Author Archives: manu

Squid transparent AD authentication

This article describes how to set up transparent Squid authentication against Active Directory.
Prerequisite: your Linux box has joined the domain, see article: Debian active directory authentication

Just remember to check your DNS config in resolv.conf:

domain unknown.local
search unknown.local
nameserver 10.10.22.30
nameserver 10.10.22.100

Make a reverse check with

# dig -x <nameserver ip>

Ensure the time is correct (Kerberos tolerates only a small clock skew):

# ntpdate <windows DC>

Generate keytab file:

# kinit administrateur
# msktutil -c -b "CN=COMPUTERS" -s HTTP/serverproxy.unknown.local -k /etc/the.keytab --computer-name serverproxy --upn HTTP/serverproxy.unknown.local --server dc.unknown.local --enctypes 28

The keytab file must be readable by the processes that will use it, for example squid.
In case of errors, check whether you obtained a ticket after kinit:

# klist

You can also check that the keytab was generated correctly by listing its principals:

# klist -k /etc/the.keytab

Ensure the keytab is renewed; put this in cron:

00 4  *   *   *     msktutil --auto-update --verbose --computer-name serverproxy | logger -t msktutil

Squid configuration:

### Automatic authentication via Kerberos
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL
auth_param negotiate children 20 startup=30
auth_param negotiate keep_alive off

Export the variable before starting squid; you can put it in /etc/profile. KRB5_KTNAME must point at the keytab you generated (adjust the path if you kept /etc/the.keytab from the msktutil step above):

KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME

In the browser you must configure the proxy with its FQDN:

serverproxy.unknown.local

iproute2 multiple gateway

The workstation has IP 172.16.11.12 and gateway 172.16.11.254.

The Linux router has 4 NICs with the following IPs:
172.16.11.254 eth1
172.16.22.254 eth2
100.64.0.254 eth3
195.101.99.99 eth0
The default gateway to reach the internet is 195.101.99.99.
The internet can also be reached through 100.64.0.254.

All traffic arriving at the Linux router uses the default gateway 195.101.99.99 on eth0 to reach the internet.

Now we want to make an exception for workstation 172.16.11.12.
Instead of leaving via 195.101.99.99 on eth0, its internet traffic should leave via 100.64.0.254 on eth3.

Add a routing table named 4G with table ID 200:

echo 200 4G >> /etc/iproute2/rt_tables

Specify the routes in this table; the next hop on the 100.64.0.254 interface is 100.64.0.1:

ip route add 172.16.11.0/24 dev eth1 table 4G
ip route add 172.16.22.0/24 dev eth2 table 4G
ip route add default via 100.64.0.1 table 4G

Now specify the client (here 172.16.11.12) that will use these settings:

ip rule add from 172.16.11.12 table 4G

Cisco debian freeradius authentication with local fallback

This article describes the configuration of a RADIUS server used to log on to a Cisco device:

  • FreeRADIUS server setup on Debian
  • RADIUS server configuration for one Cisco device and one user
  • Cisco device configuration to use the FreeRADIUS login
  • Cisco device configuration to fall back on local authentication when the RADIUS server is unreachable

On your Debian box:

apt-get install freeradius

Add the following at the end of /etc/freeradius/3.0/clients.conf. In this file we define the clients allowed to authenticate against the RADIUS server.

client 10.0.0.254 {
    secret = PASSTEST
    nastype = cisco
    shortname = Switch_test
}

We define a user "jdoe" with password "theroot" and privilege level 15 on the Cisco device.
At the end of /etc/freeradius/3.0/users:

# reply items must be indented on the lines following the user entry
jdoe Cleartext-Password := "theroot"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15"

On your Cisco device create an entry for your RADIUS server.
The server name will be LNXSRV with the IP 10.0.0.40.
The shared key is PASSTEST:

radius server LNXSRV
address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
key PASSTEST

Define a server group that will contain your RADIUS server.
The group is GRPSRV and the RADIUS server in it is LNXSRV:

aaa group server radius GRPSRV
server name LNXSRV

For local access to your Cisco device you are supposed to have something like:

aaa authentication login default local
aaa authentication login SSH local

To authenticate against RADIUS first and fall back to local authentication, change the two lines to:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication is used only when the RADIUS server is unreachable; a reject returned by the server does not trigger the fallback. For testing, you can stop the radius service.
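To make the exchange concrete, here is an added example (not from the original article) modelling in Python what passes between the Cisco NAS and FreeRADIUS per RFC 2865: the User-Password hiding keyed with the shared secret PASSTEST, an Access-Request for jdoe, and the Access-Accept carrying the Service-Type and Cisco-AVPair reply items from the users file, together with the Response Authenticator check that rejects replies not computed with the shared secret. The packet identifier and the Request Authenticator used in the test are constructed values.

```python
# Added example: RFC 2865 RADIUS primitives behind the Cisco <-> FreeRADIUS exchange
import hashlib
import hmac
import struct

SECRET = b"PASSTEST"  # shared secret from clients.conf / "key PASSTEST" on the switch
AVPAIR = b"shell:priv-lvl=15"  # Cisco-AVPair reply item from the users file

def _md5_chain(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by req_auth."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = chunk if decrypt else xored  # chain on the ciphertext block either way
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a 16-byte multiple
    return _md5_chain(padded, secret, req_auth, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _md5_chain(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Code 1 Access-Request with User-Name (1) and hidden User-Password (2)."""
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Code 2 Access-Accept: Service-Type (6) = NAS-Prompt-User (7) plus the Cisco
    vendor-specific attribute (26, vendor 9, sub-type 1) carrying shell:priv-lvl=15."""
    vsa = struct.pack("!IBB", 9, 1, len(AVPAIR) + 2) + AVPAIR
    attrs = attr(6, struct.pack("!I", 7)) + attr(26, vsa)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    A reply from a host that does not hold the shared secret fails this check."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Note that the password hiding is only an MD5-keyed XOR with the shared secret, so the strength of the secret and keeping the RADIUS traffic on a protected management network are what protect credentials in transit.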