Versions Compared

Old Version 17

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version 18

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

...

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


Test AD
ldapsearch

ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person


Test FreeRadius

radtest  

NTRadping


Integration
installapt install freeradius-ldap
Change configs
mods-available
clients.conf

NAS or Radius clients

( no mysql DB )

/etc/freeradius/3.0/clients.conf


client 192.168.0.203 {
        secret                = testing123
        shortname             = 192.168.0.203
        nastype               = laptop
}

Code Block
titleclients.conf
collapsetrue
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}





/etc/freeradius/3.0/radiusd.conf


mschapmods-available/mschap


Code Block
titlemschap original
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
        passchange {
        }
}




eap




ldap module

more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

Apache Directory Server or ApacheDS and Apache Studio


sites-available file

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
LDAP option is not commented out.


>> iner-tunnel filename

>> site-name filename







inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.




/etc/freeradius/3.0/ldap.attrmap

in this file you map LDAP attributes to RADIUS dictionary attributes.







radtestradtest and mysql query

radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%


radtest testuser1 password1 localhost 1812 testing123


Code Block
titleradtest -t mschap
collapsetrue
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#






...