Radius authentication


Radius authentication

Johann Spies
I am new to this list and new to nufw.  We are investigating the
possibility of replacing Checkpoint FW-1 with NuFw.

We want to authenticate users using radius and we have 25000 potential
users for this setup.

Our users pay for internet traffic and some of them use a
pay-as-you-go system.  In such cases the internet sessions should be
stopped when the credits are all used up.

I have read through the howto to install nufw and set it up for a test
environment and my first problem is that I do not know how to set it
up to authenticate against our radius server using libpam-nufw.

Maybe I must ask the question here:  Am I on the right track trying
out NuFW or should I look further?

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Whether therefore ye eat, or drink, or whatsoever ye
      do, do all to the glory of God."    
                                  I Corinthians 10:31


_______________________________________________
Nufw-users mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/nufw-users

Re: Radius authentication

Eric Leblond-3
Hello,

On Friday, 2008 June 13 at 15:54:06 +0200, Johann Spies wrote:

> I am new to this list and new to nufw.  We are investigating the
> possibility of replacing Checkpoint FW-1 with NuFw.
>
> We want to authenticate users using radius and we have 25000 potential
> users for this setup.
>
> Our users pay for internet traffic and some of them use a
> pay-as-you-go system.  In such cases the internet sessions should be
> stopped when the credits are all used up.
>
> I have read through the howto to install nufw and set it up for a test
> environment and my first problem is that I do not know how to set it
> up to authenticate against our radius server using libpam-nufw.
libpam-nufw is a transparent NuFW client for Unixes.

To authenticate against radius, you need to configure nuauth to use the
"system" authentication module. Once it is done, you will have to
configure PAM to authenticate against radius:
 * nuauth and PAM configuration: http://www.nufw.org/docs/howto22/x668.html#AEN670
 * Howto PAM radius: http://www.wikidsystems.com/documentation/howtos/pamradius

> Maybe I must ask the question here:  Am I on the right track trying
> out NuFW or should I look further?

It seems ok but you may give us more details.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/


Re: Radius authentication

Johann Spies
On Fri, Jun 13, 2008 at 04:43:19PM +0200, Eric Leblond wrote:

> libpam-nufw is a transparent NuFW client for Unixes.
>
> To authenticate against radius, you need to configure nuauth to use the
> "system" authentication module. Once it is done, you will have to
> configure PAM to authenticate against radius:
>  * nuauth and PAM configuration: http://www.nufw.org/docs/howto22/x668.html#AEN670
>  * Howto PAM radius: http://www.wikidsystems.com/documentation/howtos/pamradius

Thanks for your reply.  I made some progress with the help of these
two links as well as some others.

What I have done so far (This is a Debian Stable server):

* installed libpam-radius-auth
* compiled and installed nufw 2.2.15 from Debian Testing
* Have the following in
  - /etc/nufw/nuauth.conf
    nuauth_user_check_module="system"
    nuauth_acl_check_module="plaintext"

    I don't understand what the second of these two lines is doing.

  - /etc/pam_radius_auth.conf
    <server>      <secret>    4

  - /etc/pam.d/common_auth
    auth    sufficient     /lib/security/pam_radius_auth.so
    auth    required        pam_unix.so nullok_secure

Now my questions and problems:

1. Is it necessary to configure nsswitch.conf?  Why or why not?
2. The following happens:
   $ sudo nuauth -vvvvvvvv
   ** Message: [7] debug_level is 8
   ** Message: [+] Starting nuauth 2.2.15 ($Revision: 4601 $) with config /etc/nufw//nuauth.conf

   ** ERROR **: Unable to load module nuprelude in /usr/lib/nuauth/modules
   aborting...
   Aborted

> > Maybe I must ask the question here:  Am I on the right track trying
> > out NuFW or should I look further?
>
> It seems ok but you may give us more details.

What type of details do you need?

Here are a few:

* At the moment we have FW-1 on two firewall servers and a management
  server clustered by Rainwall.
* Users authenticate against the firewall from a radius server when
  they want to use the internet. They pay for the bandwidth they use.
* Some users use a pay-as-you-go method of payment and we should be
  able to monitor their usage in real time.  
* We need both IP-address and username to do proper accounting.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Many are the afflictions of the righteous; but the
      LORD delivereth him out of them all."      
                                   Psalms 34:19



Re: Radius authentication

Eric Leblond-2
Hello,

On Tuesday, 2008 June 17 at 10:59:50 +0200, Johann Spies wrote:

> On Fri, Jun 13, 2008 at 04:43:19PM +0200, Eric Leblond wrote:
>
> > libpam-nufw is a transparent NuFW client for Unixes.
> >
> > To authenticate against radius, you need to configure nuauth to use the
> > "system" authentication module. Once it is done, you will have to
> > configure PAM to authenticate against radius:
> >  * nuauth and PAM configuration: http://www.nufw.org/docs/howto22/x668.html#AEN670
> >  * Howto PAM radius: http://www.wikidsystems.com/documentation/howtos/pamradius
>
> Thanks for your reply.  I made some progress with the help of these
> two links as well as some others.
>
> What I have done so far (This is a Debian Stable server):
>
> * installed libpam-radius-auth
> * compiled and installed nufw 2.2.15 from Debian Testing
> * Have the following in
>   - /etc/nufw/nuauth.conf
>     nuauth_user_check_module="system"
>     nuauth_acl_check_module="plaintext"
>
>     I don't understand what the second of these two lines is doing.

This tells nuauth to use the storage of ACLs in plaintext format. It will
read a file on the computer.

>
>   - /etc/pam_radius_auth.conf
>     <server>      <secret>    4
>
>   - /etc/pam.d/common_auth
>     auth    sufficient     /lib/security/pam_radius_auth.so
>     auth    required        pam_unix.so nullok_secure
>
> Now my questions and problems:
>
> 1. Is it necessary to configure nsswitch.conf?  Why or why not?

There is a problem here because you cannot get the userid and user groups
from radius. I did a quick search on nss radius and I did not find
anything. A solution could be to directly act on the backend after
authentication...

> 2. The following happens:
>    $ sudo nuauth -vvvvvvvv
>    ** Message: [7] debug_level is 8
>    ** Message: [+] Starting nuauth 2.2.15 ($Revision: 4601 $) with config /etc/nufw//nuauth.conf
>
>    ** ERROR **: Unable to load module nuprelude in /usr/lib/nuauth/modules
>    aborting...
>    Aborted

Hmmm, bad configuration file in Debian testing. Simply search for
nuprelude in /etc/nufw//nuauth.conf and suppress the reference to
nuprelude in the uncommented line.

>
> > > Maybe I must ask the question here:  Am I on the right track trying
> > > out NuFW or should I look further?
> >
> > It seems ok but you may give us more details.
>
> What type of details do you need?
>
> Here are a few:
>
> * At the moment we have FW-1 on two firewall servers and a management
>   server clustered by Rainwall.
> * Users authenticate against the firewall from a radius server when
>   they want to use the internet. They pay for the bandwidth they use.
> * Some users use a pay-as-you-go method of payment and we should be
>   able to monitor their usage in real time.  
> * We need both IP-address and username to do proper accounting.

OK, it seems fine for NuFW usage. The main issue could be if your users
are NATed before reaching the firewall. In this case, NuFW will not be
able to authenticate the packets.

BR,
--
Eric Leblond <[hidden email]>
NuFW, Now User Filtering Works : http://www.nufw.org



Re: Radius authentication

Johann Spies
Hallo Eric,



> Hmmm, bad configuration file in Debian testing. Simply search for
> nuprelude in /etc/nufw//nuauth.conf and suppress the reference to
> nuprelude in the uncommented line.

Thanks. With your help that one was easy to sort out.

Now the next problem:

When I try to authenticate as a radius user (jspies) who does not have
a local account the following happens:

** Message: [7] [+] NuAuth is waiting for NuFW connections.
** Message: [7] NuFW TLS Handshaking (last error: 0)
** Message: Authentification error: SASL error: invalid credentials (username or password)
** Message: Authentification error: user: jspies@nufw from 127.0.0.1
** (port 46910), protocol version 4

When I create the user 'jspies' and do the same I get:

** Message: [6] [+] User "jspies" connected, groups: 1003
** Message: [8] Going to init PostgreSQL connection.
** Message: [8] PostgreSQL init done
** Message: [7] NuFW TLS Handshaking (last error: 0)

I have to be able to authenticate non-local users.  How do I do that?

Regards
Johann

--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch
     "Many are the afflictions of the righteous; but the
      LORD delivereth him out of them all."      
                                   Psalms 34:19



Re: Radius authentication

Johann Spies
In reply to this post by Eric Leblond-2
Eric,

I am making no progress.  If you can help me to understand a few
things I will appreciate it:

1. How many subscribers are on this list?
2. If I use radius authentication, what role does ldap play when using
   nufw?
3. I have the following now:

   /etc/common-auth
   auth    required        pam_unix.so nullok_secure

   /etc/nuauth
   @include common-auth
   auth    required      /lib/security/pam_env.so
   auth    sufficient     /lib/security/pam_radius_auth.so
   auth    required      /lib/security/pam_deny.so

   And I now get the following when I try to authenticate a non-local user:

** Message: Starting SASL negotiation: user not found
** Message: Authentification error: SASL error: invalid credentials (username or password)
** Message: Authentification error: user: jspies@nufw from 127.0.0.1 (port 49279), protocol version 4


   How do I get around this?

Regards
Johann  
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Jesus said unto her, I am the resurrection, and the
      life; he that believeth in me, though he were dead,
      yet shall he live."                 John 11:25



Re: Radius authentication

Eric Leblond-2
Hello,

On Wednesday, 2008 June 18 at 10:46:09 +0200, Johann Spies wrote:
> Eric,
>
> I am making no progress.  If you can help me to understand a few
> things I will appreciate it:
>
> 1. How many subscribers are on this list?

Active or inactive...

> 2. If I use radius authentication, what role does ldap play when using
>    nufw?

NuFW needs the userid and user groups to be able to filter. The issue is
that radius does not provide this. You thus need another method to
access this information. That's why I was suggesting to use LDAP
(which is often a backend for Radius) to fetch the userid and user groups.
If you are using a different backend, you may try to configure NSS to
use this backend.

If you don't need to differentiate users and only want to do accounting
and logging stuff, we could think of a fallback method where users will
be in the same default group.

BR,
--
Eric Leblond <[hidden email]>
NuFW, Now User Filtering Works : http://www.nufw.org
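The two PAM stacks quoted earlier in this thread, together with the uid/group problem Eric describes, as an added example that is not NuFW's or the list's own code: it evaluates an auth stack under the Linux-PAM control-flag rules (required, requisite, sufficient) and then models nuauth's "system" module needing a uid and groups from NSS once PAM has succeeded. The account tables, the module names as dictionary keys, and the functions evaluate_stack and system_module_login are constructed for this example, and the lookup-after-PAM step is an assumption about how the system module resolves identity, not a description of nuauth's internals.

```python
# Added example: model of Linux-PAM "auth" stack evaluation plus the uid/group
# lookup nuauth's "system" module needs. Control flags follow pam.conf(5);
# the NSS lookup step after PAM is an assumption, not nuauth's real code path.

# Constructed sample accounts (not real credentials).
LOCAL_PASSWD = {"root": "local-secret"}      # what pam_unix checks
RADIUS_USERS = {"jspies": "radius-secret"}   # what pam_radius_auth checks
NSS_PASSWD = {"root": (0, [0])}              # uid, gids resolvable via NSS

MODULES = {
    "pam_unix": lambda u, p: LOCAL_PASSWD.get(u) == p,
    "pam_radius_auth": lambda u, p: RADIUS_USERS.get(u) == p,
    "pam_env": lambda u, p: True,    # sets environment, never fails auth
    "pam_deny": lambda u, p: False,  # always fails
}

def evaluate_stack(stack, user, password):
    """Evaluate [(control, module), ...] as Linux-PAM does; return (ok, trace)."""
    required_failed = False
    trace = []
    for control, name in stack:
        ok = MODULES[name](user, password)
        trace.append(f"{control} {name}: {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, trace          # stop at once
        if control == "required" and not ok:
            required_failed = True       # keep running, final result is failure
        if control == "sufficient" and ok and not required_failed:
            return True, trace           # short-circuit success
    return not required_failed, trace

def system_module_login(stack, user, password):
    """PAM first, then NSS: RADIUS alone yields no uid/groups to filter on."""
    ok, _ = evaluate_stack(stack, user, password)
    if not ok:
        return "invalid credentials"
    if user not in NSS_PASSWD:
        return "authenticated but no uid/groups"
    uid, gids = NSS_PASSWD[user]
    return f"connected uid={uid} groups={gids}"

# Stack from the first attempt: RADIUS is tried before the local password.
RADIUS_FIRST = [("sufficient", "pam_radius_auth"), ("required", "pam_unix")]
# Stack from the later attempt: "@include common-auth" puts a required pam_unix
# ahead of the sufficient RADIUS module, and a required pam_deny closes the
# stack, so under these rules no user at all can pass it.
UNIX_FIRST = [("required", "pam_unix"), ("required", "pam_env"),
              ("sufficient", "pam_radius_auth"), ("required", "pam_deny")]
```

Call system_module_login with each stack and the two constructed users to see the three outcomes; the trace returned by evaluate_stack shows which module decided the result.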



Re: Radius authentication

Johann Spies
On Wed, Jun 18, 2008 at 11:21:12AM +0200, Eric Leblond wrote:

> Hello,
>
> On Wednesday, 2008 June 18 at 10:46:09 +0200, Johann Spies wrote:
> > Eric,
> >
> > I am making no progress.  If you can help me to understand a few
> > things I will appreciate it:
> >
> > 1. How many subscribers are on this list?
>
> Active or inactive...

I use mailing lists as a support base and, when I can, to help others.
So far you were the only one answering my questions...


> > 2. If I use radius authentication, what role does ldap play when using
> >    nufw?
>
> NuFW needs the userid and user groups to be able to filter. The issue is
> that radius does not provide this. You thus need another method to
> access this information. That's why I was suggesting to use LDAP
> (which is often a backend for Radius) to fetch the userid and user groups.
> If you are using a different backend, you may try to configure NSS to
> use this backend.
>
> If you don't need to differentiate users and only want to do accounting
> and logging stuff, we could think of a fallback method where users will
> be in the same default group.

I was beginning to think in this direction.  Thanks for your answer.
It helps me to get some direction until the next question pops up.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Jesus said unto her, I am the resurrection, and the
      life; he that believeth in me, though he were dead,
      yet shall he live."                 John 11:25

