Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »


https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/


https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

In order to get FreeRADIUS working, the following files must be configured:

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


Test AD
ldapsearch

ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person


Test FreeRadius

radtest  

NTRadping


Integration
install

apt install freeradius-ldap

apt install winbind


Change configs
mods-available
clients.conf

NAS or Radius clients

( no mysql DB )

/etc/freeradius/3.0/clients.conf


client 192.168.0.203 {
        secret                = testing123
        shortname             = 192.168.0.203
        nastype               = laptop
}

clients.conf
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}



/etc/freeradius/3.0/radiusd.conf


ntlm_authmods-available/ntlm_auth

change the path to /usr/bin/ntlm_auth


ntlm_auth
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
mschapmods-available/mschap


mschap original
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
mschap {
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
        passchange {
        }
}


eapmods-available/eap                     Protected EAP with allows to use MSCHAPv2

eap original
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls-config tls-common {
                private_key_password = whatever
                private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                disable_tlsv1_1 = yes
                disable_tlsv1 = yes
                tls_min_version = "1.2"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"
                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
                }
                verify {
                }
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
root@RadiusApacheDS:~#


ldap modulemods-available/ldap

more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

Apache Directory Server or ApacheDS and Apache Studio


sites-available filesites-available/default

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
LDAP option is not commented out.


>> iner-tunnel filename

>> site-name filename




inner tunnel
sites-available/inner-tunnel

inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.




/etc/freeradius/3.0/ldap.attrmap

in this file you map LDAP attributes to RADIUS dictionary attributes.







radtestradtest and mysql query

radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%


radtest testuser1 password1 localhost 1812 testing123

radtest -t mschap
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#




  • No labels