CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250907

Browse Source
This commit is contained in:
Petar Cubela
2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
projects/gg/freeradius/20250725_init.md
View File

@@ -0,0 +1,40 @@
## Now
- Probably MS Radius Server. -> Network Policy Server on gg-srv-pd-app-01
![[Pasted image 20250727185114.png]]
- eap type: secured peap (proprietary?)
- mschapv2 as second next
## TODO
- [x] ruckus network config
- [x] network config
- [x] Ruckus filter via username (identity + group). If user already connected with one device do not allow other device. Measure time -> next 8 hours device is connected and can not connect with other device
- [x] test authentication with user not being in ldap group
- [ ] Restrict user login to only one device at a time
- [ ] Auto logout after 8h
## Notes
- MS AD makes things complicated
- RADIUS does not get 'good password' from AD which it needs
## Questions
- Which authorization and authentication methods do the iPads use?
- How should the system behave when the same user connects with different devices?
- Do we track the used devices?
- Are rules applied depending on the user or/and on the device?
## Resources
- [ruckus radius attributes](https://docs.commscope.com/bundle/fastiron-10010-securityguide/page/GUID-15CBE7F1-4898-4311-8A4E-28ED2268BD86.html)
- <https://www.golinuxcloud.com/configure-freeradius-pap-chap-authentication/>
- <https://www.freeradius.org/documentation/freeradius-server/3.2.8/concepts/modules/ldap/authentication.html>
- <https://www.inkbridgenetworks.com/blog/blog-10/how-to-connect-freeradius-to-active-directory-for-authentication-105>
- <https://www.inkbridgenetworks.com/blog/blog-10/can-you-use-freeradius-and-active-directory-together-121>
- <https://cloudinfrastructureservices.co.uk/setup-freeradius-active-directory-authentication-integration/>
- <https://nbailey.ca/post/peap-freeradius/>

