FreeNAC uses 'vmps' by default for identifying network devices, based on their MAC address. For stronger authentication look at 802.1x (which although not bullet proof, is a cryptographic authentication and more difficult to break).
This step is optional if you already have the standard FreeNAC running and don't need the additional security.
For a technical discussion of 802.1x, see the techguide chapter. This section covers some concrete use cases and how to get up and running with them:
For 802.1X support you need to have a RADIUS server installed. The one we use is FreeRadius because it provides a host of features that others don't.
There are several ways to get FreeRadius running. If you have the FreeNAC VM it is already included; otherwise you can compile from a tarball or install the binary packages as follows.
Ubuntu:
apt-get install freeradius
SuSE:
yast -i freeradius
By default, FreeRadius comes with a sample configuration file (radiusd.conf) which allows you to run your RADIUS server out-of-the-box. The location of the different configuration files is distribution dependent.
To test that you have a working server, as root type:
radiusd -xX
If in the end you see the following line
Info: Ready to process requests.
then your Radius server is working. Press Ctrl+C to stop the Radius server and enable FreeRadius as a service. Bear in mind that the name of the start-up script is distribution dependent.
Ubuntu:
update-rc.d freeradius defaults
SuSE:
chkconfig freeradius on
You need to define the switches that'll be contacting your Radius server. To do so, create a backup of your clients.conf file and edit it. The configuration files are probably in /etc/freeradius or /usr/local/etc/raddb or /etc/raddb.
cp clients.conf clients.conf.$$
vi clients.conf
Then add an entry for every switch you want to contact your server in the following form.
client 192.168.1.1 {
secret = whatever
shortname = my_switch
nastype = cisco
}
where secret is the string shared between your switch and the Radius server, used to encrypt and sign packets. It doesn't have to be the same for all your switches. shortname is your switch's identifier and is used for logging. nastype is the type of switch you are using; this field is optional.
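The stanza above is usually written by hand for one or two switches; with a larger fleet it is easy to end up with the placeholder secret or one secret copied to every switch, which means a single compromised switch can impersonate all the others towards the Radius server. The following Python script is an added example, not part of FreeNAC or FreeRadius: it generates a clients.conf in exactly the stanza form shown above with a fresh random secret per switch, and audits an existing file for placeholder or reused secrets. The switch inventory in SWITCHES is constructed for the example; the only real values it knows are the 'whatever' placeholder used above and 'testing123', the secret FreeRadius ships in its sample clients.conf.

```python
import ipaddress
import secrets

# Secrets that should never reach production: 'whatever' is the placeholder in
# the stanza above, 'testing123' is the secret in FreeRadius' sample clients.conf.
WEAK_SECRETS = {"whatever", "testing123", "secret", "password"}
MIN_SECRET_LEN = 16

# Constructed switch inventory (address, shortname, nastype); not from the page.
SWITCHES = [
    ("192.168.1.1", "my_switch", "cisco"),
    ("192.168.1.2", "second_switch", "cisco"),
]


def new_secret(nbytes=24):
    """Random URL-safe secret from the OS CSPRNG. One per switch, so a leaked
    secret only lets an attacker impersonate that single NAS."""
    return secrets.token_urlsafe(nbytes)


def check_secret(secret):
    """Return a description of the problem, or None if the secret is acceptable."""
    if secret.lower() in WEAK_SECRETS:
        return "well-known placeholder secret"
    if len(secret) < MIN_SECRET_LEN:
        return f"shorter than {MIN_SECRET_LEN} characters"
    if any(ch.isspace() for ch in secret):
        return "contains whitespace (breaks the unquoted stanza form)"
    return None


def client_block(address, shortname, secret, nastype=None):
    """Render one 'client' stanza in the form shown above; refuse bad input early."""
    ipaddress.ip_address(address)  # raises ValueError on a malformed address
    problem = check_secret(secret)
    if problem:
        raise ValueError(f"{shortname}: {problem}")
    lines = [f"client {address} {{", f"\tsecret = {secret}", f"\tshortname = {shortname}"]
    if nastype:
        lines.append(f"\tnastype = {nastype}")
    lines.append("}")
    return "\n".join(lines)


def render_clients_conf(switches):
    """Generate a whole clients.conf with a fresh secret per switch.
    Returns (text, {address: secret}) so the secrets can be pushed to the switches."""
    secret_by_address = {}
    blocks = []
    for address, shortname, nastype in switches:
        secret_by_address[address] = new_secret()
        blocks.append(client_block(address, shortname, secret_by_address[address], nastype))
    return "\n\n".join(blocks) + "\n", secret_by_address


def audit_clients_conf(text):
    """Parse stanzas of the form above and report weak or reused secrets."""
    findings = []
    seen = {}          # secret -> first address that used it
    current = None     # attributes of the stanza being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("client ") and line.endswith("{"):
            current = {"address": line[len("client "):-1].strip()}
        elif line == "}" and current is not None:
            secret = current.get("secret", "")
            problem = check_secret(secret)
            if problem:
                findings.append(f"{current['address']}: {problem}")
            if secret in seen:
                findings.append(f"{current['address']}: secret reused from {seen[secret]}")
            else:
                seen[secret] = current["address"]
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return findings


if __name__ == "__main__":
    conf, secret_map = render_clients_conf(SWITCHES)
    print(conf)
    print("findings:", audit_clients_conf(conf) or "none")
```

Run it once to print a generated clients.conf, or feed your existing file to audit_clients_conf() before restarting radiusd. Keep the returned secret map out of version control; it is the same material you will type into each switch's radius-server configuration.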
Create a backup of your radiusd.conf file and proceed to configure your radius server.
cp radiusd.conf radiusd.conf.$$
Below you'll find two common configuration scenarios for your Radius server.
This section describes how to configure FreeRadius to authenticate users in Active Directory.
To authenticate users in Active Directory, make sure you have the following installed in your system:
Create or modify the file smb.conf to include the following minimum configuration (change for your Windows environment)
[global]
    workgroup = domain
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = no
    password server = ads.domain.com
    realm = domain.com

[homes]
    comment = Home Directories
    browseable = No
    writable = yes
Presumably you already have a functioning Active Directory domain, and know how to run it. AD is very dependent on DNS (domain name system) so first you'll need to add an entry for your server in your DNS.
Once you've added this entry, we need to configure Kerberos. Edit the file krb5.conf and add the information about your domain to the realms section.
Your krb5.conf file should look like
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
default_domain = domain.com
kdc = ads.domain.com
admin_server = ads.domain.com
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Modify the lines
default_realm = DOMAIN.COM
DOMAIN.COM = {
default_domain = domain.com
and replace domain.com with your own domain. Mind the case: the realm name is upper-case, the DNS domain lower-case.
In the lines
kdc = ad.domain.com
admin_server = ad.domain.com
you specify your Active Directory domain server.
Clock synchronization is critical to the security of the Kerberos protocol.
If clocks are not synchronized within a reasonable window, Kerberos reports fatal errors and refuses to function.
Clients attempting to authenticate from a machine with an inaccurate clock are rejected by the KDC because of the difference from the KDC's own clock.
Ensure you have your clock properly configured. If you want to use an external source to synchronize your server use ntp.
The Network Time Protocol (NTP) is available for the time synchronization of servers.
Add the following entry to your crontab to synchronize the clock of your computer with an external time source (replace server with your time server):
#Time synchronization
0 0 * * * /usr/sbin/ntpdate server > /dev/null 2>&1
Save your changes. This entry synchronizes your clock with that of server every midnight.
Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down. So, add the entry for your Active Directory domain server in /etc/hosts.
192.168.1.1 ad.domain.com ad
Check that you get no error from typing
kinit Administrator
or with another user who has enough privileges to read from Active Directory.
This will ask you for the user's password. Make sure you know it beforehand.
Possible causes of error are:
Edit the file /etc/nsswitch.conf and add winbind at the end of the following lines:
passwd:
group:
protocols:
services:
netgroup:
automount:
If everything went ok, start Samba and verify that it started. Check for errors in the Samba log. If errors are present, check again your smb.conf file. Once Samba has started correctly, do:
net join
This will join you to the domain. You can verify that your computer has joined the domain by typing
klist
This should display valid Kerberos tickets and one of those is from your Active Directory domain server.
Now, change the group that the lock winbindd_privileged belongs to
chgrp radiusd /opt/samba/var/locks/winbindd_privileged
Adjust the path and the group according to your system.
This is done because we'll run FreeRadius as the radiusd user, and this user needs access to this lock in order to perform the authentication against the Windows domain.
Now change its permissions
chmod 750 /opt/samba/var/locks/winbindd_privileged
And start winbind
/etc/init.d/winbindd start
Verify that winbind is working. This command pulls a list of users from AD:
wbinfo -u
And check for errors in the winbindd log. If it started successfully, it will create another log file called log.wb-DOMAIN. Once we have winbindd running, activate both smbd and winbindd as services if they are not already activated.
All this has been done in order to get ntlm_auth to run. Try to authenticate with NTLM:
ntlm_auth --request-nt-key --domain=domain.com --username=Administrator
password:
NT_STATUS_OK: Success (0x0)
This success message indicates that Samba is properly configured to authenticate users against AD, which is what we need for FreeRadius.
Below are the relevant sections to configure in radiusd.conf
modules:
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
authorize:
    mschap
    eap
authenticate:
    Auth-Type MS-CHAP {
        mschap
    }
    eap
As a requirement for this section you need to have FreeRadius and FreeNAC installed and working.
Before starting to configure your Radius server, there is one step you need to perform: add the user that runs your Radius server to the freenac group, so that it can read the configuration file located at /opt/nac/etc/config.inc. In our system the FreeRadius server runs under the radiusd user, so:
usermod -a -G freenac radiusd
Find in your /opt/nac/etc/config.inc file the variable $vmps_servers and put there the IP addresses or hostnames of your FreeNAC servers like follows:
##Binding with FreeRadius
$vmps_servers = "freenac01, 192.168.201.201,freenac03";
Below are the relevant radiusd.conf sections to configure for MAC-Authentication Bypass:
modules:
    perl check_mac {
        module = "/opt/nac/bin/rad2vmps"
    }
authorize:
    # Enable MAC lookup via VMPS: collect request data from radius
    check_mac
authenticate:
    Auth-Type MAC-Auth-Bypass {
        check_mac
    }
post-auth:
    # Enable MAC lookup via VMPS: query vmps and assign vlan or deny
    check_mac
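In the configuration above the rad2vmps Perl module does two things: in authorize it pulls the MAC address out of the request, and in post-auth it queries VMPS and either assigns a VLAN or denies the port. The following Python is an added example, not FreeNAC's rad2vmps, that shows the decision logic end to end so the result of the module can be understood and unit-tested. It replaces the VMPS query with a constructed in-memory table (KNOWN_MACS, an assumption for the example), accepts the MAC formats switches commonly put in User-Name for MAC bypass, and cross-checks User-Name against Calling-Station-Id before returning the tunnel attributes a switch needs to place the port in a VLAN.

```python
import re

# Constructed MAC -> VLAN table standing in for the VMPS answer (assumption,
# not FreeNAC data). A MAC absent from the table is denied, not defaulted.
KNOWN_MACS = {
    "00:11:22:33:44:55": "users",
    "00:11:22:33:44:66": "printers",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise the MAC forms a switch may send in User-Name or
    Calling-Station-Id (001122334455, 00-11-22-33-44-55, 0011.2233.4455,
    00:11:22:33:44:55). Returns aa:bb:cc:dd:ee:ff, or None if it is not a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def lookup_vlan(mac):
    """Stand-in for the VMPS query: VLAN name for a known MAC, else None."""
    return KNOWN_MACS.get(mac)


def mab_decide(request):
    """Decide a MAC-bypass request. `request` is a dict of RADIUS attributes
    as the switch sent them. Returns (reply_code, reply_attributes)."""
    mac = normalize_mac(request.get("User-Name"))
    if mac is None:
        # Not a MAC at all: this request belongs to 802.1x/MS-CHAP, not to MAB.
        return "Access-Reject", {"Reply-Message": "User-Name is not a MAC address"}

    # Defensive check: the MAC the switch learned on the port must be the one
    # it put in User-Name; a mismatch is malformed and is logged, not accepted.
    calling = request.get("Calling-Station-Id")
    if calling and normalize_mac(calling) != mac:
        return "Access-Reject", {"Reply-Message": "User-Name/Calling-Station-Id mismatch"}

    vlan = lookup_vlan(mac)
    if vlan is None:
        return "Access-Reject", {"Reply-Message": f"unknown MAC {mac}"}

    # Standard tunnel attributes (RFC 3580) that tell the switch which VLAN
    # to assign to the port.
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    # Constructed sample requests, the first from a known printer, the second unknown.
    for req in (
        {"User-Name": "0011.2233.4466", "Calling-Station-Id": "00-11-22-33-44-66"},
        {"User-Name": "001122334477", "Calling-Station-Id": "00-11-22-33-44-77"},
    ):
        print(req["User-Name"], "->", mab_decide(req))
```

The rejection reasons are returned as Reply-Message so they land in the Radius log, which is where you will look when a device unexpectedly ends up denied; the three accept cases and the three reject cases are the ones worth keeping in a regression test whenever the lookup backend changes.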