September 4, 2007 at 2:34 pm #40758
Ripping my hair out here.
Has anyone managed to get Zeroshell to authenticate with their Active Directory domain, who could give me some pointers? We have hundreds of users and I want them to be able to use their AD account to let them through the Zeroshell portal.
I have set up the trust between Zeroshell and the AD Domain; that seems to be fine.
I’m not quite sure of the next bit – the Kerberos Principal – do I create a new account in AD that matches one from the Zeroshell Realm?
Any help would be really appreciated.

September 9, 2007 at 6:24 am #45808
The easier way to get the Captive Portal to authenticate the users of a Microsoft Active Directory domain is to add the domain as an “External Kerberos 5 Realm”.
In this manner, you do not have to add the shared Kerberos keys to establish the trust relationship.
In any case, whether you configure an “External Kerberos 5 Realm” or a “Trusted Kerberos 5 Realm”, you don’t need to create the user principals in Zeroshell’s Kerberos KDC.
Don’t forget that Zeroshell must be able to locate the Active Directory Kerberos 5 KDC. To make this possible, you just have to add, in the section [Kerberos 5]->[Realms], the Active Directory realm and the IP or FQDN hostname of at least one of the Active Directory domain controllers (any domain controller runs a Kerberos KDC). This step is not needed if the DNS is correctly configured and you have set the option “Use the DNS to discovery Realms and KDC servers not configured” to yes in the [Kerberos 5]->[Realms] section. In this case, Zeroshell uses the SRV service locator resource records, automatically configured in the Active Directory’s DNS, to get the KDC’s IP address.
Fulvio Ricciardi

September 12, 2007 at 9:00 am #45809
Thanks for your help Fulvio.
I got it working. I was actually setting it up right with regards to Kerberos, but had a couple of network issues.
Resolved now and working great.
Thanks for this software!

October 6, 2007 at 12:47 am #45810
How do I add an “External Kerberos 5 Realm” from the Zeroshell administration page? By default Zeroshell adds local authentication.
Thanks in advance.
zabulus

October 6, 2007 at 10:43 am #45811
From the section [Captive Portal]->[Authentication], you should click on the button [+] in the Authorized Domains frame. In the form that appears, type the domain name and select the flag “External Kerberos 5 Realm”. Don’t forget to configure the realm in the section [Kerberos 5]->[Realms] or, if you prefer, enable the DNS discovery of the Kerberos V realms.
Fulvio

October 8, 2007 at 7:16 pm #45812
OK, “solved” the problem.
Works perfectly, thank you!

October 20, 2007 at 9:39 am #45813
Not sure I have much to add here. I administer an AD2000 network and wanted to get Zeroshell to authenticate from Kerberos. I created slave zones of the forward and reverse parts of the AD DNS servers on the local DNS server, and then set the Kerberos domain. It works rather well, except that it gives everyone with an account on the AD access to the wireless LAN, something which at times I don’t want.
If you have Active Directory, then each server is also a RADIUS server. With version beta6 you can create a proxy RADIUS server entry under Radius and then use it as a database against which to authenticate your users. The advantage in AD2000 is that you can restrict those with access to your wireless LAN by membership of a user group.
My only problem is that users had been told to login using the firstname.lastname@example.org form of their username, which works fine with Kerberos, but not with RADIUS, which prefers username. I switched back to Kerberos because a lot of our users were not getting through using RADIUS. Just a matter of user education…
I have to say that ZeroShell is a wonderful piece of software, that does what NoCat does in a far more effective way. Support for MAC address bypass, and opening preauth ports for those wanting to use our proxy servers, has made a major difference, and the takeup on our WLAN has been much better this year. It also supports No-NAT routing, which is quite important for network access, as well as auditing Internet usage.

October 21, 2007 at 7:00 am #45814
My only problem is that users had been told to login using the email@example.com form of their username, which works fine with Kerberos, but not with radius, which prefers username. I switched back to Kerberos because a lot of our users were not getting thru using radius. Just a matter of user education…
You can solve it in this manner:
1) When you add the proxy RADIUS domain you should disable the No Strip flag. In this mode the FreeRadius configured in Zeroshell automatically strips the @domain from the username and sends the request to the IAS of Active Directory.
2) If you want the form of the username without @domain to also work, you have to set your RADIUS domain as Default domain (select it and press the [D] button).
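The two steps above, modelled as an added example (not Zeroshell’s or FreeRADIUS’s code): how the No Strip flag and the Default domain decide which User-Name is proxied to the Active Directory IAS. The RadiusDomain model and the sample domain value are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class RadiusDomain:
    """One proxy RADIUS domain as configured in Zeroshell (a constructed model of the settings)."""
    name: str        # the part users type after '@'
    no_strip: bool   # True: forward 'user@domain' unchanged; False: forward only 'user'

def route_username(username: str, domains: List[RadiusDomain],
                   default: Optional[str] = None) -> Tuple[str, str]:
    """Pick the RADIUS domain for a login and the User-Name that gets proxied to it.

    Returns (domain_name, forwarded_user); raises ValueError when no domain applies.
    """
    by_name = {d.name.lower(): d for d in domains}
    if default is not None and default.lower() not in by_name:
        raise ValueError(f"Default domain {default!r} is not a configured RADIUS domain")

    user, at, realm = username.rpartition("@")
    if not at:
        # Step 2 of the reply: a bare 'user' only works when a Default domain is set.
        if default is None:
            raise ValueError(f"{username!r} has no @domain and no Default domain is set")
        domain, user = by_name[default.lower()], username
    else:
        domain = by_name.get(realm.lower())
        if domain is None:
            raise ValueError(f"unknown domain in {username!r}")
    if not user:
        raise ValueError(f"empty user part in {username!r}")

    # Step 1 of the reply: with No Strip disabled the '@domain' suffix is removed before
    # the request is proxied, which is the form the Active Directory IAS expects.
    forwarded = username if domain.no_strip else user
    return domain.name, forwarded

# Constructed sample: the domain named elsewhere in this thread, first with No Strip disabled
# (Fulvio's advice) and then enabled, to show what User-Name the IAS receives in each case.
STRIPPING = [RadiusDomain("mydomain.com.au", no_strip=False)]
NO_STRIP = [RadiusDomain("mydomain.com.au", no_strip=True)]
```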
Fulvio

April 13, 2011 at 7:41 am #45815
I’ve tried ZeroShell and played with it for almost 3 months now. My setting was 2 NICs and bridged, behind a router (my intention using Zeroshell was just for wifi clients), and I’m new in this forum 🙂
My question is, I want all clients to be authenticated through AD before they can use the internet, so I’ve read through this post and tried to follow… but I couldn’t make it work; I was stuck at Kerberos 5 External.
Could you give me any solution for this?
Also one more thing, how could I split wifi clients so they cannot access my local resources?
Any help would be much appreciated.
Thank you.

April 13, 2011 at 7:44 pm #45816
Every Microsoft Active Directory domain controller acts as a Kerberos 5 KDC for user and service authentication. Therefore you just have to:
1) Configure Zeroshell to contact at least one domain controller for the authentication by adding the Kerberos 5 realm (it’s the same as the AD domain) and the IP of the server in the section [Kerberos 5][Realms]
2) Add in [Captive Portal][Authentication] the AD Domain as [Authorized Domains] using external Kerberos 5 KDC
Notice that the first step is useless if you use DNS KDC auto discovery.
This is also easy to achieve because every domain controller is an authoritative DNS for the AD domain. Hence you just have to add at least one domain controller as DNS Forwarder of Zeroshell (section [DNS][Forwarders]). In the section [Kerberos 5][Realm] set to yes the “Use the DNS to discovery Realms and KDC servers not configured”.
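The DNS auto discovery Fulvio relies on here, and in his September 2007 reply, works through the _kerberos._tcp SRV records that every Active Directory DNS publishes. As an added illustration (not Zeroshell’s code), the following Python parses such records for the realm named in this thread and orders the KDCs the way a client tries them; the host names, TTLs and weights are constructed.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    name: str        # owner name, e.g. _kerberos._tcp.mydomain.com.au
    priority: int    # lower is tried first
    weight: int      # relative share among records of equal priority
    port: int
    target: str      # KDC host name

def kerberos_srv_name(realm):
    """Owner name a Kerberos client queries for the TCP KDCs of a realm."""
    return f"_kerberos._tcp.{realm.lower().rstrip('.')}"

def parse_srv_records(zone_text):
    """Parse zone-file style lines 'owner TTL IN SRV priority weight port target'."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()         # drop comments and blank lines
        if not parts:
            continue
        if len(parts) < 8 or parts[2].upper() != "IN" or parts[3].upper() != "SRV":
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(parts[0].lower().rstrip("."), int(parts[4]), int(parts[5]),
                                 int(parts[6]), parts[7].lower().rstrip(".")))
    return records

def discover_kdcs(realm, zone_text, seed=None):
    """(host, port) of the realm's KDCs in RFC 2782 try order; other realms are ignored."""
    rng = random.Random(seed)
    pool = [r for r in parse_srv_records(zone_text) if r.name == kerberos_srv_name(realm)]
    ordered = []
    for prio in sorted({r.priority for r in pool}):          # lowest priority first
        level = [r for r in pool if r.priority == prio]
        while level:                                         # weighted random within it
            weights = [r.weight for r in level]
            if not any(weights):               # zero-weight records are left for last
                weights = [1] * len(level)
            pick = rng.choices(level, weights=weights, k=1)[0]
            ordered.append((pick.target, pick.port))
            level.remove(pick)
    return ordered

# Constructed sample (not real DNS data) for the realm named in this thread, plus an unrelated realm to ignore.
SAMPLE_ZONE = """
_kerberos._tcp.mydomain.com.au. 600 IN SRV 0 100 88 dc1.mydomain.com.au.
_kerberos._tcp.mydomain.com.au. 600 IN SRV 0 100 88 dc2.mydomain.com.au.
_kerberos._tcp.mydomain.com.au. 600 IN SRV 10 0 88 dc-branch.mydomain.com.au. ; backup site
_kerberos._tcp.other.example. 600 IN SRV 0 100 88 kdc.other.example.
"""
```

If `discover_kdcs` returns an empty list for your realm, the forwarder or slave zone is not handing Zeroshell the AD SRV records, which is the first thing to check when auto discovery appears not to work.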
Fulvio Ricciardi

April 13, 2011 at 11:12 pm #45817
Thanks for your response.
I did try what you told me, but I don’t know why it is still not “talking” to AD. What I did:
– Kerberos 5 -> Realms -> my domain realm (mydomain.com.au) + KDC my domain IP address.
– Captive Portal -> Authentication -> Authorized Domain -> MyDomain.com.au
Those settings don’t work, and I even tried to put the MyDomain.com.au IP address in DNS as a master zone and forwarder (not sure I did this section right).
I did try to check using DNS Lookup and it does find the server.
Thank you.

March 6, 2012 at 12:04 pm #45818
The two types of authentication are Mutual Authentication and NTLM. Mutual Authentication requires both the server and the client to identify themselves. NTLM only requires the client to be validated by the server.
Two types of authentication are Mutual Authentication and NTLM Authentication.
Mutual Authentication is a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection. Identity can be proved through a trusted third party and use shared secrets, as in Kerberos v5, or through cryptographic means, as with a public key infrastructure.
NTLM authentication supports three methods of challenge/response authentication:
LAN Manager (LM)
This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 or later can connect in share level security mode to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.
NTLM version 1
This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 or later can connect to servers in a Windows NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.
NTLM version 2
This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 or later connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 or later connect to servers running Windows NT in an Active Directory domain.

July 4, 2013 at 6:20 am #45819
I’m probably being a bit thick here, but I already have my realm in the list of realms as I added it when creating the profile; however it has the KDC as local and I cannot alter this, nor can I remove the realm.

November 6, 2014 at 8:48 am #45820
I set this feature in my server and it works very nicely, but when the clients are authenticated with the Kerberos 5 realm, the redirection to the target does not work.
In the popup window I can see the user authenticated and connected, but the client has no connection to the network and internet.
Is there any problem in the settings?