RADIUS and LDAP
August 2015 Hangout
Jim Pingle
Project Notes
● 2.3 is progressing, should have public snapshots soon
● There may be a 2.2.5, not definite yet
● Book is still being updated
● SG-2220 shipping in a few days
About this Hangout
● RADIUS and LDAP intro
● Areas of pfSense that support RADIUS and LDAP
● Configuring RADIUS and LDAP servers for use by pfSense
● RADIUS and LDAP for the pfSense GUI
● RADIUS and LDAP for VPNs
● RADIUS for Captive Portal
● RADIUS for Wireless WPA2 Enterprise/802.1x
● User Manager, VPNs, Captive Portal, Wireless have all been covered in past hangouts, this hangout will focus only on RADIUS and LDAP authentication.
RADIUS Intro
● Remote Authentication Dial-In User Service
● Often used by ISPs for dialup, DSL, etc., or by companies for central auth
● Provides AAA – Authentication, Authorization, and Accounting
● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, etc.
– Also various frontends such as daloRADIUS or billing systems with RADIUS
● In addition to auth, can send back reply info about users
● Accounting allows for tracking usage over time (e.g. X MB per day), total login time (X hours per day), and so on
● Can be compatible with external systems for additional auth such as OTP, tokens, and similar Multi-Factor implementations
● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN
LDAP Intro
● Lightweight Directory Access Protocol
● Primarily a repository of information about users and organizations, but can be used for authentication via LDAP BIND operations
● Can be searched to find user info (e.g. group membership)
● Commonly used not just for authentication but also for e-mail contact storage, user profile information, and similar tasks.
● Found in many systems such as OpenLDAP, Active Directory, Novell Directory Services, Apple Open Directory, and many more
– Some distributions such as ClearOS and Turnkey Linux use OpenLDAP
● LDAP Schemas vary widely, two common variations:
– RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group object
– RFC 2307bis/Active Directory – Group membership indicated by a list of groups on the user object
● Can use SSL to encrypt queries
RADIUS and LDAP on pfSense
● GUI Auth
– LDAP on 2.2.4 and earlier; RADIUS also on 2.2.5 and later
– Groups must be present on pfSense with the same name plus desired privileges
● VPN Auth
– OpenVPN supports RADIUS and LDAP
● IP address, Routes, firewall rules, and DNS servers can be passed back via RADIUS attributes
– IPsec supports RADIUS and LDAP
– PPPoE, L2TP, and PPTP support only RADIUS
● Captive Portal
– RADIUS Only
– Per-user bandwidth restrictions can be passed back from RADIUS
– Time/day limits and transfer total limits may also be enacted by the RADIUS server
● Wireless
– 802.1x / WPA2 Enterprise
– RADIUS only
RADIUS and LDAP Server Config
● Configure the auth server such that the firewall can query it
● Add users and groups as needed
● Determine the required parameters for the server necessary for pfSense to use it
– Varies by protocol, but would include things such as server address and port, query credentials, and so on.
Configuring RADIUS Servers
● FreeRADIUS
– Install the FreeRADIUS2 pfSense package, or use an external server
– Add an Interface to FreeRADIUS to listen/bind
– Add a NAS Client entry for the firewall, note the shared secret
– Add users
● Active Directory (via NPS)
– Add Network Policy and Access Services role
– Configure NPS/NAP
– Add RADIUS client entry for the firewall, note the shared secret
– Add a Network Policy to grant access based on the attributes you want (e.g. users in a specific group)
– May need to ensure users have Dial-In permission set to be managed by NPS
– Add users/groups as needed
Configuring LDAP Servers
● OpenLDAP
– Too complex to cover here, but there are many how-to docs out there
– Be sure to add a cert for SSL support
– Or use a distro such as Turnkey Linux or similar that has a frontend for it
– Web-based LDAP Frontends can be helpful for finding info and managing users
● Active Directory
– Support is already there in Windows Server by default
– Add Certificate Authority role to use SSL
– Use ADSI Edit to easily locate Base DN
● Others
– Consult OS docs for info on what, if anything, needs to be done
Set up pfSense for a RADIUS Server
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to RADIUS
● Enter the address of the RADIUS server
● Enter the Shared Secret configured for this firewall's NAS/Client entry on the RADIUS server
● Pick which services the RADIUS server supplies, typically either Authentication or both Authentication and Accounting
● Unless the server ports have been changed, leave them at defaults.
● If the RADIUS server is across a slow link, consider raising the timeout
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
Set up pfSense for an LDAP Server
● If SSL will be used, import the CA from the LDAP server under System > Cert Manager, CA tab before proceeding
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to LDAP
● Enter the address of the LDAP server
– If using SSL, this should be the hostname!
– Also make sure the server certificate (not imported to pfSense) contains this hostname, and that the hostname also exists in DNS
● Pick the transport, plain TCP or SSL
– SSL is highly recommended as TCP would transmit credentials in the clear!
● Adjust the port if needed
● If using SSL, pick the CA imported previously
● Pick the LDAP protocol version, commonly 3 but may vary depending on server
pfSense LDAP Server (cont'd)
● Parameters from here on all depend on LDAP server style
● Search Scope
– Level typically should be “Entire Subtree” – Especially on AD!
– Base DN, e.g. DC=example,DC=com
● If unknown, check LDAP schema, GUI, ADSI Edit, etc
● Authentication Containers
– Typically set to an OU, varies by LDAP schema
– Select button will show containers from the server. BIND credentials will need to be correct for it to work.
● Extended Query
– Specifies an LDAP filter to limit search results, such as:
– memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
● Bind credentials – May or may not be necessary
– OpenLDAP typically allows anonymous binds/searches, but depends on schema
– Active Directory typically requires a valid user to bind, may need to be a service account or admin, depends on configuration of the server, check Windows server docs
pfSense LDAP Server (cont'd)
● Initial Template – OpenLDAP, Microsoft AD, Novell eDirectory
– Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
– For OpenLDAP with RFC 2307 groups, group member attribute should be memberUid
● RFC 2307 Groups (added after 2.2.4)
– Default style lists groups on the user object (Used by Active Directory)
– RFC 2307 lists group members on group object (Used by some OpenLDAP schemas)
● Group Object Class (added after 2.2.4)
– Object class needed for RFC 2307 style, typically posixGroup
● UTF-8 Encoding
– Necessary if using any special characters in LDAP usernames or passwords
– Support varies by server, but should be safe to enable in most cases
● Username Alterations
– By default, if someone enters user@host style naming, the @ and everything after it is stripped. Check to preserve.
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
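The two group styles contrasted above (RFC 2307 memberUid on the group object vs. AD/RFC 2307bis memberOf on the user object) and the Extended Query filter, worked as an added example that is not pfSense code. The directory entries are constructed sample data under example.com, and the lookup functions mirror what the User naming, Group member and Extended Query settings control; picking the wrong style against a server yields no groups at all.

```python
"""Resolve group membership in the two LDAP schema styles the slides contrast, and
apply an Extended Query filter the way pfSense narrows a search."""

# Constructed sample entries (not a real server). RFC 2307 style, as in an OpenLDAP
# posixGroup schema: each group object carries a memberUid list.
RFC2307_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    "cn=VPNUsers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["VPNUsers"], "memberUid": ["alice"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["alice", "bob"]},
}

# Constructed Active Directory / RFC 2307bis style: each user object carries memberOf.
AD_DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPNUsers,CN=Users,DC=example,DC=com",
                     "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "CN=bob,CN=Users,DC=example,DC=com": {
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
}


def find_user(directory, username, user_attr):
    """Locate the user entry by its naming attribute (uid or sAMAccountName)."""
    for dn, entry in directory.items():
        if username in entry.get(user_attr, []):
            return dn, entry
    return None


def first_rdn_value(dn):
    """'CN=VPNUsers,CN=Users,DC=example,DC=com' -> 'VPNUsers' (the pfSense group name)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_rfc2307(directory, username, group_class="posixGroup", member_attr="memberUid"):
    """RFC 2307 style: scan group objects of the configured class for the user's name."""
    found = set()
    for entry in directory.values():
        if group_class in entry.get("objectClass", []) and username in entry.get(member_attr, []):
            found.update(entry.get("cn", []))
    return found


def groups_ad(directory, username, user_attr="sAMAccountName", member_attr="memberOf"):
    """AD / RFC 2307bis style: read the group DNs listed on the user object itself."""
    hit = find_user(directory, username, user_attr)
    if hit is None:
        return set()
    return {first_rdn_value(dn) for dn in hit[1].get(member_attr, [])}


def matches_extended_query(entry, query):
    """Minimal 'attribute=value' filter, the form shown on the slide
    (memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com). DN values compare case-insensitively."""
    attr, _, wanted = query.partition("=")
    return any(value.lower() == wanted.lower() for value in entry.get(attr, []))


def pfsense_effective_groups(server_groups, local_groups):
    """pfSense only grants privileges for server groups that also exist locally by the same name."""
    return set(server_groups) & set(local_groups)


def vpn_login_allowed(directory, username, user_attr, query):
    """Combine the user lookup with the Extended Query, as the VPN auth path does."""
    hit = find_user(directory, username, user_attr)
    return hit is not None and matches_extended_query(hit[1], query)
```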
RADIUS and LDAP for the GUI
● Privileges are assigned based on group membership
● Add groups on pfSense to match groups on the server
– Example: LDAP group “VPNUsers” needs a pfSense group “VPNUsers”
● Add privileges to the group(s) as desired
● Check the authentication server to be sure the groups are set up properly with users and can be seen by pfSense:
– LDAP – Check the schema to see if AD style group membership is needed or RFC 2307 (If RFC 2307 is needed, must be on 2.2.5 or later)
– RADIUS (Will only work with 2.2.5 and later) – Ensure the server returns groups in the Class attribute as a String, not binary
● Visit Diagnostics > Authentication, test users and ensure the groups are listed in the result.
● Visit System > User Manager, Settings tab, select the desired server, Save
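The Class attribute requirement stated on this slide and on the RADIUS server slide (string Class values, matching local group names), shown as an added example that is not pfSense code: it decodes the attribute TLVs of a RADIUS Access-Accept and sorts the Class values into usable groups, groups missing locally, and opaque binary values that cannot be matched. The packet is constructed here with a zeroed authenticator; the group names are sample values.

```python
"""Decode the attributes of a RADIUS Access-Accept and derive the pfSense group list
from the Class attribute, flagging Class values that are not plain strings."""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25           # RFC 2865 attribute type that carries the group name(s) here


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length (1 byte incl. header), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(ident, attrs):
    """Constructed Access-Accept for testing. A real packet carries an MD5 response
    authenticator computed with the shared secret; it is left zeroed here."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def parse_attrs(packet):
    """Walk the attribute list, rejecting packets whose length fields are inconsistent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def is_malformed(packet):
    """True when the packet fails the structural checks above."""
    try:
        parse_attrs(packet)
    except ValueError:
        return True
    return False


def class_groups(attrs):
    """Return (group names found in string Class values, count of non-string Class values).
    An opaque binary Class, which some servers emit by default, cannot be matched to a group."""
    names, binary = [], 0
    for attr_type, value in attrs:
        if attr_type != ATTR_CLASS:
            continue
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            binary += 1
            continue
        if text and text.isprintable():
            names.append(text)
        else:
            binary += 1
    return names, binary


def pfsense_groups_from_accept(packet, local_groups):
    """Split the server's groups into those usable on pfSense (present locally under the
    same name), those missing locally, and the count of unusable binary Class values."""
    code, attrs = parse_attrs(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    names, binary = class_groups(attrs)
    usable = sorted(set(names) & set(local_groups))
    missing = sorted(set(names) - set(local_groups))
    return usable, missing, binary


# Constructed reply: two string Class values, one opaque binary Class of the kind the
# slides warn about, and a Reply-Message.
SAMPLE_ATTRS = [
    (ATTR_CLASS, b"admins"),
    (ATTR_CLASS, b"VPNUsers"),
    (ATTR_CLASS, bytes.fromhex("0000013700010200a1b2c3d4")),
    (ATTR_REPLY_MESSAGE, b"Welcome"),
]
SAMPLE_PACKET = build_access_accept(7, SAMPLE_ATTRS)
```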
RADIUS and LDAP for VPNs
● For LDAP, to limit access to a specific group, use the Extended Query filter
● On IPsec and OpenVPN, Ctrl-select multiple servers; if the first fails, the second is checked and so on
– No way to reorder them currently
● L2TP, PPPoE, and PPTP support only RADIUS and have RADIUS settings on their configuration pages, nothing fancy.
● IPsec
– Works for IKEv1 xauth style setup, no IKEv2/EAP yet
– VPN > IPsec, Mobile Clients tab, select the desired auth server(s)
● OpenVPN – Next slide
RADIUS and LDAP for OpenVPN
● Auth can come from LDAP or RADIUS (or both)
● For use with OpenVPN Client Export Package:
– Auth only mode – One installer works for everyone (no certs)
– SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
● No need to create local users, only certificates
● RADIUS Reply Attributes can be used to pass back info for clients!
– Cisco-AVPair route=x.x.x.x y.y.y.y (IP address, subnet mask)
– Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
– Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
– Framed-IP-Address = x.x.x.x, client gets x.x.x.x, server is x.x.x.x+1
● Multi-Factor Auth should be possible with RADIUS if the RADIUS server supports it
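The reply attributes listed above, translated into per-client OpenVPN directives as an added example that is not pfSense's own config generator (the OpenVPN directive names chosen are this example's assumption; the reply values are constructed). It validates each value before anything is pushed: a route whose address has host bits set, or an ACL outside the slide's grammar, is rejected rather than passed to the client.

```python
"""Translate the RADIUS reply attributes the slide lists into OpenVPN per-client
directives and parsed ACL rules, rejecting malformed values."""
import ipaddress

# Constructed Access-Accept reply items, as (attribute, value) pairs
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.8.0.50"),
    ("Cisco-AVPair", "route=192.168.10.0 255.255.255.0"),
    ("Cisco-AVPair", "route=192.168.20.0 255.255.255.0"),
    ("Cisco-AVPair", "dns-servers=10.0.0.53 10.0.0.54"),
    ("Cisco-AVPair", "inacl=permit tcp from any to host 192.168.10.5"),
    ("Cisco-AVPair", "outacl=deny udp from any to net 192.168.20.0 0.0.0.255"),
    ("Reply-Message", "not client config material; ignored"),
]


def parse_endpoint(tokens):
    """<any | host A.B.C.D | net A.B.C.D W.W.W.W>. The wildcard mask is a Cisco-style
    hostmask, which the ipaddress module accepts directly after the slash."""
    kind = tokens[0]
    if kind == "any":
        return "any", tokens[1:]
    if kind == "host":
        return str(ipaddress.IPv4Network(f"{tokens[1]}/32")), tokens[2:]
    if kind == "net":
        return str(ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}")), tokens[3:]
    raise ValueError(f"unknown endpoint kind {kind!r}")


def parse_acl(direction, spec):
    """<permit|deny> [tcp|udp] from <endpoint> to <endpoint>, per the slide's grammar."""
    tokens = spec.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACL action {action!r}")
    proto = "ip"
    if tokens and tokens[0] in ("tcp", "udp"):
        proto = tokens.pop(0)
    if tokens[:1] != ["from"]:
        raise ValueError("expected 'from'")
    src, tokens = parse_endpoint(tokens[1:])
    if tokens[:1] != ["to"]:
        raise ValueError("expected 'to'")
    dst, tokens = parse_endpoint(tokens[1:])
    if tokens:
        raise ValueError(f"trailing ACL tokens {tokens}")
    return {"direction": direction, "action": action, "proto": proto, "src": src, "dst": dst}


def reply_to_client_config(reply):
    """Return (OpenVPN client-config directive lines, parsed ACL rules)."""
    lines, acls = [], []
    for attr, value in reply:
        if attr == "Framed-IP-Address":
            client = ipaddress.IPv4Address(value)
            # per the slide: the client gets x.x.x.x and the server side is x.x.x.x+1
            lines.append(f"ifconfig-push {client} {client + 1}")
        elif attr == "Cisco-AVPair":
            key, _, rest = value.partition("=")
            if key == "route":
                net, mask = rest.split()
                network = ipaddress.IPv4Network(f"{net}/{mask}")  # strict: host bits set -> ValueError
                lines.append(f'push "route {network.network_address} {network.netmask}"')
            elif key == "dns-servers":
                for server in rest.split():
                    lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(server)}"')
            elif key in ("inacl", "outacl"):
                acls.append(parse_acl(key, rest))
            else:
                raise ValueError(f"unsupported Cisco-AVPair key {key!r}")
        # any other reply attribute is not client config material here and is skipped
    return lines, acls


def is_rejected(reply):
    """True when the reply carries a malformed value that must not reach a client."""
    try:
        reply_to_client_config(reply)
    except ValueError:
        return True
    return False
```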
RADIUS for Captive Portal
● Captive Portal only supports RADIUS auth at this time
● RADIUS Authentication can use PAP, CHAP_MD5, MSCHAPv1, or MSCHAPv2 – Check RADIUS server config/docs to see what it supports
● Enter IP address and port for the RADIUS server
● Shared Secret is the “password” set in the RADIUS server for the firewall
as a NAS/Client
● Four total RADIUS Servers permitted:
– Primary Authentication Source and its backup
– Secondary Authentication Source and its backup
– Backups are consulted if the main servers do not respond
– Secondary authentication source is consulted if the primary fails
– Can be used to effectively have two sources of auth (e.g. pre-paid cards and standard users) – all up to the servers and what they support
RADIUS for Captive Portal
● RADIUS Accounting:
– If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
– Stop/start accounting only sends data on login and logout
– Interim update sends periodic updates to the accounting server
● RADIUS Options – More here than are supported in the user manager
● Reauthentication – Forces a new auth request every minute. If users must be disconnected for time or bandwidth usage calculations, this must be checked!
● RADIUS MAC Authentication – Sends the MAC address as the user name and “MAC Authentication Secret” as the password. Allows automatic login by MAC address; MACs must be added to the RADIUS server as users.
● NAS IP – IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)
● Session-Timeout – Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute.
● Type – Varies by need of RADIUS server, typically “default” – controls how Called-Station-Id and Calling-Station-Id are handled
● Accounting Style – Inverts value of input and output for bandwidth calculations to suit some RADIUS server assumptions
● NAS Identifier – A name passed to the RADIUS server to identify this firewall
● MAC Address Format – The format of the MAC address expected by the RADIUS server
RADIUS for Captive Portal
● Some parameters may be passed back in RADIUS Reply Attributes:
– Varies by RADIUS vendor
– WISPr-Bandwidth-Max-Up (and -Down)
● Sets up a limiter for this specific user to the given bw
– WISPr-Redirection-URL
● Passes a string with a full URL to use for redirection
– Acct-Interim-Interval
– Session-Timeout
– Idle-Timeout
● Do not set a simultaneous use limit on users that will use Captive Portal
RADIUS for Wireless
● 802.1x A.K.A. WPA Enterprise
● More secure than plain WPA/WPA2
– Less prone to brute forcing
– Harder to snoop
● RADIUS only, no LDAP
● Second RADIUS server is used if the first fails
● Settings are placed on the wireless Interface (e.g. Interfaces > WiFi)
● Set WPA Key Management to EAP!
● Set client to PEAP (Or whatever mode is configured on RADIUS server)
● Clients will login using the username/password on the RADIUS server
● Check the Wireless log for info if access fails
● The AP daemon (hostapd) supports dynamic VLAN assignment but we do not currently enable that or support it in the GUI – perhaps in the future
Conclusion
● Eventually, all areas will converge on using the User Manager auth servers (Captive Portal, Wireless, L2TP, PPPoE, etc)
● Works well now but always room for improvement
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Cisco hsrp configuration
Cisco hsrp configurationCisco hsrp configuration
Cisco hsrp configuration
 
VPN
VPNVPN
VPN
 
Active directory slides
Active directory slidesActive directory slides
Active directory slides
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
 
MikroTik Basic Training Class - Online Moduls - English
 MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Bandwidth Monitoring - pfSense Hangout March 2015
Bandwidth Monitoring - pfSense Hangout March 2015Bandwidth Monitoring - pfSense Hangout March 2015
Bandwidth Monitoring - pfSense Hangout March 2015
 
Manet
ManetManet
Manet
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Active Directory
Active Directory Active Directory
Active Directory
 
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
 
Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
 
DMVPN
DMVPNDMVPN
DMVPN
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptx
 
System and network administration network services
System and network administration network servicesSystem and network administration network services
System and network administration network services
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain service
 
Network sniffers & injection tools
Network sniffers  & injection toolsNetwork sniffers  & injection tools
Network sniffers & injection tools
 
Proxy Server
Proxy ServerProxy Server
Proxy Server
 

Similar a RADIUS and LDAP - pfSense Hangout August 2015

Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01
SANE Ibrahima
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 

Similar a RADIUS and LDAP - pfSense Hangout August 2015 (20)

RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
 
Apache Ranger
Apache RangerApache Ranger
Apache Ranger
 
Cl212
Cl212Cl212
Cl212
 
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
Installation of LAMP Server with Ubuntu 14.10 Server Edition
Installation of LAMP Server with Ubuntu 14.10 Server EditionInstallation of LAMP Server with Ubuntu 14.10 Server Edition
Installation of LAMP Server with Ubuntu 14.10 Server Edition
 
Modern Deployment Strategies
Modern Deployment StrategiesModern Deployment Strategies
Modern Deployment Strategies
 
Neo4j 4.1 overview
Neo4j 4.1 overviewNeo4j 4.1 overview
Neo4j 4.1 overview
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
SrinivasR
SrinivasRSrinivasR
SrinivasR
 
Cl116
Cl116Cl116
Cl116
 
Cl221
Cl221Cl221
Cl221
 

Más de Netgate

Más de Netgate (20)

pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
 
High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
 
High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

RADIUS and LDAP - pfSense Hangout August 2015

  • 1. RADIUS and LDAP August 2015 Hangout Jim Pingle
  • 2. Project Notes ● 2.3 is progressing, should have public snapshots soon ● There may be a 2.2.5, not definite yet ● Book is still being updated ● SG-2220 shipping in a few days
  • 3. About this Hangout ● RADIUS and LDAP intro ● Areas of pfSense that support RADIUS and LDAP ● Configuring RADIUS and LDAP servers for use by pfSense ● RADIUS and LDAP for the pfSense GUI ● RADIUS and LDAP for VPNs ● RADIUS for Captive Portal ● RADIUS for Wireless WPA2 Enterprise/802.1x ● User Manager, VPNs, Captive Portal, Wireless have all been covered in past hangouts, this hangout will focus only on RADIUS and LDAP authentication.
  • 4. RADIUS Intro ● Remote Authentication Dial-In User Service ● Often used by ISPs for dialup, DSL, etc. Or by companies for central auth ● Provides AAA – Authentication, Authorization, and Accounting ● Lots of implementations: FreeRADIUS, RADIATOR, Windows Server via NPS, etc – Also various frontends such as daloRADIUS or billing systems with RADIUS ● In addition to auth, can send back reply info about users ● Accounting allows for tracking usage over time (e.g. X MB per day), total login time (X hours per day), and so on ● Can be compatible with external systems for additional auth such as OTP, tokens, and similar Multi-Factor implementations ● Protocol itself is not encrypted, so (ideally) run it locally or over a VPN
  • 5. LDAP Intro ● Lightweight Directory Access Protocol ● Primarily a repository of information about users and organizations, but can be used for authentication via LDAP BIND operations ● Can be searched to find user info (e.g. group membership) ● Commonly used not just for authentication but also for e-mail contact storage, user profile information, and similar tasks. ● Found in many systems such as OpenLDAP, Active Directory, Novell Directory Services, Apple Open Directory, and many more – Some distributions such as ClearOS and Turnkey Linux use OpenLDAP ● LDAP Schemas vary widely, two common variations: – RFC 2307 (OpenLDAP default) – Group membership indicated by a list of users on a group object – RFC 2307bis/Active Directory – Group membership indicated by a list of groups on user object ● Can use SSL to encrypt queries
  • 6. RADIUS and LDAP on pfSense ● GUI Auth – LDAP on <= 2.2.4, RADIUS also with >= 2.2.5 – Groups must be present on pfSense with the same name plus desired privileges ● VPN Auth – OpenVPN supports RADIUS and LDAP ● IP address, Routes, firewall rules, and DNS servers can be passed back via RADIUS attributes – IPsec supports RADIUS and LDAP – PPPoE, L2TP, and PPTP support only RADIUS ● Captive Portal – RADIUS Only – Per-user bandwidth restrictions can be passed back from RADIUS – Time/day limits and transfer total limits may also be enacted by the RADIUS server ● Wireless – 802.1x / WPA2 Enterprise – RADIUS only
  • 7. RADIUS and LDAP Server Config ● Configure the auth server such that the firewall can query it ● Add users and groups as needed ● Determine the required parameters for the server necessary for pfSense to use it – Varies by protocol, but would include things such as server address and port, query credentials, and so on.
Configuring RADIUS Servers
● FreeRADIUS
  – Install the FreeRADIUS2 pfSense package, or use an external server
  – Add an Interface to FreeRADIUS to listen/bind
  – Add a NAS Client entry for the firewall, note the shared secret
  – Add users
● Active Directory (via NPS)
  – Add the Network Policy and Access Services role
  – Configure NPS/NAP
  – Add a RADIUS client entry for the firewall, note the shared secret
  – Add a Network Policy to grant access based on the attributes you want (e.g. users in a specific group)
  – May need to ensure the Network Access Permission on each user's Dial-in tab is set to be controlled through NPS Network Policy
  – Add users/groups as needed
Configuring LDAP Servers
● OpenLDAP
  – Too complex to cover here, but there are many how-to docs out there
  – Be sure to add a cert for SSL support
  – Or use a distro such as Turnkey Linux or similar that has a frontend for it
  – Web-based LDAP frontends can be helpful for finding info and managing users
● Active Directory
  – Support is already there in Windows Server by default
  – Add the Certificate Authority role to use SSL
  – Use ADSI Edit to easily locate the Base DN
● Others
  – Consult OS docs for info on what, if anything, needs to be done
Setup pfSense for a RADIUS Server
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to RADIUS
● Enter the address of the RADIUS server
● Enter the Shared Secret configured for this firewall's NAS/Client entry on the RADIUS server
  – The secret is all that protects the password obfuscation and the reply authentication, so use a long random value (RFC 2865 recommends at least 16 octets), not a dictionary word
● Pick which services the RADIUS server supplies, typically either Authentication or both Authentication and Accounting
● Unless the server ports have been changed, leave them at the defaults (1812 for authentication, 1813 for accounting)
● If the RADIUS server is across a slow link, consider raising the timeout
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the RADIUS server must return the group name(s) in the Class attribute as a string AND the same group names must be present on pfSense (Groups tab)
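As an added example (not pfSense or FreeRADIUS code), here is the exchange the Shared Secret protects, done with the Python standard library per RFC 2865: the NAS hides the PAP password with MD5 keyed on the secret and the Request Authenticator, and checks the Response Authenticator on the Access-Accept before trusting it. The usernames, secret, NAS-Identifier value and reply packets are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS, NAS_IDENTIFIER = 1, 2, 4, 25, 32


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Only User-Password gets this treatment; every other
    attribute travels in the clear, which is why RADIUS belongs on a trusted
    segment or inside a VPN."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, req_auth):
    """The server side with the same secret; trailing NUL padding is dropped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One attribute TLV: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, req_auth, secret, user, password, nas_ip):
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_IDENTIFIER, b"pfSense"))   # identifier value is an assumption
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, req_auth, secret):
    """What a server holding this secret sends back for the request."""
    return packet(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)


def verify_reply(reply, req_auth, secret):
    """NAS side: a reply whose authenticator does not match the secret and the
    outstanding Request Authenticator is discarded, whatever its Code says."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(req_auth=None):
    secret = b"constructed-shared-secret-abc123"   # the NAS/Client entry's secret
    req_auth = req_auth or os.urandom(16)          # must be unpredictable per request
    request = build_access_request(7, req_auth, secret, "alice", "s3cret!", "192.0.2.1")
    genuine = build_reply(ACCESS_ACCEPT, 7, attr(CLASS, b"VPNUsers"), req_auth, secret)
    spoofed = build_reply(ACCESS_ACCEPT, 7, attr(CLASS, b"admins"), req_auth, b"wrong-secret")
    return (b"alice" in request,        # the username is readable on the wire
            b"s3cret!" in request,      # the password is not
            verify_reply(genuine, req_auth, secret),
            verify_reply(spoofed, req_auth, secret))


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The spoofed Access-Accept carries a Code of 2 and a tempting Class value, and is rejected purely because its authenticator was computed with the wrong secret; that single check, keyed on a guessable secret, is the whole of RADIUS' protection against a forged accept on an untrusted network.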
Setup pfSense for an LDAP Server
● If SSL will be used, import the CA from the LDAP server under System > Cert Manager, CA tab before proceeding
● System > User Manager, Servers tab, +
● Enter a Descriptive Name
● Set Type to LDAP
● Enter the address of the LDAP server
  – If using SSL, this must be the hostname, not an IP address!
  – Also make sure the server certificate (which is not imported to pfSense, only its CA is) contains this hostname, and that the hostname resolves in DNS
● Pick the transport, plain TCP or SSL
  – SSL is highly recommended, as plain TCP transmits the bind credentials and user passwords in the clear!
● Adjust the port if needed
● If using SSL, pick the CA imported previously
● Pick the LDAP protocol version, commonly 3 but may vary depending on the server
pfSense LDAP Server (cont'd)
● Parameters from here on all depend on the LDAP server style
● Search Scope
  – Level typically should be "Entire Subtree" – especially on AD!
  – Base DN, e.g. DC=example,DC=com
    ● If unknown, check the LDAP schema, GUI, ADSI Edit, etc
● Authentication Containers
  – Typically set to an OU, varies by LDAP schema
  – The Select button will show containers from the server. Bind credentials must be correct for it to work.
● Extended Query
  – Specifies an LDAP filter to limit search results, such as:
  – memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
● Bind credentials
  – May or may not be necessary
  – OpenLDAP typically allows anonymous binds/searches, but depends on the schema
  – Active Directory typically requires a valid user to bind; may need to be a service account or admin depending on the server configuration (check Windows Server docs). A dedicated read-only account is preferable to an admin account, since its credentials are stored on the firewall.
pfSense LDAP Server (cont'd)
● Initial Template
  – OpenLDAP, Microsoft AD, Novell eDirectory
  – Pre-fills the User naming, Group naming, and Group member attributes with common defaults for each style
  – For OpenLDAP with RFC 2307 groups, the group member attribute should be memberUid
● RFC 2307 Groups (added after 2.2.4)
  – Default style lists groups on the user object (used by Active Directory)
  – RFC 2307 lists group members on the group object (used by some OpenLDAP schemas)
● Group Object Class (added after 2.2.4)
  – Object class needed for RFC 2307 style, typically posixGroup
● UTF-8 Encoding
  – Necessary if using any special characters in LDAP usernames or passwords
  – Support varies by server, but should be safe to enable in most cases
● Username Alterations
  – By default, if someone enters a user@host style name, the @ and everything after it is stripped. Check to preserve it.
● Save and visit Diagnostics > Authentication to test
● For group membership to work, the group names found through the Group member attribute must also exist on pfSense (Groups tab) with exactly the same names
RADIUS and LDAP for the GUI
● Privileges are assigned based on group membership
● Add groups on pfSense to match groups on the server
  – Example: LDAP group "VPNUsers" needs a pfSense group "VPNUsers"
● Add privileges to the group(s) as desired
● Check the authentication server to be sure the groups are set up properly, contain the right users, and can be seen by pfSense:
  – LDAP – Check the schema to see whether AD style group membership or RFC 2307 is needed (if RFC 2307 is needed, must be on 2.2.5 or later)
  – RADIUS (will only work with 2.2.5 and later) – Ensure the server returns the groups in the Class attribute as a string, not binary
● Visit Diagnostics > Authentication, test users and ensure the groups are listed in the result.
● Visit System > User Manager, Settings tab, select the desired server, Save
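As an added example (not pfSense code), the group resolution the LDAP slides describe, in Python against a small directory built inline in both styles: the default style with memberOf on the user object, and RFC 2307 with memberUid on posixGroup objects. It also shows why the username has to be escaped before it goes into the search filter (RFC 4515), how the Extended Query narrows the user lookup, and how only group names that also exist on the firewall carry privileges. The entries, DNs, and the firewall's privilege lists are constructed.

```python
# Directory entries constructed for the example: DN -> attribute -> values.
AD_DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPNUsers,CN=Users,DC=example,DC=com",
                     "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "CN=bob,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
}
RFC2307_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=VPNUsers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["VPNUsers"], "memberUid": ["alice", "bob"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["bob"]},
}
# Groups defined on the firewall (System > User Manager, Groups tab) with
# constructed privilege lists; only names present here carry privileges.
FIREWALL_GROUPS = {"VPNUsers": ["page-diagnostics-authentication"], "admins": ["page-all"]}


def escape_filter_value(value):
    """RFC 4515 3: escape the characters that would change a filter's
    structure. Without this, a login of 'x)(sAMAccountName=*' turns the
    user lookup into a wildcard search (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_filter(user_attr, username, extended_query=None):
    """The filter the firewall sends: the user match ANDed with the Extended
    Query, e.g. (&(sAMAccountName=alice)(memberOf=CN=VPNUsers,...))."""
    base = "(%s=%s)" % (user_attr, escape_filter_value(username))
    if not extended_query:
        return base
    if not extended_query.startswith("("):
        extended_query = "(" + extended_query + ")"
    return "(&%s%s)" % (base, extended_query)


def matches_equality_filter(entry, flt):
    """Evaluate a single (attr=value) term, the form the slides use."""
    attr_name, _, value = flt.strip("()").partition("=")
    return value in entry.get(attr_name, [])


def rdn_value(dn):
    """'CN=VPNUsers,CN=Users,DC=example,DC=com' -> 'VPNUsers' (unescaped RDNs assumed)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_user(directory, user_attr, username, extended_query=None):
    """Return (dn, entry) for the user, or None if nothing matches both terms."""
    for dn, entry in directory.items():
        if username in entry.get(user_attr, []) and (
                extended_query is None or matches_equality_filter(entry, extended_query)):
            return dn, entry
    return None


def groups_default_style(entry, member_attr="memberOf"):
    """Default style (Active Directory, RFC 2307bis): the user object lists its groups."""
    return [rdn_value(dn) for dn in entry.get(member_attr, [])]


def groups_rfc2307(directory, username, group_class="posixGroup",
                   member_attr="memberUid", name_attr="cn"):
    """RFC 2307 style: group objects list their members, so search the groups."""
    return [e[name_attr][0] for e in directory.values()
            if group_class in e.get("objectClass", []) and username in e.get(member_attr, [])]


def effective_privileges(server_groups, firewall_groups=FIREWALL_GROUPS):
    """Names must match on both sides; unmatched server groups grant nothing."""
    return {g: firewall_groups[g] for g in server_groups if g in firewall_groups}


if __name__ == "__main__":
    vpn_only = "memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com"
    print(user_filter("sAMAccountName", "alice", vpn_only))
    _, alice = find_user(AD_DIRECTORY, "sAMAccountName", "alice", vpn_only)
    print(effective_privileges(groups_default_style(alice)))
    print(effective_privileges(groups_rfc2307(RFC2307_DIRECTORY, "bob")))
```

Note that "Domain Users" is returned by the server but grants nothing, because no group of that name exists on the firewall; and that bob, who is not in VPNUsers, is not found at all once the Extended Query is applied.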
RADIUS and LDAP for VPNs
● For LDAP, to limit access to a specific group, use the Extended Query
● On IPsec and OpenVPN, Ctrl-select multiple servers; if the first fails, the second is checked, and so on
  – No way to reorder them currently
● L2TP, PPPoE, and PPTP support only RADIUS and have RADIUS settings on their configuration pages, nothing fancy.
● IPsec
  – Works for IKEv1 xauth style setups, no IKEv2/EAP yet
  – VPN > IPsec, Mobile Clients tab, select the desired auth server(s)
● OpenVPN – next slide
RADIUS and LDAP for OpenVPN
● Auth can come from LDAP or RADIUS (or both)
● For use with the OpenVPN Client Export package:
  – Auth only mode – One installer works for everyone (no certs), so only the user's password stands between an attacker and the VPN
  – SSL/TLS + User Auth – Certs for external users must be manually added to the GUI
    ● No need to create local users, only certificates
● RADIUS Reply Attributes can be used to pass back info for clients!
  – Cisco-AVPair route=x.x.x.x y.y.y.y (network address, subnet mask)
  – Cisco-AVPair dns-servers=x.x.x.x y.y.y.y z.z.z.z (IP addresses separated by spaces)
  – Cisco-AVPair inacl= or outacl=<permit|deny> [tcp|udp] from <any|host|net> to <any|host|net>, wildcard mask/Cisco ACL style
  – Framed-IP-Address = x.x.x.x; the client gets x.x.x.x and the server side of the link is x.x.x.x+1
● Multi-Factor Auth should be possible with RADIUS if the RADIUS server supports it
RADIUS for Captive Portal
● Captive Portal only supports RADIUS auth at this time
● RADIUS Authentication can use PAP, CHAP_MD5, MSCHAPv1, or MSCHAPv2
  – Check the RADIUS server config/docs to see what it supports
  – The CHAP/MSCHAP variants need the server to hold the password in a form it can verify (clear text or an NT hash), so PAP is the most widely compatible; with PAP the password is protected only by the shared-secret obfuscation on the wire
● Enter the IP address and port for the RADIUS server
● Shared Secret is the "password" set in the RADIUS server for the firewall as a NAS/Client
● Four total RADIUS servers permitted:
  – Primary Authentication Source and its backup
  – Secondary Authentication Source and its backup
  – Backups are consulted if the main servers do not respond
  – The secondary authentication source is consulted if the primary fails
  – Can be used to effectively have two sources of auth (e.g. pre-paid cards and standard users) – all up to the servers and what they support
RADIUS for Captive Portal
● RADIUS Accounting:
  – If enabled, sends information about user login sessions, data transferred, time of login/logout, and so on
  – Stop/start accounting only sends data on login and logout
  – Interim update sends periodic updates to the accounting server
● RADIUS Options – more here than are supported in the User Manager
  ● Reauthentication – Forces a new auth request every minute. If users must be disconnected for time or bandwidth usage calculations, this must be checked!
  ● RADIUS MAC Authentication – Sends the MAC address as the user name and the "MAC Authentication Secret" as the password. Allows automatic login by MAC address; MACs must be added to the RADIUS server as users. A MAC address is trivially spoofed, so treat this as a convenience, not as strong authentication.
  ● NAS IP – IP address sent in RADIUS requests to identify this firewall (e.g. Called-Station-Id)
  ● Session-Timeout – Obtain the client's allowed session time from the Session-Timeout RADIUS reply attribute.
  ● Type – Varies by the needs of the RADIUS server, typically "default" – controls how Called-Station-Id and Calling-Station-Id are handled
  ● Accounting Style – Inverts the values of input and output for bandwidth calculations to suit some RADIUS server assumptions
  ● NAS Identifier – A name passed to the RADIUS server (the NAS-Identifier attribute) to identify this firewall
  ● MAC Address Format – The format of the MAC address expected by the RADIUS server
RADIUS for Captive Portal
● Some parameters may be passed back in RADIUS Reply Attributes:
  – Varies by RADIUS vendor
  – WISPr-Bandwidth-Max-Up (and -Down)
    ● Sets up a limiter for this specific user at the given bandwidth
  – WISPr-Redirection-URL
    ● Passes a string with a full URL to use for redirection
  – Acct-Interim-Interval
  – Session-Timeout
  – Idle-Timeout
● Do not set a simultaneous use limit on users that will use Captive Portal
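The reply attributes from this slide and the OpenVPN slide, plus the Class attribute the RADIUS setup and GUI slides rely on, decoded the way a NAS would consume them: an added example in Python, not pfSense code. The Access-Accept attribute list is constructed inline; attribute numbers come from RFC 2865/2869, Cisco-AVPair is vendor 9 attribute 1, the WISPr attributes are vendor 14122 attributes 4, 7 and 8, and the x.x.x.x / x.x.x.x+1 pairing for Framed-IP-Address follows the OpenVPN slide. Malformed lengths and a binary Class value are handled rather than trusted.

```python
import ipaddress
import struct

# RFC 2865/2869 attribute numbers and the two vendor dictionaries used here
FRAMED_IP_ADDRESS, CLASS, VENDOR_SPECIFIC = 8, 25, 26
SESSION_TIMEOUT, IDLE_TIMEOUT, ACCT_INTERIM_INTERVAL = 27, 28, 85
CISCO, CISCO_AVPAIR = 9, 1        # Cisco vendor id, Cisco-AVPair
WISPR = 14122                      # WISPr vendor id
WISPR_ATTRS = {4: "WISPr-Redirection-URL", 7: "WISPr-Bandwidth-Max-Up",
               8: "WISPr-Bandwidth-Max-Down"}


def tlv(atype, value):
    """One attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor, vtype, value):
    """Vendor-Specific (26): 4-byte vendor id followed by a vendor TLV."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor) + tlv(vtype, value))


def u32(value):
    if len(value) != 4:
        raise ValueError("integer attribute must be 4 bytes, got %d" % len(value))
    return struct.unpack("!I", value)[0]


def iter_attrs(data):
    """Walk a TLV list; reject lengths that would overrun or never advance."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen
    if i != len(data):
        raise ValueError("trailing bytes after attribute list")


def decode_reply(attrs):
    """Turn the attribute list of an Access-Accept into what the NAS acts on."""
    out = {"groups": [], "routes": [], "dns": [], "acl": [], "limiter": {}, "ignored": []}
    for atype, value in iter_attrs(attrs):
        if atype == CLASS:
            try:   # group matching needs a string; a binary Class value is unusable
                out["groups"].append(value.decode("ascii"))
            except UnicodeDecodeError:
                out["ignored"].append(("Class", value))
        elif atype == FRAMED_IP_ADDRESS:
            client = ipaddress.IPv4Address(value)
            out["client_ip"], out["server_ip"] = str(client), str(client + 1)
        elif atype == SESSION_TIMEOUT:
            out["session_timeout"] = u32(value)
        elif atype == IDLE_TIMEOUT:
            out["idle_timeout"] = u32(value)
        elif atype == ACCT_INTERIM_INTERVAL:
            out["acct_interim_interval"] = u32(value)
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = u32(value[:4])
            for vtype, vval in iter_attrs(value[4:]):
                if vendor == CISCO and vtype == CISCO_AVPAIR:
                    key, _, arg = vval.decode().partition("=")
                    if key == "route":
                        out["routes"].append(tuple(arg.split()))   # (network, mask)
                    elif key == "dns-servers":
                        out["dns"].extend(arg.split())
                    elif key in ("inacl", "outacl"):
                        out["acl"].append((key, arg))
                    else:
                        out["ignored"].append(("Cisco-AVPair", vval))
                elif vendor == WISPR and vtype in WISPR_ATTRS:
                    if vtype == 4:
                        out["redirect_url"] = vval.decode()
                    else:
                        out["limiter"][WISPR_ATTRS[vtype]] = u32(vval)   # bits per second
                else:
                    out["ignored"].append((vendor, vtype, vval))
        else:
            out["ignored"].append((atype, value))
    return out


def sample_accept():
    """Constructed Access-Accept attributes covering both OpenVPN and Captive Portal."""
    return (tlv(CLASS, b"VPNUsers")
            + tlv(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.8.0.6").packed)
            + tlv(SESSION_TIMEOUT, struct.pack("!I", 3600))
            + tlv(IDLE_TIMEOUT, struct.pack("!I", 600))
            + tlv(ACCT_INTERIM_INTERVAL, struct.pack("!I", 300))
            + vsa(CISCO, CISCO_AVPAIR, b"route=10.1.0.0 255.255.0.0")
            + vsa(CISCO, CISCO_AVPAIR, b"dns-servers=10.8.0.1 10.8.0.2")
            + vsa(CISCO, CISCO_AVPAIR, b"inacl=permit tcp from any to host 10.1.2.3")
            + vsa(WISPR, 7, struct.pack("!I", 2000000))
            + vsa(WISPR, 8, struct.pack("!I", 10000000))
            + vsa(WISPR, 4, b"https://portal.example.com/welcome"))


if __name__ == "__main__":
    for key, val in sorted(decode_reply(sample_accept()).items()):
        print(key, val)
```

Anything the decoder does not recognise lands in "ignored" rather than being silently dropped, which is what you want to see in a log when a server sends a Class value as binary or a vendor attribute under the wrong vendor id.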
RADIUS for Wireless
● 802.1x, a.k.a. WPA Enterprise
● More secure than WPA/WPA2 with a pre-shared key
  – Less prone to brute forcing (per-user credentials instead of one shared passphrase)
  – Harder to snoop (per-session keys with no shared PSK to derive them from)
● RADIUS only, no LDAP
● The second RADIUS server is used if the first fails
● Settings are placed on the wireless interface (e.g. Interfaces > WiFi)
● Set WPA Key Management to EAP!
● Set the client to PEAP (or whatever mode is configured on the RADIUS server)
  – Configure clients to validate the RADIUS server's certificate; otherwise a rogue AP can collect the PEAP/MSCHAPv2 credentials
● Clients will log in using the username/password on the RADIUS server
● Check the Wireless log for info if access fails
● The AP daemon (hostapd) supports dynamic VLAN assignment, but we do not currently enable that or support it in the GUI – perhaps in the future
Conclusion
● Eventually, all areas will converge on using the User Manager auth servers (Captive Portal, Wireless, L2TP, PPPoE, etc)
● Works well now, but always room for improvement
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc