Univention Bugzilla – Bug 29465
Providing the RADIUS services with UCS
Last modified: 2014-05-07 15:24:15 CEST
The RADIUS integration implemented with UCS@school is, in a similar form, also of interest as a standard service for UCS (see also Bug 3893). The packages should be provided directly in UCS and, where necessary, be extended in UCS@school specifically for that use case.

Minimum requirements in UCS:
- Authentication at RADIUS-capable WLAN access points via username/password against the UCS RADIUS
- Definition of the permitted users via UDM (probably via one or more groups that are defined on the RADIUS server via UCR?)

Extension requests (to be split off into separate bugs depending on planning):
- Authentication also via computer or user certificate, ideally with a PKI (or at least the public certificates) in LDAP
- Authentication also at LAN ports (here probably only computer certificates)
*** Bug 3893 has been marked as a duplicate of this bug. ***
Requested in the forum.
The following points are planned for a first version:
- Black- and whitelists for end devices that come in via WLAN; probably "allow all" or "whitelist" is sufficient. I cannot think of a good use case for a blacklist. I do believe, however, that we need the whitelists in LDAP so that it scales.
- Login with user account
- Login with domain account for domain clients
- Restricting users (or groups) and end devices via a checkbox on the user / device object.
- Installation via App Center
- Support for other RADIUS implementations (i.e. no installation on UCS; instead an existing RADIUS can, for example, access the UCS LDAP)
Not a blocker for the 3.2 release.
(In reply to Stefan Gohmann from comment #3)
> The following points are planned for a first version:

univention-radius built in errata3.2-1-scope.

> - Black- and whitelists for end devices that come in via WLAN; probably
> "allow all" or "whitelist" is sufficient. I cannot think of a good use case
> for a blacklist. I do believe, however, that we need the whitelists in LDAP
> so that it scales.

Can be activated via: radius/mac/whitelisting. If activated, the stationId (MAC address) is searched in the directory and must be allowed access (directly or via a group) in addition to the user check.

> - Login with user account
> - Login with domain account for domain clients

Via user/machine account

> - Restricting users (or groups) and end devices via a checkbox on the
> user / device object.

Extended Attribute "Radius"→"networkAccess" allows three states:
ALLOW (TRUE)
DENY (FALSE)
unspecified (empty)

First the user/computer object is checked; if the attribute is unspecified, the groups that contain the user/computer are checked. If any group has the attribute set to DENY, access is denied. Otherwise, if any group has the attribute set to ALLOW, access is allowed. Otherwise every group each group is in is checked recursively. If all levels are unspecified, access is denied by default.

univention-radius-check-access can be used to receive a reasoning of the access decision for a MAC and/or username.

> - Installation via App Center

AppID "univention-radius"
(In reply to Janek Walkenhorst from comment #5)
> > - Installation via App Center
> AppID "univention-radius"

Please rename the AppID to radius and the name of the app from "Univention RADIUS" to "RADIUS".
Created attachment 5864
App icon

Attached the preliminary icon file as svg.
Created attachment 5865
App icon as png

… and as .png file in 50x50.
As long as we don't have a chapter in the manual, we need at least a small wiki page. The page should describe the first steps. Other examples:
http://wiki.univention.de/index.php?title=Xrdp
http://wiki.univention.de/index.php?title=SAML_Identity_Provider
The RADIUS user tab contains a drop-down with three values. I think it should be changed to two checkboxes, otherwise True|False or Wahr|Falsch sounds strange. Is it possible to show on the tab which setting has priority?
Radius should be available in the system service UMC module.
http://wiki.univention.de/index.php?title=RADIUS
Some issues:
- Please add UCR variable descriptions, at least for radius/mac/whitelisting
- is_false or is_true should be used in the conffiles, alternatively create a cleanup bug for it:
  conffiles/etc/freeradius/modules/mschap
  conffiles/etc/freeradius/modules/ldap
  conffiles/etc/freeradius/eap.conf
  conffiles/etc/freeradius/sites-available/inner-tunnel
  conffiles/etc/freeradius/sites-available/default
  conffiles/etc/freeradius/ldap.attrmap
- debian/univention-radius.postinst:
  hostname="$(univention-config-registry get hostname)"
  This should be moved to the join script. Otherwise it will be a problem in an appliance setup.
- The documentation should become part of the manual: Bug #34574
- I think we should also add a description for the installation and configuration of Windows and/or Android to the wiki page (no certificate based authentication)
- The wiki page should mention /usr/bin/univention-radius-check-access
- We should create a UMC module for the access point registration: Bug #34573
- Please add a service in UMC system services: http://docs.univention.de/developer-reference-3.2.html#ucr:services
- Other tests:
  Installation: OK
  Group filtering: OK
  User filtering: OK
  Mac filtering: OK
- Missing tests:
  UCS@school update single master:
  UCS@school update multi environment:
*** Bug 30737 has been marked as a duplicate of this bug. ***
(In reply to Stefan Gohmann from comment #13)
> UCS@school update single master:

My @school test failed. I've installed the radius app which updated the old radius package. After that I created a class School1-1a and added the user stefan to the class. I've added an internet rule 'foo' and connected this rule with the group School1-1a:

root@master201:~# ucr search --brief proxy/filter/
proxy/filter/domain/whitelisted/1: www.univention.de
proxy/filter/groupdefault/School1-1a: foo
proxy/filter/redirecttarget: http://master201.deadlock201.local/blocked-by-squid.html
proxy/filter/setting/Kein Internet/filtertype: whitelist-block
proxy/filter/setting/Unbeschränkt/filtertype: blacklist-pass
proxy/filter/setting/foo/filtertype: whitelist-block
proxy/filter/setting/foo/priority: 5
proxy/filter/setting/foo/wlan: true
proxy/filter/usergroup/Domain Users School1: stefan
proxy/filter/usergroup/School1-1a: stefan
proxy/filter/usergroup/schueler-school1: stefan
root@master201:~#

But the user doesn't get access:

root@master201:~# /usr/bin/univention-radius-check-access --username=stefan
DENY 'uid=stefan,cn=schueler,cn=users,ou=School1,dc=deadlock201,dc=local'
'uid=stefan,cn=schueler,cn=users,ou=School1,dc=deadlock201,dc=local' -> DENY
'cn=schueler-school1,cn=groups,ou=School1,dc=deadlock201,dc=local' -> DENY
'cn=School1-1a,cn=klassen,cn=schueler,cn=groups,ou=School1,dc=deadlock201,dc=local' -> DENY
'cn=Domain Users School1,cn=groups,ou=School1,dc=deadlock201,dc=local' ->
'cn=schueler-school1,cn=groups,ou=School1,dc=deadlock201,dc=local' ->
'cn=School1-1a,cn=klassen,cn=schueler,cn=groups,ou=School1,dc=deadlock201,dc=local' ->
'cn=Domain Users School1,cn=groups,ou=School1,dc=deadlock201,dc=local' ->
Thus access is DENIED.
root@master201:~#

What is the connection between the UCR settings and the extended attribute on the user tab?

IP of the test system: 10.210.73.229.
univention-radius (1.0.0-4):
- Moved hostname dependent code from postinst to join script.
- New network access policy: UCS@school UCRV are now checked in conjunction with LDAP attributes (instead of instead of), either one can allow access.
- Updated u-radius-check-access to also trace UCS@school UCRV evaluation.
- StationID checking now applies to UCS@school as well.
- Added description for UCRV radius/mac/whitelisting.
- Added service definition and patched freeradius to respect freeradius/autostart.
- Updated Wiki documentation.

(In reply to Stefan Gohmann from comment #13)
> - is_false or is_true should be used in the conffiles, alternatively create
> a cleanup bug for it:
> conffiles/etc/freeradius/modules/mschap
> conffiles/etc/freeradius/modules/ldap
> conffiles/etc/freeradius/eap.conf
> conffiles/etc/freeradius/sites-available/inner-tunnel
> conffiles/etc/freeradius/sites-available/default
> conffiles/etc/freeradius/ldap.attrmap

→ Bug #34504
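The access decision described in Janek Walkenhorst's comment #5 (networkAccess attribute on the object, then group levels, DENY beats ALLOW, deny by default, optional radius/mac/whitelisting) together with the 1.0.0-4 change above (UCS@school UCR variables evaluated alongside the LDAP attribute, either one may allow), as an added worked model in Python. This is not code from the univention-radius package: the directory entries, DNs (dc=example,dc=local), MAC-to-object mapping and the reading of the proxy/filter/* UCR variables are constructed assumptions shaped like the trace in comment #13, and the function names are hypothetical. It also guards against nested-group cycles, which the recursive check needs to terminate on real directories.

```python
"""Model of the univention-radius network access decision described in this bug.

Added example, not code from the univention-radius package. DIRECTORY, UCR and
STATIONS are constructed test data; the evaluation order follows comment #5 and
the 1.0.0-4 changelog ("either one can allow access").
"""
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"
BASE = "dc=example,dc=local"                      # constructed base DN
G = f"cn=groups,ou=School1,{BASE}"

# Constructed directory: DN -> networkAccess (True/False/None) and the groups the object is in.
DIRECTORY: Dict[str, dict] = {
    f"uid=stefan,cn=schueler,cn=users,ou=School1,{BASE}": {"networkAccess": None, "memberOf": [
        f"cn=schueler-school1,{G}", f"cn=School1-1a,cn=klassen,cn=schueler,{G}",
        f"cn=Domain Users School1,{G}"]},
    f"uid=anna,cn=schueler,cn=users,ou=School1,{BASE}": {"networkAccess": None, "memberOf": [
        f"cn=School1-1a,cn=klassen,cn=schueler,{G}"]},
    f"uid=bob,cn=schueler,cn=users,ou=School1,{BASE}": {"networkAccess": False, "memberOf": [
        f"cn=wlan-users,{G}"]},
    f"uid=carl,cn=lehrer,cn=users,ou=School1,{BASE}": {"networkAccess": None, "memberOf": [
        f"cn=wlan-users,{G}", f"cn=blocked,{G}"]},
    f"cn=schueler-school1,{G}": {"networkAccess": None, "memberOf": []},
    f"cn=School1-1a,cn=klassen,cn=schueler,{G}": {"networkAccess": None, "memberOf": []},
    f"cn=Domain Users School1,{G}": {"networkAccess": None, "memberOf": [f"cn=wlan-users,{G}"]},
    # deliberate cycle wlan-users <-> Domain Users School1 to exercise the loop guard
    f"cn=wlan-users,{G}": {"networkAccess": True, "memberOf": [f"cn=Domain Users School1,{G}"]},
    f"cn=blocked,{G}": {"networkAccess": False, "memberOf": []},
    f"cn=ap-client-01,cn=computers,{BASE}": {"networkAccess": True, "memberOf": []},
}
# Constructed Calling-Station-Id -> computer object (only used when whitelisting is on).
STATIONS: Dict[str, str] = {"00-11-22-33-44-55": f"cn=ap-client-01,cn=computers,{BASE}"}
# Constructed UCR values in the shape of the 'ucr search' output in comment #13.
UCR: Dict[str, str] = {
    "radius/mac/whitelisting": "true",
    "proxy/filter/groupdefault/School1-1a": "foo",
    "proxy/filter/setting/foo/wlan": "true",
    "proxy/filter/usergroup/School1-1a": "stefan,anna",
}


def ldap_network_access(dn: str, directory: Dict[str, dict], trace: List[str]) -> str:
    """Comment #5 rule: object first, then one group level at a time. Within a level
    DENY wins over ALLOW; the first level with any verdict decides; all unspecified -> DENY."""
    def verdict(obj_dn: str) -> Optional[str]:
        value = directory.get(obj_dn, {}).get("networkAccess")
        return None if value is None else (ALLOW if value else DENY)

    own = verdict(dn)
    trace.append(f"{dn!r} -> {own or ''}")
    if own is not None:
        return own
    seen = {dn}
    level = list(directory.get(dn, {}).get("memberOf", []))
    while level:
        verdicts = []
        for group_dn in level:
            v = verdict(group_dn)
            trace.append(f"{group_dn!r} -> {v or ''}")
            verdicts.append(v)
        if DENY in verdicts:
            return DENY
        if ALLOW in verdicts:
            return ALLOW
        seen.update(level)
        next_level: List[str] = []
        for group_dn in level:  # climb to the groups each group is in, skipping cycles
            for parent in directory.get(group_dn, {}).get("memberOf", []):
                if parent not in seen and parent not in next_level:
                    next_level.append(parent)
        level = next_level
    return DENY


def school_wlan_access(username: str, ucr: Dict[str, str]) -> bool:
    """Assumed reading of the UCS@school variables: the user is allowed if listed in
    proxy/filter/usergroup/<group> and the rule bound via groupdefault/<group> has wlan=true."""
    prefix = "proxy/filter/usergroup/"
    for key, members in ucr.items():
        if not key.startswith(prefix):
            continue
        rule = ucr.get(f"proxy/filter/groupdefault/{key[len(prefix):]}")
        wlan = ucr.get(f"proxy/filter/setting/{rule}/wlan", "").lower() == "true"
        if rule and wlan and username in [m.strip() for m in members.split(",")]:
            return True
    return False


def check_access(username: Optional[str] = None, station_id: Optional[str] = None,
                 directory=DIRECTORY, ucr=UCR, stations=STATIONS) -> Tuple[str, List[str]]:
    """Combined decision: the user passes if LDAP attribute OR UCS@school rule allows;
    with radius/mac/whitelisting the station object must additionally be allowed."""
    trace: List[str] = []
    result = DENY if username is None and station_id is None else ALLOW
    if username is not None:
        dn = next((d for d in directory if d.startswith(f"uid={username},")), None)
        if dn is None:
            trace.append(f"user {username!r} not found")
            result = DENY
        else:
            by_ldap = ldap_network_access(dn, directory, trace)
            by_school = school_wlan_access(username, ucr)
            trace.append(f"UCS@school rule for {username!r} -> {ALLOW if by_school else DENY}")
            if by_ldap != ALLOW and not by_school:
                result = DENY
    if station_id is not None and ucr.get("radius/mac/whitelisting", "false").lower() == "true":
        station_dn = stations.get(station_id.upper())
        if station_dn is None or ldap_network_access(station_dn, directory, trace) != ALLOW:
            trace.append(f"station {station_id!r} not whitelisted")
            result = DENY
    trace.append(f"Thus access is {'ALLOWED' if result == ALLOW else 'DENIED'}.")
    return result, trace


if __name__ == "__main__":
    for user in ("stefan", "anna", "bob", "carl"):
        print("\n".join(check_access(user, "00-11-22-33-44-55")[1]), "\n")
```

anna reproduces the failure in comment #13 on the LDAP side (all levels unspecified, so DENY) and is then admitted by the UCS@school rule, which is the 1.0.0-4 behaviour; carl shows a DENY group outweighing an ALLOW group on the same level, and bob shows the object's own attribute ending the evaluation before any group is consulted.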
That looks much better. I've added some more points to the Wiki page:
http://wiki.univention.de/index.php?title=RADIUS&action=historysubmit&diff=10971&oldid=10962

Some issues that should be changed:
- reading the Wiki page and switching to the example changes the language from English to German
- the Windows 7 example page writes about UCS@school

I think we should include a documentation about the Windows 8 configuration in English. A documentation for Android would also be nice.
(In reply to Stefan Gohmann from comment #17)
> Some issues that should be changed:
>
> - reading the Wiki page and switching to the example changes the language
> from English to German
>
> - the Windows 7 example page writes about UCS@school
>
> I think we should include a documentation about the Windows 8 configuration
> in English. A documentation for Android would also be nice.

<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Windows_8>
<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Android_4.3>
AppCenter ini updated.
The articles look good. I've made some updates. Please have a look:
<http://wiki.univention.de/index.php?title=RADIUS&action=historysubmit&diff=11004&oldid=10997>
<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Windows_8&action=historysubmit&diff=11005&oldid=10999>
<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Android_4.3&action=historysubmit&diff=11006&oldid=10998>

The jenkins tests were also successful:
<http://jenkins.knut.univention.de:8080/view/App%20Center/job/UCS%203.2%20App%20Autotest%20MultiEnv/126/#showFailuresLink>
(In reply to Stefan Gohmann from comment #20)
> The articles look good. I've made some updates. Please have a look:

They are good.
Advisory added: 2014-04-25-univention-radius.yaml
YAML: OK
UCS tests: OK
UCS@school tests: OK
http://errata.univention.de/ucs/3.2/98.html
http://errata.univention.de/ucs/3.2/108.html