137
projects/gg/freeradius/20250726-setup_for_byod.md Normal file
View File

@@ -0,0 +1,137 @@
### **FreeRADIUS Setup for Student Network Access (IPv4-Only)**
**Context:**
- **FreeRADIUS Server IP:** `172.16.2.5`
- **AD Server IP:** `172.16.2.10`
- **Student VLAN:** `10.10.135.254/22` (ensure this VLAN is isolated and routed to the RADIUS server).
- **Goal:**
- Students authenticate via AD.
- Prevent multiple devices per user (same credentials) from connecting.
- Track connected devices per user.
---
### **1. FreeRADIUS Configuration (Key Sections)**
#### **A. LDAP Authentication to AD**
Edit `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (or `default`):
```ini
ldap {
server = "172.16.2.10" # AD Server IP
base_dn = "DC=example,DC=com" # Replace with your domain
bind_dn = "CN=radius,OU=ServiceAccounts,DC=example,DC=com" # AD service account
bind_password = "your_ad_password" # AD service account password
ldap_filter = "(sAMAccountName=%{User-Name})" # Query for user
timeout = 5
retry = 3
start_tls = no
}
```
- **Note:** Ensure the AD service account has read access to user attributes (e.g., `sAMAccountName`, `userPrincipalName`).
---
#### **B. Prevent Multiple Devices per User**
Use the `Limit` directive to enforce **1 session per user**:
```ini
authorize {
...
Limit-User-Name {
max = 1 # Max 1 session per user
reject # Reject if limit is exceeded
}
}
```
- **How it works:**
- The `Limit` directive checks the `User-Name` attribute.
- If a user is already logged in, the second request is rejected.
- **Limitations:**
- Requires **persistent session tracking** (e.g., a database or file).
- FreeRADIUS itself does not natively track active sessions.
#### **C. Track Connected Devices (Optional)**
If you need to **track devices per user**, use a **database** (e.g., MySQL, PostgreSQL) or a **file** to store active sessions. Example:
```ini
authorize {
...
if (User-Name == "student1") {
update {
User-Name := "student1"
Framed-IP-Address := "%{Framed-IP-Address}"
Calling-Station-Id := "%{Calling-Station-Id}"
}
}
}
```
- **Store this data in a database** to check for duplicates.
- Use `radacct` for accounting records (requires `accounting` section).
---
### **2. VLAN Configuration (Network Layer)**
Ensure the **student VLAN** (`10.10.135.254/22`) is properly routed to the RADIUS server:
- **NAS (Network Access Server):**
- Configure the NAS to send the **`Framed-Interface-Id`** (VLAN ID) in the RADIUS request.
- Example:
```ini
[nas]
type = other
shortname = NAS-Name
secret = shared_secret
framed-interface-id = 135 # VLAN ID
```
- **Firewall Rules:**
- Allow traffic between the student VLAN and the RADIUS server (`172.16.2.5`).
- Block unauthorized access to the VLAN.
---
### **3. NAS Configuration (Example: Cisco IOS)**
If using a router as the NAS:
```bash
aaa authentication login default group radius local
aaa authentication login default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server host 172.16.2.5 key your_shared_secret
radius-server vsa send-template
```
- Ensure the NAS sends the **`Calling-Station-Id`** (MAC address) and **`Framed-IP-Address`** in the RADIUS request.
---
### **4. Testing and Debugging**
1. **Test LDAP Authentication:**
- Use `radtest` to simulate a login:
```bash
radtest student1 password 172.16.2.5 1812 testing123
```
2. **Check Logs:**
- `/var/log/freeradius/radius.log` for authentication errors.
3. **Monitor Active Sessions:**
- Use `radwho` or a database query to list active users.
---
### **5. Advanced: Session Tracking with a Database**
If you need precise tracking, set up a database (e.g., MySQL) with a table like:
```sql
CREATE TABLE active_sessions (
username VARCHAR(255) PRIMARY KEY,
ip_address VARCHAR(45),
mac_address VARCHAR(45),
session_id VARCHAR(255),
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
```
- Update the RADIUS config to insert session data into the table.
- Use a script to clean up old sessions (e.g., every 5 minutes).
---
### **Final Notes**
- **Security:** Ensure the RADIUS secret and AD credentials are encrypted.
- **Scalability:** For large deployments, use a **database** to track sessions.
- **Fallback:** If the `Limit` directive is insufficient, use a **script** to check the database for active sessions and reject new ones.
This configuration ensures students authenticate via AD, prevents multiple devices per user, and isolates their VLAN for secure access.

16
projects/gg/freeradius/20250728-FreeRADIUS-docs.md Normal file
View File

@@ -0,0 +1,16 @@
## Authenticating Users with LDAP
Please be aware the FreeRADIUS is an AAA server, and LDAP is a _database_. This separation of roles means that FreeRADIUS supports multiple kinds of authentication protocols such as `PAP`, `CHAP`, `MS-CHAP`, etc. An LDAP database supports only one authentication method: "bind as user". This authentication method is compatible only with PAP.
Our recommendation is to use LDAP as a database. FreeRADIUS should read the "known good" password from LDAP, and then use that information to authenticate the user. It is almost always wrong to use the LDAP "bind as user" method for authenticating users.
The only caveat to the above recommendation is Active Directory. For "security" reasons, Active Directory will not return the "known good" password to FreeRADIUS over a standard LDAP query. Therefore when Active Directory is used, the choices are:
PAP
- Use "bind as user"
[MS-CHAP::](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) Use [`ntlm`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ntlm_auth) and [`winbind`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) configuration.
Due to the limitations of Active Directory, There are unfortunately no other possible choices.

