For this lab we will be focusing on wired networks and will be attempting to address the problem of visiting employees from Company A plugging their equipment into Company B's infrastructure: with 802.1X enabled on the switch ports, a device only gets network access once its user has authenticated against the domain.
To start we will need the following components:
- A client machine running Windows 7 / 10 (192.168.20.2/24)
- A Cisco 2960 switch with IOS > 15 (192.168.20.1/24)
- A Linux box running FreeRADIUS (192.168.20.254/24)
Switch
So let's firstly look at the switch portion - we'll configure dot1x and RADIUS on the switch (the RADIUS server is the FreeRADIUS box at 192.168.20.254, not the client; the key is the shared secret that must match the entry in the server's clients.conf):
conf t
aaa new-model
radius server dot1x-auth-serv
 address ipv4 192.168.20.254 auth-port 1812 acct-port 1813
 timeout 3
 key <sharedkey>
 exit
aaa group server radius dot1x-auth
 server name dot1x-auth-serv
 exit
aaa authentication dot1x default group dot1x-auth
aaa accounting dot1x default start-stop group dot1x-auth
aaa authorization network default group dot1x-auth
and proceed by enabling dot1x:
dot1x system-auth-control
and we'll then enable it on the relevant ports:
int range gi0/1-5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 end
FreeRADIUS Server
We'll continue on the server by installing radiusd:
sudo yum install freeradius
and then use samba to communicate with the domain:
sudo yum install samba samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
(We are not actually setting up a samba server - instead just using some of the tools that are provided with it!)
vi /etc/samba/smb.conf
[global]
workgroup = <domain-name>
security = user
winbind use default domain = no
password server = <ad-server>
realm = <domain-name>
#passdb backend = tdbsam
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
and then edit the kerberos configuration:
vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# realm names are case-sensitive; the AD realm is the domain name in upper case
default_realm = DOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = pdc.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
and then modify the NSS configuration to ensure that user and group lookups are performed via winbind:
vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind
Ensure Samba and winbind start on boot, then restart the system:
sudo systemctl enable smb
sudo systemctl enable winbind
sudo shutdown -r now
Now join the domain with:
net join -U <admin-user>
and attempt to authenticate as a domain user with:
wbinfo -a <username>%<password>
should return something like:
Could not authenticate user user%pass with plaintext password
challenge/response password authentication succeeded
We also need to ensure NTLM authentication works, as this is what FreeRADIUS uses: its mschap module hands the MS-CHAPv2 challenge/response to ntlm_auth, which asks winbind to validate it against the domain:
ntlm_auth --request-nt-key --domain=<domain-name> --username=<username>
should return:
NT_STATUS_OK: Success (0x0)
(Providing the account is in good order e.g. not locked etc.)
The 'ntlm_auth' program needs access to winbind's privileged pipe directory ('winbind_privileged'), so we should ensure that the user the RADIUS server runs as (radiusd) is a member of the 'wbpriv' group:
usermod -a -G wbpriv radiusd
and then proceed to install and setup freeradius:
sudo yum install freeradius
sudo systemctl enable radiusd
mv /etc/raddb/clients.conf /etc/raddb/clients.conf.orig
vi /etc/raddb/clients.conf
and add the following:
client <switch-ip> {
secret = <secret-key>
shortname = <switch-ip>
nastype = cisco
}
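As an added example (not part of the original post), the following Python shows what the shared secret configured on the switch ('key') and in clients.conf ('secret =') actually protects: the Message-Authenticator on the Access-Request that FreeRADIUS checks, and the Response Authenticator the switch recomputes before it trusts an Access-Accept. The secret, user name, NAS address and request authenticator are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; in the lab it is the value of the switch "key"
# line and the matching "secret =" entry in clients.conf.
SHARED_SECRET = b"constructed-demo-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 4, 80

def _attr(atype, value):
    """One attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _packet(code, ident, auth, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def build_access_request(ident, user, nas_ip, secret, req_auth):
    """NAS side: Access-Request with a Message-Authenticator (RFC 2869), an HMAC-MD5
    keyed by the secret over the packet with that attribute's value zeroed."""
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(ATTR_NAS_IP, nas_ip)
    attrs += _attr(ATTR_MSG_AUTH, bytes(16))
    mac = hmac.new(secret, _packet(ACCESS_REQUEST, ident, req_auth, attrs), hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs[:-16] + mac)

def verify_message_authenticator(packet, secret):
    """Server side: find attribute 80, zero it, recompute the HMAC and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False  # malformed attribute, never loop forever on it
        if atype == ATTR_MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator at all: reject

def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator before trusting an Access-Accept;
    a secret mismatch on either end makes every reply fail here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

In the lab a mistyped secret shows up exactly as this check failing: the switch logs the server as unresponsive or the request as rejected even though FreeRADIUS answered.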
We'll now configure mschap:
vi /etc/raddb/mods-enabled/mschap
and ensure the following is set:
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
and the EAP configuration:
sudo vi /etc/raddb/mods-available/eap
Search for the following line:
tls-config tls-common
and uncomment:
random_file = /dev/urandom
Make sure your firewall is set up correctly, allowing RADIUS authentication (1812/udp) and accounting (1813/udp) in from the switch:
sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1813 -j ACCEPT
and then test the configuration by running FreeRADIUS in the foreground in debug mode, which prints each request and the result of the ntlm_auth call:
sudo radiusd -XXX
Then on the Windows 7 / 10 client workstation ensure that the 'Wired AutoConfig' service has been started (and has also been set to 'Automatic'.)
On the relevant NIC properties ensure that 'Enable 802.1X authentication' has been enabled:
Within Windows 10 you should not need to perform this - however it's always best to check the defaults just in case!
Click 'Configure...' next to 'Secured password (EAP-MSCHAP v2)' and ensure that 'Automatically use my Windows logon name and password' is ticked.
Finally hit 'OK' and back on the 'Authentication' tab - click on 'Additional settings...' and ensure 'Specify authentication mode' is ticked and is set to 'User authentication'.
We can now attempt to plug the client into the switch and with any luck we will obtain network access!
Sources
https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client
http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto