• Status: Solved
  • Priority: Medium
  • Security: Public

Setting up RADIUS between Sonicwall and Samba domain???

I'm looking for a way to set up authentication between a Sonicwall firewall and a Samba domain, but everything I've looked at seems to say that there is a difference in the 'language' that both speak and they can't really understand each other.

Does anyone know of a way that authentication could be set up so that you don't have to use one user account for everyone who is trying to use the VPN?
1 Solution
 
stuknhawaii Commented:
Can you use the local user database on the Sonicwall?
0
 
wlandymore Author Commented:
That is an option to at least get it working, but as far as integrating with the current setup so that users would be deleted when they are removed from the directory, that wouldn't work.

I guess I'm looking for a way to integrate with as little maintenance as possible and the local user database would involve a lot more upkeep.
0
 
wlandymore Author Commented:
If there is a device that integrates with Samba so we could have this functionality and take the VPN stuff right off Sonicwall then I would be okay with that. My problem is that I don't know what vendors are out there for the Linux side.... :)
0
 
wlandymore Author Commented:
The only solution I could find for this was something like the Watchguard VPN gateway....

http://www.guardsite.com/SSL.asp?source=google&keyword=fireboxssl

The other ones I found did not integrate with our LDAP.....
0
 
Nopius Commented:
> the only solution I could find for this was something like the Watchguard VPN gateway

For 1/10th of the cost of your Watchguard I could manage the integration of your SonicWall VPN to your LDAP :-)

FreeRADIUS has support for SonicWall vendor attributes and is also able to authorize users against an LDAP server:

http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F
http://wiki.freeradius.org/Rlm_ldap

You should also expand the LDAP schema so that some RADIUS attributes would be mapped to LDAP attributes.

> The other ones I found did not integrate with our LDAP.....

What is the difference between your LDAP and other LDAPs?

Also check this PAQ: http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_22775328.html

BTW what SonicWall appliance do you use?
0
 
wlandymore Author Commented:
It's a PRO 3060
0
 
Nopius Commented:
What version do you have and is it standard or enhanced?

I found the administration manual for Sonic OS 2.1 enhanced edition. There is 'RADIUS' authentication available there (Users->Settings->Authentication->RADIUS). I don't know whether it is enhanced version only or not. If you have such a menu, you may authenticate via RADIUS.

You mentioned you are using Samba with LDAP backend.

What you need is:
1) Install a RADIUS server
2) Configure RADIUS server to authenticate against LDAP backend, here is an example: http://lists.cistron.nl/pipermail/freeradius-users/2005-April/042652.html
3) Configure RADIUS (Clients.conf) and SonicWall (menu) to recognize each other (provide the same shared secret and correct peer IP addresses)
4) On SonicWall it's better to leave only 1 locally configured user (admin) and use 'Use RADIUS but also allow locally configured users'. It helps you when RADIUS server is down.
5) Test RADIUS connection from (SonicWall) menu.

The most difficult task here is configuring RADIUS. It depends on your LDAP.

But when done and a user is deleted from LDAP, they will be rejected on SonicWall also.

0
 
wlandymore Author Commented:
We're using the standard. However, you've given me a lot to work with here.

Thanks for the help.
0
 
wlandymore Author Commented:
Will this require an upgrade to the enhanced if it's going to work at all?
0
 
wlandymore Author Commented:
The standard OS does have the users/settings/RADIUS where you can set the IP of a RADIUS server there with various other settings....
0
 
wlandymore Author Commented:
I just talked to someone who tried this before and said that the reason it wouldn't work was that Sonicwall was using an encryption that was different from the encryption LDAP was using, making them incompatible.

He also said he was using FreeRadius in this case.

Any ideas?
0
 
Nopius Commented:
> will this require an upgrade to the enhanced if it's going to work at all?

No

> Sonicwall was using an encryption that was different from the encryption LDAP was using, making them incompatible.

That may be true. Probably he meant the password field encryption in LDAP.

If you use SonicWall to authenticate VPN clients, it uses the XAUTH feature of IPSec to provide username and password. It may be a PAP or CHAP password.
If it's a PAP password, there are no problems with LDAP.
If it's a CHAP password, you _should_ have cleartext password field in LDAP and read this link http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F
That's an absolute 'must have', and no other 'CHAP' based (or other one-way hash) mechanism can be used without a cleartext password in LDAP regardless of what solution (even hardware based) you choose.

If you start your experiment with integration, I can help you. Which password mechanism is used in SonicWall becomes clear after you set up RADIUS and look into the 'detail' logfile.
0
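The PAP versus CHAP point in the answer above, as an added example that is not part of the original thread and not FreeRADIUS or SonicWall code: a simplified Python model of what a RADIUS server can do with the password attribute it reads from LDAP. The function names, the sample password and the {SSHA} storage form are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed sample credential; not a real password.
PASSWORD = "correct horse"

def ssha_hash(password: str, salt: bytes = b"\x01\x02\x03\x04") -> str:
    """LDAP {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_verify(stored: str, password: str) -> bool:
    """PAP: the RADIUS server receives the cleartext password and can
    re-hash it with the stored salt, so a one-way hash in LDAP is fine."""
    if not stored.startswith("{SSHA}"):
        return stored == password
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: client sends MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def radius_check(stored: str, req: dict) -> str:
    """What the server can do with the LDAP password attribute. Returns
    'Accept', 'Reject', or 'NoKnownGood' when the request is CHAP but LDAP
    only holds a one-way hash (nothing to recompute the MD5 from), which is
    the incompatibility described in the thread (simplified model)."""
    if req["type"] == "PAP":
        return "Accept" if pap_verify(stored, req["password"]) else "Reject"
    if req["type"] == "CHAP":
        if stored.startswith("{"):   # any hashed scheme: {SSHA}, {MD5}, ...
            return "NoKnownGood"
        expected = chap_response(req["ident"], stored, req["challenge"])
        return "Accept" if expected == req["response"] else "Reject"
    raise ValueError("unsupported auth type")

def demo() -> dict:
    """Run both auth types against both LDAP storage forms."""
    hashed, clear = ssha_hash(PASSWORD), PASSWORD
    challenge = bytes(range(16))     # constructed challenge value
    pap = {"type": "PAP", "password": PASSWORD}
    chap = {"type": "CHAP", "ident": 7, "challenge": challenge,
            "response": chap_response(7, PASSWORD, challenge)}
    return {"pap/hashed": radius_check(hashed, pap),
            "pap/clear": radius_check(clear, pap),
            "chap/hashed": radius_check(hashed, chap),
            "chap/clear": radius_check(clear, chap)}
```

Only the CHAP-against-hash combination fails for lack of a usable credential; switching the SonicWall side to PAP, or storing a cleartext copy in LDAP for FreeRADIUS to read, are the two ways out the answer points at.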