189
projects/gg/freeradius/homelab/20250726-test_environment-homelab.md Normal file
View File

@@ -0,0 +1,189 @@
To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.
---
### **1. Install Required Packages**
Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install the correct version. On **Proxmox**, you can use `apt` or install via Docker.
#### **For Ubuntu/Debian (if using a VM or bare metal):**
```bash
sudo apt update
sudo apt install freeradius freeradius-ldap freeradius-mysql
```
#### **If using Docker (optional):**
```bash
docker run -d \
--name freeradius \
--network host \
--restart unless-stopped \
--volume /path/to/config:/etc/freeradius \
--volume /path/to/ldap-cert:/etc/ssl/certs \
--volume /path/to/mariadb:/var/lib/mysql \
freeradius/freeradius:3.2.1
```
---
### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**
#### **2.1. Edit `radiusd.conf`**
Set the listening address to **IPv4 and IPv6**:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Update the following lines:
```ini
listen {
ipaddr = 0.0.0.0
port = 1812
instance = main
}
listen {
ipaddr = ::
port = 1812
instance = main
}
```
#### **2.2. Configure LDAP Backend in `ldap` Module**
Create or edit the LDAP configuration file:
```bash
sudo nano /etc/freeradius/ldap
```
Add the following (replace placeholders with your actual values):
```ini
ldap {
server = ad.reliyya.xyz
port = 6360
timeout = 5
bind = yes
base_dn = DC=reliyya,DC=xyz
filter = (objectClass=person)
start_tls = yes
ldap_tls_cafile = /etc/ssl/certs/ca-certificates.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_certfile = /etc/ssl/certs/client-cert.pem
ldap_tls_keyfile = /etc/ssl/certs/client-key.pem
}
```
**Key Notes:**
- `server` = DNS entry for your LDAP server (`ad.reliyya.xyz`).
- `port` = LDAPS port (`6360`).
- `start_tls = yes` enables TLS (if your LDAP server uses LDAPS).
- If your LDAP server requires a certificate, specify `ldap_tls_cafile` or `ldap_tls_cacertdir`.
#### **2.3. Configure `ldap` Module in `radiusd.conf`**
Enable the LDAP module:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Add this line under `[modules]`:
```ini
ldap
```
#### **2.4. Configure `users` File (Optional)**
If you want to test without LDAP, you can use a static user:
```bash
sudo nano /etc/freeradius/users
```
Add:
```ini
testuser Cleartext-Password := "password"
```
---
### **3. Configure Clients in `clients.conf`**
Set up the Unifi controller as a client:
```bash
sudo nano /etc/freeradius/clients.conf
```
Add:
```ini
client unifi-controller {
ipaddr = 10.56.0.0/24
secret = your_shared_secret
require_client_certificate = no
}
```
Replace `your_shared_secret` with a secure password (same on Unifi controller).
---
### **4. Test LDAP Connectivity**
Verify the LDAP server is reachable:
```bash
ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
```
Replace `testuser` and `password` with a valid LDAP user.
---
### **5. Test FreeRADIUS Authentication**
Use `radtest` to test authentication:
```bash
radtest testuser password 10.56.1.251 0 testing123
```
If successful, you'll see:
```
Sending Access-Request of type Auth-Request
...
Access-Accept
```
---
### **6. Configure Unifi Controller to Use FreeRADIUS**
1. Log in to the Unifi controller web UI.
2. Navigate to **Network > Radius**.
3. Add a new RADIUS server:
- **Name**: `radius.reliyya.xyz`
- **IP Address**: `radius.reliyya.xyz` (DNS entry)
- **Port**: `1812` (Authentication), `1813` (Accounting)
- **Shared Secret**: `your_shared_secret`
- **NAS ID**: `unifi-controller`
4. Save and test the connection.
---
### **7. Optional: Set Up MariaDB for Session Tracking**
If you want to store session data:
1. Install MariaDB:
```bash
sudo apt install mariadb-server
```
2. Configure `radiusd.conf` to use MySQL:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Add:
```ini
mysql
```
3. Configure `sql` module in `radiusd.conf`:
```bash
sudo nano /etc/freeradius/sql.conf
```
Set the database connection details and table schema.
---
### **8. Security Considerations**
- Ensure **TLS is enforced** for LDAPS.
- Use **strong secrets** for RADIUS and LDAP.
- Restrict access to the FreeRADIUS server via OPNsense firewall.
---
### **Summary**
- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
- **Key Config Files**: `radiusd.conf`, `ldap`, `clients.conf`, `users`
- **LDAP Server**: Use `ad.reliyya.xyz:6360` with TLS
- **Unifi Controller**: Point to `radius.reliyya.xyz` with shared secret
Let me know if you need help with certificate setup or advanced LDAP filters! 🚀

