Sometimes my work require me to do stuff that is so interesting I work overtime without actually telling anybody to make it work better, like I’ve done for Munin and Icinga — most of the time, though, my work is just boring, repetitive, but that’s okay, excitement goes a long way to ruin a person’s health. Especially when said excitement hits you on the jawbone with a network where Ethernet ports are authenticated with 802.1x…
You might not know it but there is a way to authenticate clients more or less the same way you do on WiFi when you use actual wired Ethernet. This is done through 802.1x and RADIUS. What is RADIUS? Well, it’s basically an authentication and accounting protocol, which I guess was originally developed for dial-up Internet access… remember those 56k modem days? No? Sigh, I feel old now. At any rate, for that reason, you’ll find the FreeRADIUS server in
net-dialup/freeradius as of this moment .. it really should be moved to
sys-auth/freeradius-server but I don’t want to bother with that right now.
So what happens during 802.1x is simple: the switch act as a proxy between the client and the RADIUS server (called authenticator), passing through the authentication messages, most of the case EAP-based. Until the authentication is passed, all other packets sent over the network are simply dropped. Now depending on how you set up the network and the capability of your switch, you can make it so that if authentication does not happen in a given time you go to a guest VLAN, or you just keep dropping packets waiting for authentication. Unfortunately if you go with default DHCP configuration, with the default timeouts, it’s likely that you won’t get any network, which is the problem we hit with our device (comparatively, OSX had the same issue, and you had to renew the DHCP lease after about a minute of connecting the Ethernet cable).
So I bought the cheapest 802.1x capable switch I could find on Amazon (an eight ports Cisco SG-200, if you’re interested) and started setting up to simulate an 802.1x network — this switch does not support the guest vlan as far as I can tell, which is actually what bothers me quite a bit, but on the whole it looks okay for our testing. I actually found out after the whole work was done, that it was technically possible to authenticate against a local database instead of having to deal with an external authenticator, but I’ve not been able to get it running that way, so it’s okay.
For what concerns the main topic of this discussion from the Gentoo point of view, I was quite lucky actually; there is good documentation for it on nothing less than TLDP — it’s a 2004 howto but it’s still almost perfect. The only difference in syntax for FreeRADIUS’s configuration is the way the password is designed in the users configuration file. I’ve not checked the client-side configuration of course, since that is probably completely out of date nowadays thanks to WPA Supplicant and NetworkManager.
The big hurdle was getting FreeRADIUS in a decent shape: simply emerging it and trying to start it would get it to fail silently, so I had to kick it into submission, hard. It so happened that a new version of the server was just released in September, so I decided to update to that one version and get it working as a proper ebuild. The new ebuild in tree should work quite nicely, the problem is that if you look at it, it’s hideous. The big problem is that their build system is a complete fsckup, and you have to resolve to deleting whole subdirectories to configure the features to build, and it has quite a few of them as it has over half a dozen database backends, and so many integrations that it’s really not funny to deal with those optional dependencies.
If you used the older ebuilds, or compare the new one to the old ones you can probably notice that I dropped a number of USE flags, especially those that were so specific to FreeRADIUS that they had a
fr- prefix. This is because I’ve followed my usual general idea, that USE flags are great, if you’re turning on/off features that are heavy, or that have external dependencies, but if you just enable/disable codepaths that are barely noticeable, they just add to the noise. For this reason there is now only one local USE flag for pcap (which is actually a global flag with a more detailed description).
Also, when you build with SSL (which you want to do when doing 802.1x!) you need a CA to sign the users’ certificates. While you can set up your own CA relatively easily, like you already do for OpenVPN, I’ve made it much easier by wiring the originally-provided script to the
--config option for the package (so you just need to run
emerge --config freeradius for it to work).
As I said, the build system is extremely bad, to the point that they are actually committing to their GIT repository the whole autotools-generated files, which is not a good idea. At least this time around I was able to free up the files directory as all the patches are handled as tarballed patchsets on my devspace; if you want to see the patches in a more friendly way, I also got a copy of the repository on Gentoo’s GitHub account — you can also find a number of other projects that I patched the same way, including Munin.
Due to security issues, the new version of FreeRADIUS I put in tree is now stable on the two arches that were stable before, and all the old versions are gone, together with their patches (it cleaned up nicely) for the love for our rsyncs. Hopefully that doesn’t screw with anybody’s plans — if somebody has a problem with my changes, feel free to prod me.
RADIUS can also be configured for user authentication/authorization for your NAS. Since not all networking components support TACACS+, I think about migrating to RADIUS from tac_plus, for the AAA. I have bought recently a mikrotik router and that does not have support TACACS. RADIUS is more powerful. The only problem with RADIUS is its communication is send in clear text between the client and the server, except credentials.I just miss some good tools for freeRADIUS since, I am to lazy to edit config files, and mostly you want to delegate routine jobs like add/delete/change to responsible parties.You could not have written this article at a better time, it gives me a kick to migrate to RADIUS. Also because of dot1X which is over here a nice to have, but I never worked with it until now and have the feeling I should do it.I wish there was more gentoo networking related guys like you around. It’s always cool to read such great articles. Thanks
Yeah it seems like Radius is one of the most common centralized AAA. I think at least FreeRADIUS can set up TLS tunnels for information as well, but that might not be part of the basic RADIUS support that network supports.One solution you can use with FreeRADIUS to deal with adding users is simply to get FreeRADIUS to bridge to PAM or to some other database.. I’d be surprised if there isn’t a web interface that can be used to deal with it. Gentoo also packages the “client” side of FreeRADIUS, I guess for writing compatible netwokr devices, but I haven’t looked into it.I suppose I should consider doing the pkgmove sometime this month, before it gets too cold.Also, there are plenty of Gentoo developers that work on networking infrastructures.. it’s just that most of them don’t have the time to blog — and I do understand them, I’m using my spare time to blog, or sometimes actually the paid time, with the understanding that I’ll use the post to document something we’ve been doing.
Don’t feel old, Flameeyes – my first modem was 300 baud, and I remember how much speedier things felt when the 1200 baud modems became available! 😉
Actual versions of FreeRadius in more or less all Unix Distributions nowadays come with SSL precompiled.So setting up a .1x Environment with FreeRadius (on a Raspberry Pi for example) is now a piece of cake and runs out of the box.The FreeRadius website has a lot of documentations how to set this up as well as many websites.Even with WLAN User security (Radius authentication) this has become more and more common.