Archive for August, 2015

RADIUS authentication against LDAP or Active Directory

Tuesday, August 25th, 2015

This is a short guide on how to do a setup-and-forget for RADIUS authentication against LDAP or Active Directory services.

Software installation

Since I had previous success with CentOS 6 and a RADIUS server (a small time investment in setup and configuration, and it has worked since then without any noticeable hiccup), that is what will be used on this occasion as well.

Install basic RADIUS packages:

Install LDAP driver:

This is the diff of the changes made to the /etc/raddb configuration files in order to get authentication against LDAP working:

Short summary, what you need to do:

  • configure the connection to the LDAP server (bind credentials, search filter)
  • enable LDAP authentication and authorization
  • define the client that is allowed to use this RADIUS service

Start the RADIUS service daemon:

And that is it.

Test your new service

You can use this one-liner to check whether authentication against the LDAP server via the RADIUS service actually works. This is how you do it:

The output of a successful authentication attempt looks like this:

Look for the “Access-Accept” message, as it signifies successful authentication.
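The check above, as an added example that is not part of the original post: a minimal RADIUS/PAP client in Python (no external libraries) that builds the Access-Request and reports “Access-Accept” only after verifying the Response Authenticator against the shared secret, which is what the RADIUS test tool does for you. The user, password and shared secret are constructed values; the Access-Accept reply is also built locally so the code runs offline.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks of the NUL-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attribute(atype: int, value: bytes) -> bytes:
    # Type, Length (counting this 2-byte header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    # The Request Authenticator must be fresh random bytes; a fixed value is only for tests
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Server side: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request: bytes, secret: bytes):
    """Return 'Access-Accept'/'Access-Reject' only if the reply is bound to our request and secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != request[1] or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged reply or wrong shared secret: the code field is not to be trusted
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "Other")
```

A reply whose authenticator does not match is dropped even if its code says Access-Accept, so a wrong shared secret in clients.conf shows up as a failed test rather than a false success.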

Enable RADIUS service start at boot

You will sleep better if you do not forget to do this, so here is the command:)

cPanel EasyApache YUM error: couldn’t create autoTLSkey mapping

Saturday, August 15th, 2015

If you ever encounter this error while running EasyApache (v3) on a cPanel server:

This is the solution:

I have a hunch that this is IPv6 related, but cannot confirm it at the moment. Funny thing though: if I ran the exact same command in the shell by copy-pasting it and prepending it with “yum ”, it worked flawlessly.

MikroTik – how to generate SSL certificate and enable HTTPS

Tuesday, August 11th, 2015

I am quite fascinated with what MikroTik has produced so far. So much functionality for a normal price, and no licensing extortion practices: once you buy the hardware, upgrades come for free. There are license levels, but usually your hardware will stumble before you reach those limits (number of VPN tunnels, for example). The other thing I value is stability. Since trying out MikroTik devices, I have not even bothered looking at other options for home use (do you remember the practice of choosing home routers/wifi hotspots by checking the DD-WRT website/database to see whether a particular item could be flashed or not?:)

Since their primary management interface is called WinBox, and since I am a desktop Linux user, no dice here (well, I might be mistaken). So I mainly use the CLI and WebFig. But it turned out that creating and signing certificates in WebFig is totally unintuitive, so this is my braindump on how to do it in the CLI as fast as possible.

As it turns out, you first need to create a CA certificate. You could use this CA certificate directly as the HTTPS certificate, but Chrome will reject it with the error NET::ERR_CERT_INVALID and will not even offer you the option to continue to the “unsafe place”.
Therefore the CA must be used to sign a regular certificate, which is then used for HTTPS communication. Let me show you how I do it in the following steps:

1. Create CA certificate first:

2. Sign the CA certificate:

3. Now create a regular certificate for HTTPS access:

4. Sign it with CA from steps 1&2:

OPTIONAL: Mark it as trusted (I did not need to do this, but the internets beg to differ:):

5. And finally, assign the new certificate to HTTPS service:

And that is it.

The unfortunate thing is: once set up, you can log in, but the web interface STILL does not work in Chrome. I’ve noted a similar issue with HP switches, where Firefox just works too.

Credits:

Thanks go to Garðar Arnarsson for pointing out the missing “key-usage=tls-server” in step #3, which fixes the Chrome TLS issue. Thanks also for reaching out to me and pointing out that the Captcha was not working!