Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »


https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

In order to get FreeRADIUS working, the following files must be configured:

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


Test AD
ldapsearch

ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person


Test FreeRadius

radtest  

NTRadping


Integration
installapt install freeradius-ldap
Change configs
mods-available
clients.conf

NAS or Radius clients

( no mysql DB )

/etc/freeradius/3.0/clients.conf


client 192.168.0.203 {
        secret                = testing123
        shortname             = 192.168.0.203
        nastype               = laptop
}

clients.conf
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}



/etc/freeradius/3.0/radiusd.conf


mschap


eap




ldap module

more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
ldap {
server = 'localhost'

port = 10389

identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

Apache Directory Server or ApacheDS and Apache Studio


sites-available file

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
mschap option is not commented out.
mschap protocol will be used in authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
LDAP option is not commented out.


>> iner-tunnel filename

>> site-name filename







inner-tunnel is a virtual server and handles only inner tunnel requests for EAP-TTLS and PEAP types.




/etc/freeradius/3.0/ldap.attrmap

in this file you map LDAP attributes to RADIUS dictionary attributes.







radtestradtest and mysql query

radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%


radtest testuser1 password1 localhost 1812 testing123

radtest -t mschap
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#




  • No labels