FreeRADIUS Active Directory integration


https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/

https://bory-diallo.over-blog.com/2020/10/freeradius-ldap-sur-ubuntu-18.html

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

In order to get FreeRADIUS working, the following files must be configured:

  • clients.conf
  • mods-available/mschap
  • mods-available/eap
  • users


Test AD
ldapsearch

# Sanity-check the directory before pointing FreeRADIUS at it: bind as the
# admin DN and list every person entry under the base DN.
# -h/-p select ldap:// on localhost:10389 (no TLS unless -Z is added).
# NOTE(review): -w puts the bind password on the command line, where it shows
# up in the process list and shell history; -W prompts for it instead.
ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -w secret -b dc=example,dc=com objectclass=person


Test FreeRadius

radtest  

NTRadping


Integration
install

# rlm_ldap (the FreeRADIUS "ldap" module used below) is a separate package on Debian.
apt install freeradius-ldap

# winbind provides ntlm_auth, which the ntlm_auth and mschap modules below call.
apt install winbind


Change configs
mods-available
clients.conf

NAS or RADIUS clients

(no MySQL DB)

/etc/freeradius/3.0/clients.conf


# Example NAS definition: one "client" block per device allowed to send RADIUS
# requests. With no ipaddr line, the block name is used as the client address.
client 192.168.0.203 {
        # Shared secret that authenticates packets and hides User-Password.
        # "testing123" is the stock sample value — give each NAS its own long,
        # random secret before this server is reachable by anything real.
        secret                = testing123
        shortname             = 192.168.0.203
        # NOTE(review): nastype is consulted by checkrad for simultaneous-use
        # checks; "laptop" is not one of the documented nastype values — confirm
        # it is intended or drop the line.
        nastype               = laptop
}

clients.conf
root@Radius01:~# more /etc/freeradius/3.0/clients.conf | grep "#" -v  | grep -v "^[[:space:]]*$"
# Loopback client used by the radtest runs at the end of these notes.
client localhost {
        ipaddr = 127.0.0.1
        # Accept both UDP and TCP from this client.
        proto = *
        # Stock sample secret; acceptable for a loopback lab only.
        secret = testing123
        # NOTE(review): "no" lets Access-Requests in without a Message-Authenticator,
        # so their integrity is not verified. Set it to yes once the client sends
        # one in every Access-Request (radtest already does — see the transcript
        # at the end of these notes).
        require_message_authenticator = no
        # Per-client TCP connection limits.
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
# Same loopback client over IPv6. No require_message_authenticator is set here,
# so the server-wide default applies.
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}



/etc/freeradius/3.0/radiusd.conf


ntlm_auth — mods-available/ntlm_auth

change the path to /usr/bin/ntlm_auth


ntlm_auth
# Runs Samba's ntlm_auth with the cleartext password, so it only applies to
# requests that carry User-Password (PAP-style). MYDOMAIN is a placeholder for
# the AD NetBIOS domain name.
exec ntlm_auth {
        # Wait for ntlm_auth to exit so its result drives the module return code.
        wait = yes
        # NOTE(review): the user's password is passed as a command-line argument
        # and is therefore visible in the process list while ntlm_auth runs.
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
mschap — mods-available/mschap
old




mschap original
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/mschap | grep "#" -v | grep -v "^[[:space:]]*$"
# Stock mods-available/mschap with comments stripped (the listing filters every
# line containing '#'), which is why the commented-out ntlm_auth setting is absent.
mschap {
        # Connection pool, presumably for the module's direct winbind option;
        # sizes track the server thread pool. Unused once ntlm_auth is set below.
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
        # Password-change support left unconfigured.
        passchange {
        }
}
uncomment and change

change the path to ntlm_auth: /usr/bin/ntlm_auth


mschap mods
        # Line to uncomment inside the mschap { } block: hand the MS-CHAP
        # challenge/response pair to winbind's ntlm_auth for verification against
        # AD, using the realm-stripped user name when one is present.
        # NOTE(review): unlike the exec block above, no --domain is passed, so
        # winbind's default domain is presumably used — confirm for this setup.
        # The value wrapped when these notes were captured; in the file it is a
        # single line (the "00" and "}" belong together).
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00
} --nt-response=%{%{mschap:NT-Response}:-00}"

eap — mods-available/eap: Protected EAP (PEAP), which allows the use of MSCHAPv2

eap original
root@RadiusApacheDS:~# more /etc/freeradius/3.0/mods-available/eap | grep "#" -v | grep -v "^[[:space:]]*$"
# Stock mods-available/eap with comments stripped. The notes that follow change
# default_eap_type to mschapv2.
eap {
        # Outer EAP type offered first; changed to mschapv2 later in these notes.
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        # TLS settings shared by the tls, ttls and peap sections below.
        tls-config tls-common {
                # Passphrase of the private key below; "whatever" is the sample value.
                private_key_password = whatever
                # NOTE(review): the snakeoil pair is Debian's placeholder self-signed
                # certificate. Supplicants that do not validate the server certificate
                # will complete the PEAP handshake with any server, so install a real
                # certificate and configure clients to check the CA and server name.
                private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                cipher_server_preference = no
                # Only TLS 1.2 is negotiated: 1.0/1.1 disabled, min and max pinned to 1.2.
                disable_tlsv1_1 = yes
                disable_tlsv1 = yes
                tls_min_version = "1.2"
                tls_max_version = "1.2"
                ecdh_curve = "prime256v1"
                # TLS session cache (resumption) disabled.
                cache {
                        enable = no
                        store {
                                Tunnel-Private-Group-Id
                        }
                }
                verify {
                }
                # OCSP checking disabled; only relevant when clients present certificates.
                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                }
        }
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        # PEAP: the inner MSCHAPv2 exchange is handled by the inner-tunnel virtual server.
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
root@RadiusApacheDS:~#
change

 eap  

       { 

       default_eap_type = mschapv2
Restart

systemctl restart freeradius


sites-available file — sites-available/default

/etc/freeradius/3.0/sites-available/default

hash:  # filesd

AUTHORIZATION: MSCHAP
The mschap option is not commented out.
The MS-CHAP protocol will be used for authentication requests from LDAP user accounts.

