

https://wikiblog.freeradiusstevedong.orgcom/guide/freeradiuspost/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-integration-howto

In order to get FreeRADIUS working, the following files must be configured:

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users

...

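# Sanity-check the directory before wiring it into FreeRADIUS: bind as the
# admin DN and list every entry of objectClass person under the base DN.
# -W prompts for the bind password; the original "-w secret" put it on the
# command line, where it is visible in `ps` and kept in shell history.
# -H replaces the deprecated -h/-p pair with a URI.
ldapsearch -H ldap://localhost:10389 -D "uid=admin,ou=system" -W -b "dc=example,dc=com" "(objectClass=person)"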

...

NTRadping


...

NAS or Radius clients

(no MySQL database is used; RADIUS clients are defined statically in clients.conf)

/etc/freeradius/3.0/clients.conf

...

specific-group-of-users-to-authenticate-in-debian-10/

https://bory-diallo.over-blog.com/2020/10/freeradius-ldap-sur-ubuntu-18.html

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

In order to get FreeRADIUS working, the following files must be configured:

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v | grep -v "^[[:space:]]*$" client localhost {
Test the directory (ApacheDS in this example, on port 10389)
ldapsearch

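# Sanity-check the directory before wiring it into FreeRADIUS: bind as the
# admin DN and list every entry of objectClass person under the base DN.
# -W prompts for the bind password; the original "-w secret" put it on the
# command line, where it is visible in `ps` and kept in shell history.
# -H replaces the deprecated -h/-p pair with a URI.
ldapsearch -H ldap://localhost:10389 -D "uid=admin,ou=system" -W -b "dc=example,dc=com" "(objectClass=person)"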


Test FreeRadius

radtest  

NTRadping



Integration
install

# freeradius-ldap provides the rlm_ldap module that is enabled later through
# mods-enabled/ldap.
apt install freeradius-ldap

# winbind (Samba) supplies /usr/bin/ntlm_auth, which the ntlm_auth and mschap
# modules below call to verify MS-CHAP credentials against the domain.
# NOTE(review): ntlm_auth only works once this host is joined to the domain
# and winbindd is running; that step is not shown on this page — confirm it.
apt install winbind


Change configs
mods-available
clients.conf

NAS or Radius clients

(no MySQL database is used; RADIUS clients are defined statically in clients.conf)

/etc/freeradius/3.0/clients.conf


# A RADIUS client (NAS) entry.  The shared secret is the only thing that
# authenticates this NAS to the server and that hides User-Password on the
# wire, so testing123 (the stock sample value) must be replaced with a long,
# random, per-client secret before this leaves the lab.
client 192.168.0.203 {
        secret                = testing123
        shortname             = 192.168.0.203
        # NOTE(review): nastype is only consulted by checkrad for
        # Simultaneous-Use checks, and "laptop" is not one of the documented
        # values (cisco, livingston, other, ...).  Use "other" or drop the line.
        nastype               = laptop
}

Listing — clients.conf (comment and blank lines stripped):
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
# The loopback client used by radtest on this host.
client localhost {
        ipaddr = 127.0.0.1
        # Accept both UDP and TCP from this client.
        proto = *
        # Stock sample secret — fine for loopback tests only; never reuse it
        # for a real NAS.
        secret = testing123
        # NOTE(review): "no" lets this client send Access-Requests without a
        # Message-Authenticator.  Current FreeRADIUS guidance is "yes" for
        # every client that can send it; radtest does (see the
        # "Message-Authenticator = 0x00" in the radtest output further down),
        # so "yes" is safe here.
        require_message_authenticator = no
        # Connection limits; these apply to the TCP transport.
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
# Same loopback client over IPv6.  Same caveat: testing123 is the stock
# sample secret and is only acceptable for loopback testing.
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}





/etc/freeradius/3.0/radiusd.conf


ntlm_auth — mods-available/ntlm_auth

Change the program path to /usr/bin/ntlm_auth (where the winbind package installs it on Debian).


Listing — mods-available/ntlm_auth:
# Stand-alone ntlm_auth module: verifies a clear-text (PAP) password by
# handing it to Samba's ntlm_auth, which checks it against the domain through
# winbind.  wait = yes blocks the request until the program returns.
exec ntlm_auth {
        wait = yes
        # Caveats before relying on this path:
        #  * --password=%{User-Password} places the clear-text password in
        #    the child's argv, readable by local users via ps / /proc while
        #    ntlm_auth runs.  Prefer the mschap module's ntlm_auth setting
        #    (challenge + NT-Response only) wherever the NAS can do MS-CHAP.
        #  * It only works when User-Password is present, i.e. PAP or
        #    TTLS-PAP; MS-CHAP requests carry no password and never match.
        #  * MYDOMAIN is a placeholder for the NetBIOS domain name.
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}


mschap — mods-available/mschap
Original (unmodified) file:




Listing — mschap, original (comment and blank lines stripped):
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
# Stock mschap module as shipped, before the ntlm_auth line is added.
mschap {
        # Connection pool for talking to winbindd directly (the
        # winbind_username / winbind_domain method, per the stock file's
        # comments).  It is not used by the exec-style ntlm_auth = "..."
        # setting added further down, so these values can stay at defaults.
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
        # MS-CHAPv2 password-change support; left empty, i.e. disabled.
        passchange {
        }
}


Uncomment the ntlm_auth line and change its program path to /usr/bin/ntlm_auth:


Listing — mschap, modified line:
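        # Delegate MS-CHAP verification to Samba's ntlm_auth.  Only the
        # challenge and the NT-Response are passed — never a clear-text
        # password — so this is the preferred path for PEAP/MS-CHAPv2.
        # Stripped-User-Name is tried first so a realm suffix is not sent to
        # the domain; the :-00 / :-None defaults keep the command well-formed
        # when an attribute is absent.  (The wiki rendering had wrapped this
        # single line in the middle of "--challenge=...:-00}"; it is one line.)
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"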


eap — mods-available/eap: Protected EAP (PEAP), which carries MS-CHAPv2 inside a TLS tunnel


Listing — eap, original (comment and blank lines stripped; the listing below is truncated by the page's version-compare rendering):
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
# Stock eap module as shipped by Debian.  NOTE: this listing is cut off after
# the cache { store { } } stanza by the page's version-compare rendering; the
# rest of tls-config and the ttls / peap / mschapv2 stanzas are not legible.
eap {
        # EAP-MD5 offers no server authentication and derives no keying
        # material, so it is unusable for WPA-Enterprise.  The page changes
        # this to mschapv2 (PEAP/MS-CHAPv2) further down.
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls-config tls-common {
                # ssl-cert-snakeoil is Debian's auto-generated self-signed
                # placeholder.  Supplicants cannot validate it, so they end
                # up configured (or users trained) to skip server-certificate
                # validation — and then a rogue AP can capture the MS-CHAPv2
                # exchange.  Issue a server certificate from a CA the
                # supplicants trust and enforce validation on the clients.
                private_key_password = whatever
                private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                # ca_file / ca_path are used to verify EAP-TLS client
                # certificates; the system-wide bundle would accept a client
                # certificate from any public CA, so point these at your own
                # CA if EAP-TLS is ever enabled.
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                # TLS 1.2 only: 1.0/1.1 are disabled both by the legacy flags
                # and by the min/max version pins.
                disable_tlsv1_1 = yes
                disable_tlsv1 = yes
                tls_min_version = "1.2"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"
                # TLS session resumption is off; if enabled, the attributes
                # listed under store { } are kept for resumed sessions.
                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
             
secret
   }
            
=
 
testing123
   verify {
    
shortname
            }
=
 
192.168.0.203
         
nastype
      ocsp {
       
=
 
laptop }
Code Block
titleclients.conf
collapsetrue
                enable = no
      
ipaddr
 
=
 
127.0.0.1
         
proto
 
=
 
*
     override_cert_url = yes
 
secret
 
=
 
testing123
         
require_message_authenticator
 
=
 
no
         
limit
 
{
url = "http://127.0.0.1/ocsp/"
              
max_connections
 
=
 
16
}
        }
       
lifetime
 
=
tls 
0
{
                
idle_timeout
tls = 
30
tls-common
        }
 
}
 
client
 
localhost_ipv6
 
{
    ttls {
   
ipv6addr
        
=
 
::1
    tls = tls-common
  
secret
          
=
 
testing123
 
}

/etc/freeradius/3.0/radiusd.conf

mschap — mods-available/mschap
Code Block
titlemschap original
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap { default_eap_type = md5
                pool {copy_request_to_tunnel = no
                startuse_tunneled_reply = ${thread[pool].start_servers}no
                minvirtual_server = ${thread[pool].min_spare_servers}"inner-tunnel"
        }
       max =peap ${thread[pool].max_servers}
                sparetls = ${thread[pool].max_spare_servers}tls-common
                usesdefault_eap_type = 0mschapv2
                retry_delaycopy_request_to_tunnel = 30no
                lifetimeuse_tunneled_reply = 86400no
                cleanupvirtual_intervalserver = 300"inner-tunnel"
        }
       idle_timeout =mschapv2 600{
        }
        passchange {
        }
}
eapmods-available/eap                     Protected EAP with allows to use MSCHAPv2eap original
Code Block
title
}
root@RadiusApacheDS:~#


Change the default EAP type from md5 to mschapv2:

 eap  

       { 

       default_eap_type = mschapv2


Restart

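# Validate the configuration first so a typo does not leave RADIUS down after
# the restart; "freeradius -C" parses the config and exits non-zero on error,
# and && skips the restart in that case.
freeradius -C && systemctl restart freeradius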


sites-available — sites-available/default

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZE section: mschap
Make sure `mschap` is not commented out in the authorize section: it recognises the MS-CHAP attributes in requests from users that are looked up in LDAP and sets Auth-Type accordingly.

AUTHENTICATE section: ldap
Make sure `ldap` is not commented out in the authenticate section (remove the leading `-`, see below) so the `Auth-Type LDAP` bind path is available.


>> inner-tunnel file

>> site-name filename


Code Block
titledefault
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/modssites-availableenabled/eapdefault  | grep "#" -v | grep -v "^[[:space:]]*$"
eap
server default {
listen {
        default_eap_type = md5auth
        timer_expireipaddr = 60*
        ignore_unknown_eap_typesport = no0
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}limit {
            md5 { max_connections = 16
     }         leaplifetime {= 0
       }       idle_timeout = gtc30
{        }
}
listen {
     auth_type = PAP ipaddr = *
     }   port = 0
   tls-config tls-common {   type = acct
        limit {
 private_key_password = whatever     }
}
listen {
        private_key_filetype = /etc/ssl/private/ssl-cert-snakeoil.keyauth
        port = 0
     certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
  limit {
              ca_file = /etc/ssl/certs/ca-certificates.crt
 max_connections = 16
              dh_filelifetime = ${certdir}/dh 0
              idle_timeout = 30
        }
ca_path}
=listen ${cadir}
        ipv6addr = ::
        cipher_listport = "DEFAULT"0
        type = acct
       cipher_server_preference =limit no{
        }
}
authorize {
    disable_tlsv1_1 = yes  filter_username
        preprocess
     disable_tlsv1 = yes chap
        mschap
      tls_min_version = "1.2"digest
        suffix
       tls_max_version = "1.2"eap {
                ecdh_curveok = return
"prime256v1"        }
        cachefiles
{        -sql
        -ldap
       enable =expiration
no        logintime
        pap
}
authenticate {
    store {   Auth-Type PAP {
                pap
        }
 Tunnel-Private-Group-Id       Auth-Type CHAP {
               } chap
        }
      }  Auth-Type MS-CHAP {
            verify {   mschap
        }
    }    mschap
        digest
   ocsp {    eap
}
preacct {
        preprocess
        enableacct_unique
= no       suffix
        files
}
accounting {
     override_cert_url = yes detail
        unix
        -sql
     url = "http://127.0.0.1/ocsp/"
 exec
        attr_filter.accounting_response
}
session {
}
post-auth {
}         }
        tlsif (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                tlsupdate =reply tls-common{
        }         ttls {      &User-Name !* ANY
        tls = tls-common         }
       default_eap_type =}
md5        update {
       copy_request_to_tunnel = no       &reply: += &session-state:
       use_tunneled_reply =}
no        -sql
        virtual_serverexec
= "inner-tunnel"       remove_reply_message_if_eap
 }         peapPost-Auth-Type REJECT {
 
              tls = tls-commonsql
                defaultattr_eapfilter.access_typereject
= mschapv2               eap
 copy_request_to_tunnel = no                 use_tunneled_reply = noremove_reply_message_if_eap
        }
         virtual_server = "inner-tunnel"Post-Auth-Type Challenge {
        }
}
pre-proxy {
}
post-proxy {
      mschapv2 { eap
}
      }
}
root@RadiusApacheDS:~#
ldap module
}
root@RadiusApacheDS:


changes

file

# The ldap module reads passwords from the LDAP database.
ldap                     # remove the leading minus sign: "-ldap" makes the call optional (silently skipped when the module is not loaded); plain "ldap" makes the server refuse to start unless mods-enabled/ldap exists, which catches a forgotten symlink


# Bind-based authentication: rlm_ldap binds to the directory as the user with
# the supplied User-Password.  That requires the clear-text password, so this
# Auth-Type only serves PAP (and TTLS-PAP) requests; MS-CHAP/PEAP requests
# carry no password and cannot use it — they need mschap + ntlm_auth, or an
# NT-hash attribute that rlm_ldap can read from the directory.
Auth-Type LDAP {
     ldap
}


Enable the module with a symbolic link into mods-enabled, then review its settings:

ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
# rlm_ldap pointing at ApacheDS on this host.  (The listing is cut off here
# by the page's rendering; the closing brace is not shown.)
ldap {
# Plain LDAP, no TLS.  Acceptable only because the directory is on the same
# host; a remote directory needs ldaps:// or start_tls, otherwise the bind
# password and every user lookup cross the network in clear text.
server = 'localhost'

port = 10389

# uid=admin,ou=system is ApacheDS's built-in superuser and "secret" is its
# default password.  Use a dedicated read-only service account with its own
# password, and keep this file readable by the freerad user only, since the
# password is stored here in clear text.
identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'

Example of ldapsearch:

The directory used in this example is Apache Directory Server (ApacheDS), managed with Apache Directory Studio.

sites-available filesites-available/default-enabled/ldapinner tunnelsites-available/inner-tunnel

inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.


Restart

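# Validate the configuration first so a typo does not leave RADIUS down after
# the restart; "freeradius -C" parses the config and exits non-zero on error,
# and && skips the restart in that case.
freeradius -C && systemctl restart freeradius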




ldap module — mods-available/ldap

more /etc/freeradius/3.0/sitesmods-available/default

hash:  # filesd

AUTHORIZE section: mschap
Make sure `mschap` is not commented out in the authorize section: it recognises the MS-CHAP attributes in requests from users that are looked up in LDAP and sets Auth-Type accordingly.

AUTHENTICATE section: ldap
Make sure `ldap` is not commented out in the authenticate section (remove the leading `-`) so the `Auth-Type LDAP` bind path is available.

>> inner-tunnel file

>> site-name filename

inner tunnel
sites-available/inner-tunnel

inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

The directory used in this example is Apache Directory Server (ApacheDS), managed with Apache Directory Studio.





/etc/freeradius/3.0/ldap.attrmap

In this file you map LDAP attributes to RADIUS dictionary attributes. NOTE(review): in FreeRADIUS 3.x this mapping normally lives in the `update { }` section of mods-available/ldap; ldap.attrmap is the 2.x mechanism, so confirm that your version actually reads it before editing it.



radtest

radtest -t mschap <user_name> <user_password> localhost 1812 <shared_secret>   (the last argument is the client's shared secret from clients.conf, not a NAS or user password)


# radtest <user> <password> <server> <nas-port> <shared-secret>
# The last argument is the client secret from clients.conf (testing123 for
# the localhost client), not a user credential.  Without -t mschap radtest
# sends PAP, i.e. a User-Password attribute, which is what Auth-Type LDAP
# (bind as the user) needs.
radtest testuser1 password1 localhost 1812 testing123


Listing — radtest -t mschap (example run; note the Access-Reject with MS-CHAP-Error E=691, MS-CHAP's generic authentication-failure code — run `freeradius -X` to see which module rejected the request, and note that radtest echoes the clear-text password in its output):
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#






...