I am attempting to setup a freeradius server to authenticate against a web service. The reason for this is that there is a complicated workflow involving account status and mac address. The workflow seemed out of place to be in freeradius. So my user names, and encrypted passwords are stored remotely to the radius server. Everything works fine using radclient to test. When I started using the the Access Point, I learned it only communicates with the radius server via eap-tls. This means that the User-Password argument is not available for my script.
Is there a way to have eap auth check for user authentication against my script? By this i mean, can i get the password to send to my secondary service?
Alternately, is there a way to get the User-Password from the encrypted eap-message data?
Access points don't usually place restrictions on the EAP type. The device connecting to the AP negotiates an EAP type with FreeRADIUS. If it's using EAP-TLS it's probably a windows machine that hasn't been configured to do anything different.
Investigate EAP flavours to find out which ones are available. If you have EAP-TTLS-PAP you can send the plaintext password from the wireless client, and user it to authenticate against the web service.
In FreeRADIUS v3.0.x there's a rlm_rest module, which can perform basic auth on behalf of the user, with very little configuration.
Related
I have a FreeRadius server set up that authenticates users through the PAM (SSSD for AD authentication + MFA via Google Authenticator).
It works well but when I configured it on my firewall I received a message like that :
When authenticating user xxx from 'ip from domain controller', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS.
I don't understand what this message exactly means. How can I secure the info between my FW/SSH console and the radius server and between the radius server and the domain controller ?
Can I still use PAM with PEAP/EAP-TTLS ? Is it just a mean to secure the network transaction or is it an authentication model ?
Thank you for your help.
The pam_radius plugin always uses pap, and the radius client with pam does not exist with PEAP/EAP-TTLS/EAP-TLS. PAP is less secure because it displays password in plain text. For security reasons you can either have a VPN which may need external hardware or have a TLS proxy like stunnel or nginx at the PAM -radius client and protect the radius packets with TLS. I will go for 2nd option as it is free and freeradius server can be configured to use radsec connection, but ofcourse you will now manage the certificates
I recently built a lab environment which I want to test 802.1x features on our network facility, Freeradius as the alternative radius server in this lab, we don't use users file, we want FR to us MS AD 2016 as external user source, prefered PEAP+mschapv2.
In my test, I followed this site [http://deployingradius.com/documents/configuration/active_directory.html] and the following test is confirmed.
Prefered authentication method, PEAP + mschapv2, config ntlm_auth module to get NTkey from MS AD for autheticcation, this working fine, In lab I installed FR in ubuntu, but I realize in our production environment, we use FreeRadius in pfsense OS, so it looks impossible because pfsense doesn't provide samba and krb packages.
use LDAP bind against AD for authentication, this is tested both worked both in FR in ubuntu and pfsense, however again, this is limit to EAP-ttls + PAP authentication method, not preferred auth method.
so, my confusion, with requirement of PEAP,MSCHAP, is there a third way of getting Freeradius working with AD in pfsense OS without samba/krb support in pfsense? To be precise, I'm thinking that MS AD store NT-hashed pw instead of plain text pw, FR LDAP module cann't retrieve NT-Hash Password from AD for auth without samba support, am I right?
In Hyperledger composer rest api (composer-rest-server) are secure with Enabling authentication for the REST server. but in http://localhost:3000/explorer, All sensitive data is not encryption. Could i use cryptography or other approach to encrypt and decrypt like Zero Knowledge Proof to prevent data privacy (sensitive data)?
And I see Securing the REST server using HTTPS and TLS, when i run command composer-rest-server -c alice1#my-network -t and then open browser https://localhost:3000/explorer, but I don't know how to use it?
Thank you in advance!
Firstly, you would use TLS between the REST client and REST server - see https://hyperledger.github.io/composer/latest/integrating/securing-the-rest-server and general/useful info on TLS with diagrams here
You would really need to set up authentication (known user identities that are using it) with TLS like discussed here then connect to the authentication path for your application to authenticate the user using the REST APIs https://localhost:3000/auth/github: ((or whatever the authPath is for your implemented strategy)) and then interactions/ data in transit between client and server will be encrypted.
Once the REST server is up and running and TLS enabled - you will authenticate at your REST client as the user in question: once authenticated, that user gets an access token or similar. In terms of Composer and the deployed business network / smart contract - that user will (already) have been issued a business network card - that includes the user's blockchain identity (key/cert) and contain connection info/metadata (ie how to connect to the deployed/runtime business network out on the Fabric network). This access may be programmatically, from an application client that's using REST APIs (ie the app user that's logged in to the app, has been assigned this business network card) or indeed - a user is using the REST API client in a browser for example (eg. he/she would import it into their Wallet in the REST client then that would be the default identity in the REST API session, and which interacts / signs transactions that update the business network (create asset, update asset etc), as REST API operations to the REST Server (over TLS) that interacts with the Fabric network (over TLS).
I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identify of the server.
How can a tester testing this feature test that it is now secure, how can they for example create a MITM situation and check that the client rejects connects etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies etc. or is messing around with a wireless router and having detailed knowledge necessary?
This might be over simplification for your solution, but concepts might help.
A web browsers extracts the name of hosts from embedded certificate and do a comparison of host name that we're trying to connect with. If validation fails, we usually see a security warning. For ex: we can connect with facebook by either typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose second option, we get a security warning.
Your program must be using SSL client socket to connect with HTTPS server. The socket must be having capability to extract the hostname from the embedded certificate. Once you get that, compare that with valid HOST NAME that your program is trying to connect with. If it matches, let request proceed, If not, abandon that session.
To re-create MITM, your web server can use a self signed certificate that can be issue to whatever host name you want, but the IP of server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and actual IP, we can probably simulate the MITM situation.
I'm assuming that digital certificate can't be forged in this case.
Any way to test OAuth integration to google without having to have a port forwarding rule in my router back to my development Mac?
Background:
Developing Ruby on Rails web app that will request data from Google Calendar API via OAuth
Using Rails "OAuth Plugin" for this purpose
Developing on MacBook which is running my dev environment
Google needs (as part of OAuth) to make a callback back to my local dev environment
Can't seem to think of a way to test with Google without having to set a Port forwarding rule in my site's router back to my Macbook?
This threw me for a loop too. I actually went through the work of setting it up on a public IP even though I didn't have to in the end.
But yes, your comment is correct. The callback URL is passed on to Google during the redirect then after you've been authenticated with Google, Google will redirect you back to the callback URL providing an authorization code as a parameter.
The only server to server communication that happens is exchanging the authorization code for access and refresh tokens. This typically happens on the callback page. But since it's initiated by your server and not Google, no special open ports are required.