wlandymore


Setting up RADIUS between Sonicwall and Samba domain???

I'm looking for a way to set up authentication between a Sonicwall firewall and a Samba domain, but everything I've looked at seems to say that there is a difference in the 'language' that both speak and they can't really understand each other.

Does anyone know of a way that authentication could be set up so that you don't have to use one user account for everyone who is trying to use the VPN?
stuknhawaii

Can you use the local user database on the Sonicwall?
wlandymore

ASKER

That is an option to at least get it working, but as far as integrating with the current setup so that users would be deleted when they are removed from the directory, that wouldn't work.

I guess I'm looking for a way to integrate with as little maintenance as possible and the local user database would involve a lot more upkeep.
If there is a device that integrates with Samba so we could have this functionality and take the VPN stuff right off Sonicwall then I would be okay with that. My problem is that I don't know what vendors are out there for the Linux side.... :)
The only solution I could find for this was something like the Watchguard VPN gateway....

http://www.guardsite.com/SSL.asp?source=google&keyword=fireboxssl

The other ones I found did not integrate with our LDAP.....
Arty K

> the only solution I could find for this was something like the Watchguard VPN gateway

For 1/10th of the cost of your Watchguard I could manage the integration of your SonicWall VPN to your LDAP :-)

FreeRADIUS supports SonicWall vendor attributes and is also able to authorize users against an LDAP server:

http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F
http://wiki.freeradius.org/Rlm_ldap

You should also expand the LDAP schema so that some RADIUS attributes are mapped to LDAP attributes.

> The other ones I found did not integrate with our LDAP.....

What is the difference between your LDAP and other LDAPs?

Also check this PAQ: https://www.experts-exchange.com/questions/22775328/SonicWall-How-to-Configure-a-VPN-Connection-w-Radius-Authentication.html

BTW what SonicWall appliance do you use?
It's a PRO 3060
ASKER CERTIFIED SOLUTION
Arty K
We're using the standard. However, you've given me a lot to work with here.

Thanks for the help.
Will this require an upgrade to the enhanced if it's going to work at all?
The standard OS does have the users/settings/RADIUS where you can set the IP of a RADIUS server there with various other settings....
I just talked to someone who tried this before and said that the reason it wouldn't work was that Sonicwall was using an encryption that was different from the encryption LDAP was using, making them incompatible.

He also said he was using FreeRadius in this case.

Any ideas?
> will this require an upgrade to the enhanced if it's going to work at all?

No

> Sonicwall was using an encryption that was different from the encryption LDAP was using, making them incompatible.

That may be true. Probably he meant password field encryption in LDAP.

If you use SonicWall to authenticate VPN clients, it uses the XAUTH feature of IPsec to provide the username and password. It may be a PAP or a CHAP password.
If it's a PAP password, there are no problems with LDAP.
If it's a CHAP password, you _should_ have a cleartext password field in LDAP; read this link: http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F
That's an absolute 'must have', and no other CHAP-based (or other one-way hash) mechanism can be used without a cleartext password in LDAP, regardless of which solution (even hardware-based) you choose.

If you start your experiment with integration, I can help you. Which password mechanism is used in SonicWall becomes clear after you set up RADIUS and look into the 'detail' logfile.
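
The PAP/CHAP point in the reply above, worked through as an added example that is not part of the original thread or of FreeRADIUS: with PAP the RADIUS server recovers the typed password and can test it against a hashed LDAP value, while a CHAP response can only be recomputed from the cleartext. The `{SSHA}` storage format, the shared secret, the password and the challenge are constructed assumptions.

```python
import base64, hashlib, hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: how the NAS hides User-Password (reversible with the shared secret)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: recover the cleartext the user typed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def ssha(password: bytes, salt: bytes) -> str:
    """LDAP {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def ssha_check(candidate: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])   # 20-byte digest followed by the salt
    return hmac.compare_digest(hashlib.sha1(candidate + raw[20:]).digest(), raw[:20])

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id + cleartext password + challenge); the password itself is never sent."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_check(ident: int, response: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    return hmac.compare_digest(chap_response(ident, stored_secret, challenge), response)

# Constructed sample values, not taken from any real deployment.
SECRET, AUTH, CHALLENGE = b"testing123", bytes(range(16)), bytes(range(16, 32))
PASSWORD = b"correct horse battery"          # 21 bytes, so PAP uses two 16-byte blocks
LDAP_VALUE = ssha(PASSWORD, b"saltsalt")     # what a hashed directory entry holds

if __name__ == "__main__":
    typed = pap_reveal(pap_hide(PASSWORD, SECRET, AUTH), SECRET, AUTH)
    print("PAP  vs {SSHA}:", ssha_check(typed, LDAP_VALUE))
    resp = chap_response(7, PASSWORD, CHALLENGE)
    print("CHAP vs {SSHA}:", chap_check(7, resp, CHALLENGE, LDAP_VALUE.encode()))
    print("CHAP vs cleartext:", chap_check(7, resp, CHALLENGE, PASSWORD))
```

The PAP path hands the server the cleartext on every login, so its protection rests entirely on the RADIUS shared secret and the network path between the firewall and the RADIUS server.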