134
projects/gg/freeradius/homelab/20250726-tls_certs_peap.md Normal file
View File

@@ -0,0 +1,134 @@
The error **"TLS Alert: fatal: unknown CA"** indicates that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server, but it **cannot verify the server's certificate** because the **CA (Certificate Authority)** is not trusted. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)** with TLS. Let's fix it step by step.
---
### **1. Understand the Root Cause**
- **PEAP (PEAP-MSCHAPv2)** requires **TLS** for secure communication.
- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a **trusted certificate**.
- The client (phone) is not trusting the **CA** that signed the server's certificate.
---
### **2. Fix: Configure TLS for PEAP on FreeRADIUS**
You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:
#### **A. Generate a Self-Signed Certificate (For Testing)**
If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones (unless manually added).
1. **Generate a private key and certificate:**
```bash
openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
```
- Replace `your_radius_server.crt` and `your_radius_server.key` with your server's certificate and key.
2. **Set correct permissions:**
```bash
chown -R freeradius:freeradius /etc/freeradius/certs/
chmod 600 /etc/freeradius/certs/your_radius_server.key
chmod 644 /etc/freeradius/certs/your_radius_server.crt
```
#### **B. Configure FreeRADIUS to Use the Certificate**
Update `/etc/freeradius/eap.conf` to use the certificate:
```ini
eap {
default_eap_type = peap
timer_expire = 60
max_sessions = 256
peap {
# Path to your certificate and key
certificate = /etc/freeradius/certs/your_radius_server.crt
private_key = /etc/freeradius/certs/your_radius_server.key
ca_list = /etc/freeradius/certs/ca.crt # Optional: If you're using a chain
dh_file = /etc/freeradius/certs/dh2048.pem # Optional: Diffie-Hellman parameters
}
}
```
- If you're using a **self-signed certificate**, skip the `ca_list` line.
- If you're using a **trusted CA**, ensure the `ca_list` contains the CA's certificate.
#### **C. Generate Diffie-Hellman Parameters (Optional)**
For stronger TLS security:
```bash
openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
```
---
### **3. Ensure the Client (Phone) Trusts the Certificate**
If you're using a **self-signed certificate**, the phone must trust it manually. Here's how:
#### **A. Export the Server's Certificate**
1. Use `openssl` to extract the certificate from the `.crt` file:
```bash
openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
```
2. Convert it to PEM format (optional):
```bash
openssl x509 -in your_radius_server.crt -out your_radius_server.pem
```
#### **B. Install the Certificate on the Phone**
- **Android**:
1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
2. Import the `.der` or `.pem` file.
- **iOS**:
1. Go to **Settings > General > About > Certificate Trust Settings**.
2. Add the certificate to the trusted list (may require a certificate from a trusted CA).
#### **C. Use a Trusted CA (Recommended for Production)**
If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:
- The certificate is correctly installed.
- The **CA chain** is complete (e.g., intermediate certificates are included).
- The phone's trust store includes the CA's certificate.
---
### **4. Verify FreeRADIUS TLS Configuration**
1. **Restart FreeRADIUS**:
```bash
systemctl restart freeradius
```
2. **Check Logs for TLS Errors**:
```bash
tail -f /var/log/freeradius/radius.log
```
Look for:
- `TLS: Server certificate is not trusted`
- `TLS: No trusted certificate found`
3. **Test with `radtest`** (Ensure PEAP is working):
```bash
radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
```
---
### **5. Advanced: Debug TLS Handshake**
If the issue persists, enable **TLS debugging** in `eap.conf`:
```ini
eap {
debug = yes
...
}
```
Then check the logs for detailed TLS handshake errors.
---
### **Summary of Fixes**
| Step | Action |
|------|--------|
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
| 2 | Configure FreeRADIUS to use the certificate in `eap.conf` |
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
| 4 | Restart FreeRADIUS and verify TLS is working |
| 5 | Debug with `debug = yes` if issues persist |
After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