AUTHENTICATION: LDAP
The LDAP option is not commented out.


>> inner-tunnel filename

>> site-name filename


default
root@RadiusApacheDS:~# more /etc/freeradius/3.0/sites-enabled/default  | grep "#" -v | grep -v "^[[:space:]]*$"
# sites-enabled/default with comments stripped. The notes that follow enable
# "ldap" in authorize (drop the leading "-") and add an Auth-Type LDAP section.
server default {
# Authentication listener on all IPv4 addresses; port = 0 selects the standard
# RADIUS auth port (1812, as the radtest runs below show).
listen {
        type = auth
        ipaddr = *
        port = 0
        # TCP connection limits for this listener.
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
# Accounting listener on all IPv4 addresses.
listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
}
# IPv6 authentication listener. Its address line is missing from this listing,
# presumably because the stock line carries a trailing '#' comment that the
# grep filter removed.
listen {
        type = auth
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
# IPv6 accounting listener.
listen {
        ipv6addr = ::
        port = 0
        type = acct
        limit {
        }
}
# Decide Auth-Type and look up the user. A leading "-" means the module is
# skipped silently if it is not enabled (sql and ldap here).
authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        # EAP requests are handed off here and processing stops.
        eap {
                ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
}
# Verify credentials according to the Auth-Type chosen above. MS-CHAP (radtest
# -t mschap, and the PEAP inner tunnel) is checked by the mschap module, which
# the notes point at ntlm_auth.
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}
session {
}
post-auth {
        # Drop User-Name from the reply when it merely echoes the request value.
        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                update reply {
                        &User-Name !* ANY
                }
        }
        # Merge attributes saved in session-state (e.g. by the EAP tunnel) into the reply.
        update {
                &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
}
pre-proxy {
}
post-proxy {
        eap
}
}
root@RadiusApacheDS:
changes

file

# The ldap module reads passwords from the LDAP database.
ldap                     ##### remove the minus sign or "-"  #########


# Auth-Type LDAP: rlm_ldap authenticates by binding to the directory as the
# user, which needs the cleartext User-Password, i.e. PAP requests only.
# NOTE(review): MS-CHAP requests (radtest -t mschap, PEAP/MSCHAPv2) never reach
# this section; they are verified by mschap + ntlm_auth, so this mainly serves
# plain PAP clients.
Auth-Type LDAP {
     ldap
}


ln or symbolic link

# Enable rlm_ldap: FreeRADIUS loads whatever is linked into mods-enabled/.
# The target file holds the bind DN and cleartext bind password (see the ldap
# module listing below), so keep it readable only by root and the service user.
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
inner tunnel — sites-available/inner-tunnel

inner-tunnel is a virtual server that handles only the inner-tunnel requests of the EAP-TTLS and PEAP types.


Restart

systemctl restart freeradius




ldap module — mods-available/ldap

more /etc/freeradius/3.0/mods-available/ldap | grep "#" -v | grep -v "^[[:space:]]*$"
# Start of mods-available/ldap (listing truncated: the closing brace and the
# rest of the module are not shown).
ldap {
# Directory on the same host over plain LDAP (10389 is the ApacheDS default).
# NOTE(review): no TLS is configured; tolerable on loopback only — if the
# directory moves to another host, enable the module's TLS settings.
server = 'localhost'

port = 10389

# Bind credentials. These are the ApacheDS default administrator DN and
# password: use a dedicated read-only service account instead and change the
# default. The password sits here in cleartext, so restrict the file's permissions.
identity = 'uid=admin,ou=system'
password = secret

base_dn = 'dc=example,dc=com'


Example of ldapsearch:

Apache Directory Server (ApacheDS) and Apache Directory Studio





/etc/freeradius/3.0/ldap.attrmap

In this file you map LDAP attributes to RADIUS dictionary attributes.



radtest — radtest and MySQL query

# Template: -t mschap sends an MS-CHAP challenge/response instead of PAP; the
# last argument is the NAS shared secret from clients.conf.
# NOTE(review): the user password and the NAS secret both go on the command
# line (shell history, process list) — fine for a lab, not for scripted use.
radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%


# Plain PAP test (no -t) against the loopback client.
radtest testuser1 password1 localhost 1812 testing123

radtest -t mschap
root@Radius01:~# radtest -t mschap jlktest01 password localhost 1812 testing123
Sent Access-Request Id 50 from 0.0.0.0:50229 to 127.0.0.1:1812 length 135
        User-Name = "jlktest01"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 192.168.0.21
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x5994e32b86e5e3a1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091b423619160f3eabb8ca73a5bbc55aa77d2573352b6d568
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:50229 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=530983f93e405934 V=2"
(0) -: Expected Access-Accept got Access-Reject
root@Radius01:~#