Using the FreeNAC virtual machine with 802.1x
This virtual machine includes support for 802.1x, which provides stronger security. User authentication is performed against a Windows domain controller, so make sure you have one in place. If you don't, you can still enjoy fully functional LAN Access Control, since the VM is already configured for it. The default 802.1X configuration is intended to let you authenticate users against Active Directory, and then validate devices and assign them a VLAN.
Presumably you already have a functioning Active Directory domain and know how to run it. AD is very dependent on DNS (Domain Name System), so first you'll need to add an entry for your FreeNAC virtual machine in your DNS. Once you've added this entry, we need to configure Kerberos.
Clock synchronization is critical to the security of the Kerberos protocol. If clocks are not synchronized within a reasonable window, Kerberos reports fatal errors and refuses to function: the KDC rejects authentication attempts from any client whose clock differs too much from its own. This is why it is so important to have the clock of your virtual machine configured properly. This virtual machine is configured to use the Zurich timezone, so if you live in a different part of the globe, you'll need to change your timezone configuration.
Change directory to /usr/share/zoneinfo; here you will find one subdirectory per time zone region. Choose the most appropriate region; if you live in Canada or the US, this is the "America" directory.
If you wish, back up the previous timezone configuration by moving it to a different location, such as:
mv /etc/localtime /etc/localtime-old
Make a symbolic link from the file with the appropriate timezone to /etc/localtime:
ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
Then adjust the time of your virtual machine with the date command. The syntax is 'date MMDDhhmmYYYY'. So, if it is January 30 2010, 13:35, you type:
date 013013352010
This sets the right time for your computer. Verify that the time is correct by typing 'date' again with no parameters:
date
and it will display the time you set in the previous step.
The Network Time Protocol (NTP) is available for time synchronization of servers. Add an entry to your crontab to synchronize the clock of your virtual machine with an external time source:
crontab -e
A text editor will appear with some entries in it. The existing entries are required for the proper functioning of FreeNAC, so leave them in place. Add the following entry at the beginning of the file:
# Time synchronization
0 * * * * /usr/sbin/ntpdate -s server; /sbin/hwclock --systohc
Save your changes. This entry synchronizes your VM's clock hourly with that of server (replace server with the host name of your time source).
Then restart your VM.
Once it is up again, we need to modify the configuration files for Kerberos.
Edit /etc/krb5.conf. The provided krb5.conf file is as follows:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
default_domain = domain.com
kdc = ad.domain.com
admin_server = ad.domain.com
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Modify the lines
default_realm = DOMAIN.COM
DOMAIN.COM = {
default_domain = domain.com
replacing domain.com with your domain. Mind the case: the realm (DOMAIN.COM) is written in upper case and the DNS domain (domain.com) in lower case, exactly as in the provided file.
In the lines
kdc = ad.domain.com
admin_server = ad.domain.com
specify your Active Directory domain server.
Save your changes, and then check that you get no error from typing
kinit Administrator
It will prompt you for the Administrator password and create a ticket on your system.
If you get errors, check your /etc/krb5.conf file again.
Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file: it speeds up lookups and provides a fallback in case the DNS servers go down. So add an entry for your Active Directory domain server to /etc/hosts.
Sample:
192.168.1.1 ad.domain.com ad
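The krb5.conf and /etc/hosts edits described above, as an added example that is not part of the FreeNAC page: it derives both from a single AD domain name and applies the case rule the guide stresses (realm in upper case, DNS names in lower case). The domain and host names used are assumptions.

```shell
#!/bin/sh
# Added example (not from the FreeNAC page): render the krb5.conf file and the
# /etc/hosts line for the domain controller from one AD domain name, so the
# realm/domain case rule cannot be got wrong by hand-editing.

# Realm form of a domain: upper case (Kerberos realm names are case-sensitive).
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# DNS form of a domain or host name: lower case.
dns_of() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Render krb5.conf for domain $1 whose domain controller is host $2.
# Same layout as the provided file; only the domain-specific values change.
gen_krb5_conf() {
    realm=$(realm_of "$1"); domain=$(dns_of "$1"); kdc=$(dns_of "$2")
    cat <<EOF
[libdefaults]
default_realm = $realm
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
$realm = {
default_domain = $domain
kdc = $kdc
admin_server = $kdc
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
EOF
}

# Render the /etc/hosts line for the domain controller at address $1 with
# FQDN $2: "address fqdn shortname", the short name being the first label.
gen_hosts_line() {
    fqdn=$(dns_of "$2")
    printf '%s %s %s\n' "$1" "$fqdn" "${fqdn%%.*}"
}

# Usage (assumed sample values): write the files for an imaginary domain.
# gen_krb5_conf Example.Org AD.Example.Org > /etc/krb5.conf
# gen_hosts_line 192.168.1.1 AD.Example.Org >> /etc/hosts
```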
Once you have this part working, let's configure Samba.
Modify the file /opt/samba/lib/smb.conf. The provided smb.conf file is as follows:
[global]
workgroup = domain
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
password server = ads.domain.com
realm = domain.com
[homes]
comment = Home Directories
browseable = No
writable = yes
Modify the lines
workgroup = domain
password server = ads.domain.com
realm = domain.com
with the appropriate values for your domain. Then start Samba:
/etc/init.d/smbd start
Verify that it started:
ps aux | grep smbd
and check /opt/samba/var/log.smbd for errors. If errors are present, check your smb.conf file again. Once Samba has started correctly, run:
net join
This joins your VM to the domain. You can verify that your computer has joined the domain by typing
klist
This should display valid Kerberos tickets, one of which is from your Active Directory domain server.
Now start winbind:
/etc/init.d/winbindd start
Verify that winbind is working. This command pulls the list of users from AD:
wbinfo -u
and check /opt/samba/var/log.winbindd for errors. If it started successfully, it also creates a log file called log.wb-DOMAIN.
Once winbindd is running, enable both smbd and winbindd as services, so that they start automatically the next time you restart your VM:
chkconfig smbd on
chkconfig winbindd on
All of this was done to get ntlm_auth working.
Now let's try to authenticate with NTLM:
ntlm_auth --request-nt-key --domain=domain.com --username=Administrator
password:
NT_STATUS_OK: Success (0x0)
This success message indicates that Samba is properly configured to authenticate users against AD, which is what FreeRadius needs.
Now let's configure FreeRadius.
Modify the file /usr/local/etc/raddb/clients.conf and add the switches that will talk to this Radius server. Don't forget to specify the shared secret between this Radius server and each switch. The file contains plenty of examples of how to define an entry. You must define these entries; otherwise the Radius server will ignore the incoming requests.
Another configuration file you may want to modify is /usr/local/etc/raddb/eap.conf. The certificates referenced in this file are the ones shipped with FreeRadius. They are not intended for a production environment; you will need to create your own certificates later on. If you only want to perform tests, they will work.
The /usr/local/etc/raddb/radiusd.conf file is the main configuration file. As configured, it authenticates the username against your AD through ntlm_auth, then authenticates the device and assigns it a VLAN through the perl script /opt/nac/bin/rad2vmps. You don't need to modify anything; it is all set to start working right away.
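One way to generate the clients.conf switch entries described above, as an added example that is not part of the FreeNAC page or of FreeRadius: it renders one client block per switch and refuses shared secrets that are short or equal to the sample value shipped in the stock clients.conf. The switch names, addresses and the minimum secret length are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the FreeNAC page): render a clients.conf entry for a
# switch, checking the shared secret first. The keys client, ipaddr, secret
# and shortname are standard FreeRADIUS clients.conf keys; the 16-character
# minimum is an assumption of this example, not a FreeRADIUS requirement.

# Return 0 when secret $1 is acceptable: at least 16 characters and not the
# well-known sample secret ("testing123") found in the shipped clients.conf.
secret_ok() {
    [ "$1" != "testing123" ] && [ "${#1}" -ge 16 ]
}

# Print a clients.conf block for switch $1 at address $2 with secret $3.
# Prints nothing and returns non-zero if the secret is weak, so a bad
# secret never reaches the file.
gen_client() {
    secret_ok "$3" || return 1
    cat <<EOF
client $1 {
    ipaddr    = $2
    secret    = $3
    shortname = $1
}
EOF
}

# Usage (assumed sample values): append one entry per switch.
# gen_client sw-core-1 192.168.10.2 'Xk9v2LmQp7Rt4WzYb1' >> /usr/local/etc/raddb/clients.conf
```

Each switch must be configured with the same secret it has in this file, and the Radius server must be restarted after the file changes.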
Now run
/etc/init.d/radius debug
If the last line of the output is:
Ready to process requests.
your FreeRadius server is running properly. Now press Ctrl+C to interrupt it, and enable the service:
chkconfig radius on
And start the daemon:
/etc/init.d/radius start
The configuration of your VM is finished. You only need to configure your switches to speak 802.1X to your FreeRadius server and enable 802.1X on your computers.
If you have further questions, problems or comments, please post them in our forum.