
Page 1: TBLDAPEnviron_1370.pdf

Extreme Networks Technical Brief

Configuration Requirements

The following components are required to install the access control solution:

• Linux server with Red Hat 4.0
• FreeRADIUS 1.1.x
• OpenLDAP 2.3.x
• Extreme Networks® Summit® X450e switches
• Windows XP clients

Overview

Customers with a directory services authentication solution such as Lightweight Directory Access Protocol (LDAP) require cost-effective, secure edge access devices. For added security, customers need a dynamic policy enforcement edge solution that does not depend on open, unsecured edge ports.

Customers also want to use existing directory services infrastructures to reduce administrative overhead as well as reduce time and effort to configure edge switches.

Extreme Networks® Universal Port framework can establish and enforce policies based on an authenticated user or device. Each port is secured because it is not part of any subnet until access is granted by an authentication authority.

Authentication is typically accomplished using a Remote Authentication Dial-In User Service (RADIUS) protocol which holds the authentication database. The solution to providing secure edge provisioning requires the addition of an authenticating element to the network configuration that can work with directory services. In other words, to integrate the Universal Port in an LDAP environment, a RADIUS server must be added to use the LDAP database.

The following is a configuration example that enables an IP phone or PC to use the Universal Port technology to authenticate to an LDAP environment.

Configuration Instructions

Basic Configuration Steps

1. Install and configure RADIUS server on existing Linux server
2. Install and configure OpenLDAP
3. Add vendor-specific attributes to RADIUS server and LDAP server
4. Configure edge switches
5. Configure supplicant

Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment

© 2007 Extreme Networks, Inc. All rights reserved. Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment—Page 1

Figure 1: Completed Authentication Design (drawing 5070-01). The diagram shows an EAPS ring (RFC 3619) of three switches, Transit 1, Transit 2 and the EAPS Master, with EAPS primary ports 23, 23 and 21 and EAPS secondary ports 24, 22 and 24; two 802.1x phones, an 802.1x PC and an Avaya G250 at the edge; the current domain authentication server (FreeRadius) and the directory services server (OpenLDAP); and the Avaya HQ callserver and the Internet reached through the ring.


Install and Test the RADIUS Server

RADIUS protocol is defined in IETF RFC 2865. RADIUS protocol allows a Network Access Server (NAS) to perform authentication, authorization, and accounting for users. RADIUS is a client/server protocol based on UDP. The RADIUS client, the network access server, is typically a router, switch, or wireless access point. In this configuration, the RADIUS server is a daemon process running on a UNIX server.

RADIUS server software can be obtained from several sources. This solution uses FreeRADIUS available on the following URLs: http://www.freeradius.org or www.redhat.com. FreeRADIUS fits well in a distributed, heterogeneous computing environment.

Enter the Following Commands to Install and Test FreeRADIUS

tar -zxvf freeradius-1.0.2.tar.gz           (extract with gunzip and tar)
./configure
make
make install                                (run this command as root)
radiusd                                     (start RADIUS server)
radiusd -X                                  (start RADIUS server in debug mode)
radtest test test localhost 0 testing123    (test RADIUS server)

If radtest receives a response, the FreeRADIUS server is up and running.

Note: Another free tool, NTRadPing, can be used to test authentication and authorization requests from Windows clients. NTRadPing displays detailed responses such as attribute values sent back from the RADIUS server.
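The radtest line above exercises the three things a RADIUS client and server must agree on: the attribute encoding, the shared secret, and the authenticators. The following added example (not code from the brief or from FreeRADIUS) builds the same PAP Access-Request that radtest sends, encrypts the User-Password with the RFC 2865 MD5 chaining, and then verifies a reply's Response Authenticator the way a careful client should before trusting an Access-Accept. The shared secret testing123 is the one from the radtest command; the request identifier and the reply contents are constructed.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute numbers from RFC 2865 (constructed example, not the brief's code)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT, ATTR_REPLY_MESSAGE = 1, 2, 5, 18


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_pap_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse of encrypt_pap_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_port=0, authenticator=None):
    """The Access-Request that `radtest <user> <password> <host> <nas-port> <secret>` sends."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes, fresh per request
    attrs = (tlv(ATTR_USER_NAME, username.encode())
             + tlv(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + tlv(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(code, request, attrs, secret):
    """What the server sends back (used here to construct a sample Access-Accept)."""
    identifier = request[1]
    auth = response_authenticator(code, identifier, attrs, request[4:20], secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check before trusting a reply: the identifier must match the request and the
    Response Authenticator must have been computed with the shared secret over this request's
    authenticator. Anything else is a forged, replayed or mis-keyed reply."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"testing123"                      # the secret from the brief's radtest line
    req = build_access_request(1, "test", "test", secret)
    accept = build_reply(ACCESS_ACCEPT, req, tlv(ATTR_REPLY_MESSAGE, b"ok"), secret)
    print("reply accepted with correct secret:", verify_reply(accept, req, secret))
    print("reply accepted with wrong secret:  ", verify_reply(accept, req, b"wrong"))
```

Two points worth noticing when reading a radiusd -X trace: the password is obfuscated with MD5 keyed by the shared secret, not encrypted with a modern cipher, which is why the brief's later move to PEAP (a TLS tunnel) matters for the XP clients; and a reply whose Response Authenticator does not verify should be dropped silently rather than treated as a reject.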

Configure the FreeRADIUS Server

Configuring the RADIUS server involves configuring the server, the client, and the user (both for authentication and authorization).

LDAP is an open standard that defines a method for accessing and updating information in an X.500-like directory. LDAP can be used to keep user information in a central location to avoid having to store identical user information on each system. LDAP is also used to maintain and access information in a consistent and controlled manner. LDAP simplifies user administration tasks by managing users in a central directory. Because LDAP lacks interoperability with a RADIUS client, a RADIUS server is configured to authenticate users against LDAP.

Configuring the Server

FreeRADIUS configuration files are usually stored in the /etc/raddb folder.

1. Modify the following global settings in the radiusd.conf file.

log_auth = yes              (log authentication requests to the log file)
log_auth_badpass = no       (don't log passwords if request rejected)
log_auth_goodpass = no      (don't log passwords if request accepted)

2. Add the following LDAP settings to the ldap module.

modules {
    ldap {
        server = "ldaptest.extremenetworks.com"
        basedn = "o=ldaptestdemo,dc=extremenetworks,dc=com"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        authtype = ldap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
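The filter line in the ldap module above is expanded per request: Stripped-User-Name (what the suffix module leaves after removing an @realm) when present, otherwise the raw User-Name, substituted into a search filter. The following added example (not from the brief or from FreeRADIUS) mirrors that expansion in Python and shows the one step any such substitution needs: RFC 4515 escaping of the user-supplied value, so that a name containing filter metacharacters can only match literally. rlm_ldap performs equivalent escaping on its own expansions; the strip_realm helper is a simplified stand-in for the suffix module and is an assumption of this example.

```python
from typing import Optional

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only match literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str) -> Optional[str]:
    """Simplified stand-in for the FreeRADIUS suffix module: the part before '@', or None
    when there is no realm (Stripped-User-Name is then absent and the filter falls back
    to User-Name, exactly what the %{Stripped-User-Name:-%{User-Name}} syntax expresses)."""
    name, sep, _realm = user_name.partition("@")
    return name if sep else None


def build_user_filter(user_name: str) -> str:
    """Expand the brief's filter "(cn=%{Stripped-User-Name:-%{User-Name}})" for one request,
    escaping the chosen name before it is placed inside the filter."""
    name = strip_realm(user_name) or user_name
    return "(cn=" + escape_filter_value(name) + ")"


if __name__ == "__main__":
    for candidate in ("newperson3", "newperson3@extremenetworks.com", "*", "(cn=x)"):
        print(repr(candidate), "->", build_user_filter(candidate))
```

The base_filter "(objectclass=radiusprofile)" is AND-ed with this per-user filter by the module, so an entry is only returned if it carries the radiusprofile object class from the RADIUS-LDAPv3 schema added later in the brief.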

3. Uncomment ldap in the authorize section.

authorize {
    preprocess
    chap
    mschap
    suffix
    ldap
    eap
    files
}

4. Uncomment ldap in the authenticate section.

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    ldap
    eap
}


Configuring the Attribute Mappings

Attributes are configured in /etc/freeradius/ldap.attrmap. This file maps a RADIUS attribute to an LDAP attribute. Because Samba stores NT/LM password hashes, the default mapping for LM-Password and NT-Password must be changed.

Use the following commands to configure attribute mappings.

checkItem User-Password           userPassword
checkItem LM-Password             sambaLMPassword
checkItem NT-Password             sambaNTPassword
replyItem Tunnel-Type             radiusTunnelType
replyItem Tunnel-Medium-Type      radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

Configuring the Client

Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients. Either group the NAS by IP subnet or list the NAS by hostname or IP address.

Use the following commands to configure the client using the second method.

client 192.168.1.1 {
    secret = extreme1
    shortname = ldap-demo
}

Configuring the Authentication Method

The authentication method is configured in /etc/raddb/eap.conf. The authentication method used by FreeRADIUS is the Protected EAP (PEAP) method. To activate PEAP, a TLS tunnel is required to encrypt communication between supplicant and RADIUS server. This means that server certificates are required. Use the following settings to configure the authentication method.

peap {
    default_eap_type = mschapv2
}

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
    fragment_size = 1024
    include_length = yes
}

Start the RADIUS Service

Use the following command to start radiusd in the foreground with debugging enabled (useful for troubleshooting).

radiusd -X -f


Install OpenLDAP

OpenLDAP software is an open source implementation of LDAP and can be obtained at http://www.openldap.org.

Use the following procedure to install OpenLDAP packages.

1. Verify the Red Hat Linux installed releases. The release number is stored in the /etc/redhat-release file.

2. Verify the version of OpenLDAP currently installed by entering the rpm -qa | grep openldap command at the Linux prompt.

# rpm -qa | grep openldap
openldap-2.3.xx-x
openldap-clients-2.3.xx-x
openldap-servers-2.3.xx-x

3. If a default Red Hat Linux installation was used, there is at least one OpenLDAP Red Hat Package Manager (RPM) installed. The LDAP RPMs can either be found on the Red Hat CD or download from one of the following RPM download sources.

www.rpmfind.net: search on openldap and select the RPM based on the distribution
www.redhat.com: select Download, and then search on openldap

4. After downloading the RPMs to the Linux server, change to the download directory and start the installation using the rpm command.

# rpm -ivh openldap*

5. Verify that the OpenLDAP RPMs have been installed with the rpm -qa | grep openldap command at the Linux prompt.

# rpm -qa | grep openldap
openldap-2.3.xx-x
openldap-clients-2.3.xx-x
openldap-servers-2.3.xx-x

Configure OpenLDAP

Once the build is complete, the slapd and slurpd daemons are located in /usr/local/libexec. The config files are in /etc/openldap and ready to start the main server daemon, slapd.

Configuring Slapd for Startup

Before slapd can be started, /etc/openldap/slapd.conf must be edited to indicate where to store data and who is allowed access to the data.

Use the following slapd.conf settings to configure slapd for startup: change the suffix, change the rootdn, use slappasswd to generate the rootpw, and add the rootpw entry.

database    (use default)
suffix      "dc=xxxxxx,dc=org"
rootdn      "cn=xxxx,dc=xxxxxx,dc=org"
rootpw      {SSHA}c5PemO1KWqz0254r4rnFVmxKA/evs4Hu
directory   /var/lib/ldap
allow       bind_v2
pidfile     /var/run/slapd.pid


Adding New Schemas

The radius schema and samba schema for PEAP authentication must be included into the slapd.conf file. After modifying the file, the LDAP server must be restarted to load the new schemas.

Use the following commands to add new schemas.

cp /usr/share/doc/freeradius-1.0.1/RADIUS-LDAPv3.schema /etc/openldap/schema/
cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema /etc/openldap/schema

Add the following include lines to slapd.conf.

include /etc/openldap/schema/RADIUS-LDAPv3.schema
include /etc/openldap/schema/samba.schema

Populating LDAP Database with Organization and User Entries

Use the following LDIF entry to create the user in the LDAP directory (slapd.conf).

dn: uid=newperson3,o=ldaptestdemo,dc=extremenetworks,dc=com
objectClass: top
objectClass: person
# radiusprofile is defined in the RADIUS-LDAPv3 schema
objectClass: radiusprofile
objectClass: sambaSamAccount
sn: ldaptestdemo
# this username is given in the Odyssey client
uid: newperson3
cn: newperson3
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
# value of the VLAN tag
radiusTunnelPrivateGroupId: 2
sambaNTPassword: A3A685F89364D4A5182B028FBE79AC38
sambaLMPassword: C23413A8A1E7665FC2265B23734E0DAC
userPassword:: e1NIQX00MXZzNXNYbTRPaHNwUjBFUU9raWdxbldySW89
sambaSID: S-1-0-0-28976

The samba-related attributes may already be populated in the LDAP server if there is an LDAP-enabled samba infrastructure in place.

Note: If the samba-related entries are not present, the values for sambaNTPassword and sambaLMPassword can be created by running the mkntpwd command.

cd /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/mkntpwd
make
./mkntpwd -L <password>    (provides value for sambaLMPassword attribute)
./mkntpwd -N <password>    (provides value for sambaNTPassword attribute)


Add Vendor-Specific Attributes to RADIUS and LDAP Server

Configuring the RADIUS Dictionary

To add Extreme Networks VSAs, add the following lines to the dictionary file in /etc/raddb.

ATTRIBUTE Extreme-CLI-Authorization        201 integer Extreme
ATTRIBUTE Extreme-Shell-Command            202 string  Extreme
ATTRIBUTE Extreme-Netlogin-Vlan            203 string  Extreme
ATTRIBUTE Extreme-Netlogin-Url             204 string  Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc        205 string  Extreme
ATTRIBUTE Extreme-Netlogin-Only            206 integer Extreme
ATTRIBUTE Extreme-User-Location            208 string  Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag        209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan   211 string  Extreme
ATTRIBUTE Extreme-Security-Profile         212 string  Extreme

VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled  1
VALUE Extreme-Netlogin-Only     Disabled 0
VALUE Extreme-Netlogin-Only     Enabled  1

Configuring Additional Attributes Mappings

Attributes are configured in /etc/freeradius/ldap.attrmap.

## Attributes for Extreme Networks Vendor-Specific RADIUS
replyItem Extreme-Security-Profile        radiusExtremeSecurityProfile
replyItem Extreme-Netlogin-Vlan-Tag       radiusExtremeNetloginVlanTag
replyItem Extreme-Netlogin-Extended-Vlan  radiusExtremeNetloginExtendedVlan

Modifying RADIUS Schema

Additional attributes for RADIUS must be configured to extend the RADIUS-LDAPv3.schema under the /etc/openldap directory.

Use the following commands to modify the RADIUS schema.

attributetype ( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusExtremeSecurityProfile' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusExtremeNetloginVlanTag' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.63 NAME 'radiusExtremeNetloginExtendedVlan' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


Restarting the LDAP Server

Use the following command to stop and start the LDAP service.

service ldap restart

For phone authentication (which uses EAP-based MD5 authentication) the password is stored in cleartext in the userPassword attribute of the phone entries in LDAP.

Configure the Switch

This configuration applies to Summit® X450e switches but can also be used for other Extreme Networks switches that support 802.1x. Refer to the software configuration guide of the switch for details.

Use the following commands to activate the switch for 802.1X port-based authentication.

create vlan voice
create vlan data
create vlan ldap
configure voice tag 10
configure data tag 20
configure ldap ipaddress 192.168.1.1/24
enable ipforwarding

create vlan nvlan
en netlogin dot1x
en netlogin port 13-24 dot1x
configure radius netlogin primary server 192.168.1.2 1812 client-ip 192.168.1.1 vr VR-Default
configure radius netlogin primary shared-secret extreme1

enable radius netlogin
enable netlogin dot1x

To make the port able to run the scripts, when told to do so by RADIUS/LDAP:

configure upm event user-authenticate profile a-avaya ports 1-23

LDAP UID entries: In the LDAP phone uid details, use the following attribute to execute a script:

Extreme-Security-Profile

To make the port to be added tagged in the voice vlan:

Extreme-Netlogin-Extended-Vlan = TVoice (use UData for a PC)

NOTE: The fields required for authentication depend on the end-station; XP uses EAP-PEAP and must have encrypted fields for the UID password. Avaya phones authenticate with MD5 and must have an unencrypted field in LDAP.

Scripts: This a-avaya script tells the phone to configure itself in the voice VLAN, and to send tagged frames. The script also informs the phone of the fileserver and callserver.


create upm profile a-avaya
create log entry Starting_UPM_Script_AUTH-AVAYA
set var callServer 10.147.12.12
set var fileServer 10.147.10.3
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
# create log entry Starting_UPM_AUTH-AVAYA_Port_$EVENT.USER_PORT
#*********************************************************
# adds the detected port to the device "unauthenticated" profile port list
#*********************************************************
create log entry Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#configure upm event user-unauthenticated profile CleanupProfile ports $EVENT.USER_PORT
#*********************************************************
# Configure the LLDP options that the phone needs
#*********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voiceVlan
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
#***************************************************************
# Configure the POE limits for the port based on the phone requirement
#***************************************************************
# If port is PoE capable, uncomment the following line
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
#configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
create log entry UPM_Script_A-AVAYA_Finished_Port_$EVENT.USER_PORT

NOTE: This script refers specifically to Avaya but it should be applicable to any LLDP-enabled phone.

Configure the Supplicant

Figure 2 illustrates the configuration of a Windows XP supplicant. No additional installation is required. For enhanced security, install the FreeRADIUS server CA certificate (the CA that signed the certificate installed in eap.conf).

Use the following procedure to configure the Supplicant.

1. Open the network configuration panel and select the network card and enter the properties.

Figure 2: Configuration for a Windows XP Supplicant


2. Select the Authentication tab. See Figure 3.

Figure 3: Authentication Tab

3. Enable 802.1x and disable authenticate as computer. Choose EAP type of PEAP and click on Properties. See Figure 4.

Figure 4: Protected EAP Properties Window


4. Unselect the Validate server certificate and select Secured password (EAP-MSCHAP v2) as the authentication method. Click Configure. See Figure 5.


Figure 5: EAP MSCHAPv2 Window

5. Unselect the checkbox.

© 2007 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names and marks are the property of their respective owners. Specifications are subject to change without notice.

1370_01 10/07 Using the Universal Port in a Lightweight Directory Access Protocol (LDAP) Environment Technical Brief