03-22-2010, 07:43 PM
Natr Brazell

RHDS and Radius Certificate

I am trying to configure my freeradius box to use TLS to my RHDS server. I find many references to what to do with OpenLDAP, however nothing good with RHDS or FDS. Do I need a certificate for every user authenticating against my LDAP server through Radius, or just a certificate from my Radius server to my LDAP server? Any pointers would be most helpful.

Thanks,
Nate
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-23-2010, 11:36 AM
Andrey Ivanov

RHDS and Radius Certificate

Hi,

Exactly the same freeradius configuration applies to RHDS and OpenLDAP. Depending on how you want to authenticate users you may use either login/password or user certificate; both types of authentication are configurable on freeradius and on RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem. Here is an example of the modules/ldap freeradius config file for our case:

ldap Ldap-First {
        server = <ldap server fqdn>
        port = 389
        net_timeout = 2
        timeout = 10
        timelimit = 10
        #ldap_debug = 0xffff
        # bind credentials freeradius uses to search for the user
        identity = "uid=radius,dc=example,dc=com"
        password = <password>
        ldap_connections_number = 5
        basedn = "ou=users,dc=example,dc=com"
        filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
        base_filter = "(objectclass=inetOrgPerson)"

        tls {
                # plain LDAP on 389 upgraded with STARTTLS (tls_mode = yes would mean ldaps)
                start_tls = yes
                tls_mode = no
                cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
                # the ldap server's certificate must verify against cacertfile
                require_cert = demand
        }

        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        set_auth_type = yes
}


Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be after connection. CA_certif.crt is the certificate of the certification authority that signed ldap's certificate (used during establishing the TLS session between radius and ldap server) and radius' certificate.



The file eap.conf:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048

        tls {
                certdir = ${confdir}/certs
                # the radius server's own key and certificate, signed by the CA in CA_file
                private_key_file = ${certdir}/<radius-server.key>
                certificate_file = ${certdir}/<radius-server.crt>
                CA_file = ${certdir}/CA_certif.crt
                cipher_list = "DEFAULT"
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-23-2010, 03:44 PM
Natr Brazell

RHDS and Radius Certificate

I think I would understand it more if I understood the following sections:

        cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt (If I am doing testing, how do I make this file?)

Do I really need this section? I don't have, nor will I have, any Wi-Fi, and all users connecting in my case are on the same VLAN.

        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

Again, as in the first note above.

        private_key_file = ${certdir}/<radius-server.key>
        certificate_file = ${certdir}/<radius-server.crt>
        CA_file = ${certdir}/CA_certif.crt

Doing an initial test without the need of an official CA. What's the difference in the above 3 files and how do I generate them? If I sound like a dunce, I am in this respect. PKI is fairly new for me to configure. I understand it in theory, but getting all the pieces to fit is confusing.

Thanks for the useful responses.
N
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-24-2010, 06:49 AM
Andrey Ivanov

RHDS and Radius Certificate

2010/3/23 Natr Brazell <natrbrazell@gmail.com>

I think I would understand it more if I understood the following sections:

        cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt (If I am doing testing, how do I make this file?)

It's the public certificate of the CA that has signed (in our case) both 389 and freeradius certificates.

Do I really need this section? I don't have, nor will I have, any Wi-Fi, and all users connecting in my case are on the same VLAN.

        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

No, as I told you, this section is only necessary if you want to pass some parameters from LDAP to radius. In your case you don't need this.

Again, as in the first note above.

        private_key_file = ${certdir}/<radius-server.key>
        certificate_file = ${certdir}/<radius-server.crt>
        CA_file = ${certdir}/CA_certif.crt

Doing an initial test without the need of an official CA. What's the difference in the above 3 files and how do I generate them? If I sound like a dunce, I am in this respect. PKI is fairly new for me to configure. I understand it in theory, but getting all the pieces to fit is confusing.

These are the private key and certificate of the freeradius server, signed by a CA. In our case it's the same CA as in cacertfile. In order to generate them we use openssl; you can try tinyCA or some other web/GUI manager of PKI. It's more of a certificates/PKI question than an LDAP one...

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
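An added example, not from the thread, for the "how do I generate them" question above when testing without an official CA: the functions below use openssl to create a throwaway CA (CA_certif.crt), issue a key and certificate for the radius server and, from that same CA as in Andrey's setup, one for the 389 server, and then verify each certificate against the CA, which is the check the LDAP client library performs on the 389 server's certificate when require_cert = demand. The directory, hostnames, key size and 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway test PKI for freeradius + 389.
# Files produced (names match the thread's eap.conf / modules/ldap entries):
#   CA_certif.crt       -> cacertfile and CA_file   (public CA certificate)
#   radius-server.key   -> private_key_file         (server private key)
#   radius-server.crt   -> certificate_file         (server cert signed by the CA)
# Directory, hostnames, key size and lifetime below are assumptions.

make_test_ca() {              # $1 = output directory
    mkdir -p "$1" || return 1
    # Self-signed CA. Its key signs the server certificates; its certificate
    # is the only thing the TLS peers need to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/CA.key" -out "$1/CA_certif.crt" \
        -subj "/CN=Test Lab CA" >/dev/null 2>&1 || return 1
    chmod 600 "$1/CA.key"
}

issue_server_cert() {         # $1 = directory, $2 = file basename, $3 = hostname
    # Fresh private key plus a signing request carrying the server's name.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/CN=$3" >/dev/null 2>&1 || return 1
    # The CA signs the request; the result is the server certificate.
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/CA_certif.crt" -CAkey "$1/CA.key" -CAcreateserial \
        -out "$1/$2.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$1/$2.key"
    rm -f "$1/$2.csr"
}

# Succeeds only if the certificate chains to CA_certif.crt: the same check the
# LDAP client library makes on the 389 server's certificate when the
# modules/ldap tls block says require_cert = demand.
verify_against_ca() {         # $1 = directory, $2 = certificate file name
    openssl verify -CAfile "$1/CA_certif.crt" "$1/$2" >/dev/null 2>&1
}

# Usage (source this file, then):
#   make_test_ca ./testpki
#   issue_server_cert ./testpki radius-server radius.example.com
#   issue_server_cert ./testpki ldap-server   ldap.example.com
#   verify_against_ca ./testpki radius-server.crt && echo "radius cert OK"
```

The CA.key stays on the machine that issues certificates; only CA_certif.crt is copied to the radius and 389 hosts.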
 
03-24-2010, 11:15 AM
Natr Brazell

RHDS and Radius Certificate

Thanks,

I'll keep working it.

N


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
