Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/

https://wiki.bory-diallo.over-blog.com/2020/10/freeradius-ldap-sur-ubuntu-18.html

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

...

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'

Example of ldapsearch:

Apache Directory Server or ApacheDS and Apache Studio

Test AD
ldapsearch

ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person


Test FreeRadius

radtest  

NTRadping


Integration
install

apt install freeradius-ldap

apt install winbind


Change configs
mods-available
clients.conf

NAS or Radius clients

( no mysql DB )

/etc/freeradius/3.0/clients.conf


client 192.168.0.203 {
        secret                = testing123
        shortname             = 192.168.0.203
        nastype               = laptop
}

Code Block
titleclients.conf
collapsetrue
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}





/etc/freeradius/3.0/radiusd.conf


ntlm_authmods-available/ntlm_auth

change the path to /usr/bin/ntlm_auth


Code Block
titlentlm_auth
collapsetrue
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}


mschapmods-available/mschap
old




Code Block
titlemschap original
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
        passchange {
        }
}
eapmods-available/eap                     Protected EAP with allows to use MSCHAPv2


uncomment and change

change the path to ntlm_auth: /usr/bin/ntlm_auth


Code Block
title
eap original
mschap mods
collapsetrue
root@RadiusApacheDS:~#
 
more
 
/etc/freeradius/3.0/mods-available/eap
 
|
 
grep
 
"#"
 
-v
 
|
 
grep -v "^[[:space:]]*$" eap { default_eap_type = md5 timer_expire = 60
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00
} --nt-response=%{%{mschap:NT-Response}:-00}"


eapmods-available/eap                     Protected EAP with allows to use MSCHAPv2


Code Block
titleeap original
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
        ignore_unknowndefault_eap_typestype = nomd5
        cisco_accounting_username_bugtimer_expire = no60
        max_ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls-config tls-common {
                private_key_password = whatever
                private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                disable_tlsv1_1 = yes
                disable_tlsv1 = yes
                tls_min_version = "1.2"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"
                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
                }
                verify {
                }
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
root@RadiusApacheDS:~#


chnage
ldap modulemods-available/ldap
sites-available filesites-available/default

 eap  

       { 

       default_eap_type = mschapv2


Restart

systemctl restart freeradius


sites-available filesites-available/default

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
LDAP option is not commented out.


>> iner-tunnel filename

>> site-name filename


Code Block
titledefault
collapsetrue
root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-enabled/default  | grep "#" -v | grep -v "^[[:space:]]*$"
server default {
listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
}
listen {
        type = auth
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
listen {
        ipv6addr = ::
        port = 0
        type = acct
        limit {
        }
}
authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}
session {
}
post-auth {
        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                update reply {
                        &User-Name !* ANY
                }
        }
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
}
pre-proxy {
}
post-proxy {
        eap
}
}
root@RadiusApacheDS:


changes

file

# The ldap module reads passwords from the LDAP database.
ldap                     ##### remove the minus sign or "-"  #########


Auth-Type LDAP {
     ldap
}


ln or symbolic link

ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
inner tunnelsites-available/inner-tunnel

inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.


Restart

systemctl restart freeradius




ldap modulemods-available/ldap

more /etc/freeradius/3.0/sitesmods-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
LDAP option is not commented out.

>> iner-tunnel filename

>> site-name filename

inner tunnel
sites-available/inner-tunnel

inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

Apache Directory Server or ApacheDS and Apache Studio





/etc/freeradius/3.0/ldap.attrmap

in this file you map LDAP attributes to RADIUS dictionary attributes.



radtestradtest and mysql query

radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%


radtest testuser1 password1 localhost 1812 testing123


Code Block
titleradtest -t mschap
collapsetrue
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#






...