Has anyone tried ClearOS?

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
With the "small" issue I had with the FreeRADIUS server, I am looking to build an authentication server for the STH lab. At some point soon we are going to need to support more than 2-3 users.

I really want an admin GUI (e.g. something I can make edits from my phone if needed). I also want to have RADIUS as it is supported by just about everything we have in the lab.

I tried daloRadius but that went... poorly. The base installation has a ton of steps and it fails for me on some step every time. Likely user error but it is to the point I want to try something else.

I saw ClearOS and it looks really interesting. It seems like they want to make a Windows Server alternative based on Linux. I just downloaded community edition and want to give it a shot tomorrow. Has anyone tried ClearOS recently? Is it worth the time?
 

capn_pineapple

Active Member
Aug 28, 2013
356
80
28
Sounds like a stunningly positive review @Patrick </sarcasm>

I looked it a while back and decided to stick with my SophosUTM9 installation. Take a look at FreeRadius.
I also believe you're using pfSense for your firewalls so FreeRadius plugs into that quite nicely. I think there were some behind the scenes improvements for it in 2.3 too.
 

Jon Massey

Active Member
Nov 11, 2015
340
82
28
34
Yes, but back when it was called ClarkConnect and I was running it on a PIII 700MHz, so my memories might be a bit rusty!
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
Sounds like a stunningly positive review @Patrick </sarcasm>

I looked it a while back and decided to stick with my SophosUTM9 installation. Take a look at FreeRadius.
I also believe you're using pfSense for your firewalls so FreeRadius plugs into that quite nicely. I think there were some behind the scenes improvements for it in 2.3 too.
Now that I have it working :)

That is actually what I am strongly considering now. Using pfSense as my FreeRadius server.
 

TuxDude

Well-Known Member
Sep 17, 2011
615
336
63
I used ClarkConnect for quite a few years, and some of the earlier ClearOS versions as well though not the current version - I've replaced every ClarkConnect/ClearOS box I ever setup with a pfSense one by now though. IMHO they're too focused on being the center of a small Windows shop for a few versions now.
 
  • Like
Reactions: mason736

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
I used ClarkConnect for quite a few years, and some of the earlier ClearOS versions as well though not the current version - I've replaced every ClarkConnect/ClearOS box I ever setup with a pfSense one by now though. IMHO they're too focused on being the center of a small Windows shop for a few versions now.
Yea and there are really odd things that I saw with it. One is that the web UI is really slow. It is installed on 6x E5-2699 V3 cores and the web UI is slow (mind you I can download from the data center at just under a 100Mbit/s rate.

The main feature I wanted, the directory server they like to highlight the app (right side) but there are simple things missing, like, what port number is the directory server listening on? How do I change that? I have a bind password but no bind user name option.
upload_2016-4-13_8-45-24.png
 

TuxDude

Well-Known Member
Sep 17, 2011
615
336
63
I haven't spent a ton of time with it yet - but I've started using FreeIPA for a directory and have been happy with it so far.
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
What I am trying to solve for:

Have the ability for folks to get into the STH lab. Either to do reviews/ guides or as a subscription (subsidized by budgets at work hopefully).

So they need:
1. VPN access - user gets authenticated - likely in pfSense
2. Access to IPMI for reboots/ OS installs - IPMI generally supports LDAP and RADIUS
3. (Hopefully) a switch setup that puts folks on their own private VLAN based on 1.
4. Potentially access to Linux desktops with the same credentials
5. Killer is if there was a provisioning tool available that could wipe machines after someone stops using it.

It started out easy enough to do for William, myself and a few others, but if it scales, I need to get this setup properly. Frankly, very little time to do it on my end.
 

canta

Well-Known Member
Nov 26, 2014
1,028
198
63
39
was this clarkconnect?
I remember "green" theme on clarkconnect...
 

apnar

Member
Mar 5, 2011
109
17
18
For auth component I'll third FreeIPA. You'll get LDAP and Kerberos (as well as DNS, NTP, cert management, OTP) out of the box. Reasonably easy to add RADIUS with FreeRADIUS tied to it. Gives you a decent web gui but also everything can be done command line. Works well for Single Sign-On on Linux boxes and can even tie in windows boxes using pGina.
 

JustinH

Active Member
Jan 21, 2015
124
76
28
44
Singapore
What I am trying to solve for:

Have the ability for folks to get into the STH lab. Either to do reviews/ guides or as a subscription (subsidized by budgets at work hopefully).

So they need:
1. VPN access - user gets authenticated - likely in pfSense
2. Access to IPMI for reboots/ OS installs - IPMI generally supports LDAP and RADIUS
3. (Hopefully) a switch setup that puts folks on their own private VLAN based on 1.
4. Potentially access to Linux desktops with the same credentials
5. Killer is if there was a provisioning tool available that could wipe machines after someone stops using it.

It started out easy enough to do for William, myself and a few others, but if it scales, I need to get this setup properly. Frankly, very little time to do it on my end.
For point 5, have a look at ManageIQ. It's say it's still a bit rough around the edges, but the automation stuff in it is geared for this type of scenario.
 

MvL

Member
Jan 7, 2011
33
0
6
Netherlands
@MvL I thought the install process was very dated. One example is that some basic virtualization drivers were not installed by default. GUI performance was nowhere near what I would expect given the hardware. GUI was pretty hard to navigate. The directory server was missing a bunch of pretty basic functionality. More info here: Has anyone tried ClearOS? but I spent a few hours playing with it and ultimately was extremely disappointed and deleted the VM.
So you mis a couple of drivers for virtualization? If you want I can pass on what your problems are. I run ClearOS on KVM (unRAID) at the moment but I do not experience a slow webui.

There is documentation on the site of ClearOS. Maybe it helps to solve your problem with the directory server.

ClearOS 7 User Guide

Directory Server
 

fractal

Active Member
Jun 7, 2016
312
69
28
29
Necro, necro. Ok, @Patrick what did you settle on?

I just upgraded the firmware on my Archer C7 since the factory version didn't like my daughters iPad and had to reconfigure it and though to my self ... self, is there a better place to store logon credentials? And, since the AP supports Radius authentication, I started looking into it.

I too tried daloRadius, the .ovf version. I had to edit the .ovf file to get it to load into vmware but the idea of using a package that hasn't been maintained in 5 yrs scared me almost as much as its UI.

I found the package for freeRadius in pfSense and it looks a bit cleaner. Though, I am not sure how I feel about running a real SQL to a USB stick. Fortunately I had a pfSense box on a thin client box acting as my NTP box for my garmin GPS.

So, in short, what did you decide? I am leaning towards dropping pfSense on a VM to do nothing other than Radius if I can figure out how to back it up.
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
I was surprised that pfSense was the best option at the time.
 

dswartz

Active Member
Jul 14, 2011
393
33
28
I used pfsense for several years. Currently using sophos UTM (free home version up to 50 IP addresses...)
 

dswartz

Active Member
Jul 14, 2011
393
33
28
I used clearos way back when it was clarkconnect. I always felt like it was too heavy-weight, and the GUI seemed clunky to me...
 

Nnyan

Active Member
Mar 5, 2012
124
32
28
I also tried it during the clarkconnect days, I don't have any notes from that time so I can't remember why it didn't "stick". Simplewall looks pretty cool but it seems dead (chat doesn't work and no one responds to emails). Depending on where/how you download it from their website you can get a -0.0.1 or a -1.1.1 version. Didn't want to waste my time with something that isn't being developed.