
RADIUS and LDAP - pfSense Hangout August 2015


Slides for the August 2015 pfSense Hangout video

Published in: Technology

  1. RADIUS and LDAP (August 2015 Hangout, Jim Pingle)
  2. Project Notes
     ● 2.3 is progressing, should have public snapshots soon
     ● There may be a 2.2.5, not definite yet
     ● Book is still being updated
     ● SG-2220 shipping in a few days
  3. About this Hangout
     ● RADIUS and LDAP intro
     ● Areas of pfSense that support RADIUS and LDAP
     ● Configuring RADIUS and LDAP servers for use by pfSense
     ● RADIUS and LDAP for the pfSense GUI
     ● RADIUS and LDAP for VPNs
     ● RADIUS for Captive Portal
     ● RADIUS for Wireless WPA2 Enterprise/802.1x
     ● User Manager, VPNs, Captive Portal, and Wireless have all been covered in past hangouts; this hangout will focus only on RADIUS and LDAP authentication
  4. RADIUS Intro
     ● Remote Authentication Dial-In User Service
     ● Often used by ISPs for dialup, DSL, etc., or by companies for central auth
     ● Provides AAA – Authentication, Authorization, and Accounting
     ● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, etc.
       – Also various frontends such as daloRADIUS or billing systems with RADIUS
     ● In addition to auth, can send back reply info about users
     ● Accounting allows for tracking usage over time (e.g. X MB per day), total login time (X hours per day), and so on
     ● Can be compatible with external systems for additional auth such as OTP, tokens, and similar Multi-Factor implementations
     ● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN
  5. LDAP Intro
     ● Lightweight Directory Access Protocol
     ● Primarily a repository of information about users and organizations, but can be used for authentication via LDAP BIND operations
     ● Can be searched to find user info (e.g. group membership)
     ● Commonly used not just for authentication but also for e-mail contact storage, user profile information, and similar tasks
     ● Found in many systems such as OpenLDAP, Active Directory, Novell Directory Services, Apple Open Directory, and many more
       – Some distributions such as ClearOS and Turnkey Linux use OpenLDAP
     ● LDAP schemas vary widely; two common variations:
       – RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group object
       – RFC 2307bis/Active Directory – Group membership indicated by a list of groups on the user object
     ● Can use SSL to encrypt queries
  6. RADIUS and LDAP on pfSense
     ● GUI Auth
       – LDAP on <= 2.2.4, RADIUS also with >= 2.2.5
       – Groups must be present on pfSense with the same name plus desired privileges
     ● VPN Auth
       – OpenVPN supports RADIUS and LDAP
         ● IP address, routes, firewall rules, and DNS servers can be passed back via RADIUS attributes
       – IPsec supports RADIUS and LDAP
       – PPPoE, L2TP, and PPTP support only RADIUS
     ● Captive Portal
       – RADIUS only
       – Per-user bandwidth restrictions can be passed back from RADIUS
       – Time/day limits and transfer total limits may also be enacted by the RADIUS server
     ● Wireless
       – 802.1x / WPA2 Enterprise
       – RADIUS only
  7. RADIUS and LDAP Server Config
     ● Configure the auth server such that the firewall can query it
     ● Add users and groups as needed
     ● Determine the required parameters for the server necessary for pfSense to use it
       – Varies by protocol, but would include things such as server address and port, query credentials, and so on
  8. Configuring RADIUS Servers
     ● FreeRADIUS
       – Install the FreeRADIUS2 pfSense package, or use an external server
       – Add an Interface to FreeRADIUS to listen/bind
       – Add a NAS Client entry for the firewall, note the shared secret
       – Add users
     ● Active Directory (via NPS)
       – Add Network Policy and Access Services role
       – Configure NPS/NAP
       – Add RADIUS client entry for the firewall, note the shared secret
       – Add a Network Policy to grant access based on the attributes you want (e.g. users in a specific group)
       – May need to ensure users have Dial-In permission set to be managed by NPS
       – Add users/groups as needed
  9. Configuring LDAP Servers
     ● OpenLDAP
       – Too complex to cover here, but there are many how-to docs out there
       – Be sure to add a cert for SSL support
       – Or use a distro such as Turnkey Linux or similar that has a frontend for it
       – Web-based LDAP frontends can be helpful for finding info and managing users
     ● Active Directory
       – Support is already there in Windows Server by default
       – Add Certificate Authority role to use SSL
       – Use ADSI Edit to easily locate Base DN
     ● Others
       – Consult OS docs for info on what, if anything, needs to be done
  10. Set up pfSense for a RADIUS Server
     ● System > User Manager, Servers tab, +
     ● Enter a Descriptive Name
     ● Set Type to RADIUS
     ● Enter the address of the RADIUS server
     ● Enter the Shared Secret configured for this firewall's NAS/Client entry on the RADIUS server
     ● Pick which services the RADIUS server supplies, typically either Authentication or both Authentication and Accounting
     ● Unless the server ports have been changed, leave them at defaults
     ● If the RADIUS server is across a slow link, consider raising the timeout
     ● Save and visit Diagnostics > Authentication to test
     ● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
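The two RADIUS points above (the intro's "protocol itself is not encrypted" and this slide's Class-attribute group mapping) are easiest to see in the packet format itself. The following is an added example, not code from the slides or from pfSense: a minimal RFC 2865 Access-Request/Access-Accept encoder and verifier. It shows that only the User-Password attribute is hidden (an MD5 keystream keyed by the shared secret and the request authenticator; User-Name and everything else travel in the clear), that the Response Authenticator is the only integrity check a NAS has on a reply, and how Class attribute strings are matched against the local pfSense group list. The shared secret, usernames and group names are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values; "testing123" is a placeholder, not a deployment secret.
SHARED_SECRET = b"testing123"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute values are limited to 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs back into (type, value) pairs, rejecting truncated input."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR with MD5(secret + previous block), the first
    block keyed by the Request Authenticator. This obscures one attribute only; the rest of
    the packet is plaintext, which is why the slide says to run RADIUS locally or over a VPN."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server-side reversal of hide_password(); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side (what the firewall sends): Code, Identifier, Length, 16-byte random
    Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + resp_auth + body


def verify_response(response, request, secret):
    """NAS side: trust a reply only if the Identifier matches and the Response
    Authenticator checks out under the shared secret (the sole integrity check)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def groups_from_reply(response, request, secret, local_groups):
    """pfSense-style mapping: each Class attribute value is read as a string and kept only
    if a local group of the same name exists (User Manager, Groups tab).
    Returns None unless the reply is an authentic Access-Accept."""
    if not verify_response(response, request, secret) or response[0] != ACCESS_ACCEPT:
        return None
    classes = [v.decode("utf-8", "replace") for t, v in decode_attrs(response[20:]) if t == ATTR_CLASS]
    return [c for c in classes if c in local_groups]
```

Running `decode_attrs` over a request built here shows the User-Name readable byte-for-byte, which is the practical meaning of "not encrypted"; a reply whose attributes were altered in transit fails `verify_response`, and an Access-Reject never yields groups even when the server includes Class attributes.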
  11. Set up pfSense for an LDAP Server
     ● If SSL will be used, import the CA from the LDAP server under System > Cert Manager, CA tab before proceeding
     ● System > User Manager, Servers tab, +
     ● Enter a Descriptive Name
     ● Set Type to LDAP
     ● Enter the address of the LDAP server
       – If using SSL, this should be the hostname!
       – Also make sure the server certificate (not imported to pfSense) contains this hostname, and that the hostname also exists in DNS
     ● Pick the transport, plain TCP or SSL
       – SSL is highly recommended, as TCP would transmit credentials in the clear!
     ● Adjust the port if needed
     ● If using SSL, pick the CA imported previously
     ● Pick the LDAP protocol version, commonly 3 but may vary depending on server
  12. pfSense LDAP Server (cont'd)
     ● Parameters from here on all depend on LDAP server style
     ● Search Scope
       – Level typically should be “Entire Subtree” – especially on AD!
       – Base DN, e.g. DC=example,DC=com
         ● If unknown, check LDAP schema, GUI, ADSI Edit, etc.
     ● Authentication Containers
       – Typically set to an OU, varies by LDAP schema
       – Select button will show containers from the server. BIND credentials will need to be correct for it to work.
     ● Extended Query
       – Specifies an LDAP filter to limit search results, such as:
       – memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
     ● Bind credentials
       – May or may not be necessary
       – OpenLDAP typically allows anonymous binds/searches, but depends on schema
       – Active Directory typically requires a valid user to bind; may need to be a service account or admin, depends on configuration of the server, check Windows server docs
  13. pfSense LDAP Server (cont'd)
     ● Initial Template
       – OpenLDAP, Microsoft AD, Novell eDirectory
       – Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
       – For OpenLDAP with RFC 2307 groups, group member attribute should be memberUid
     ● RFC 2307 Groups (added after 2.2.4)
       – Default style lists groups on the user object (used by Active Directory)
       – RFC 2307 lists group members on the group object (used by some OpenLDAP schemas)
     ● Group Object Class (added after 2.2.4)
       – Object class needed for RFC 2307 style, typically posixGroup
     ● UTF-8 Encoding
       – Necessary if using any special characters in LDAP usernames or passwords
       – Support varies by server, but should be safe to enable in most cases
     ● Username Alterations
       – By default, if someone enters user@host style naming, the @ and everything after it is stripped. Check to preserve.
     ● Save and visit Diagnostics > Authentication to test
     ● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
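To make the two membership styles from the LDAP intro and from this slide concrete (groups listed on the user object via memberOf, versus RFC 2307 groups listing members via memberUid on posixGroup objects), here is an added example that is not pfSense code and not from the slides. It resolves a user's groups over two constructed in-memory directory snapshots using a template of the kind the Initial Template setting pre-fills, applies the default user@host stripping, supports a single-equality Extended Query (the memberOf=... form shown on the previous slide; the real setting accepts any LDAP filter), and finally keeps only the group names that also exist locally. The attribute names in the two templates are assumptions about common defaults, except memberUid and posixGroup, which the slide names.

```python
# Constructed directory snapshots (DN -> attributes); not real directories.
DIRECTORY_AD = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPNUsers,CN=Users,DC=example,DC=com", "CN=Staff,CN=Users,DC=example,DC=com"],
    },
    "CN=VPNUsers,CN=Users,DC=example,DC=com": {"objectClass": ["group"], "cn": ["VPNUsers"]},
}
DIRECTORY_OPENLDAP = {
    "cn=alice,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "cn": ["alice"], "uid": ["alice"]},
    "cn=VPNUsers,ou=Groups,dc=example,dc=com": {"objectClass": ["posixGroup"], "cn": ["VPNUsers"], "memberUid": ["alice", "bob"]},
    "cn=Staff,ou=Groups,dc=example,dc=com": {"objectClass": ["posixGroup"], "cn": ["Staff"], "memberUid": ["bob"]},
}

# Template styles as on the slide; the attribute defaults here are assumptions, except
# memberUid / posixGroup for RFC 2307, which the slide states.
TEMPLATES = {
    "Microsoft AD": {"user_attr": "samAccountName", "group_attr": "cn", "member_attr": "memberOf",
                     "rfc2307": False, "group_class": None},
    "OpenLDAP (RFC 2307)": {"user_attr": "cn", "group_attr": "cn", "member_attr": "memberUid",
                            "rfc2307": True, "group_class": "posixGroup"},
}


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; look one up accordingly."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def in_container(dn, containers):
    """Authentication Containers restrict which subtrees are searched for the user."""
    return any(dn.lower().endswith("," + c.lower()) for c in containers)


def normalize_username(username, keep_suffix=False):
    """pfSense default: strip '@' and everything after it unless Username Alterations is checked."""
    return username if keep_suffix else username.split("@", 1)[0]


def matches_extended_query(entry, query):
    """Simplified Extended Query: only a single 'attr=value' equality filter is handled here."""
    if not query:
        return True
    attr, _, value = query.partition("=")
    return value.lower() in (v.lower() for v in get_attr(entry, attr))


def find_user(directory, containers, user_attr, username, extended_query=""):
    for dn, entry in directory.items():
        if not in_container(dn, containers):
            continue
        if username.lower() in (v.lower() for v in get_attr(entry, user_attr)):
            return (dn, entry) if matches_extended_query(entry, extended_query) else None
    return None


def user_groups(directory, template, containers, username, extended_query="", keep_suffix=False):
    """Server-side group names for a user under either membership style; None if no match."""
    name = normalize_username(username, keep_suffix)
    hit = find_user(directory, containers, template["user_attr"], name, extended_query)
    if hit is None:
        return None
    _, entry = hit
    if template["rfc2307"]:
        # RFC 2307: the group object lists its members, so scan the group objects
        return [get_attr(g, template["group_attr"])[0] for g in directory.values()
                if template["group_class"] in get_attr(g, "objectClass")
                and name in get_attr(g, template["member_attr"])]
    # AD / RFC 2307bis: the user object lists group DNs; the group name is the RDN value
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in get_attr(entry, template["member_attr"])]


def pfsense_groups(server_groups, local_groups):
    """Only server groups that also exist on pfSense under the same name carry privileges."""
    return sorted(g for g in server_groups if g in local_groups)
```

Note the asymmetry the slide describes: with the AD-style template the user entry alone answers the question, while in RFC 2307 style the user entry says nothing about groups and every posixGroup object has to be inspected, which is why pfSense needs the Group Object Class setting for that mode.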
  14. RADIUS and LDAP for the GUI
     ● Privileges are assigned based on group membership
     ● Add groups on pfSense to match groups on the server
       – Example: LDAP group “VPNUsers” needs a pfSense group “VPNUsers”
     ● Add privileges to the group(s) as desired
     ● Check the authentication server to be sure the groups are set up properly with users and can be seen by pfSense:
       – LDAP – Check the schema to see if AD style group membership is needed or RFC 2307 (if RFC 2307 is needed, must be on 2.2.5 or later)
       – RADIUS (will only work with 2.2.5 and later) – Ensure the server returns groups in the Class attribute as a String, not binary
     ● Visit Diagnostics > Authentication, test users and ensure the groups are listed in the result
     ● Visit System > User Manager, Settings tab, select the desired server, Save
  15. RADIUS and LDAP for VPNs
     ● For LDAP, to limit access to a specific group, use Extended Filter
     ● On IPsec and OpenVPN, Ctrl-select multiple servers; if the first fails, the second is checked, and so on
       – No way to reorder them currently
     ● L2TP, PPPoE, and PPTP support only RADIUS and have RADIUS settings on their configuration pages, nothing fancy
     ● IPsec
       – Works for IKEv1 xauth style setup, no IKEv2/EAP yet
       – VPN > IPsec, Mobile Clients tab, select the desired auth server(s)
     ● OpenVPN – Next slide
  16. RADIUS and LDAP for OpenVPN
     ● Auth can come from LDAP or RADIUS (or both)
     ● For use with OpenVPN Client Export Package:
       – Auth only mode – One installer works for everyone (no certs)
       – SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
         ● No need to create local users, only certificates
     ● RADIUS Reply Attributes can be used to pass back info for clients!
       – Cisco-AVPair route=x.x.x.x y.y.y.y (IP address, subnet mask)
       – Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
       – Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
       – Framed-IP-Address = x.x.x.x, client gets x.x.x.x, server is x.x.x.x+1
     ● Multi-Factor Auth should be possible with RADIUS if the RADIUS server supports it
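The reply attributes listed above only become useful once something on the firewall turns them into per-client OpenVPN settings and validates them first. The following is an added example, not pfSense's own RADIUS handling: it takes already-decoded reply attributes (name/value pairs as a RADIUS client library would return them), emits OpenVPN client-config directives for Framed-IP-Address (client x, server x+1, exactly as the slide states), route= and dns-servers=, and parses inacl=/outacl= entries in the Cisco ACL form shown, converting wildcard masks to CIDR and rejecting malformed entries instead of passing them through. The directive names (ifconfig-push, push "route", push "dhcp-option DNS") are standard OpenVPN server directives; that pfSense emits exactly these is an assumption, and the sample reply is constructed.

```python
import ipaddress
import re

# Grammar from the slide: <inacl|outacl>=<permit|deny> [tcp|udp] from <any|host A|net A WILDCARD> to <...>
ACL_RE = re.compile(
    r"^(?P<dir>inacl|outacl)=(?P<action>permit|deny)"
    r"(?:\s+(?P<proto>tcp|udp))?"
    r"\s+from\s+(?P<src>any|host\s+\S+|net\s+\S+\s+\S+)"
    r"\s+to\s+(?P<dst>any|host\s+\S+|net\s+\S+\s+\S+)$"
)


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask (0 bits = must match) -> CIDR network; a non-contiguous
    mask makes IPv4Network raise ValueError, which callers treat as malformed."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_endpoint(text):
    """'any' | 'host A' | 'net A WILDCARD' -> IPv4Network."""
    parts = text.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return wildcard_to_network(parts[1], parts[2])


def parse_acl(value):
    """Parse one inacl=/outacl= AVPair into a structured rule; raises on anything off-grammar."""
    m = ACL_RE.match(value.strip())
    if not m:
        raise ValueError("malformed ACL attribute: %r" % value)
    return {"direction": m["dir"], "action": m["action"], "proto": m["proto"] or "any",
            "src": parse_endpoint(m["src"]), "dst": parse_endpoint(m["dst"])}


def reply_to_client_config(reply_attrs):
    """Translate decoded reply attributes into per-client OpenVPN directives plus parsed ACLs.
    Anything not understood is returned in 'ignored' so it can be logged rather than lost."""
    directives, acls, ignored = [], [], []
    for name, value in reply_attrs:
        if name == "Framed-IP-Address":
            client = ipaddress.IPv4Address(value)
            # As on the slide: client gets x.x.x.x and the server-side endpoint is x.x.x.x+1
            directives.append("ifconfig-push %s %s" % (client, client + 1))
        elif name == "Cisco-AVPair":
            key, _, rest = value.partition("=")
            if key == "route":
                net, mask = rest.split()
                ipaddress.IPv4Network((net, mask), strict=False)  # validate before it reaches the config
                directives.append('push "route %s %s"' % (net, mask))
            elif key == "dns-servers":
                for server in rest.split():
                    directives.append('push "dhcp-option DNS %s"' % ipaddress.IPv4Address(server))
            elif key in ("inacl", "outacl"):
                acls.append(parse_acl(value))
            else:
                ignored.append(value)
        else:
            ignored.append("%s=%s" % (name, value))
    return {"directives": directives, "acls": acls, "ignored": ignored}


# Constructed sample reply for a single client; not captured from a real server.
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.8.0.5"),
    ("Cisco-AVPair", "route=10.20.0.0 255.255.0.0"),
    ("Cisco-AVPair", "dns-servers=10.20.0.53 10.20.0.54"),
    ("Cisco-AVPair", "inacl=permit tcp from any to host 10.20.0.10"),
    ("Cisco-AVPair", "outacl=deny from net 10.30.0.0 0.0.255.255 to any"),
    ("Reply-Message", "welcome"),
]
```

Every address is run through `ipaddress` before it is interpolated into a directive, so a reply carrying a non-address string in route= or Framed-IP-Address fails here rather than ending up in a generated OpenVPN configuration file.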
  17. RADIUS for Captive Portal
     ● Captive Portal only supports RADIUS auth at this time
     ● RADIUS Authentication can use PAP, CHAP_MD5, MSCHAPv1, or MSCHAPv2
       – Check RADIUS server config/docs to see what it supports
     ● Enter IP address and port for the RADIUS server
     ● Shared Secret is the “password” set in the RADIUS server for the firewall as a NAS/Client
     ● Four total RADIUS Servers permitted:
       – Primary Authentication Source and its backup
       – Secondary Authentication Source and its backup
       – Backups are consulted if the main servers do not respond
       – Secondary authentication source is consulted if the primary fails
       – Can be used to effectively have two sources of auth (e.g. pre-paid cards and standard users) – all up to the servers and what they support
  18. RADIUS for Captive Portal
     ● RADIUS Accounting:
       – If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
       – Stop/start accounting only sends data on login and logout
       – Interim update sends periodic updates to the accounting server
     ● RADIUS Options – More here than are supported in the User Manager
     ● Reauthentication – Forces a new auth request every minute. If users must be disconnected for time or bandwidth usage calculations, this must be checked!
     ● RADIUS MAC Authentication – Sends the MAC address as user name and “MAC Authentication Secret” as the password. Allows automatic login by MAC address; MACs must be added to the RADIUS server as users.
     ● NAS IP – IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)
     ● Session-Timeout – Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute
     ● Type – Varies by need of RADIUS server, typically “default” – controls how Called-Station-Id and Calling-Station-Id are handled
     ● Accounting Style – Inverts value of input and output for bandwidth calculations to suit some RADIUS server assumptions
     ● NAS Identifier – A name passed to the RADIUS server to identify this firewall
     ● MAC Address Format – The format of the MAC address expected by the RADIUS server
  19. RADIUS for Captive Portal
     ● Some parameters may be passed back in RADIUS Reply Attributes:
       – Varies by RADIUS vendor
       – WISPr-Bandwidth-Max-Up (and -Down)
         ● Sets up a limiter for this specific user to the given bandwidth
       – WISPr-Redirection-URL
         ● Passes a string with a full URL to use for redirection
       – Acct-Interim-Interval
       – Session-Timeout
       – Idle-Timeout
     ● Do not set a simultaneous use limit on users that will use Captive Portal
  20. RADIUS for Wireless
     ● 802.1x, a.k.a. WPA Enterprise
     ● More secure than plain WPA/WPA2
       – Less prone to brute forcing
       – Harder to snoop
     ● RADIUS only, no LDAP
     ● Second RADIUS server is used if the first fails
     ● Settings are placed on the wireless Interface (e.g. Interfaces > WiFi)
     ● Set WPA Key Management to EAP!
     ● Set client to PEAP (or whatever mode is configured on the RADIUS server)
     ● Clients will log in using the username/password on the RADIUS server
     ● Check the Wireless log for info if access fails
     ● The AP daemon (hostapd) supports dynamic VLAN assignment, but we do not currently enable that or support it in the GUI – perhaps in the future
  21. Conclusion
     ● Eventually, all areas will converge on using the User Manager auth servers (Captive Portal, Wireless, L2TP, PPPoE, etc.)
     ● Works well now but always room for improvement
     ● Questions?
     ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.