https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/
...
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
| Test AD |
|
|---|
| ldapsearch | ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person
|
| Test FreeRadius |
|
|---|
| radtest |
| NTRadping
|
| Integration |
|
|---|
| install | apt install freeradius-ldap apt install winbind
|
| Change configs |
|
|---|
| mods-available |
|
| clients.conf |
|
|---|
NAS or Radius clients ( no mysql DB ) | /etc/freeradius/3.0/clients.conf
client 192.168.0.203 {
secret = testing123
shortname = 192.168.0.203
nastype = laptop
}
| Code Block |
|---|
| title | clients.conf |
|---|
| collapse | true |
|---|
| root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v | grep -v "^[[:space:]]*$"
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
} |
|
|
|
| /etc/freeradius/3.0/radiusd.conf
|
| ntlm_auth | mods-available/ntlm_auth |
|---|
| change the path to /usr/bin/ntlm_auth
| Code Block |
|---|
| title | ntlm_auth |
|---|
| collapse | true |
|---|
| exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
} |
|
| mschap | mods-available/mschap |
|---|
| old |
| Code Block |
|---|
| title | mschap original |
|---|
| collapse | true |
|---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
passchange {
}
} |
|
| uncomment and change | change the path to ntlm_auth: /usr/bin/ntlm_auth
| Code Block |
|---|
| title | mschap mods |
|---|
| collapse | true |
|---|
| ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00
} --nt-response=%{%{mschap:NT-Response}:-00}"
|
|
| eap | mods-available/eap Protected EAP with allows to use MSCHAPv2 |
|---|
|
| Code Block |
|---|
| title | eap original |
|---|
| collapse | true |
|---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "DEFAULT"
cipher_server_preference = no
disable_tlsv1_1 = yes
disable_tlsv1 = yes
tls_min_version = "1.2"
tls_max_version = "1.2"
ecdh_curve = "prime256v1"
cache {
enable = no
store {
Tunnel-Private-Group-Id
}
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
root@RadiusApacheDS:~# |
|
| chnage | eap { default_eap_type = mschapv2
|
| Restart |
|
|---|
| systemctl restart freeradius
|
|
|
| sites-available file | sites-available/default |
|---|
| /etc/freeradius/3.0/sites-available/default hash: # filesd AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts. AUTHENTICATION: LDAP
LDAP option is not commented out.
>> iner-tunnel filename >> site-name filename
| Code Block |
|---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-enabled/default | grep "#" -v | grep -v "^[[:space:]]*$"
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
root@RadiusApacheDS: |
|
| changes | file # The ldap module reads passwords from the LDAP database.
ldap ##### remove the minus sign or "-" #########
Auth-Type LDAP {
ldap
}
|
| ln or symbolic link |
|
|---|
| ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap |
| inner tunnel | sites-available/inner-tunnel |
|---|
| inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.
|
| Restart |
|
|---|
| systemctl restart freeradius
|
|
|
|
|
| ldap module | mods-available/ldap |
|---|
| more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost' port = 10389 identity = 'uid=admin,ou=system'
password = secret base_dn = 'dc=example,dc=com'
Example of ldapsearch: Apache Directory Server or ApacheDS and Apache Studio
|
|
|
|---|
| /etc/freeradius/3.0/ldap.attrmap in this file you map LDAP attributes to RADIUS dictionary attributes. |
|
|
| radtest | radtest and mysql query |
|---|
| radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%
radtest testuser1 password1 localhost 1812 testing123
| Code Block |
|---|
| title | radtest -t mschap |
|---|
| collapse | true |
|---|
| root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
User-Name = "jlktest01"
MS-CHAP-Password = "password"
NAS-IP-Address = 192.168.0.21
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x5994e32b86e5e3a1
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~# |
|
|
|
|
|
...