  1. #1
    Just Joined!
    Join Date
    Dec 2011
    Posts
    5

    Linux Authentication with Windows Active Directory (Win 2k3/Win2k8)...


    Hi All,

    I need help to develop an authentication mechanism for my organization's product. It's a router (which has a stripped version of Linux kernel 2.6.26).

    Could you please guide me on what to do as an initial task.

    I would greatly appreciate any help in developing this.

    It's interesting too.

    Thanks,
    Eshwar.

  2. #2
    Just Joined!
    Join Date
    Dec 2009
    Location
    California
    Posts
    98
    Why would you "develop" something when it already exists? I'd use RADIUS authentication (see FreeRADIUS), then just put the PAM files in place on the Linux system and you are done (search for RADIUS authentication for Linux).

  3. #3
    Just Joined!
    Join Date
    Dec 2011
    Posts
    5
    Thank you for the response, Abarclay.

    The requirement is for Windows Active Directory (not a RADIUS authentication server): the administrator should be able to log in to the router box and do the configuration.
    Since the box has a stripped version of Linux (2.6.26), I need to take the source code from open source, put the code in the code repository, then integrate the newly added code into the existing makefile and compile.

    For our router box, 90% of clients are asking for Windows Active Directory domain user login support. This led me to ask about Windows Active Directory domain-related authentication for this box.

    In the current state of the router box, it does not have DNS configuration. We use $ping <IP add>. If we use $ping <google.com>, this does not work.

    Please give me ideas on which modules need to be downloaded and integrated so that my router box is able to authenticate against the domain (Active Directory: DOMAIN\Administrator) and the administrator is able to log in.

    Thanks in advance.
    Your suggestions help me in development.

    Thanks,
    Eshwar.
    Last edited by eshwarmedagam; 12-18-2011 at 08:18 AM. Reason: Sentence formation

  5. #4
    Linux Enthusiast sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    500
    Every router I've seen lately is configured through a web browser. You just open the IP address of the router in the browser, and log in as you would on any website, using a username and password. It's not necessary to use Windows to do that. I'm not exactly sure what "Windows Active Directory Domain user login support" is, nor why it would be required.

  6. #5
    Just Joined!
    Join Date
    Dec 2009
    Location
    California
    Posts
    98
    I understand what the original poster is requesting. Most enterprise customers don't want to be "in the username and password business". They already have an enterprise group that maintains accounts, so having to create them on the individual devices would be onerous (if not impossible).

    Still, I was assuming that the company where the router was being deployed would have other networking equipment that required authentication. Every piece out there will support RADIUS, so having your router support RADIUS seemed appropriate.

    The way FreeRADIUS would work is that you have it use an LDAP repository to authenticate. Active Directory supports LDAP, so Active Directory would be your username and password repository. Chances are, you don't want everyone with an AD account to have access to the router, so you'd use a group (also maintained in AD) to define who is allowed access to the router.

    I have built this setup a few times; however, I always used OpenLDAP as my repository and not AD. It should just work, though.

    Assuming the customer has no need/desire to support a RADIUS server (all my Fortune 2000 companies already have one), then configuring Linux to authenticate via Kerberos (AD supports Kerberos) seems pretty straightforward.
    Authenticating Linux against Active Directory

    The fact that you don't have DNS is completely irrelevant. You'd just have to replace every hostname with an IP address.

    One thing to keep in mind, however, is the chicken-and-egg problem. If this "router" is fundamental to the network infrastructure and you need to make a config change when everything (including the Active Directory) is unreachable (something like an IP range change), then you should make sure there is at least one local account that you can log in with when there is no connectivity to the AD server.

    Hope this helps,
    Andy

  7. #6
    Just Joined!
    Join Date
    Dec 2011
    Posts
    5
    Thank you, Abarclay.

    I appreciate your understanding of the requirement.
    url: Authenticating Linux against Active Directory

    This is exactly what I am looking for: Kerberos as the authentication protocol, using "LDAP server as Windows Active Directory (Windows 2003 Server R2 / Windows 2008 Server)".
    ---
    Your understanding on:
    ==> "Active Directory supports LDAP, so Active Directory would be your username and password repository. Chances are, you don't want everyone with an AD account to have access to the router, so you'd use a group (also maintained in AD) to define who is allowed access to the router."
    ---
    Yes, Active Directory does have the following components:
    1. Domain (ex: mycompany.com)
    2. DNS Server (for resolving *.com to IP addresses)
    3. Computers (under: mycompany.com)
    4. Groups Management (under: mycompany.com)
    Under this: a. IT Group (who has the Administrators of the domain: mycompany.com)
    b. HR Group (non-administrators of the domain, only users with limited access in the domain)
    c. etc. ... so on ... groups ...
    5. Users and Groups (under: mycompany.com)
    6. Password repository
    For all of these the users are authenticated using two protocols:
    a. NTLM (which is Microsoft's proprietary auth protocol)
    b. Kerberos (open source: implemented by MIT)
    ---------------------------------------------------------------------------------
    Here for me, if RADIUS had been the requirement, it would have been easier for me, as you have explained.

    In total I have to bring in the source code for the "LDAP PAM" library and "Kerberos" from open source, integrate it with the existing source, and make the router box authenticate mycompany.com's (Active Directory's) IT administrators ONLY.
    ---------------------------------------------------------------------------------

    Regarding your comment:
    ===> "The fact that you don't have DNS is completely irrelevant. You'd just have to replace every hostname with an IP address."

    The router box has a specialized shell command prompt, not the "bash" or "sh" shell prompt (which is usually the default command prompt). This is just to restrict the user and not give full access to the router. This shell prompt has only a few limited commands.

    This box does not have DNS configuration. The C library (in the box) should have support for resolving *.com names to IP addresses. This I found out yesterday.
    To be part of this development, the first thing I need to do is give DNS capability to my router box. Only then is my box able to resolve mycompany.com and other hostname.com's to their corresponding IP addresses.

    I checked in my router the command
    $net util ping google.com
    Request timed out.

    Please give me any other help in implementing this.

    Thanks,
    Eshwar
    Last edited by eshwarmedagam; 12-19-2011 at 05:39 AM. Reason: Spelling mistake
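
The setup Andy describes in #5 (Kerberos against AD, access limited to one AD group, hostnames replaced by IP addresses, a local account that still works when AD is unreachable) and the build-time integration Eshwar plans in #6 come down to two files on the box: krb5.conf and a PAM stack for the login service. The script below is an added example and not code from this thread or from any project mentioned in it. It renders both files into a staging directory that an image build could copy to /etc, so it runs offline. REALM, KDC_IP, ADMIN_GROUP and the local account name "admin" are placeholders chosen for the example, not the poster's real values.

```shell
#!/bin/sh
# Added example, not from the thread or any project it names.
# Renders krb5.conf and a PAM login stack for a Kerberos-against-AD login on a
# box with no DNS. REALM, KDC_IP, ADMIN_GROUP and the local user "admin" are
# placeholders; override them via the environment.
set -eu

# krb5.conf: name the AD domain controller by IP and switch off every DNS
# lookup (SRV records, realm discovery, reverse lookups of the KDC).
render_krb5_conf() {            # $1 = output file, $2 = realm, $3 = KDC IP
  cat > "$1" <<EOF
[libdefaults]
    default_realm = $2
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false

[realms]
    $2 = {
        kdc = $3
        admin_server = $3
    }
EOF
}

# PAM stack for the login service. Order matters: the local emergency account
# is tried first (it keeps working while AD is down), then Kerberos with the
# same password. The account phase admits only "admin" or members of the AD
# admin group, so not everyone with an AD account can reach the router.
render_pam_login() {            # $1 = output file, $2 = AD admin group name
  cat > "$1" <<EOF
auth     sufficient  pam_unix.so
auth     sufficient  pam_krb5.so use_first_pass
auth     required    pam_deny.so

account  sufficient  pam_succeed_if.so user = admin quiet
account  required    pam_succeed_if.so user ingroup $2 quiet
EOF
}

# Guard for the chicken-and-egg problem from #5: refuse an auth stack that has
# no local (pam_unix) path, because that box could not be administered while
# the AD server is unreachable. Returns 0 when a local path exists.
check_local_fallback() {        # $1 = PAM file
  grep -Eq '^auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_unix\.so' "$1"
}

# Stand-alone run: render into $STAGE (a fresh temp dir by default).
STAGE="${STAGE:-$(mktemp -d)}"
mkdir -p "$STAGE/etc/pam.d"
render_krb5_conf "$STAGE/etc/krb5.conf" "${REALM:-EXAMPLE.COM}" "${KDC_IP:-192.0.2.10}"
render_pam_login "$STAGE/etc/pam.d/login" "${ADMIN_GROUP:-router-admins}"
check_local_fallback "$STAGE/etc/pam.d/login" || { echo "refusing: no local fallback" >&2; exit 1; }
echo "rendered under $STAGE"
```

Two caveats for the integration step: pam_krb5 only verifies the password, so the login program still has to resolve the user through getpwnam(), which means either an NSS source for AD users (nss_ldap or winbind, both needing the LDAP/IP route discussed above) or a local passwd entry per administrator; and the `user ingroup` check in pam_succeed_if depends on that same NSS layer returning the AD group, otherwise every AD user is rejected. The realm name must match AD's Kerberos realm (normally the domain name in upper case), and the box's clock has to be within the KDC's allowed skew, which on a router without NTP is a common reason for Kerberos failing with nothing more than "preauthentication failed".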

  8. #7
    Banned
    Join Date
    Dec 2011
    Posts
    1
    Every router I've seen lately is configured through a web browser.

  9. #8
    Just Joined!
    Join Date
    Dec 2011
    Posts
    5
    Hi all...

    I need your ideas on implementing this... Your ideas help me in implementing this requirement.
    Thanks,
    Eshwar.

  10. #9
    Just Joined!
    Join Date
    Dec 2011
    Posts
    5
    Hi everybody...

    Linux boys need to look into this.
    Please help me in implementing this.

    Thanks,
    Eshwar.
