inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

eduroam authentication with Google LDAPs #7295

Open drthiruna opened 1 year ago

drthiruna commented 1 year ago

When the eduroam users try to authenticate, the NAC fails with the following messages. Our user database is Google LDAP.

Roaming users in Local: Reason: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'

Inbound eduroam authentication: Attribute "User-Password" is required for authentication.

This is an AD attribute. It indicates that the eduroam default configuration in the NAC is looking for NTLM authentication. For doing NTLM the NAC should be connected to an AD. In this case, there is a dependency on MS AD. PacketFence tries to use winbindd for Active Directory authentication. When there is no domain present, we get the "Reading winbind reply failed" message, as the machine is not joined to the domain. Hence there should be no dependency on MS AD when the NAC is using LDAP as the user database.

nqb commented 1 year ago

Hello, Please adjust your issue description using our template if you want us to take it into account.

drthiruna commented 1 year ago

@nqb

Is your feature request related to a problem? Please describe.
Our user database is Google LDAP. PF is not connected to MS AD. I am trying to configure PF for eduroam. But eduroam user authentication fails with the following messages.

Roaming users in Local (PF to NRO-eduroam) - Reason: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'

Inbound eduroam authentication - Attribute "User-Password" is required for authentication.

It might be because the eduroam default configuration in PF is looking for NTLM authentication. In this case, there is a dependency on MS AD. In addition, PF tries to use winbindd for Active Directory authentication. Hence there should be no dependency on MS AD when the NAC is using LDAP as the user database.

Describe the solution you'd like
PF may authenticate the users against the LDAP without the dependency on MS AD.

Describe alternatives you've considered
I tried to use an external NPS server as a RADIUS proxy. That is, use the NPS only for eduroam. For local authentication I tried to configure the NPS to use PF; for roaming users, the NPS and the RADIUS proxy. But no success.

drthiruna commented 1 year ago

@nqb As you mentioned, the issue is now presented in the standard template.

drthiruna commented 1 year ago

@nqb Can you please reply on this issue?

fdurand commented 1 year ago

@drthiruna In fact it requires some code to make the ldaps configuration happen in the FreeRADIUS eduroam section. I will have a look.

drthiruna commented 1 year ago

@fdurand Thanks a lot. This enhancement will remove the dependency on AD in future.

extrafu commented 1 year ago

You likely cannot do EAP-PEAP with Google LDAP since it probably doesn't expose NT/LM password hashes nor a cleartext version of the password.

That being said, you'll have to do EAP-TTLS - and that has nothing to do with AD/winbind.