https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-[…]
In order to get FreeRADIUS working, the following files must be configured:
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
...
ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person
...
NTRadping
...
NAS or Radius clients
( no mysql DB )
/etc/freeradius/3.0/clients.conf
...
specific-group-of-users-to-authenticate-in-debian-10/
https://bory-diallo.over-blog.com/2020/10/freeradius-ldap-sur-ubuntu-18.html
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
In order to get FreeRADIUS working, the following files must be configured:
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
Test AD |
|
---|
ldapsearch | ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person
|
Test FreeRadius |
|
---|
| radtest |
| NTRadping
Integration |
|
---|
install | apt install freeradius-ldap
apt install winbind
|
Change configs |
|
---|
mods-available |
|
clients.conf |
|
---|
NAS or Radius clients ( no mysql DB ) | /etc/freeradius/3.0/clients.conf
client 192.168.0.203 {
secret = testing123
shortname = 192.168.0.203
nastype = laptop
}
Code block: clients.conf (collapsed by default)
| root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v | grep -v "^[[:space:]]*$"
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
} |
|
|
|
| /etc/freeradius/3.0/radiusd.conf
|
ntlm_auth | mods-available/ntlm_auth |
---|
| change the path to /usr/bin/ntlm_auth
Code block: ntlm_auth (collapsed by default)
| exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
} |
|
mschap | mods-available/mschap |
---|
old |
Code block: mschap original (collapsed by default)
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
passchange {
}
} |
|
uncomment and change | change the path to ntlm_auth: /usr/bin/ntlm_auth
Code block: mschap mods (collapsed by default)
| ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
|
eap | mods-available/eap Protected EAP (PEAP), which allows the use of MSCHAPv2 |
---|
|
Code block: eap original (collapsed by default)
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "DEFAULT"
cipher_server_preference = no
disable_tlsv1_1 = yes
disable_tlsv1 = yes
tls_min_version = "1.2"
tls_max_version = "1.2"
ecdh_curve = "prime256v1"
cache {
enable = no
store {
Tunnel-Private-Group-Id
}
| secret = testing123
shortname = 192.168.0.203
nastype = laptop
}
Code block: clients.conf (collapsed by default)
|
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v | grep -v "^[[:space:]]*$"
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
/etc/freeradius/3.0/radiusd.conf
mschap | mods-available/mschap |
---|
Code block: mschap original (collapsed by default)
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
mods-available/eap (continued: end of the ttls section, then peap and mschapv2)
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
root@RadiusApacheDS:~# |
|
passchange {
}
}
change | eap { default_eap_type = mschapv2
eap | mods-available/eap Protected EAP (PEAP), which allows the use of MSCHAPv2 |
Restart |
---|
| systemctl restart freeradius
|
---|
|
|
sites-available file | sites-available/default |
---|
| /etc/freeradius/3.0/sites-available/default (hash: # files) AUTHORIZATION: the mschap option is not commented out; the mschap protocol will be used for authentication requests from LDAP user accounts. AUTHENTICATION: the LDAP option is not commented out.
>> inner-tunnel filename >> site-name filename
Code block: eap original / sites-enabled default (collapsed by default)
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "DEFAULT"
cipher_server_preference = no
disable_tlsv1_1 = yes
disable_tlsv1 = yes
tls_min_version = "1.2"
tls_max_version = "1.2"
ecdh_curve = "prime256v1"
cache {
enable = no
store {
Tunnel-Private-Group-Id
}
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-enabled/default | grep "#" -v | grep -v "^[[:space:]]*$"
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
root@RadiusApacheDS:~# |
| ldap module | more
|
changes | in the file, under the comment "# The ldap module reads passwords from the LDAP database.", enable the module by removing the leading minus sign ("-") from `-ldap` so that it reads `ldap`.
Auth-Type LDAP { ldap }
|
ln or symbolic link |
|
---|
| ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'
port = 10389
identity = 'uid=admin,ou=system'
password = secret
base_dn = 'dc=example,dc=com'
Example of ldapsearch: Apache Directory Server or ApacheDS and Apache Studio
sites-available file | /etc/freeradius/3.0/sites-available/default (hash: # files) AUTHORIZATION: the mschap option is not commented out; the mschap protocol will be used for authentication requests from LDAP user accounts. AUTHENTICATION: the LDAP option is not commented out. >> inner-tunnel filename >> site-name filename. inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types. |
inner tunnel | sites-available/inner-tunnel |
---|
| inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.
|
Restart |
|
---|
| systemctl restart freeradius
ldap module | mods-available/ldap |
---|
| more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'
port = 10389
identity = 'uid=admin,ou=system'
password = secret
base_dn = 'dc=example,dc=com'
Example of ldapsearch: Apache Directory Server or ApacheDS and Apache Studio
|
|
|
---|
| /etc/freeradius/3.0/ldap.attrmap in this file you map LDAP attributes to RADIUS dictionary attributes. |
|
|
radtest | radtest and mysql query |
---|
| radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%
radtest testuser1 password1 localhost 1812 testing123
Code block: radtest -t mschap (collapsed by default)
| root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
User-Name = "jlktest01"
MS-CHAP-Password = "password"
NAS-IP-Address = 192.168.0.21
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x5994e32b86e5e3a1
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~# |
...