
AAA Servers

FreeRADIUS, LDAP, and AD

FreeRADIUS
Authentication, Authorization, and Accounting
Can verify the user against LDAP, Kerberos, SQL, AD, etc.
Server-side certs are loaded during the install

Some important file locations


radiusd.conf is saved under /usr/local/etc/raddb
eap.conf is where PEAP and TLS are enabled
radius.log under the /var/log/freeradius directory contains the log
Certs are located at /etc/raddb/certs

Allow ZD as client
Configure clients.conf
# Here, we specify which network we're serving
client 192.168.0.2/32 {
    # This is the shared secret between the Authenticator (the
    # access point) and the Authentication Server (RADIUS).
    secret    = SharedSecretZD
    shortname = testnet
}

Specify user database


radiusd.conf should be set up like below

Supported auth methods


By default:
    PAP, CHAP, MS-CHAP, EAP-MD5, EAP-MSCHAPv2, Cisco LEAP
If you disable server cert validation on the supplicant:
    PEAPv0 (EAP-GTC, EAP-MSCHAPv2)
    EAP-TTLS (PAP, CHAP, MS-CHAP, EAP-MD5, EAP-MSCHAPv2)

Common problems
Client can connect but ZD can't verify the same credentials
Customer might be using AD. We use PAP as an authentication method, which is not supported by default. In the AD, check the checkbox for PAP and test again.

Client fails to connect but ZD is OK


Make sure EAP is also checked (not just PAP)

Client fails to connect (contd)


Make sure server side cert verification is unchecked if the server is using self-generated default certs

Client fails to connect (contd)


Alternatively, load the non-trusted CA cert both on the RADIUS server as well as on the clients

PEAP, TTLS, and TLS comparison


                               PEAP               EAP-TTLS                    EAP-TLS
Server Authentication          certificate        certificate                 certificate
Client Authentication          Any EAP method     Any Authentication method   certificate
User identity protection       Yes, TLS           Yes, TLS                    No
Cipher-Session Negotiation     No                 Yes                         No
EAP Attacks: Session hijacking,
Man-in-the-middle, Dictionary
attack                         Protected (TLS)    Protected (TLS)             Protected (TLS)

Packet capture example 1

Packet capture example 2

Opportunistic PMK Caching


WLAN should be configured to use WPA2
"Enable Fast Reconnect" should be checked on the client
Client skips the entire EAP authentication process (beginning with EAPOW-Start), so there is really no authenticator (ZD) to auth server exchange
Client sends the PMK ID inside the authentication response to the original AP and proceeds to the 4-way handshake
OKC: Client starts by sending the PMK ID inside the authentication response to the roam-to AP and proceeds to the 4-way handshake
OKC: BG scanning should be enabled on the ZD
OKC: Client should maintain its IP within the same subnet while roaming (use VLANs)

Machine authentication
Gives a wired-like experience
Useful for schools, since the credentials of all students cannot be cached

Microsoft NPS
IAS equivalent on Windows Server 2008 and above
Microsoft supports migration from IAS
Enables client health check before allowing access
NPS = IAS + Microsoft equivalent of NAP
    Checks anti-virus presence
    Checks whether the firewall is enabled or not
    Checks OS patch level

Can act as RADIUS proxy too
Lot of policies - separate network policies for all three types (NPS capable and compliant, NPS capable and non-compliant, and NPS non-capable)
Policies are checked in a sequential order

3 different policies

Health check enforcement before allowing access
Device that connects to NPS: typically, the ZD.

Who can connect?

Dynamic VLANs
RADIUS can be configured to specify a different VLAN for each client (or for different user groups)
ZD will learn the VLAN ID from the RADIUS Access-Accept message
The RADIUS returned value will override the ZD's setting
AP should be connected to a trunk port
Currently only 802.1X WLANs are supported
Helps to minimise broadcast domains
Helps to isolate client traffic into separate network segments
wlanX will have a separate group key for each broadcast domain (VLAN-specific group keys)

Dynamic VLAN configuration IAS/NPS

Dynamic VLAN configuration - FreeRADIUS


client_mac_address:
    Tunnel-Type = VLAN,                  (required)
    Tunnel-Medium-Type = IEEE-802,       (required)
    Tunnel-Private-Group-ID = 100,       (required)
    User-Name = name                     (optional)
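The following is an added example, not code from the slides or from Ruckus or FreeRADIUS: it builds the Access-Accept that the users-file entry above produces (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 100, encoded per RFC 2868 with a tag byte) and then does what the authenticator (ZD) side must do before acting on it: check the Response Authenticator against the shared secret from clients.conf (RFC 2865) and pull the VLAN ID out of the attributes. All names, the secret "SharedSecretZD", the packet identifier and the Request Authenticator are constructed for the example; the attribute numbers and constants come from the RFCs.

```python
import hashlib
import hmac
import os
import struct

# Constructed example value (not from the slides); the RADIUS server side
# would hold the same string in its clients.conf entry for the ZD.
SHARED_SECRET = b"SharedSecretZD"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Attribute numbers and values from RFC 2868 (tunnel attributes)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def tagged_int_attr(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte then a 3-byte big-endian value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string_attr(attr_type, value, tag=0):
    """RFC 2868 tagged string: one tag byte then the string itself."""
    body = bytes([tag]) + value.encode()
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id):
    """The three attributes the users-file entry above returns for a dynamic VLAN."""
    return (tagged_int_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def build_access_accept(identifier, request_authenticator, attributes, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Authenticator (ZD) side: reject replies that were not keyed with the shared secret."""
    if len(packet) < 20:
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data):
    """Walk the Type/Length/Value list; a bad length is treated as malformed."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def vlan_from_access_accept(packet, request_authenticator, secret):
    """Return the VLAN ID the client should be placed in, or None if none was sent."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is string data, not a tag
            found[attr_type] = (value[1:] if value and value[0] <= 0x1F else value).decode()
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and group is not None and group.isdigit()):
        return int(group)
    return None


if __name__ == "__main__":
    # The authenticator picks a fresh random Request Authenticator per Access-Request
    req_auth = os.urandom(16)
    reply = build_access_accept(0x2A, req_auth, vlan_attributes(100), SHARED_SECRET)
    print("VLAN from Access-Accept:", vlan_from_access_accept(reply, req_auth, SHARED_SECRET))
```

The check in verify_response is the reason the clients.conf secret matters: a reply whose Response Authenticator does not match is discarded rather than trusted, so a VLAN assignment can only come from a server that holds the same secret. Missing or inconsistent tunnel attributes return None, which is the case where the ZD falls back to its own WLAN VLAN setting.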

RADIUS attributes
Interaction goes between the authenticator and the RADIUS server
Two types: authentication attributes and accounting attributes (start, interim update, and stop)
WLAN type specific (e.g., WISPr-specific attributes)
More info is at https://ruckuswirelessmain.pbworks.com/w/page/174834/RadiusAttributes

LDAP
Hierarchical directory of objects with associated attributes
Supports simple authentication (aka simple bind)
Enter IP, Base, and Admin DN details in the ZD
DN = distinguished name (what it means is, unique identifier)
Base and Admin DNs specify the path for user and admin accounts
Specify the Admin DN if the server requires it for the user db search
Key Attribute is what you want to search on: username/mail/telephoneNumber

LDAP Hierarchy

LDAP Configuration
DNs are built from bottom to top in a hierarchy (each level is separated by a comma)
Base DN:  dc=mhs-xserve,dc=minarets,dc=org
Admin DN: uid=diradmin,cn=users,dc=mhs-xserve,dc=minarets,dc=org
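As an added example (not from the slides and not ZD code), the DN handling described above carried through in Python: splitting a DN into its comma-separated RDN levels, building one back up bottom-to-top, and checking that an Admin DN actually sits under the configured Base DN, which is the first thing to verify when a ZD LDAP bind or search fails. Only the RFC 4514 backslash escape for commas is handled; the DNs used are the ones from the slide plus a constructed value containing a comma.

```python
def split_dn(dn):
    """Split a DN at unescaped commas; a backslash escapes the next character."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def parse_dn(dn):
    """Return [(attribute, value), ...] from the most specific level (left) to the root (right)."""
    rdns = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Attribute names are case-insensitive; only the comma escape is undone here
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def build_dn(rdns):
    """Join components bottom-to-top, escaping commas inside values."""
    return ",".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in rdns)


def is_under(dn, base_dn):
    """True if dn lies strictly below base_dn (the base is a proper suffix of dn)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


if __name__ == "__main__":
    base = "dc=mhs-xserve,dc=minarets,dc=org"
    admin = "uid=diradmin,cn=users,dc=mhs-xserve,dc=minarets,dc=org"
    print(parse_dn(admin))
    print("admin under base:", is_under(admin, base))
```

A search with the Key Attribute (uid, mail, telephoneNumber) runs below the Base DN, so an Admin DN outside that base, or a base typed with levels in the wrong order, fails is_under and is worth catching before the bind is attempted.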
