Bug 29465 - Bereitstellung der RADIUS-Services mit UCS
Bereitstellung der RADIUS-Services mit UCS
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 3.0
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-1-errata
Assigned To: Janek Walkenhorst
QA Contact: Stefan Gohmann
Duplicates: 3893 30737
Depends on:
Blocks:
Reported: 2012-11-29 14:41 CET by Ingo Steuwer
Modified: 2014-05-07 15:24 CEST (History)
5 users

Bug group (optional): Release Goal


Attachments
App icon (9.06 KB, image/svg+xml)
2014-04-10 11:18 CEST, Alexander Kläser
App icon as png (5.17 KB, image/png)
2014-04-10 11:19 CEST, Alexander Kläser

Description Ingo Steuwer univentionstaff 2012-11-29 14:41:44 CET
The RADIUS integration implemented in UCS@school is also of interest, in a similar form, as a standard service for UCS (see also Bug 3893).

The packages should be provided directly in UCS and, where necessary, be extended in UCS@school specifically for that use case.

Minimum requirements in UCS:

- Authentication at RADIUS-capable WLAN access points via username/password against the UCS RADIUS
- Definition of the permitted users via UDM (presumably via one or more groups that are defined on the RADIUS server via UCR?)

Extension wishes (to be moved to separate bugs depending on planning):

- Authentication also via machine or user certificate, ideally with a PKI (or at least the public certificates) in LDAP
- Authentication also at LAN ports (presumably machine certificates only here)
Comment 1 Jan Christoph Ebersbach univentionstaff 2012-12-04 10:26:52 CET
*** Bug 3893 has been marked as a duplicate of this bug. ***
Comment 2 Tim Petersen univentionstaff 2013-01-22 12:02:44 CET
Requested in the forum.
Comment 3 Stefan Gohmann univentionstaff 2013-06-11 21:19:36 CEST
The following points are planned for a first version:

- Black- and whitelists for end devices that connect via the WLAN; presumably "allow all" or "whitelist" is sufficient. I cannot think of a good use case for a blacklist. I do believe, however, that we need the whitelists in LDAP so that it scales.

- Login with user account

- Login with domain account for domain clients

- Restricting users (or groups) and end devices via a checkbox on the user / device object.

- Installation via App Center

- Support for other RADIUS implementations (i.e. no installation on UCS; instead an existing RADIUS can, for example, access the UCS LDAP)
Comment 4 Stefan Gohmann univentionstaff 2013-09-30 15:14:07 CEST
Not a blocker for the 3.2 release.
Comment 5 Janek Walkenhorst univentionstaff 2014-03-25 17:16:51 CET
(In reply to Stefan Gohmann from comment #3)
> The following points are planned for a first version:
univention-radius built in errata3.2-1-scope.

> - Black- and whitelists for end devices that connect via the WLAN; presumably
> "allow all" or "whitelist" is sufficient. I cannot think of a good use case
> for a blacklist. I do believe, however, that we need the whitelists in LDAP
> so that it scales.
Can be activated via: radius/mac/whitelisting.
If activated the stationId (MAC address) is searched in the directory and must be allowed (directly or via a group) access in addition to the user check.

> - Login with user account
> - Login with domain account for domain clients
Via user/machine account

> - Restricting users (or groups) and end devices via a checkbox on the
> user / device object.
Extended Attribute "Radius"→"networkAccess" allows three states: ALLOW (TRUE), DENY (FALSE), unspecified (empty).

First the user/computer object is checked; if the attribute is unspecified, the groups that contain the user/computer are checked. If any group has the attribute set to DENY, access is denied. Otherwise, if any group has the attribute set to ALLOW, access is allowed. Otherwise every group each of those groups is in is checked recursively. If all levels are unspecified, access is denied by default.

univention-radius-check-access can be used to receive the reasoning of the access decision for a MAC and/or username.

> - Installation via App Center
AppID "univention-radius"
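The evaluation order described in the comment above, as an added example that is not part of univention-radius: a constructed in-memory directory with hypothetical DNs stands in for LDAP, `evaluate` walks the object and its group levels exactly in the stated order and returns a trace in the style of univention-radius-check-access, and `check_access` adds the station ID (MAC) condition that applies when radius/mac/whitelisting is active.

```python
from typing import Dict, List, Tuple

# Constructed in-memory directory (hypothetical DNs): networkAccess is TRUE = ALLOW,
# FALSE = DENY or None = unspecified; memberOf lists the groups the entry is in.
DIRECTORY: Dict[str, dict] = {
    "uid=stefan,cn=users,dc=example,dc=local":
        {"networkAccess": None, "memberOf": ["cn=class-1a,cn=groups,dc=example,dc=local"]},
    "cn=class-1a,cn=groups,dc=example,dc=local":
        {"networkAccess": None, "memberOf": ["cn=pupils,cn=groups,dc=example,dc=local"]},
    "cn=pupils,cn=groups,dc=example,dc=local":
        {"networkAccess": "TRUE", "memberOf": ["cn=everyone,cn=groups,dc=example,dc=local"]},
    "cn=everyone,cn=groups,dc=example,dc=local":
        {"networkAccess": "FALSE", "memberOf": []},
    "uid=guest,cn=users,dc=example,dc=local":
        {"networkAccess": None, "memberOf": ["cn=everyone,cn=groups,dc=example,dc=local"]},
    "cn=12:34:56:78:9a:bc,cn=computers,dc=example,dc=local":
        {"networkAccess": "TRUE", "memberOf": []},
}
LABEL = {"TRUE": "ALLOW", "FALSE": "DENY"}

def evaluate(dn: str, directory: Dict[str, dict]) -> Tuple[bool, List[str]]:
    """Return (allowed, trace): object first, then its direct groups (DENY beats
    ALLOW on one level), then their parent groups level by level; if every level
    is unspecified, deny by default."""
    trace: List[str] = []
    own = directory.get(dn, {}).get("networkAccess")
    trace.append(f"{LABEL.get(own, 'unspecified')} '{dn}'")
    if own is not None:
        return own == "TRUE", trace
    level, seen = list(directory.get(dn, {}).get("memberOf", [])), {dn}
    while level:
        values = {g: directory.get(g, {}).get("networkAccess") for g in level}
        trace.extend(f"-> {LABEL.get(v, 'unspecified')} '{g}'" for g, v in values.items())
        if "FALSE" in values.values():  # any DENY on this level wins
            return False, trace
        if "TRUE" in values.values():  # otherwise any ALLOW on this level
            return True, trace
        seen.update(level)  # all unspecified: climb to the parent groups
        level = [p for g in level for p in directory.get(g, {}).get("memberOf", []) if p not in seen]
    trace.append("all levels unspecified: DENY by default")
    return False, trace

def check_access(user_dn: str, station_dn: str = "", mac_whitelisting: bool = False) -> bool:
    """With radius/mac/whitelisting set, the station ID (MAC) must be allowed as well."""
    allowed, _ = evaluate(user_dn, DIRECTORY)
    if allowed and mac_whitelisting:
        allowed = bool(station_dn) and evaluate(station_dn, DIRECTORY)[0]
    return allowed
```

Note that the DENY on cn=everyone never reaches uid=stefan, because the ALLOW on cn=pupils settles the decision one level earlier; uid=guest, whose only group is cn=everyone, is denied, and a DN with no groups at all falls through to the default deny.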
Comment 6 Stefan Gohmann univentionstaff 2014-04-10 11:00:01 CEST
(In reply to Janek Walkenhorst from comment #5)
> > - Installation via App Center
> AppID "univention-radius"

Please rename the AppID to radius and the name of the app from "Univention RADIUS" to "RADIUS".
Comment 7 Alexander Kläser univentionstaff 2014-04-10 11:18:15 CEST
Created attachment 5864 [details]
App icon

Attached the preliminary icon file as svg.
Comment 8 Alexander Kläser univentionstaff 2014-04-10 11:19:36 CEST
Created attachment 5865 [details]
App icon as png

… and as .png file in 50x50.
Comment 9 Stefan Gohmann univentionstaff 2014-04-14 06:53:34 CEST
As long as we don't have a chapter in the manual, we need at least a small wiki page. The page should describe the first steps.

Other examples:
 http://wiki.univention.de/index.php?title=Xrdp
 http://wiki.univention.de/index.php?title=SAML_Identity_Provider
Comment 10 Stefan Gohmann univentionstaff 2014-04-14 08:07:59 CEST
The RADIUS user tab contains a drop-down with three values. I think it should be changed to two checkboxes, otherwise True|False or Wahr|Falsch sounds strange.

Is it possible to show on the tab which setting has priority?
Comment 11 Stefan Gohmann univentionstaff 2014-04-16 17:04:16 CEST
Radius should be available in the system service UMC module.
Comment 12 Janek Walkenhorst univentionstaff 2014-04-16 17:41:47 CEST
http://wiki.univention.de/index.php?title=RADIUS
Comment 13 Stefan Gohmann univentionstaff 2014-04-17 08:01:08 CEST
Some issues:

- Please add UCR variable descriptions, at least for 
  radius/mac/whitelisting

- is_false or is_true should be used in the conffiles, alternatively create a cleanup bug for it:
conffiles/etc/freeradius/modules/mschap
conffiles/etc/freeradius/modules/ldap
conffiles/etc/freeradius/eap.conf
conffiles/etc/freeradius/sites-available/inner-tunnel
conffiles/etc/freeradius/sites-available/default
conffiles/etc/freeradius/ldap.attrmap

- debian/univention-radius.postinst:
 hostname="$(univention-config-registry get hostname)"
This should be moved to the join script. Otherwise it will be a problem in an appliance setup.

- The documentation should become part of the manual: Bug #34574

- I think we should also add a description for the installation and configuration of Windows and/or Android to the wiki page (no certificate based authentication)

- The wiki page should mention /usr/bin/univention-radius-check-access

- We should create a UMC module for the access point registration: Bug #34573

- Please add a service in UMC system services:
  http://docs.univention.de/developer-reference-3.2.html#ucr:services

- Other tests:
  Installation: OK
  Group filtering: OK
  User filtering: OK
  Mac filtering: OK

- Missing tests:
  UCS@school update single master: 
  UCS@school update multi environment:
Comment 14 Stefan Gohmann univentionstaff 2014-04-17 08:01:29 CEST
*** Bug 30737 has been marked as a duplicate of this bug. ***
Comment 15 Stefan Gohmann univentionstaff 2014-04-17 08:48:31 CEST
(In reply to Stefan Gohmann from comment #13)
>   UCS@school update single master: 

My @school test failed. I've installed the radius app which updated the old radius package. After that I created a class School1-1a and added the user stefan to the class. 

I've added an internet rule 'foo' and connected this rule with the group School1-1a:

root@master201:~# ucr search --brief proxy/filter/
proxy/filter/domain/whitelisted/1: www.univention.de
proxy/filter/groupdefault/School1-1a: foo
proxy/filter/redirecttarget: http://master201.deadlock201.local/blocked-by-squid.html
proxy/filter/setting/Kein Internet/filtertype: whitelist-block
proxy/filter/setting/Unbeschränkt/filtertype: blacklist-pass
proxy/filter/setting/foo/filtertype: whitelist-block
proxy/filter/setting/foo/priority: 5
proxy/filter/setting/foo/wlan: true
proxy/filter/usergroup/Domain Users School1: stefan
proxy/filter/usergroup/School1-1a: stefan
proxy/filter/usergroup/schueler-school1: stefan
root@master201:~#

But the user doesn't get access:
root@master201:~# /usr/bin/univention-radius-check-access --username=stefan
DENY 'uid=stefan,cn=schueler,cn=users,ou=School1,dc=deadlock201,dc=local'
'uid=stefan,cn=schueler,cn=users,ou=School1,dc=deadlock201,dc=local'
-> DENY 'cn=schueler-school1,cn=groups,ou=School1,dc=deadlock201,dc=local'
-> DENY 'cn=School1-1a,cn=klassen,cn=schueler,cn=groups,ou=School1,dc=deadlock201,dc=local'
-> DENY 'cn=Domain Users School1,cn=groups,ou=School1,dc=deadlock201,dc=local'
-> 'cn=schueler-school1,cn=groups,ou=School1,dc=deadlock201,dc=local'
-> 'cn=School1-1a,cn=klassen,cn=schueler,cn=groups,ou=School1,dc=deadlock201,dc=local'
-> 'cn=Domain Users School1,cn=groups,ou=School1,dc=deadlock201,dc=local'
Thus access is DENIED.
root@master201:~#

What is the connection between the UCR settings and the extended attribute on the user tab?

IP of the test system: 10.210.73.229.
Comment 16 Janek Walkenhorst univentionstaff 2014-04-22 18:14:31 CEST
univention-radius (1.0.0-4):

Moved hostname dependent code from postinst to join script.

New network access policy: UCS@school UCRV are now checked in conjunction with LDAP attributes (instead of instead of), either one can allow access.

Updated u-radius-check-access to also trace UCS@school UCRV evaluation.

StationID checking now applies to UCS@school as well.

Added description for UCRV radius/mac/whitelisting.

Added service definition and patched freeradius to respect freeradius/autostart.

Updated Wiki documentation.

(In reply to Stefan Gohmann from comment #13)
> - is_false or is_true should be used in the conffiles, alternatively create
> a cleanup bug for it:
> conffiles/etc/freeradius/modules/mschap
> conffiles/etc/freeradius/modules/ldap
> conffiles/etc/freeradius/eap.conf
> conffiles/etc/freeradius/sites-available/inner-tunnel
> conffiles/etc/freeradius/sites-available/default
> conffiles/etc/freeradius/ldap.attrmap
Bug #34504
Comment 17 Stefan Gohmann univentionstaff 2014-04-23 08:36:43 CEST
That looks much better.

I've added some more points to the Wiki page:
 http://wiki.univention.de/index.php?title=RADIUS&action=historysubmit&diff=10971&oldid=10962


Some issues that should be changed:

- reading the Wiki page and switching to the example changes the language from English to German

- the Windows 7 example page writes about UCS@school

I think we should include a documentation about the Windows 8 configuration in English. A documentation for Android would also be nice.
Comment 18 Janek Walkenhorst univentionstaff 2014-04-24 17:25:04 CEST
(In reply to Stefan Gohmann from comment #17)
> Some issues that should be changed:
>
> - reading the Wiki page and switching to the example changes the language
> from English to German
> 
> - the Windows 7 example page writes about UCS@school
> 
> I think we should include a documentation about the Windows 8 configuration
> in English. A documentation for Android would also be nice.

<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Windows_8>
<http://wiki.univention.de/index.php?title=Configuring_WiFi_Access_via_RADIUS_for_Android_4.3>
Comment 19 Janek Walkenhorst univentionstaff 2014-04-24 17:31:42 CEST
AppCenter ini updated.
Comment 21 Janek Walkenhorst univentionstaff 2014-04-25 10:36:39 CEST
(In reply to Stefan Gohmann from comment #20)
> The articles look good. I've made some updates. Please have a look:
They are good.
Comment 22 Janek Walkenhorst univentionstaff 2014-04-25 12:48:30 CEST
Advisory added: 2014-04-25-univention-radius.yaml
Comment 23 Stefan Gohmann univentionstaff 2014-04-25 13:20:13 CEST
YAML: OK

UCS tests: OK

UCS@school tests: OK
Comment 24 Moritz Muehlenhoff univentionstaff 2014-04-25 13:49:51 CEST
http://errata.univention.de/ucs/3.2/98.html
Comment 25 Moritz Muehlenhoff univentionstaff 2014-05-07 15:24:15 CEST
http://errata.univention.de/ucs/3.2/108.html