https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/
https://wiki.freeradius.org/guide/bory-diallo.over-blog.com/2020/10/freeradius-ldap-sur-ubuntu-18.html
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
...
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
Test AD |
|
---|
ldapsearch | ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person (prefer -W, which prompts for the bind password, over -w secret, which leaves the password visible in the process list and shell history)
|
Test FreeRadius |
|
---|
| radtest |
| NTRadping
|
Integration |
|
---|
install | apt install freeradius-ldap; apt install winbind
|
Change configs |
|
---|
mods-available |
|
clients.conf |
|
---|
NAS or RADIUS clients (no MySQL DB) | /etc/freeradius/3.0/clients.conf — the secret testing123 used in these examples is the stock sample value; give each client its own long, random secret. require_message_authenticator = yes makes the server reject Access-Requests that lack a valid Message-Authenticator and is worth enabling wherever the NAS supports it.
client 192.168.0.203 {
secret = testing123
shortname = 192.168.0.203
nastype = laptop
}
Code Block |
---|
title | clients.conf |
---|
collapse | true |
---|
| root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v | grep -v "^[[:space:]]*$"
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
} |
|
|
|
| /etc/freeradius/3.0/radiusd.conf
|
mschap ntlm_auth | mods-available/mschap ntlm_auth |
---|
| change the path to /usr/bin/ntlm_auth (note that the --password=%{User-Password} form below puts the user's cleartext password on the ntlm_auth command line, where other local users can read it from the process list; the --challenge/--nt-response form shown under eap does not)
mschap original | root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
} |
|
mschap | mods-available/mschap |
---|
old |
Code Block |
---|
title | mschap original |
---|
collapse | true |
---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
passchange {
}
} |
| eap | mods-available/eap — Protected EAP (PEAP), which allows MSCHAPv2 to be used
|
---|
uncomment and change | change the path to ntlm_auth: /usr/bin/ntlm_auth (in stock FreeRADIUS 3.0 the ntlm_auth directive lives in mods-available/mschap, as in the mschap section above — confirm which file you are editing)
eap original | root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
|
eap | mods-available/eap — Protected EAP (PEAP), which allows MSCHAPv2 to be used |
---|
|
Code Block |
---|
title | eap original |
---|
collapse | true |
---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "DEFAULT"
cipher_server_preference = no
disable_tlsv1_1 = yes
disable_tlsv1 = yes
tls_min_version = "1.2"
tls_max_version = "1.2"
ecdh_curve = "prime256v1"
cache {
enable = no
store {
Tunnel-Private-Group-Id
}
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
root@RadiusApacheDS:~# |
|
ldap module | mods-available/ldap |
---|
|
more change | eap { default_eap_type = mschapv2 (the tls-common section above still uses the Debian ssl-cert-snakeoil self-signed key and certificate with the placeholder private_key_password = whatever; replace them with a server certificate the supplicants trust before relying on PEAP outside a lab)
|
Restart |
|
---|
| systemctl restart freeradius
|
|
|
sites-available file | sites-available/default |
---|
| more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'
port = 10389
identity = 'uid=admin,ou=system'
password = secret
base_dn = 'dc=example,dc=com'
Example LDAP server used here: Apache Directory Server (ApacheDS) with Apache Directory Studio |
sites-available file | sites-available/default |
---|
default | hash (#): files. AUTHORIZATION: the mschap entry is not commented out, so the MS-CHAP protocol is used in authentication requests from LDAP user accounts. AUTHENTICATION: the LDAP entry is not commented out.
>> inner-tunnel filename >> site-name filename
Code Block |
---|
| root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-available/default | hash (#): files. AUTHORIZATION: the mschap entry is not commented out, so the MS-CHAP protocol is used in authentication requests from LDAP user accounts. AUTHENTICATION: the LDAP entry is not commented out. >> inner-tunnel filename >> site-name filename |
inner tunnel | sites-available/inner-tunnel |
---|
inner-tunnel is a virtual server that handles only inner-tunnel requests for the EAP-TTLS and PEAP types.
root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-enabled/default | grep "#" -v | grep -v "^[[:space:]]*$"
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
root@RadiusApacheDS: |
|
changes | in the authorize section, under the comment "# The ldap module reads passwords from the LDAP database.", change -ldap to ldap (remove the leading minus sign "-"); then in the authenticate section add:
Auth-Type LDAP { ldap }
|
ln or symbolic link |
|
---|
| ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap |
inner tunnel | sites-available/inner-tunnel |
---|
| inner-tunnel is a virtual server that handles only inner-tunnel requests for the EAP-TTLS and PEAP types.
|
Restart |
|
---|
| systemctl restart freeradius
|
|
|
|
|
ldap module | mods-available/ldap |
---|
| more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'
port = 10389
identity = 'uid=admin,ou=system'
password = secret
base_dn = 'dc=example,dc=com'
Example LDAP server used here: Apache Directory Server (ApacheDS) with Apache Directory Studio. uid=admin,ou=system with password secret is the ApacheDS default administrator account; give the RADIUS server its own read-only bind account and password, and keep mods-available/ldap readable only by the RADIUS service account, since it stores that password in clear text.
|
|
|
---|
| /etc/freeradius/3.0/ldap.attrmap — in this file you map LDAP attributes to RADIUS dictionary attributes. |
|
|
radtest | radtest and mysql query |
---|
| radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password% (MS-CHAP can only succeed when the server can obtain the user's NT hash or cleartext password, e.g. via ntlm_auth/winbind against AD; a plain Auth-Type LDAP bind works for PAP only, which is the likely reason for the E=691 Access-Reject in the output below)
radtest testuser1 password1 localhost 1812 testing123
Code Block |
---|
title | radtest -t mschap |
---|
collapse | true |
---|
| root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
User-Name = "jlktest01"
MS-CHAP-Password = "password"
NAS-IP-Address = 192.168.0.21
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x5994e32b86e5e3a1
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~# |
|
|
|
|
|
...