
Thread: RADIUS with password expiration

  1. #1
    TwistedPair Guest

    RADIUS with password expiration

    I'm trying to move our remote client VPN configuration from an all-Microsoft solution by replacing the Windows server with a Cisco/RADIUS configuration. However, I'm not sure how to set up the RADIUS server in such a way that the passwords will expire in a given time and force the user to change them. So far I have FreeRADIUS running on CentOS 5 (my server distro of choice). Please let me know if this is possible.

  2. #2
    jamrock (Join Date Aug 2002, Posts 3,959, Rep Power 25)


    I have never implemented Free Radius so my recommendations are based on things I have read.

    I have read that Free Radius can use OpenLDAP (and ldap directories generally) for authentication.

    OpenLDAP has a password policy overlay that will allow for password expiration, grace passwords, password expiration notification, etc. I have never used it, but it exists.

    http://www.openldap.org/doc/admin24/...ord%20Policies

    Active Directory uses LDAP for user authentication. You should therefore be able to configure Free Radius to authenticate against AD. Some people argue against using a single user account for local and remote logins. If the remote login is compromised, the attacker has access to the local network.

    In general, find out the databases against which Free Radius can authenticate. See if these databases provide the password policies you are looking for.
    Last edited by jamrock; Dec 12, 2010 at 08:55 PM.

  3. #3
    TwistedPair Guest


    Yeah, my manager wants to keep the VPN accounts separate. FreeRADIUS can authenticate against LDAP. Is there a simple way to get LDAP configured, like a web interface? I love open source but I hate having to jump around 5 text files to get a service running.

  4. #4
    jamrock (Join Date Aug 2002, Posts 3,959, Rep Power 25)


    Quote (TwistedPair): Is there a simple way to get LDAP configured, like a web interface? I love open source but I hate having to jump around 5 text files to get a service running.
    If you have been trained in Linux, most things are easy to set up. I find that people will attend classes to learn Windows. Then they will try and set up Linux without any formal training.

    Unfortunately, we are just wrapping up our sessions on ldap at the Jalug Network Administrator's course. Are you located in Kingston?

  5. #5
    TwistedPair Guest


    I have not been formally trained in either platform, but with most things I learn the principles and try to apply them to whichever platform I have to use, be that Windows, Linux, Cisco, Nortel etc. My contention is that even if I do slog through config files getting the server up and running, I need to know that the rest of the IT staff will be able to maintain it without having to have a Linux background.

  6. #6
    jamrock (Join Date Aug 2002, Posts 3,959, Rep Power 25)


    Are you located in Kingston?

    Quote (TwistedPair): I need to know that the rest of the IT staff will be able to maintain it without having to have a Linux background.
    Linux servers need very little maintenance. The ones I have at work tend to run un-attended for a very long time. I usually have to restart them once a year or so.

    If you plan to use Linux in the office, you really should understand how things work on that platform. Without that knowledge it will be difficult to set up things like OpenLDAP.

  7. #7
    TwistedPair Guest


    By maintenance I meant adding/removing users, resetting passwords etc. I hear you though, and I will evaluate whether or not OpenLDAP is the way to go.

  8. #8
    jamrock (Join Date Aug 2002, Posts 3,959, Rep Power 25)


    Don't get me wrong. These are simple things to do. Just be sure that people are properly trained.

    It only takes a few minutes to set up OpenLDAP.


    Install openldap-servers
    Install openldap-clients
    Install openldap-devel

    Edit the /etc/openldap/slapd.conf file
    Edit the /etc/openldap/ldap.conf file

    Import your initial entries from a ldif file

    Use a GUI tool to create your database

    This is your basic installation. You will then need to get the password policy overlay working. I have never tried it so I can't help much.

    If you want to have RADIUS and OpenLDAP on different machines, you will need to use SSL to encrypt the LDAP queries. If you want to have them on the same machine, SSL won't be necessary.

    Quote (TwistedPair): By maintenance I meant adding/removing users, resetting passwords etc.
    This can be done using GUI tools. For example LDAP Administrator will run on a Windows machine. You can use it to add and remove OpenLDAP users on a Linux machine.

    However, you need to understand Linux and OpenLDAP in order to do these things.

    Another option is to use Windows 2008. Directory services on Windows use LDAP. Active Directory Lightweight Directory Services is one of the enhancements in Windows 2008. It allows you to run directory services independent of a domain controller.

    Purpose

    Microsoft Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory that provides dedicated directory services for applications.

    Where Applicable

    Although AD LDS independently provides directory storage and access for applications, AD LDS uses the same standard application programming interfaces (APIs) as Active Directory to manage and access the application data. The resulting conceptual and programming compatibility makes AD LDS ideal for applications that require directory services, but do not require the complete infrastructure features of Active Directory.
    http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

    I haven't tested this on Windows 2008 yet. I have only used Linux applications with Windows 2003. You can download an evaluation copy of Windows 2008 and give it a try.

    Note that you will need to use SSL between the Linux machine and the Windows machine. As a result, you will need either OpenSSL on Linux or Certificate Services on Windows to create the PKI certificates.

    I think I will give the OpenLDAP password policy overlay a shot. It looks interesting.
    Last edited by jamrock; Dec 13, 2010 at 07:52 PM.
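The post above lists the OpenLDAP setup steps and then hands off to the password policy overlay. The following is an added example (not code from the thread or from the OpenLDAP project) that models how the ppolicy overlay decides a bind once pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit are set on a pwdPolicy entry, so the numbers can be sanity-checked before they go into slapd.conf. Attribute names and their meanings are taken from the ppolicy draft the overlay implements; the policy values, user entries and timestamps are constructed sample data.

```python
"""Model of OpenLDAP ppolicy expiration checks for one bind attempt.

Attribute names follow the ppolicy overlay (draft-behera-ldap-password-policy):
pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit live on the pwdPolicy entry;
pwdChangedTime, pwdGraceUseTime and pwdReset live on the user entry.
All entries and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as ppolicy writes it: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Policy:
    pwdMaxAge: int = 0           # seconds a password stays valid; 0 = never expires
    pwdExpireWarning: int = 0    # seconds before expiry at which warnings start; 0 = none
    pwdGraceAuthNLimit: int = 0  # binds still allowed after expiry; 0 = none


@dataclass
class Verdict:
    allowed: bool
    reason: str
    must_change: bool = False                   # bind ok, but only a password change is useful
    seconds_until_expiry: Optional[int] = None  # set only when a warning applies
    grace_remaining: Optional[int] = None       # grace binds left after this one


def evaluate_bind(policy: Policy, pwdChangedTime: str,
                  pwdGraceUseTime: Sequence[str] = (),
                  pwdReset: bool = False,
                  now: Optional[datetime] = None) -> Verdict:
    """Return the ppolicy outcome for a bind that presented the correct password."""
    now = now or datetime.now(timezone.utc)
    if pwdReset:
        # Administrator reset the password: user may bind only to change it.
        return Verdict(True, "password was reset by an administrator", must_change=True)
    if policy.pwdMaxAge == 0:
        return Verdict(True, "passwords never expire under this policy")
    expires_at = parse_generalized_time(pwdChangedTime) + timedelta(seconds=policy.pwdMaxAge)
    if now < expires_at:
        remaining = int((expires_at - now).total_seconds())
        if policy.pwdExpireWarning and remaining <= policy.pwdExpireWarning:
            return Verdict(True, "password expires soon", seconds_until_expiry=remaining)
        return Verdict(True, "password valid")
    # Expired: each successful bind is recorded in pwdGraceUseTime until the limit is hit.
    used = len(pwdGraceUseTime)
    if used < policy.pwdGraceAuthNLimit:
        return Verdict(True, "password expired; grace bind used", must_change=True,
                       grace_remaining=policy.pwdGraceAuthNLimit - used - 1)
    return Verdict(False, "password expired and no grace binds remain")


# Constructed sample: 90-day lifetime, warn during the last 7 days, 2 grace binds.
SAMPLE_POLICY = Policy(pwdMaxAge=90 * 86400, pwdExpireWarning=7 * 86400, pwdGraceAuthNLimit=2)
SAMPLE_NOW = datetime(2010, 12, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for changed, grace in (("20101001000000Z", ()),
                           ("20100920000000Z", ()),
                           ("20100901000000Z", ()),
                           ("20100901000000Z", ("20101210000000Z", "20101212000000Z"))):
        print(changed, evaluate_bind(SAMPLE_POLICY, changed, grace, now=SAMPLE_NOW))
```

One thing to check on the RADIUS side: the overlay delivers the warning and grace information through the password policy response control, which it only attaches when the LDAP client sent the request control, so confirm that the FreeRADIUS LDAP module you run actually asks for it before relying on users seeing warnings.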

  9. #9
    TwistedPair Guest


    Trying to keep this thing open source but it's not easy... I got RADIUS configured and OpenLDAP set up. They work together well. The Cisco router and RADIUS work together well, but not all three together. Seems like OpenLDAP can't deal with the MS-CHAPv2 passwords. One suggestion online was to configure Samba to deal with the MS-CHAP and hook into the LDAP directory.

  10. #10
    jamrock (Join Date Aug 2002, Posts 3,959, Rep Power 25)


    Take a look at this post and the answers.

    http://www.openldap.org/lists/openld.../msg00723.html

    OpenLDAP encrypts the password by default. Mschapv2 cannot read the encrypted passwords. I am not sure re: the implications of using clear text passwords with OpenLDAP.

    Is mschapv2 the only option re: passwords?

    Samba emulates a Windows domain controller so it will work with mschapv2.

    Quote (TwistedPair): Trying to keep this thing open source but it's not easy...
    LOL!!! Not really. You just need to understand how Linux networking works. You are doing quite well so far. Don't give up.

    Edit 17/12/10.

    I should mention that you have other options for open source vpn connectivity. OpenVPN is a popular choice.

    http://openvpn.net/

    You can also look at Pfsense. This is a firewall based on FreeBSD. It uses OpenVPN to provide VPN services.

    http://www.pfsense.org/

    Remember to do a minimal installation of CentOS for your production machines, especially those that face the internet. A full installation will install a lot of vulnerable applications such as sendmail and telnet.

    http://wiki.centos.org/FAQ/CentOS5#h...cc6c916eb3cb6e

    http://www.techjamaica.com/forums/sh...=centos+hacked

    Make sure to use iptables to create a host based firewall for your CentOS server.
    Last edited by jamrock; Dec 17, 2010 at 10:53 PM.
