VPN Single SignOn with Samba AD: Difference between revisions

From SambaWiki

Revision as of 15:32, 15 April 2010

Creating a Single Sign-on VPN with Samba4 on Ubuntu/Debian Server

These instructions are pretty rough, but they "worked for me" and I hope they give others some guidance. I've tried to go into as much detail as possible (painfully so), but I'm sure there are things I'm missing. Please expand upon this HOWTO if you find errors.

Overview

1. The purpose of this guide is to provide step-by-step guidelines for creating an L2TP VPN server that is fully integrated with the Samba4 server.

Network Topology

2. Before we go over how to actually build and configure the VPN server, we first need to understand our network topology. Basically, our network consists of a Layer 2 switch, a firewall server (which in our case is also the network gateway), one Samba4 Domain Controller and one or more Linux/Windows user machines.


                         NetID                                  --------- Windows XP - 172.16.0.10/24
                     172.16.0.0/24                             /
                         ------                   --------    /
                        |      |                 |        |  /
                        |      |                 |        | /
 Internet----Public-IP--|  FW  |--172.16.0.1/24--| Switch | ------------- Samba4 DC - 172.16.0.2/24
                        |      |                 |        | \
                        |      |                 |        |  \
                         ------                   --------    \
                                                               \
                                                                ---------- Fedora Linux - 172.16.0.50/24
      

Please note that the Domain Controller (Samba4) can also be configured on the firewall itself, but this is strongly discouraged for security reasons.

Install & Configure Your Samba4 Domain Controller

4. This guide assumes you have one or more Samba4 Domain Controllers running in your network. For the purpose of this guide, I will refer to our Domain Controller host name as "DC.Domain.Local" and our domain name as "Domain.Local". If you are unfamiliar with how to install Samba4 on Debian/Ubuntu Server, please see here.

Please note that if you want to use MS-CHAP or MS-CHAPv2 authentication, you will have to configure the winbind service before continuing.

Install & Configure a Radius Server

5. Once you have a Samba4 server up and running, our next step is to install and configure a RADIUS server as an alternative to Microsoft IAS or NPS.
There are plenty of RADIUS implementations in the open source community, but I truly recommend going with FreeRADIUS.

Please note that in our example the FreeRADIUS software is installed on our firewall server. It is also possible to install it on the Domain Controller, but since Samba4 is still considered alpha, I strongly recommend keeping the DC as close to a stock installation as possible, which will make updates and software upgrades easier.

6. Install the FreeRADIUS software on your Ubuntu/Debian server:

sudo apt-get install freeradius freeradius-common freeradius-krb5 freeradius-ldap freeradius-utils

7. Configure the RADIUS server parameters in /etc/freeradius/radiusd.conf as follows:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
       type = auth
       ipaddr = 172.16.0.1
       port = 0
       interface = eth0
}
listen {
       type = auth
       ipaddr = 127.0.0.1
       port = 0
       interface = lo
}
listen {
       type = acct
       ipaddr = 172.16.0.1
       port = 0
       interface = eth0
}
listen {
       type = acct
       ipaddr = 127.0.0.1
       port = 0
       interface = lo
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes

log {
       destination = files
       file = ${logdir}/radius.log
       syslog_facility = daemon
       stripped_names = no
       auth = no
       auth_badpass = no
       auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
       max_attributes = 200
       reject_delay = 1
       status_server = yes
}
proxy_requests  = no
$INCLUDE clients.conf
thread pool {
       start_servers = 5
       max_servers = 32
       min_spare_servers = 3
       max_spare_servers = 10
       max_requests_per_server = 0
}
modules {
       $INCLUDE ${confdir}/modules/
} 
instantiate {
       exec
       expr
       expiration
       logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

Basically, what we have done here is to make the RADIUS service bind to our main network interface (eth0 in my example) and to configure the types of packets it listens for (type = acct and type = auth).

If you install this service on the Domain Controller, make sure to change ipaddr to your DC's IP address.

8. Now we need to configure which clients can use the RADIUS service. This is done in the /etc/freeradius/clients.conf file. Please note that since in our example we have installed FreeRADIUS on the firewall server itself, the L2TP service (which we will define later) connects to the RADIUS service via localhost, so basically there is nothing to do here except changing the default RADIUS client secret.

client localhost {
       ipaddr = 127.0.0.1
       netmask = 32
       secret          = samba4
       shortname       = localhost
}

However, if you have installed the FreeRADIUS server on the DC machine, then you will have to define the FW server as a RADIUS client:

client 172.16.0.1 {
       secret      = samba4
       shortname   = fw
       nastype     = other
}

It is also good advice to define an additional client here for debugging purposes. We will use it later, when we test whether our RADIUS server can authenticate against the Samba4 Domain Controller.


9. Our next step is to disable the inner tunnel requests for the EAP-TTLS and PEAP types on the RADIUS server. This is easily done by deleting the inner-tunnel file in the /etc/freeradius/sites-enabled folder.

sudo rm -rf /etc/freeradius/sites-enabled/inner-tunnel

10. Our last task is to configure the FreeRADIUS modules. There is at least one relevant module which needs to be configured, the LDAP module. If you are interested in doing MS-CHAP/MS-CHAPv2 authentication, then some additional changes need to be made to the mschap module.

Let's start by configuring the LDAP module. You will have to edit it and change the required parameters to reflect your own configuration, such as the identity parameter (the user that binds to the LDAP server) and the basedn (which in our example is DC=Domain,DC=Local). The most important parameter is access_attr = "msNPAllowDialin", which is the field that tells our RADIUS server whether the user is allowed VPN access. The parameter is switched between TRUE and FALSE (case sensitive) via the ADUC Dial-in tab:

ldap {
       server = "DC"
       identity = "cn=VPN,cn=users,dc=domain,dc=local"
       password = MyDomainVPN
       basedn = "dc=domain,dc=local"
       ldap_connections_number = 5
       timeout = 4
       timelimit = 3
       net_timeout = 1
       tls {
               start_tls = no
       }
       access_attr = "msNPAllowDialin"
       dictionary_mapping = ${confdir}/ldap.attrmap
       edir_account_policy_check = no
}
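As an added example (not part of the original HOWTO), a small Python audit of which accounts the access_attr check above would let through. It applies the rule rlm_ldap uses with its default settings (attribute present and not exactly FALSE allows; attribute absent denies) to a constructed LDIF dump; the account names and DNs are made up.

```python
import re
from typing import Dict, Optional

# The access_attr configured in the ldap module above.
ACCESS_ATTR = "msNPAllowDialin"

# Constructed sample LDIF, shaped like an ldapsearch/ldbsearch dump of the
# users container. Accounts and DNs are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=domain,DC=local
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=Bob,CN=Users,DC=domain,DC=local
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=Carol,CN=Users,DC=domain,DC=local
sAMAccountName: carol

dn: CN=Dave,CN=Users,DC=domain,DC=local
sAMAccountName: dave
msNPAllowDialin: false
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal LDIF parser (single-valued, unfolded, non-base64 lines only)."""
    entries: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "sAMAccountName" in attrs:
            entries[attrs["sAMAccountName"]] = attrs
    return entries

def dialin_allowed(attrs: Dict[str, str]) -> bool:
    """rlm_ldap access_attr rule as the HOWTO relies on it: the attribute must be
    present on the user, and a value of exactly FALSE (case sensitive) denies."""
    value: Optional[str] = attrs.get(ACCESS_ATTR)
    if value is None:
        return False          # attribute absent: no dial-in permission at all
    return value != "FALSE"   # "false" would NOT deny: the comparison is case sensitive

def audit_dialin(ldif_text: str) -> Dict[str, bool]:
    """Return {account: allowed} so the set of VPN-enabled accounts can be reviewed."""
    return {name: dialin_allowed(attrs) for name, attrs in parse_ldif(ldif_text).items()}
```

Running audit_dialin(SAMPLE_LDIF) shows that only a value spelled exactly FALSE denies; an attribute set by some other tool to "false" would still pass the check, which is worth verifying against your own directory.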


mschap {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = no
       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
I can recommend using the VACMAN RADIUS Client Simulator from Vasco.