” property in each CNF file (ca, server or client) to indicate the validity period of the certificates. By default, 60 days is configured. If you want, you can also modify the organization information and the passwords.
- Execute the bootstrap file to generate the CA and server certificates:
./bootstrap
- To generate client certificates, set a unique emailAddress and commonName in the client.cnf file and generate the certificate with the following commands:
make client
cp client.p12 `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.p12
Note
A copy of the PEM file is generated with the emailAddress as its name, but it is highly recommended to copy the P12 file with the same naming as well, because Windows clients can import that file using the system wizard.
- Finally, give all new files the right ownership and restart the RADIUS server:
chown root:radiusd *
service radiusd restart
Use an external CA certificate
In case you have your own CA certificate, you can use it with FreeRADIUS.
- As in the previous section, remove the old test certificate information:
cd /etc/raddb/certs
make destroycerts
In the server.cnf file, modify the properties you need, paying special attention to the following:
- default_days
- input_password
- output_password
- countryName
- stateOrProvinceName
- localityName
- organizationName
Note
Server properties (countryName, stateOrProvinceName, localityName and organizationName) have to match the CA certificate values.
- Modify the private_key_password property in the tls section of the /etc/raddb/eap.conf and /etc/raddb/modules/inner-eap files, using the output_password value previously indicated.
- Generate the CSR file for the server certificate:
make server.csr
- Send the generated server.csr file to your certificate authority in order to obtain the certificate. Remember to include the XP extensions for use with Microsoft Windows. If you have to create the server certificate yourself, using your CA certificate and OpenSSL, you can use these commands:
cat >xpext.txt<<EOF
[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
PASSWORD_CA=`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key ${PASSWORD_CA} -out server.crt -extensions xpserver_ext -extfile xpext.txt -config ./server.cnf
- Once you receive the server.crt file from the Certificate Authority, copy it into the /etc/raddb/certs directory. Then you can generate the server.pem file with the following commands:
PASSWORD_SERVER=`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}
openssl pkcs12 -in server.p12 -out server.pem -passin pass:${PASSWORD_SERVER} -passout pass:${PASSWORD_SERVER}
- From the Certificate Authority you also need the public CA certificate, for example the ca.pem file; copy it into the /etc/raddb/certs directory, where FreeRADIUS uses it to check the client certificates.
- Prepare the dh and random files:
make dh
make random
- Finally, give all new files the right ownership and restart the RADIUS server:
chown root:radiusd *
service radiusd restart
Install CA certificate on Windows
To avoid having to deselect the option “Validate server certificate” in “Protected EAP Properties”, as shown in step 4 of the Setup 802.1x clients document, you can install the CA certificate on the Windows client and enable it as a “Trusted Root Certification Authority”, following these steps:
From the Windows client, access the ca.der file (or copy it to the client). Double-click the file, open the certificate properties and install the certificate using the “Certificate Import Wizard”. In the wizard, specify the “Certificate store” as “Trusted Root Certification Authorities”. Once installed, you can modify the 802.1x connection to select “Validate server certificate”, deselect “Connect to these servers” (or specify the list of allowed servers) and select the imported CA as a trusted root certification authority. If you do not select the new trusted root CA, a window will appear the first time the user connects, asking to validate this CA.
Note
You can find more information of how to configure 802.1x connection on Setup 802.1x clients.
Use client certificate on Windows
To use a client certificate with 802.1x connections on a Windows machine, you have to import the certificate and configure the 802.1x connection to use it.
First of all, access the client.p12 file and double-click it to open the “Certificate Import Wizard”. Enter the password used when the certificate was created (output_password in the client.cnf file) and do not select the option “Enable strong private key protection”. Finally, store it in the “Personal” folder or choose “Automatically select the certificate store based on the type of certificate”. If you select the option “Enable strong private key protection”, Windows cannot use the certificate to establish the connection.
Once installed, in the 802.1x connection properties, specify “Smart Card or other Certificate” as the “Network authentication method” in order to use “Protected EAP”, and configure these properties: select the option “Use a certificate on this computer”. If you have installed the CA certificate, you can leave “Validate server certificate” selected, as described in the previous section. Depending on the commonName specified in the client certificate, you may have to allow this value to be used as the user name when the connection is established, by selecting “Use a different user name for the connection”. With this configuration, Statement of Health (SoH) does not work. It could be resolved by deploying some changes on the FreeRADIUS server and using PEAP with a certificate in order to use MSCHAP.
Related external links
FreeRADIUS Certificate README: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/certs/README
Production Certificates: http://deployingradius.com/documents/configuration/certificates.html
Installing Root Certificates: http://wiki.zs64.net/Installing_Root_Certificates
Howto setup an EAP-TLS WPA network with freeradius: http://hanoteau.blogspot.com.es/2009/03/howto-setup-eap-tls-wpa-network-with.html
Microsoft PEAP-EAP-TLS support (certificate auth with SoH): http://freeradius.1045715.n5.nabble.com/Microsoft-PEAP-EAP-TLS-support-certificate-auth-with-SoH-td5159392.html
5. openNAC AD/LDAP Binding and Authorization
This section explains the steps required to bind to a Directory Service and how to use it as an authorization method.
As soon as you have joined openNAC to Active Directory, using the Active Directory Integration wizard or manually, you will need to use Active Directory objects such as users or computers in the Policy Engine. To do so, configure a User Data Source (UDS) that retrieves this information from the identity repository, and create an LDAP search to filter the objects of interest.
Configure a User Data Source (no SSL)
AD/LDAP Binding
Active Directory users list
The following parameters have to be configured as a new User Data Source:
Name: AD_users
Type: LDAP
Read Only: Yes
LDAP Host: 192.168.108.60,192.168.108.15
LDAP Port: 389
LDAP Username: john.smith@mycompany.com
LDAP Password: johnPassword
LDAP BaseDn: cn=users,dc=mycompany,dc=com
LDAP AccountDomainName: mycompany.com
LDAP AccountDomainNameShort: mycompany
LDAP AccountFilterFormat: (sAMAccountName=%s)
LDAP BindRequiresDN: No
LDAP Uid attr: sAMAccountName
LDAP Mail attr: mail
Note
We can use the DN format, like cn=John Smith,cn=Users,dc=mycompany,dc=com, in the LDAP Username field, if LDAP BindRequiresDN is checked.
192.168.108.60 is one of the replicated Active Directory servers and 192.168.108.15 is another replica. john.smith@mycompany.com is the username of a domain user, normally in UPN (User Principal Name) format. johnPassword is the password of that domain user. mycompany.com is the realm or DNS domain name. mycompany is the domain name, known as the “pre-Windows 2000” syntax by Microsoft. sAMAccountName is the user name attribute.
If you don’t know the BaseDN value, you can obtain it with the following command:
ldapsearch -LLL -H ldap://192.168.108.60 -x -s base -b '' '(objectClass=*)' namingContexts
Configure a User Data Source (SSL activated)
In order to connect to the server using SSL, we need to trust the certificate issued for it.
If SSL is not yet enabled on the AD server, the following tutorial may help you enable it: http://www.javaxt.com/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory
On the openNAC Core side we have to use the following commands:
- Install the ca-certificates package:
yum install ca-certificates
- Enable the dynamic CA configuration feature:
update-ca-trust enable
- Copy the CA certificate as a new file into /etc/pki/ca-trust/source/anchors/:
cp CACERT.crt /etc/pki/ca-trust/source/anchors/
- Extract the trust store so that the new anchor is picked up:
update-ca-trust extract
- Active Directory Users List
The following parameters have to be configured as a new User Data Source:
Name: AD_users
Type: LDAP
Read Only: Yes
LDAP Host: 192.168.108.60
LDAP Port: 636
LDAP Username: john.smith@mycompany.com
LDAP Password: johnPassword
LDAP BaseDn: cn=users,dc=mycompany,dc=com
LDAP AccountDomainName: mycompany.com
LDAP AccountDomainNameShort: mycompany
LDAP AccountFilterFormat: (sAMAccountName=%s)
LDAP BindRequiresDN: No
LDAP Uid attr: sAMAccountName
LDAP Mail attr: mail
UseSSL: True
- Active Directory Computers List
The following parameters have to be configured as a new User Data Source:
Name: AD_computers
Type: LDAP
Read Only: Yes
LDAP Host: 192.168.108.60
LDAP Port: 636
LDAP Username: john.smith@mycompany.com
LDAP Password: johnPassword
LDAP BaseDn: cn=computers,dc=mycompany,dc=com
LDAP AccountDomainName: mycompany.com
LDAP AccountDomainNameShort: mycompany
LDAP AccountFilterFormat: (serviceMasterName=%s)
LDAP BindRequiresDN: No
LDAP Uid attr: serviceMasterName
LDAP Mail attr:
UseSSL: True
Note
We can use the DN format, like cn=John Smith,cn=Users,dc=mycompany,dc=com, in the LDAP Username field, if LDAP BindRequiresDN is checked.
192.168.108.60 is the Active Directory server. john.smith@mycompany.com is the name of a domain user. johnPassword is the password of that domain user. mycompany.com is the realm or DNS domain name. mycompany is the domain name, known as the “pre-Windows 2000” syntax by Microsoft. serviceMasterName is the computer name attribute, in the format HOST/computerName.
Note
If you don’t know the BaseDN value, you can obtain it with the following command:
ldapsearch -LLL -H ldap://192.168.108.60 -x -s base -b '' '(objectClass=*)' namingContexts
6. AD/LDAP for Authorization
In order to select specific objects (users or computers) in Active Directory, we can use LDAP filters.
A typical use is to select the users of a given group. This is expressed with the “memberOf” property, using the DN of the group.
For example, a group “Development” inside the “Users” folder of our previous sample AD would have the following DN:
CN=Development,CN=Users,DC=mycompany,DC=com
So, the “LDAP query” required to filter the users of Development will be:
memberOf='CN=Development,CN=Users,DC=mycompany,DC=com'
Note
If you need to check nested group membership, you have to use the “LDAP_MATCHING_RULE_IN_CHAIN” matching rule (OID 1.2.840.113556.1.4.1941).
For example:
memberOf:1.2.840.113556.1.4.1941:='CN=Development,CN=Users,DC=mycompany,DC=com'
If we don’t know the name of the property we are looking for, we can browse the AD objects with an LDAP browser or with the ldapsearch command line. For example:
ldapsearch -LLL -H ldap://192.168.108.60 -x -D 'john.smith@mycompany.com' -w 'johnPassword' -b 'cn=users,dc=mycompany,dc=com'
Once we have the desired “LDAP query”, we can check it with the same command line:
ldapsearch -LLL -H ldap://192.168.108.60 -x -D 'john.smith@mycompany.com' -w 'johnPassword' -b 'cn=users,dc=mycompany,dc=com' memberOf='CN=Development,CN=Users,DC=mycompany,DC=com'
The last filter only works when the group is not a primary group (like Domain Users) and all group members are users rather than nested groups. See the next examples, which handle both scenarios:
Test whether a user effectively belongs to a group named vpnusers. trainer1 belongs to the group “trainers”, which in turn is a member of the group “vpnusers”.
ldapsearch -LLL -H ldap://$LDAPIP -x -D $LDAPUSER -w $LDAPPASSWD -b 'dc=mycompany,dc=com' '(&(memberof:1.2.840.113556.1.4.1941:=CN=vpnusers,ou=Groups,OU=openNACTraining,DC=mycompany,DC=com)(sAMAccountName=trainer1))'
In case we need to check whether the user has “Domain Users” (ID=513) as primary group, use the following syntax:
ldapsearch -LLL -H ldap://$LDAPIP -x -D $LDAPUSER -w $LDAPPASSWD -b 'dc=mycompany,dc=com' '(&(sAMAccountName=trainer1)(primaryGroupID=513))'
If you have several domains to check through a single UDS (domains with a trust relationship), you need to be able to distinguish the user's domain; this can be done with an & and an objectCategory filter:
ldapsearch -LLL -H ldap://$LDAPIP -x -D $LDAPUSER -w $LDAPPASSWD -b 'dc=mycompany,dc=com' '(&(sAMAccountName=trainer1)(primaryGroupID=513)(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mycompany,DC=com))'
In openNAC this filter is written as:
&(primaryGroupID=513)(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mycompany,DC=com)
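The filters in this section, and the AccountFilterFormat of the User Data Sources in section 5, substitute values into LDAP filter syntax, so a substituted user name (which comes from the supplicant) or group DN must be escaped per RFC 4515, or a crafted value could change the meaning of the query. The following Python helper, added here as an example and not openNAC's own code, rebuilds the filters shown above with that escaping; the function names are assumptions.

```python
"""Build openNAC-style LDAP filters with RFC 4515 escaping.

Added example, not openNAC's or FreeRADIUS's code. The user name that
replaces %s in a UDS AccountFilterFormat comes from the supplicant, so it
is escaped before substitution; group DNs are escaped the same way.
"""

# OID of LDAP_MATCHING_RULE_IN_CHAIN (nested group membership), from section 6
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
# RID of the built-in "Domain Users" group, the usual primaryGroupID value
DOMAIN_USERS_RID = 513

# Characters that are special inside a filter assertion value (RFC 4515)
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape *, (, ), backslash and NUL so the value cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def account_filter(account_filter_format, username):
    """Substitute an escaped user name into a UDS AccountFilterFormat,
    e.g. '(sAMAccountName=%s)'. Exactly one %s placeholder is expected."""
    if account_filter_format.count("%s") != 1:
        raise ValueError("AccountFilterFormat must contain exactly one %s")
    return account_filter_format.replace("%s", escape_filter_value(username))


def group_filter(group_dn, nested=False):
    """memberOf filter for a group DN. With nested=True the matching rule in
    chain is used, so members of groups nested inside group_dn also match."""
    attr = "memberOf"
    if nested:
        attr += ":" + LDAP_MATCHING_RULE_IN_CHAIN + ":"
    return "(%s=%s)" % (attr, escape_filter_value(group_dn))


def primary_group_filter(rid=DOMAIN_USERS_RID):
    """primaryGroupID filter; memberOf never lists a user's primary group."""
    return "(primaryGroupID=%d)" % rid


def object_category_filter(domain_dn, category="Person"):
    """objectCategory filter pinned to one domain's schema, used to tell
    users of trusted domains apart when a single UDS spans several."""
    return "(objectCategory=CN=%s,CN=Schema,CN=Configuration,%s)" % (
        escape_filter_value(category), escape_filter_value(domain_dn))


def and_filter(*filters):
    """Combine filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


if __name__ == "__main__":
    # The two ldapsearch filters from section 6, rebuilt with escaping
    vpn = "CN=vpnusers,ou=Groups,OU=openNACTraining,DC=mycompany,DC=com"
    print(and_filter(group_filter(vpn, nested=True),
                     account_filter("(sAMAccountName=%s)", "trainer1")))
    print(and_filter(account_filter("(sAMAccountName=%s)", "trainer1"),
                     primary_group_filter(),
                     object_category_filter("DC=mycompany,DC=com")))
    # A user name containing filter metacharacters is neutralised
    print(account_filter("(sAMAccountName=%s)", "*)(objectClass=*"))
```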
Once these two steps are done, you can use Active Directory in the Policy Engine.
- For identification, select the username in the User/Identity field of the policy definition form; if you want to authorize all users, LDAP/AD Filter must be chosen.
- For authorization, select the User Data Source in UDS LDAP Filter and choose an LDAP filter defined as described above, to match the specific users/computers.