
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018

Slides for the February 2018 pfSense Hangout video


1. RADIUS and LDAP – pfSense 2.4 – February 2018 Hangout – Jim Pingle
2. About this Hangout
   ● Project News
   ● RADIUS and LDAP intro
   ● Areas of pfSense that support RADIUS and LDAP
   ● Configuring RADIUS and LDAP servers for use by pfSense
   ● RADIUS and LDAP for the pfSense GUI
   ● RADIUS and LDAP for VPNs
   ● RADIUS for Captive Portal
   ● RADIUS for Wireless WPA2 Enterprise/802.1x
   ● Using Google Authenticator with the FreeRADIUS 3.x package
3. Project News
   ● 2.4.3 will be coming soon
     – Security, bug fixes, a few new features
     – Kernel PTI mitigations for Meltdown in snapshots today
   ● XG-7100 1U device shipping next month
     – Replacing the 4860-1U and 8860-1U
     – (8) 1 GbE and (2) Intel® 10 GbE interfaces
     – Quad core Intel Atom C3558 CPU
     – 8 GB DDR4 RAM, upgradeable to 24 GB
     – $999 ($1,998 for HA pair)
   ● Netgate is now a silver member of The Linux Foundation
   ● Be wary of purchasing firewalls running pfSense from unaffiliated vendors
     – We had a report of a user who purchased a firewall from an Amazon seller that had no affiliation with Netgate (not a partner), and the version of pfSense shipped on the device appears to have been compromised
     – If a device claims to have pfSense pre-loaded before shipping, check to ensure it is coming from Netgate or a Netgate partner
       ● No other vendors can legally pre-load pfSense in this way, and if they do, the installation should not be trusted
     – Always download pfSense and install it yourself to ensure it is unmodified
       ● For Netgate appliances, log in to your portal account and download the factory firmware image for your device
4. RADIUS Intro
   ● Remote Authentication Dial-In User Service
   ● Provides AAA – Authentication, Authorization, and Accounting
   ● Often used by ISPs for DSL/dialup/etc. or by companies for central authentication
   ● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, many more
     – Also various frontends such as daloRADIUS or billing systems with RADIUS
   ● In addition to authentication, can send back reply info about users
   ● Accounting allows for tracking usage over time (e.g. X MB per day), total login time (X hours per day), and so on
   ● Can be compatible with external systems for additional authentication such as Google Authenticator/mOTP, tokens, and similar Multi-Factor implementations
   ● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN
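The last bullet deserves a concrete look. The following is an added example written for this page (it is not pfSense or FreeRADIUS code) that implements the RFC 2865 User-Password hiding and the Response Authenticator check: the only protection a PAP password gets on the wire is an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, and every other attribute, the User-Name included, travels in clear text. The shared secret, Request Authenticator, username and password are constructed sample values.

```python
"""RADIUS User-Password hiding and Response Authenticator check (RFC 2865).

Added illustration for the RADIUS intro; not pfSense or FreeRADIUS code.
SECRET, REQ_AUTH and the credentials in demo() are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with MD5(secret + previous block).

    The first block is keyed by the Request Authenticator, later ones by the previous
    ciphertext block. This is MD5-based obfuscation, not encryption, hence the advice to
    keep RADIUS traffic on a local segment or inside a VPN.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it; strips NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 octet) + Length (1 octet, counts the 2 header octets) + Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, req_auth: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header (all in clear)."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: reject replies whose authenticator does not match our request and secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


SECRET = b"example-shared-secret"   # constructed
REQ_AUTH = bytes(range(16))         # constructed; a real NAS uses 16 random octets per request


def demo() -> dict:
    request = build_access_request(7, REQ_AUTH, b"alice", b"correct horse", SECRET)
    on_wire = parse_attributes(request)
    accept = build_response(ACCESS_ACCEPT, 7, b"", REQ_AUTH, SECRET)
    return {
        "username_in_clear": on_wire[ATTR_USER_NAME],
        "password_hidden": on_wire[ATTR_USER_PASSWORD],
        "password_recovered": reveal_password(on_wire[ATTR_USER_PASSWORD], SECRET, REQ_AUTH),
        "accept_valid": verify_response(accept, REQ_AUTH, SECRET),
        "accept_valid_wrong_secret": verify_response(accept, REQ_AUTH, b"other-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things follow directly from the code: the hiding depends entirely on the shared secret (a guessable secret exposes every PAP password captured on that path), and nothing here protects attributes other than User-Password, which is why the slides later prefer MSCHAPv2 where OTP does not force PAP.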
5. LDAP Intro
   ● Lightweight Directory Access Protocol
   ● Primarily a repository of information about users and organizations, but can be used for authentication via LDAP BIND operations
   ● Can be searched to find user info (e.g. group membership)
   ● Commonly used not just for authentication but also for e-mail contact storage, user profile information, and similar tasks
   ● Found in systems such as OpenLDAP, Active Directory, Novell Directory Services, Apple Open Directory, and many more
     – Some distributions such as ClearOS and Turnkey Linux use OpenLDAP
   ● LDAP schemas vary widely; two common variations:
     – RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group object
     – RFC 2307bis/Active Directory – Group membership indicated by a list of groups on the user object
   ● Can use SSL to encrypt queries
6. RADIUS and LDAP on pfSense
   ● GUI Authentication
     – LDAP and RADIUS can both be used for GUI authentication
     – Groups must be present on pfSense with the same name as on the LDAP or RADIUS server, plus the desired privileges
       ● For longer group names or group names with spaces, set the Group’s Scope to Remote on pfSense
   ● VPN Authentication
     – OpenVPN supports RADIUS and LDAP
       ● IP address, routes, firewall rules, and DNS servers can be passed back via RADIUS attributes
     – IPsec supports RADIUS (IKEv2/EAP or xauth) and LDAP (xauth)
     – PPPoE and L2TP support only RADIUS
   ● Captive Portal
     – RADIUS only; there is some LDAP code in testing for a future version
     – Per-user bandwidth restrictions can be passed back from RADIUS
     – Time/day limits and transfer total limits may also be enacted by the RADIUS server
   ● Wireless
     – 802.1x / WPA2 Enterprise
     – RADIUS only
   ● Other services, such as SSH, cannot be used with RADIUS or LDAP
7. RADIUS and LDAP Server Config
   ● Configure the authentication server to allow queries from the firewall
     – Network connectivity to the server (VPN, routes, firewall rules, etc.)
     – Client access (NAS entry, bind user, etc.)
   ● Add users and groups to the authentication server as needed
   ● Determine the parameters required for pfSense to access the server
     – Varies by protocol, but would include things such as server address and port, query credentials, and so on
8. Configuring RADIUS Servers
   ● FreeRADIUS
     – Install the FreeRADIUS 3.x pfSense package, or use an external server
     – Select CA/certificate on the EAP tab
     – Add an Interface to FreeRADIUS to listen/bind
     – Add a NAS / Clients entry for the firewall, note the shared secret
     – Add Users
     – Adjust any other required items on the Settings tab, Save
   ● Active Directory (via NPS)
     – Add Network Policy and Access Services role
     – Configure NPS/NAP
     – Add RADIUS client entry for the firewall, note the shared secret
     – Add a Network Policy to grant access based on user attributes (e.g. users in a specific group)
     – May need to ensure users have Dial-In permission set to be managed by NPS
     – Add users/groups as needed
9. Configuring LDAP Servers
   ● OpenLDAP
     – Too complex to cover here, but there are many how-to docs out there
     – Be sure to add a cert for SSL support (Let’s Encrypt is great for this)
     – Or use a distro such as Turnkey Linux or similar that has a frontend for it
     – Web-based LDAP frontends can be helpful for finding info and managing users
   ● Active Directory
     – Support is already there in Windows Server by default
     – Add Certificate Authority role to use SSL
     – Use ADSI Edit to easily locate Base DN
   ● Others
     – Consult OS docs for info on what, if anything, needs to be done
10. Set up pfSense for a RADIUS Server
   ● System > User Manager, Authentication Servers tab, click + Add
   ● Enter a Descriptive Name
   ● Set Type to RADIUS
   ● Select the Protocol
     – Must match what is supported by the RADIUS server
     – MSCHAPv2 is the best choice, but some features like OTP (Google Authenticator or mOTP) require using PAP
   ● Enter the Hostname or IP address of the RADIUS server
   ● Enter the Shared Secret configured for this firewall in the NAS/Client entry on the RADIUS server
   ● Pick the Services offered by the RADIUS server, typically either Authentication or both Authentication and Accounting
   ● Unless the server ports have been changed, leave them at default values
   ● If the RADIUS server is reached through a slow connection or tunnel, consider raising the timeout
     – Default is 5 seconds; it can be higher, but that may slow down access to resources while the firewall waits for a response
   ● Save and visit Diagnostics > Authentication to test
   ● For group membership to work:
     – The RADIUS server must return the group name(s) in the Class attribute as a string, e.g. Class := "admins;VPNUsers"
     – The same group names must be present on pfSense (Groups tab)
11. Set up pfSense for an LDAP Server
   ● If the LDAP server uses SSL, import the CA from the LDAP server under System > Cert Manager, CA tab before proceeding
   ● System > User Manager, Authentication Servers tab, click + Add
   ● Enter a Descriptive Name
   ● Set Type to LDAP
   ● Enter the Hostname or IP address of the LDAP server
     – If using SSL, this should be the hostname!
     – Also ensure the server certificate (not imported to pfSense) contains this hostname, and that the hostname also exists in DNS
   ● Pick the Transport, plain TCP or SSL
     – SSL is highly recommended, as TCP transmits credentials in the clear!
     – Use TCP to start with, so you can use a packet capture to see the results for troubleshooting in Wireshark
   ● Adjust the Port value if needed
   ● If using SSL, set the Peer Certificate Authority to the CA imported previously
   ● Pick the LDAP Protocol Version, commonly 3 but may vary depending on server
   ● Set the Server Timeout to a somewhat low value; if used for GUI access, any timeout will delay page loads by this amount
12. pfSense LDAP Server (cont'd)
   ● Parameters from here on all depend on LDAP server configuration and type
   ● Search Scope
     – Level typically should be Entire Subtree – especially on Active Directory!
     – Base DN, the lowest level distinguished name on the LDAP server for this site, e.g. DC=example,DC=com
       ● If unknown, check LDAP schema, GUI, ADSI Edit, etc.
   ● Authentication Containers
     – Typically set to an OU, varies by LDAP schema
     – The Select button will show containers from the server. Bind credentials will need to be correct for it to work.
   ● Extended Query
     – Specifies an LDAP filter to limit search results, such as:
     – memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
   ● Bind Credentials
     – May or may not be necessary
     – OpenLDAP typically allows anonymous binds/searches, but depends on schema
     – Active Directory typically requires a valid user to bind; this may need to be a service account or Administrator, depending on the configuration of the server, check Windows Server docs
13. pfSense LDAP Server (cont'd)
   ● Initial Template – OpenLDAP, Microsoft AD, Novell eDirectory
     – Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
     – For OpenLDAP with RFC 2307 groups, Group member attribute should be memberUid
   ● RFC 2307 Groups
     – Default style lists groups on the user object (used by Active Directory)
     – RFC 2307 lists group members on the group object (used by some OpenLDAP schemas)
   ● Group Object Class
     – Object class needed for RFC 2307 style, typically posixGroup
   ● UTF-8 Encoding
     – Necessary if using any special characters in LDAP usernames or passwords
     – Support varies by server, but should be safe to enable in most cases
   ● Username Alterations
     – By default, if someone enters user@host style naming, the @ and everything after it is stripped. Check to preserve.
   ● Save and visit Diagnostics > Authentication to test
   ● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
14. RADIUS and LDAP for the GUI
   ● Privileges are assigned based on group membership
   ● Add groups on pfSense to match groups on the server
     – Example: LDAP group “VPNUsers” needs a pfSense group “VPNUsers”
   ● Add privileges to the group(s) as desired
   ● Check the authentication server to be sure the groups are set up properly with users and can be seen by pfSense:
     – LDAP – Check the schema to see if AD style group membership is needed or RFC 2307
     – RADIUS – Ensure the server returns groups in the Class attribute as a string, not binary
   ● Visit Diagnostics > Authentication, test users and ensure the groups are listed in the result
     – If LDAP returns inconsistent authentication tests, use option 16 and then 11 on the console menu
   ● Visit System > User Manager, Settings tab, select the desired server, Save
     – The Auth Refresh Time option controls how often a user’s group memberships are refreshed from the server; a low value means more authentication server queries, while a high value might not catch a change in user access
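Slides 5, 10, 13 and 14 describe three ways the firewall learns a user's groups (RFC 2307 `memberUid` lists on group objects, AD/RFC 2307bis `memberOf` lists on the user object, and a RADIUS `Class` string such as `admins;VPNUsers`) and the rule that only groups with an identically named pfSense group grant anything. The following added example, written for this page and not taken from pfSense, resolves groups from each source and intersects them with a local group table. The directory entries, the Class value and the privilege names are constructed.

```python
"""Group resolution for pfSense-style name matching (slides 5, 10, 13, 14).

Added example, not pfSense code. The directory entries, the RADIUS Class
value and the privilege names are constructed for illustration.
"""
from typing import Dict, List, Tuple


def cn_from_dn(dn: str) -> str:
    """Value of the leading RDN: 'CN=VPNUsers,CN=Users,DC=example,DC=com' -> 'VPNUsers'."""
    rdn = dn.split(",", 1)[0]
    _, _, value = rdn.partition("=")
    return value.strip()


def groups_rfc2307(username: str, group_entries: List[dict],
                   member_attr: str = "memberUid", group_class: str = "posixGroup") -> List[str]:
    """RFC 2307 style (OpenLDAP default): members are listed on the group object."""
    return sorted(
        g["cn"] for g in group_entries
        if group_class in g.get("objectClass", []) and username in g.get(member_attr, [])
    )


def groups_memberof(user_entry: dict, member_attr: str = "memberOf") -> List[str]:
    """RFC 2307bis / Active Directory style: group DNs are listed on the user object."""
    return sorted(cn_from_dn(dn) for dn in user_entry.get(member_attr, []))


def groups_from_radius_class(class_value) -> List[str]:
    """RADIUS Class reply attribute as pfSense expects it: a string of names separated by ';'."""
    if not isinstance(class_value, str):
        raise TypeError("Class must be returned as a string, not binary")
    return sorted(name.strip() for name in class_value.split(";") if name.strip())


def effective_privileges(remote_groups: List[str],
                         local_groups: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Only remote groups with an identically named pfSense group grant privileges."""
    matched = [g for g in remote_groups if g in local_groups]
    privs = sorted({p for g in matched for p in local_groups[g]})
    return matched, privs


# Constructed sample directory data.
RFC2307_GROUPS = [
    {"cn": "admins", "objectClass": ["posixGroup"], "memberUid": ["alice"]},
    {"cn": "VPNUsers", "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    {"cn": "Sales Team", "objectClass": ["posixGroup"], "memberUid": ["bob"]},
]
AD_USER_ALICE = {
    "sAMAccountName": "alice",
    "memberOf": ["CN=admins,CN=Users,DC=example,DC=com",
                 "CN=VPNUsers,CN=Users,DC=example,DC=com"],
}
# pfSense side; privilege names are constructed placeholders, not real pfSense privilege ids.
LOCAL_GROUPS = {
    "admins": ["example-priv-webgui-all"],
    "VPNUsers": ["example-priv-openvpn-login"],
}


def demo() -> dict:
    return {
        "rfc2307_alice": groups_rfc2307("alice", RFC2307_GROUPS),
        "ad_alice": groups_memberof(AD_USER_ALICE),
        "radius_alice": groups_from_radius_class("admins;VPNUsers"),
        "bob_effective": effective_privileges(groups_rfc2307("bob", RFC2307_GROUPS), LOCAL_GROUPS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note how `bob` ends up with only the VPNUsers privileges: his `Sales Team` membership is real on the server but has no same-named local group, which is exactly the mismatch Diagnostics > Authentication surfaces (and, for names with spaces, the reason slide 6 suggests a Remote-scoped group).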
15. RADIUS and LDAP for VPNs
   ● For LDAP, to limit access to a specific group, use Extended Filter
     – For different levels of access on different services, use multiple LDAP server entries with different filters
   ● On IPsec and OpenVPN, Ctrl-select multiple servers; if the first fails, the second is checked, and so on
     – No way to reorder them currently
   ● L2TP and PPPoE support only RADIUS and have RADIUS settings on their configuration pages, nothing fancy
   ● IPsec
     – RADIUS and LDAP both work for IKEv1 xauth
     – Only RADIUS works with IKEv2/EAP
     – VPN > IPsec, Mobile Clients tab, select the desired authentication server(s)
     – For IKEv2, on Phase 1 also set Authentication Method to EAP-RADIUS
     – IP addresses can be assigned via RADIUS: leave the Virtual Address Pool blank and assign all users a Framed-IP-Address
   ● OpenVPN – Next slide
16. RADIUS and LDAP for OpenVPN
   ● Auth can come from LDAP or RADIUS (or both)
   ● No accounting support at the moment
   ● For use with OpenVPN Client Export Package:
     – User Auth only mode – One installer works for everyone (no certs)
     – SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
       ● No need to create local users, only certificates
   ● RADIUS Reply Attributes can be used to pass back info for clients!
     – Cisco-AVPair route=x.x.x.x y.y.y.y (network/subnet address, subnet mask)
     – Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
     – Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
     – Framed-IP-Address = x.x.x.x
       ● With topology subnet, the client gets x.x.x.x, but this also requires the RADIUS server to send back a Framed-Mask with a subnet mask appropriate for the tunnel network
       ● With topology net30, the client gets x.x.x.x and the server is x.x.x.x-1; be sure to align these properly for /30 networks
   ● Multi-Factor Auth is possible with RADIUS if the RADIUS server supports it/has a plugin/etc.
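To make the reply-attribute rules on this slide concrete, here is an added example (written for this page, not pfSense's own OpenVPN RADIUS code) that turns a RADIUS reply into the OpenVPN client-config directives it implies, and rejects the two misconfigurations the slide warns about: a topology subnet address with no netmask, and a net30 address that is not the client half of a /30. `Cisco-AVPair` and `Framed-IP-Address` are the attribute names from the slide; the netmask is assumed to arrive as `Framed-IP-Netmask` (the RFC 2865 name), with the slide's `Framed-Mask` accepted as an alias. The reply itself is constructed.

```python
"""Map RADIUS reply attributes onto OpenVPN client-config directives (slide 16).

Added example, not pfSense's implementation. Framed-IP-Netmask is assumed as
the netmask attribute name (RFC 2865); "Framed-Mask" from the slide is accepted
too. SAMPLE_REPLY is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Attrs = List[Tuple[str, str]]


def _first(attrs: Attrs, *names: str) -> Optional[str]:
    return next((v for a, v in attrs if a in names), None)


def ifconfig_directive(attrs: Attrs, topology: str, tunnel_network: str) -> List[str]:
    framed_ip = _first(attrs, "Framed-IP-Address")
    if framed_ip is None:
        return []  # no static address: the server assigns one from its pool
    tun = ipaddress.ip_network(tunnel_network)
    ip = ipaddress.ip_address(framed_ip)
    if ip not in tun:
        raise ValueError(f"{ip} is outside tunnel network {tun}")
    if topology == "subnet":
        mask = _first(attrs, "Framed-IP-Netmask", "Framed-Mask")
        if mask is None:
            raise ValueError("topology subnet needs the RADIUS server to send the tunnel netmask")
        if ipaddress.ip_network(f"{tun.network_address}/{mask}") != tun:
            raise ValueError(f"netmask {mask} does not match tunnel network {tun}")
        return [f"ifconfig-push {ip} {mask}"]
    if topology == "net30":
        # Each client owns a /30: network, server (x-1), client (x), broadcast.
        if int(ip) % 4 != 2:
            raise ValueError(f"{ip} is not the client address of a /30 block")
        return [f"ifconfig-push {ip} {ip - 1}"]
    raise ValueError(f"unsupported topology {topology!r}")


def avpair_directives(attrs: Attrs) -> List[str]:
    lines = []
    for name, value in attrs:
        if name != "Cisco-AVPair":
            continue
        key, _, rest = value.partition("=")
        if key == "route":
            net, mask = rest.split()
            ipaddress.ip_network(f"{net}/{mask}")  # raises on a malformed or misaligned route
            lines.append(f'push "route {net} {mask}"')
        elif key == "dns-servers":
            for dns in rest.split():
                ipaddress.ip_address(dns)
                lines.append(f'push "dhcp-option DNS {dns}"')
        elif key in ("inacl", "outacl"):
            # ACL text becomes per-client firewall rules, not an OpenVPN directive; kept as a comment
            lines.append(f"# {key} {rest}")
        else:
            raise ValueError(f"unknown Cisco-AVPair key {key!r}")
    return lines


def openvpn_ccd(attrs: Attrs, topology: str = "subnet",
                tunnel_network: str = "10.8.0.0/24") -> List[str]:
    return ifconfig_directive(attrs, topology, tunnel_network) + avpair_directives(attrs)


# Constructed reply for one user.
SAMPLE_REPLY: Attrs = [
    ("Framed-IP-Address", "10.8.0.6"),
    ("Framed-IP-Netmask", "255.255.255.0"),
    ("Cisco-AVPair", "route=192.168.50.0 255.255.255.0"),
    ("Cisco-AVPair", "dns-servers=10.8.0.1 10.8.0.2"),
    ("Cisco-AVPair", "inacl=permit tcp from any to host 192.168.50.10"),
]

if __name__ == "__main__":
    print("\n".join(openvpn_ccd(SAMPLE_REPLY)))
    print("\n".join(openvpn_ccd(SAMPLE_REPLY, topology="net30")))
```

Validating every address with `ipaddress` before emitting a directive matters because reply attributes are server-supplied strings: a typo in a route or DNS value should fail the connection loudly rather than be pushed verbatim into the client's configuration.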
17. RADIUS for Captive Portal
   ● See the Advanced Captive Portal hangout (June 2017) for lots more info
   ● Captive Portal only supports RADIUS at this time, but there are patches in testing to allow LDAP
     – The patches move Captive Portal auth to the user manager, so LDAP support is gained naturally
   ● RADIUS Authentication can use PAP, CHAP-MD5, MSCHAPv1, or MSCHAPv2
     – Check RADIUS server config/docs to see what it supports; MSCHAPv2 is the current recommended choice
   ● Enter the IP address and port for the RADIUS server
   ● Shared Secret is the “password” set in the RADIUS server for the firewall as a NAS/Client
   ● Four total RADIUS servers permitted:
     – Primary Authentication Source and its backup
     – Secondary Authentication Source and its backup
     – Backups are consulted if the main servers do not respond
     – Secondary authentication source uses separate fields
       ● Can be used to effectively have two sources of auth (e.g. pre-paid cards and standard users) – all up to the servers and what they support
18. RADIUS for Captive Portal
   ● RADIUS Accounting:
     – If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
     – Stop/start accounting only sends data on login and logout
     – Stop/start (FreeRADIUS) sends session data in a way that is accepted by FreeRADIUS for time/data tracking
     – Interim update sends periodic updates to the accounting server during a user session
   ● RADIUS Options – More here than are supported in the user manager
   ● Reauthentication – Forces a new auth request every minute. If users must be disconnected for time or bandwidth usage calculations, this must be checked!
   ● RADIUS MAC Authentication – Sends the MAC address as the user name and “MAC Authentication Secret” as the password. Allows automatic login by MAC address; MACs must be added to the RADIUS server as users.
   ● NAS IP – IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)
19. RADIUS for Captive Portal
   ● Session-Timeout – Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute
   ● Type – Controls how Called-Station-Id and Calling-Station-Id are handled
     – Varies by need of RADIUS server, typically “default”
   ● Accounting Style – Inverts the value of input and output for bandwidth calculations to suit some RADIUS server assumptions
   ● Idle time accounting – Includes idle time in a user’s session time when disconnecting the user for an idle timeout
   ● NAS Identifier – A name passed to the RADIUS server to identify this firewall
   ● MAC Address Format – The format of the MAC address expected by the RADIUS server
20. RADIUS for Captive Portal
   ● Some parameters may be passed back in RADIUS Reply Attributes:
     – Varies by RADIUS vendor
     – WISPr-Bandwidth-Max-Up (and -Down)
       ● Sets up a limiter for this specific user at the given bandwidth
     – WISPr-Redirection-URL
       ● Passes a string with a full URL to use for redirection
     – Acct-Interim-Interval
     – Session-Timeout
     – Idle-Timeout
   ● Do not set a simultaneous use limit on users that will use Captive Portal
21. RADIUS for Wireless
   ● 802.1x, a.k.a. WPA2 Enterprise
   ● More secure than plain WPA/WPA2
     – Less prone to brute forcing
     – Harder to snoop
   ● RADIUS only, no LDAP
   ● Second RADIUS server is used if the first fails
   ● Settings are placed on the wireless interface (e.g. Interfaces > WiFi)
   ● Set WPA Key Management to EAP!
   ● Check Enable 802.1X Authentication
   ● Enter the RADIUS server settings
   ● Set client to PEAP (or whatever mode is configured on the RADIUS server)
   ● Clients will log in using the username/password on the RADIUS server
   ● Check the Wireless log for info if access fails
   ● The AP daemon (hostapd) supports dynamic VLAN assignment, but we do not currently enable that or support it in the GUI – perhaps in the future
22. Bonus: Google Authenticator
   ● Settings tab, enable OTP, keep the defaults
   ● Install the Google Authenticator application on user devices (phone, tablet, etc.)
   ● For individual users in FreeRADIUS 3…
     – Enter the Username
     – Leave the Password field blank
     – Check Enable One-Time Password for this user
     – Change OTP Auth Method to Google-Authenticator
     – Click Generate OTP Secret
       ● If the user is manually configuring their Google Authenticator application (not using the QR code), they will need this secret; click Show OTP Secret to view it
     – Enter a random PIN for the user
       ● This PIN is prepended to the OTP generated by the app; for example, if the PIN is 1234 and the code is 888888, the user enters 1234888888 for the password
     – Leave the Time Offset as 0 unless the user is in a different time zone
     – Click Generate QR Code to display a code which can be scanned by the Google Authenticator app
       ● This image could be saved and given to the user, printed, etc.
       ● Do not e-mail it or send it via insecure means!
   ● The RADIUS NAS/Client must use PAP when communicating with the RADIUS server
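The PIN-plus-code password on this slide is easier to reason about once the code generation is visible. The following added example (written for this page; it is not the FreeRADIUS package's own OTP code) implements TOTP per RFC 6238 over a base32 secret of the kind Google Authenticator consumes, and checks a `PIN + OTP` string the way the slide describes, with a per-user time offset. How the package itself validates the combined string is not shown on the slide, so the verification policy here (PIN as a fixed-length prefix, one 30-second step of tolerance either side) is an assumption. The secret used is the RFC 6238 test-vector secret, not a real user's.

```python
"""TOTP (RFC 6238) with a prepended PIN, as described on slide 22.

Added example, not the FreeRADIUS package's code. The verification policy
(PIN prefix, +/- one time step, optional per-user time offset) is assumed.
RFC6238_SECRET_B32 is the RFC 6238 test-vector secret.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_b32(secret_b32: str) -> bytes:
    """Accept the spaced/lower-case form users type in and restore base32 padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(decode_b32(secret_b32), int(unix_time) // step, digits)


def verify_pin_otp(password: str, pin: str, secret_b32: str, unix_time: int,
                   step: int = 30, digits: int = 6, window: int = 1, time_offset: int = 0) -> bool:
    """Check a 'PIN + OTP' password: PIN 1234 and code 888888 arrive as '1234888888'.

    window=1 tolerates one step of clock drift either side; time_offset mirrors the
    per-user Time Offset field. Both halves are compared in constant time and both are
    always evaluated, so a failure does not reveal which half was wrong.
    """
    if len(password) != len(pin) + digits:
        return False
    supplied_pin, otp = password[:len(pin)], password[len(pin):]
    if not (otp.isascii() and otp.isdigit()):
        return False
    pin_ok = hmac.compare_digest(supplied_pin.encode(), pin.encode())
    otp_ok = False
    for skew in range(-window, window + 1):
        candidate = totp_code(secret_b32, unix_time + time_offset + skew * step, step, digits)
        otp_ok |= hmac.compare_digest(candidate, otp)
    return pin_ok and otp_ok


RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(RFC6238_SECRET_B32, now)
    print("current code:", code)
    print("accepted:", verify_pin_otp("1234" + code, "1234", RFC6238_SECRET_B32, now))
```

Two consequences worth noting for the setup on this slide: the OTP secret is a symmetric key, so the QR image or shown secret is as sensitive as the password it replaces (hence the warning not to e-mail it), and because the combined string must reach the server as a reusable plaintext value, the NAS really does have to use PAP; a challenge-response method such as MSCHAPv2 cannot carry it. A production verifier should additionally remember the last accepted counter per user so a code cannot be replayed within its window.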
23. Conclusion
   ● Questions?
   ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.