Packetfence: authenticate using mschapv2 with OpenLDAP

Packetfence is an Open Source Network Access Control server. It is open, free, and very advanced.
On the other hand, it has been quite a challenge for me to set it up. They also provide a virtual-machine-based ZEN, which stands for Zero Effort NAC, but I chose to install it manually on Debian.

Based on FreeRADIUS, it should integrate easily with Microsoft Active Directory for dot1x, but again I chose not to use AD, but OpenLDAP. This part has been difficult, since it is not that well documented.


Enable LDAP auth source

Setting up an LDAP Authentication Source in the web GUI is not enough. You'll also need to manually enter your LDAP connection settings in /usr/local/pf/raddb/mods-available/ldap (this step is well documented in the Packetfence documentation listed under Sources), and create a soft link in /usr/local/pf/raddb/mods-enabled:

cd /usr/local/pf/raddb
ln -s ../mods-available/ldap mods-enabled/ldap   # the link target is resolved relative to mods-enabled/

Next, you'll need to "activate" LDAP as an authorization source. Edit /usr/local/pf/conf/radiusd/packetfence-tunnel and uncomment "-ldap" in the authorize section:

#
# The ldap module reads passwords from the LDAP database.
-ldap

Just below that line, you’ll need to add these lines:

-ldap
update control {
    MS-CHAP-Use-NTLM-Auth := No
}

Without "MS-CHAP-Use-NTLM-Auth := No", FreeRADIUS will hand MS-CHAP authentication to ntlm_auth, which is needed for Active Directory (as far as I know) and does not work for OpenLDAP.

Restart radius:

service packetfence-radiusd-auth restart
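The three steps above (link the ldap module, edit the authorize section of packetfence-tunnel, restart the RADIUS service) as one idempotent script. This is an added example, not code from the original post or from the PacketFence project; PF_ROOT, PF_APPLY and the function names are assumptions of this script, while the paths and the inserted lines are the ones given above.

```shell
#!/bin/sh
# Added example, not part of the original post or of PacketFence: applies the
# "Enable LDAP auth source" steps in an idempotent way. PF_ROOT, PF_APPLY and
# the function names are assumptions of this script.
set -eu

PF_ROOT="${PF_ROOT:-/usr/local/pf}"

# Step 1: expose the ldap module to FreeRADIUS. The symlink target is resolved
# relative to mods-enabled/, so it must start with "../".
enable_ldap_module() {
    raddb="$1/raddb"
    if [ ! -e "$raddb/mods-enabled/ldap" ]; then
        ln -s ../mods-available/ldap "$raddb/mods-enabled/ldap"
    fi
}

# Step 2: in the authorize section of packetfence-tunnel, uncomment "-ldap"
# and put the "update control" block right below it. Only the first "-ldap"
# inside authorize is touched (a "-ldap" in another section is left alone);
# a second run is a no-op.
enable_ldap_authorize() {
    conf="$1"
    if grep -q 'MS-CHAP-Use-NTLM-Auth := No' "$conf"; then
        return 0
    fi
    awk '
        /^authorize[ \t]*[{]/ { in_authz = 1 }
        in_authz && /^}/      { in_authz = 0 }
        in_authz && !inserted && /^[ \t]*#?[ \t]*-ldap[ \t]*$/ {
            print "\t-ldap"
            print "\tupdate control {"
            print "\t\tMS-CHAP-Use-NTLM-Auth := No"
            print "\t}"
            inserted = 1
            next
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q 'MS-CHAP-Use-NTLM-Auth := No' "$conf" || {
        echo "no -ldap line found in the authorize section of $conf" >&2
        return 1
    }
}

# Step 3: restart the PacketFence RADIUS authentication service.
restart_radius() {
    service packetfence-radiusd-auth restart
}

apply_all() {
    enable_ldap_module "$1"
    enable_ldap_authorize "$1/conf/radiusd/packetfence-tunnel"
    restart_radius
}

# Nothing is changed unless PF_APPLY=1, so the functions can first be tried
# against a scratch copy of the configuration tree.
if [ "${PF_APPLY:-0}" = 1 ]; then
    apply_all "$PF_ROOT"
fi
```

Run it as `PF_APPLY=1 sh enable-ldap.sh` on the PacketFence host; to rehearse it first, copy raddb/ and conf/radiusd/packetfence-tunnel into a scratch directory and point PF_ROOT there.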


Use plain-text passwords in OpenLDAP

This may sound insecure, but it is a requirement for FreeRADIUS to work with OpenLDAP: to verify an MS-CHAPv2 response, the server needs the user's clear-text password (or the NT hash derived from it), which it cannot recover from a one-way hash such as {SSHA}. I highly recommend using LDAPS instead of plain LDAP, and if you use any GUI such as phpLDAPadmin, you'll also want to set up HTTPS.
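A quick check to run before switching on MS-CHAPv2: classify how each entry in an LDIF export stores userPassword, so that accounts with a one-way hash (which FreeRADIUS cannot use for MS-CHAPv2) show up before users start failing. This is an added example, not part of the original post; the function names and the three sample entries are constructed for it.

```shell
#!/bin/sh
# Added example, not part of the original post: reports how each entry in an
# LDIF export stores userPassword. Function names and sample entries are
# constructed for this example.
set -eu

# Constructed sample: alice has a clear-text password, bob's is "{SSHA}abc"
# (base64-encoded in the LDIF, as exports commonly show this attribute),
# carol has no password at all.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=org
userPassword: correct-horse

dn: uid=bob,ou=people,dc=example,dc=org
userPassword:: e1NTSEF9YWJj

dn: uid=carol,ou=people,dc=example,dc=org
cn: carol'

# Print "<dn>TAB<scheme>TAB<verdict>" for the entry collected so far.
emit_verdict() {
    [ -n "$dn" ] || return 0
    if [ "$have_pw" -eq 0 ]; then
        printf '%s\tnone\tno userPassword attribute\n' "$dn"
        return 0
    fi
    case "$pw" in
        "{"*"}"*)
            # Scheme name sits between braces, e.g. {SSHA}, {CRYPT}, {CLEARTEXT}.
            scheme=$(printf '%s' "$pw" | sed 's/^{\([^}]*\)}.*/\1/' | tr 'a-z' 'A-Z')
            case "$scheme" in
                CLEAR|CLEARTEXT) verdict="usable: clear-text with header" ;;
                NT|X-NTHASH)     verdict="usable: NT hash" ;;
                *)               verdict="unusable for MS-CHAPv2: one-way hash" ;;
            esac ;;
        *)
            scheme="plain"
            verdict="usable: clear-text" ;;
    esac
    printf '%s\t%s\t%s\n' "$dn" "$scheme" "$verdict"
}

# Read LDIF on stdin. Entries are separated by blank lines; "userPassword::"
# carries a base64 value, "userPassword:" a literal one.
classify_ldif_passwords() {
    dn=""; pw=""; have_pw=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "dn: "*)            dn="${line#dn: }" ;;
            "userPassword:: "*) pw=$(printf '%s' "${line#userPassword:: }" | base64 -d); have_pw=1 ;;
            "userPassword: "*)  pw="${line#userPassword: }"; have_pw=1 ;;
            "")                 emit_verdict; dn=""; pw=""; have_pw=0 ;;
        esac
    done
    emit_verdict   # the last entry is not followed by a blank line
}

printf '%s\n' "$SAMPLE_LDIF" | classify_ldif_passwords
```

Against a live directory, pipe in the output of `ldapsearch -LLL` run over ldaps:// with a bind DN whose ACL allows reading userPassword (ordinary users normally cannot read it), for example `ldapsearch -LLL -H ldaps://ldap.example.org -D "cn=admin,dc=example,dc=org" -W -b ou=people,dc=example,dc=org userPassword | sh -c '. ./check.sh; classify_ldif_passwords'`; the host and bind DN here are placeholders.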


Create a new connection profile

As a last step, you need to create a new connection profile under Configuration > Policies and Access Control > Connection Profiles.

The new profile should contain one or more dot1x-related filters; I used "Connection Type: Ethernet-EAP" and "Connection Type: Wireless-802.11-EAP".


Troubleshooting

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
tail -f /usr/local/pf/logs/radius.log


Sources:

  • Packetfence doc
  • freeradius mailing list
  • https://sourceforge.net/p/packetfence/mailman/message/36433000/

One Reply to "Packetfence: authenticate using mschapv2 with OpenLDAP"

  1. I am wondering if this will work for AD/LDAP without NTLM authentication (on my network NTLM auth on AD is disabled by NPS). Will write back after testing.
