07InstanceFreeRadiusAD - amagerard/Freeradius GitHub Wiki
7. Instance Freeradius-ad.
7.1 Principle.
Freeradius needs a domain controller (thot) for user authentication.
Freeradius must be joined to the dw.learn.lan domain.
The domain controller (thot) is the Samba AD server for dw.learn.lan.
Reminder:
This procedure is based on this example.
IP freeradius: 192.168.50.41
IP SambaAD thot: 192.168.40.47
IP dns1: 192.168.90.41
IP mail: 192.168.60.50
Domain controller: dw.learn.lan
Server names:
freeradius.ol26modk.com
dns1.ol26modk.com
mail.ol26modk.com
See AD synoptic.
7.2 SambaAD.
Samba-AD is GPLv3-licensed open-source software that reproduces the behaviour of Microsoft Active Directory (2012R2 schemas and 2008R2 functional level) (https://samba.tranquil.it/doc/en/).
SambaAD must have the same time as freeradius: Kerberos rejects requests whose clock skew exceeds 5 minutes by default.
Time server pool: systemctl status chronyd | grep source
Time zone: timedatectl
The DNS of SambaAD will be redirected to dns1.
Your domain controller server should be ready before you continue.
Read install SambaAD
7.3 Redirector thot.dw.learn.lan from DNS1.
Pdns-recursor is a service that forwards DNS requests for:
- the ol26modk.com domain to the DNS1 server,
- the dw.learn.lan domain to the SambaAD server,
- any other domain to 1.1.1.1.
The pdns-recursor service runs on DNS1.
Read install Powerdns
Read install Pdns-Recursor
Open a terminal console on DNS1.
Stop the pdns and pdns-recursor services.
systemctl stop pdns
systemctl stop pdns-recursor
As root on dns1, edit the recursor configuration:
vi /etc/pdns-recursor/recursor.conf
Add this line: forward-zones +=dw.learn.lan=192.168.40.47:53
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
forward-zones=ol26modk.com=127.0.0.1:8669, 50.168.192.in-addr.arpa=127.0.0.1:8669, 90.168.192.in-addr.arpa=127.0.0.1:8669
## If you have AD domain server.
forward-zones +=dw.learn.lan=192.168.40.47:53
Start the pdns and pdns-recursor services.
systemctl start pdns
systemctl start pdns-recursor
From the DNS1 server, check that thot.dw.learn.lan resolves to the SambaAD address.
nslookup thot.dw.learn.lan
Server: 192.168.90.41
Address: 192.168.90.41#53
Non-authoritative answer:
Name: thot.dw.learn.lan
Address: 192.168.40.47
7.4 Add user system dadrad.
groupadd dadrad
useradd -g dadrad -s /bin/false -d /etc/freeradius-ad dadrad
Give dadrad read access to the server key and the certificates.
(The eap configuration in 7.10 references only freeradius.key, freeradius.crt and CA.crt; the ACL on CA.key is not needed by the instance, and the CA private key is better left readable by root only.)
setfacl -m u:dadrad:rx /etc/pki/tls/private/freeradius.key
setfacl -m u:dadrad:rx /etc/pki/tls/certs/freeradius.crt
setfacl -m u:dadrad:rx /etc/pki/tls/private/CA.key
setfacl -m u:dadrad:rx /etc/pki/tls/certs/CA.crt
7.5 Freeradius-ad installation.
Copy /etc/raddb to /etc/freeradius-ad.
cp -R /etc/raddb/* /etc/freeradius-ad/
chgrp -R dadrad /etc/freeradius-ad
7.6 Configuration.
vi /etc/freeradius-ad/radiusd.conf
prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/freeradius-ad
raddbdir = ${sysconfdir}/freeradius-ad
radacctdir = ${logdir}/radacct
name = freeradius-ad
user = dadrad
group = dadrad
Create the directory for the logs.
mkdir /var/log/freeradius-ad
mkdir /var/log/freeradius-ad/radacct
touch /var/log/freeradius-ad/radius.log
chown -R dadrad:dadrad /var/log/freeradius-ad
chmod 0755 /var/log/freeradius-ad
7.7 Create a freeradius-ad service.
7.7.1 Create the /run/freeradius-ad folder at startup.
vi /usr/lib/tmpfiles.d/freeradius-ad.conf
#Type Path Mode UID GID Age Argument
d /run/freeradius-ad 0775 root dadrad - -
You must reboot to activate /usr/lib/tmpfiles.d/freeradius-ad.conf.
reboot
Copy the service radiusd.service to freeradius-ad.service.
See InstanceDefault chapter 4.1.
cp /opt/freeradius/redhat/radiusd.service /usr/lib/systemd/system/freeradius-ad.service
Edit the file.
vi /usr/lib/systemd/system/freeradius-ad.service
[Service]
Type=forking
WatchdogSec=0
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/radiusd
# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience.
Environment=HOSTNAME=%H
# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
MemoryLimit=2G
RuntimeDirectory=radiusd radiusd/tmp
RuntimeDirectoryMode=0775
User=dadrad
Group=dadrad
PIDFile=/run/freeradius-ad/freeradius-ad.pid
#ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/radiusd -d /etc/freeradius-ad -l /var/log/freeradius-ad/radius.log
Restart=on-failure
RestartSec=5
# Check the new configuration (-C) before sending HUP; without -C this line
# would try to start a second daemon on every reload.
ExecReload=/usr/sbin/radiusd -d /etc/freeradius-ad -Cx -lstdout
ExecReload=/bin/kill -HUP $MAINPID
# Don't elevate privileges after starting
NoNewPrivileges=true
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
#
# This list of capabilities may not be exhaustive, and needs
# further testing. Please uncomment, test, and report any issues.
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
# Private /tmp that isn't shared by other processes
PrivateTmp=true
# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true
# don't load new kernel modules
ProtectKernelModules=true
# don't tune kernel parameters
ProtectKernelTunables=true
# Only allow native system calls
SystemCallArchitectures=native
# We shouldn't be writing to the configuration directory
ReadOnlyDirectories=/etc/freeradius-ad/
# We can read and write to the log directory.
ReadWriteDirectories=/var/log/freeradius-ad/
[Install]
WantedBy=multi-user.target
7.7.2 Change ports of sites-available/default.
Replace the authentication port 0 with 3812 and the accounting port 0 with 3813.
Replace every "-ldap" with "#-ldap" and every "-sql" with "#-sql" (this instance authenticates against AD only).
vi /etc/freeradius-ad/sites-available/default
server default {
listen {
type = auth
ipaddr = *
port = 3812
}
# This second "listen" section is for listening on the accounting
listen {
ipaddr = *
# ipv6addr = ::
port = 3813
type = acct
limit {
}
}
....
# The ldap module reads passwords from the LDAP database.
#-ldap
....
# See "Authorization Queries" in mods-available/sql
# -sql
....
# See "Accounting queries" in mods-available/sql
# -sql
....
# See "Authentication Logging Queries" in mods-available/sql
# -sql
....
# log failed authentications in SQL, too.
# -sql
7.7.3 Change port of sites-available/inner-tunnel.
vi /etc/freeradius-ad/sites-available/inner-tunnel
Replace the port 18120 with 38120.
Replace every "-ldap" with "#-ldap" and every "-sql" with "#-sql".
As the file's own comment says: instead of "use_tunneled_reply", change this "if (0)" to an "if (1)".
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 38120
type = auth
}
....
# The ldap module reads passwords from the LDAP database.
# -ldap
....
# See "Authorization Queries" in `mods-config/sql/main/$driver/queries.conf`
# -sql
....
# See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
# -sql
....
# log failed authentications in SQL, too.
# -sql
....
# Instead of "use_tunneled_reply", change this "if (0)" to an
# "if (1)".
#
if (1) {
....
Restart the server.
reboot or init 6
7.8 Join to domain controller.
The prerequisite for joining a server to an AD domain is to point its DNS at the AD server.
This is not possible here, because the freeradius server hosts three instances (MySQL, LDAP and AD).
The default domain is ol26modk.com, managed by the dns1 server.
The pdns-recursor service on the dns1 server forwards each domain to the right server:
- dw.learn.lan to the SambaAD server 192.168.40.47,
- ol26modk.com to the dns1 server 192.168.90.41,
- every other domain to Cloudflare 1.1.1.1.
From the freeradius server, check the resolver and the three resolutions:
cat /etc/resolv.conf
# Generated by NetworkManager
search ol26modk.com
nameserver 192.168.90.41
nslookup dns1.ol26modk.com
Server: 192.168.90.41
Address: 192.168.90.41#53
Non-authoritative answer:
Name: dns1.ol26modk.com
Address: 192.168.90.41
nslookup thot.dw.learn.lan
Server: 192.168.90.41
Address: 192.168.90.41#53
Non-authoritative answer:
Name: thot.dw.learn.lan
Address: 192.168.40.47
nslookup cloudflare.com
Server: 192.168.90.41
Address: 192.168.90.41#53
Non-authoritative answer:
Name: cloudflare.com
Address: 104.16.132.229
7.8.1 Installation.
dnf install krb5-workstation samba samba-winbind-clients samba-winbind samba-client
Add dadrad to the wbpriv group.
usermod -aG wbpriv dadrad
The procedure follows this wiki.
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
7.8.2 Samba.
Edit the file smb.conf.
Modify or add only the following lines.
vi /etc/samba/smb.conf
[global]
workgroup = DW.LEARN
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
##================ Share Definitions =============
winbind use default domain = no
password server = thot.dw.learn.lan
realm = dw.learn.lan
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
writable = yes
inherit acls = Yes
7.8.3 Krb5.
Edit the file krb5.conf.
Modify or add only the following lines.
Respect upper and lower case.
vi /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
dns_canonicalize_hostname = fallback
qualify_shortname = ""
default_realm = DW.LEARN.LAN
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DW.LEARN.LAN = {
kdc = thot.dw.learn.lan:88
admin_server = thot.dw.learn.lan:749
default_domain = dw.learn.lan
}
[domain_realm]
.dw.learn.lan = DW.LEARN.LAN
dw.learn.lan = DW.LEARN.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
7.8.4 Nsswitch.
cp /etc/nsswitch.conf /etc/nsswitch.conf_ori
Edit the file nsswitch.conf.
Modify or add only the following lines.
vi /etc/nsswitch.conf
# In order of likelihood of use to accelerate lookup.
passwd: files winbind systemd
shadow: files winbind
group: files winbind systemd
hosts: files dns myhostname
services: files winbind
netgroup: files winbind
automount: files winbind
aliases: files
ethers: files
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks: files dns
protocols: files winbind
publickey: files
rpc: files
7.8.5 Start services.
systemctl enable --now smb
systemctl enable --now nmb
7.8.6 Hosts.
Edit the file hosts.
vi /etc/hosts
#127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost
192.168.50.41 freeradius.dw.learn.lan freeradius.ol26modk.com freeradius
7.8.7 Firewall.
ufw allow OUT CIFS
ufw allow OUT 'Kerberos Full'
ufw reload
ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN 192.168.20.0/29
1812,1813/tcp (RADIUS 1812) ALLOW IN Anywhere
1812,1813/udp (RADIUS 1812) ALLOW IN Anywhere
2812,2813/tcp (RADIUS 2812) ALLOW IN Anywhere
2812,2813/udp (RADIUS 2812) ALLOW IN Anywhere
3812,3813/tcp (RADIUS 3812) ALLOW IN Anywhere
3812,3813/udp (RADIUS 3812) ALLOW IN Anywhere
80,443/tcp (WWW Full) ALLOW OUT Anywhere
25/tcp (SMTP) ALLOW OUT Anywhere
53 (DNS) ALLOW OUT Anywhere
67,68/udp (DHCP) ALLOW OUT Anywhere
123/udp (NTP2) ALLOW OUT Anywhere
465/tcp (SMTP SSL) ALLOW OUT Anywhere
587/tcp (SMTP TLS) ALLOW OUT Anywhere
993/tcp (IMAP SSL) ALLOW OUT Anywhere
143/tcp (IMAP TLS) ALLOW OUT Anywhere
3306/tcp (MYSQL) ALLOW OUT Anywhere
389 ALLOW OUT Anywhere
137,138/udp (CIFS) ALLOW OUT Anywhere
139,445/tcp (CIFS) ALLOW OUT Anywhere
88,749/tcp (Kerberos Full) ALLOW OUT Anywhere
464/udp (Kerberos Full) ALLOW OUT Anywhere
3812,3813/tcp (RADIUS 3812) ALLOW OUT Anywhere
3812,3813/udp (RADIUS 3812) ALLOW OUT Anywhere
1812,1813/tcp (RADIUS 1812) ALLOW OUT Anywhere
1812,1813/udp (RADIUS 1812) ALLOW OUT Anywhere
2812,2813/tcp (RADIUS 2812) ALLOW OUT Anywhere
2812,2813/udp (RADIUS 2812) ALLOW OUT Anywhere
Restart the server.
reboot or init 6
7.8.8 Join to domain.
Before you begin, check the DNS resolution of the domain controller.
nslookup thot.dw.learn.lan
Join freeradius to the dw.learn.lan domain:
- Samba AD server (it's not Microsoft)
- domain: dw.learn.lan
- user: administrator
net join -U administrator
Using short domain name -- DW.LEARN
Joined 'FREERADIUS' to dns domain 'dw.learn.lan'
If you get this error message:
DNS update failed: NT_STATUS_UNSUCCESSFUL
My solution is to create freeradius manually in the samba-ad DNS.
samba-tool dns add thot dw.learn.lan freeradius A 192.168.50.41 -Uadministrator
Now:
net join -U administrator
Password for [DW.LEARN\administrator]:
Using short domain name -- DW.LEARN
Joined 'FREERADIUS' to dns domain 'dw.learn.lan'
Winbind lets a Linux machine running Samba use the Active Directory controller for user and group lookups and authentication.
systemctl enable --now winbind
From a computer joined to the domain dw.learn.lan, open Active Directory Users and Computers.
Search the OU Computers: FREERADIUS is listed.
Open DNS.
Search in thot.dw.learn.lan, Forward Lookup Zones, dw.learn.lan: freeradius Host (A) 192.168.40.41 is listed.
That means everything is ok.
7.9 Verification after joining the domain.
The wbinfo program queries and returns information created and used by winbindd.
Check the user and group lists.
wbinfo -u
wbinfo -g
From a computer joined to the domain dw.learn.lan, open Active Directory Users and Computers.
Add a user.
Username : teacher password :Anibal2!
From the Freeradius server, check the user.
Username : teacher password :Anibal2!
Watch out for special characters such as "!": the shell needs a "\" in front of them.
wbinfo -a [email protected]%Anibal2\!
plaintext password authentication succeeded
challenge/response password authentication succeeded
Kinit is used to obtain and cache Kerberos ticket-granting tickets.
kinit [email protected]
No output means it worked.
kinit -f --> request a forwardable ticket.
klist --> list the tickets.
kdestroy --> destroy the tickets; klist then shows an empty cache.
ntlm_auth authenticates users using NT/LM authentication:
ntlm_auth --request-nt-key --domain=DW.LEARN --username=teacher --password=Anibal2\!
. (0x0)
7.10 Mods-available.
Edit the eap file.
Reuse the configuration of the default instance.
vi /etc/freeradius-ad/mods-available/eap
# users then cannot use ANY other authentication method.
#
eap {
default_eap_type = peap
# authenticate via EAP-TLS! This is likely not what you want.
#
tls-config tls-common {
private_key_file = /etc/pki/tls/private/freeradius.key
certificate_file = /etc/pki/tls/certs/freeradius.crt
ca_file = /etc/pki/tls/certs/CA.crt
random_file = /dev/urandom
ca_path = /etc/pki/tls/certs
# EAP-TTLS -- Tunneled TLS
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
# EAP-PEAP
#
peap {
copy_request_to_tunnel = yes
use_tunneled_reply = yes
Edit the mschap file.
Authorized users must belong to the freeradius group.
You need to know the SID of the freeradius group.
From a computer joined to the domain dw.learn.lan, open Active Directory Users and Computers.
Add a group freeradius.
Add the teacher user as a member of freeradius.
Username : teacher password :Anibal2!
Open an administrator PowerShell.
The command to find the SID of the freeradius group is:
Get-WmiObject -Query "SELECT * FROM Win32_group where name = 'freeradius'"|foreach-object { $_.sid}
S-1-5-21-420514156-3432241956-2849451653-1107
vi /etc/freeradius-ad/mods-available/mschap
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
## It's only one line
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of='S-1-5-21-420514156-3432241956-2849451653-1107'"
7.11 Check if there are any other errors.
At this step, freeradius-ad must not report any error.
If there are errors, review the configuration.
systemctl stop freeradius-ad
radiusd -d /etc/freeradius-ad -l /var/log/freeradius-ad/radius.log -X
Exit with Ctrl+C.
If all is well:
systemctl enable --now freeradius-ad
systemctl status freeradius-ad
Check the ports.
netstat -tunlp | grep radiusd
udp 0 0 127.0.0.1:38120 0.0.0.0:* 2575/radiusd
udp 0 0 0.0.0.0:53552 0.0.0.0:* 2575/radiusd
udp 0 0 0.0.0.0:3812 0.0.0.0:* 2575/radiusd
udp 0 0 0.0.0.0:3813 0.0.0.0:* 2575/radiusd
7.12 Nas.
The NAS is a device that sends its authentication requests to freeradius.
In my example, it's a dd-wrt wifi router.
We need a secret key shared between the NAS and freeradius.
First replace every default "secret" with another password.
cat /etc/freeradius-ad/clients.conf| grep secret
Example: new secret = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-ad/clients.conf
Comment out the IPv6 configuration by putting a "#" in front of it.
vi /etc/freeradius-ad/clients.conf
# IPv6 Client
##client localhost_ipv6 {
## ipv6addr = ::1
## secret = 3bd45df3-3bd45df3
##}
Add a new "nas" at the end of the file.
vi /etc/freeradius-ad/clients.conf
client linksys2 {
# IP of linksys2.
ipaddr = 192.168.5.1
# Shared key.
secret = ABjA#3r3bAB6n
}
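As an added example (not part of this wiki), the following script parses clients.conf blocks in the form used above, flags secrets that are still the shipped default, shorter than an assumed 16-character policy, or reused between clients, and rewrites the flagged ones with a fresh random value per client; the sample configuration is constructed from the blocks on this page.

```python
import re
import secrets
DEFAULT_SECRET = "testing123"   # the value FreeRADIUS ships in clients.conf
MIN_SECRET_LEN = 16             # assumed policy for this example, not a FreeRADIUS limit

# Constructed sample modelled on the clients.conf edits above.
SAMPLE_CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client linksys2 {
    # IP of linksys2.
    ipaddr = 192.168.5.1
    secret = ABjA#3r3bAB6n
}
"""

# One match per "client NAME { ... }" block whose "client" and "}" start a line.
BLOCK_RE = re.compile(r"^client\s+(\S+)\s*\{\n(.*?)^\}", re.S | re.M)

def parse_clients(text):
    """Map client name -> {attribute: value}, skipping blank and whole-line comment lines."""
    clients = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            attrs[key] = value   # value kept verbatim, so a '#' inside a secret survives
        clients[name] = attrs
    return clients

def audit_secrets(clients):
    """Flag secrets that are the shipped default, too short, or shared between clients."""
    findings, seen = {}, {}
    for name, attrs in clients.items():
        secret = attrs.get("secret", "")
        if secret == DEFAULT_SECRET:
            findings[name] = "default secret"
        elif len(secret) < MIN_SECRET_LEN:
            findings[name] = "secret shorter than %d characters" % MIN_SECRET_LEN
        elif secret in seen:
            findings[name] = "secret reused from client %s" % seen[secret]
        seen.setdefault(secret, name)
    return findings

def rotate_secrets(text, names):
    """Return (new_text, {client: new_secret}) with a fresh random secret per named client."""
    new_secrets = {}
    def fix_block(m):
        name, body = m.group(1), m.group(2)
        if name in names:
            new_secrets[name] = secrets.token_urlsafe(24)   # 32 URL-safe chars, no backslashes
            body = re.sub(r"^(\s*secret\s*=\s*).*$", r"\g<1>" + new_secrets[name], body, count=1, flags=re.M)
        return "client %s {\n%s}" % (name, body)
    return BLOCK_RE.sub(fix_block, text), new_secrets
```

Run the audit before the sed step above: it also catches the case where the same replacement secret ends up on every client.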
7.13 Proxy.
First replace every default "secret" with another password.
cat /etc/freeradius-ad/proxy.conf| grep secret
Example: new secret = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-ad/proxy.conf
Replace port 1812 by 3812.
vi /etc/freeradius-ad/proxy.conf
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 3812
Add a new realm at the end of the proxy.conf file.
vi /etc/freeradius-ad/proxy.conf
realm dw.learn.lan {
type = radius
authhost = LOCAL
accthost = LOCAL
}
Delete the example.com realm by putting a "#" in front of it.
vi /etc/freeradius-ad/proxy.conf
## realm example.com {
## auth_pool = my_auth_failover
## }
7.14 Logs.
vi /etc/freeradius-ad/radiusd.conf
Change only these lines. Note that auth_badpass and auth_goodpass write the password itself into radius.log when the request carries it in clear text (PAP); for MS-CHAP only "<via Auth-Type = mschap>" is logged. The log file touched in 7.6 gets the default umask mode, so restrict it if PAP clients are ever added.
log {
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
Read the logs while a Wi-Fi session is being opened.
tail -200 /var/log/freeradius-ad/radius.log
Auth: (2) Login OK: [teacher/<via Auth-Type = mschap>] (from client localhost port 3812)
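An added example, not from this wiki, that parses the Auth lines this instance writes to radius.log and counts repeated "Login incorrect" events per user and client so a flood of failures against one account can be spotted; the timestamp prefix, the client names, NAS ports and failure reasons in the sample log are constructed, and the password column is matched but never returned.

```python
import re
from collections import Counter

# Field layout follows the "Auth:" line shown above; the timestamp prefix that
# radiusd writes before "Auth:" is skipped by searching instead of matching.
AUTH_RE = re.compile(
    r"Auth: \((?P<req>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^/\]]+)/(?P<cred>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return the fields of one Auth line, or None for any other log line.

    The credential column ("<via Auth-Type = mschap>", or the cleartext password
    that auth_badpass/auth_goodpass write for PAP) is matched but never returned,
    so alerts built from this parser cannot leak passwords.
    """
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "request": int(m.group("req")),
        "ok": m.group("result") == "OK",
        "reason": m.group("reason") or "",
        "user": m.group("user"),
        "client": m.group("client"),
        "port": int(m.group("port")),
    }


def failed_logins(lines, threshold=3):
    """Count 'Login incorrect' events per (user, client); keep pairs at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and not rec["ok"]:
            counts[(rec["user"], rec["client"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: the "Login OK" line follows the page's format, the rest is
# made up (client names, NAS ports and failure reasons are assumed, not real output).
SAMPLE_LOG = """\
Mon Mar  1 09:00:00 2021 : Info: Ready to process requests
Mon Mar  1 09:00:02 2021 : Auth: (2) Login OK: [teacher/<via Auth-Type = mschap>] (from client localhost port 3812)
Mon Mar  1 09:01:10 2021 : Auth: (3) Login incorrect (mschap: External script says Logon failure (0xc000006d)): [teacher/<via Auth-Type = mschap>] (from client linksys2 port 0)
Mon Mar  1 09:01:12 2021 : Auth: (4) Login incorrect (mschap: External script says Logon failure (0xc000006d)): [teacher/<via Auth-Type = mschap>] (from client linksys2 port 0)
Mon Mar  1 09:01:15 2021 : Auth: (5) Login incorrect (mschap: External script says Logon failure (0xc000006d)): [teacher/<via Auth-Type = mschap>] (from client linksys2 port 0)
Mon Mar  1 09:02:00 2021 : Auth: (6) Login incorrect (pap: Cleartext password does not match): [student/wrongpass] (from client linksys2 port 0)
""".splitlines()

if __name__ == "__main__":
    for (user, client), n in failed_logins(SAMPLE_LOG).items():
        print("%d failed logins for %s from client %s" % (n, user, client))
```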
7.15 Check user AD connection.
On dc1 (Active Directory):
User: teacher
Password: Anibal2!
Group: freeradius
On the Freeradius server:
1- Open a terminal console.
systemctl stop freeradius-ad
radiusd -d /etc/freeradius-ad -l /var/log/freeradius-ad/radius.log -X
2- Open another terminal console.
radtest -t mschap teacher "Anibal2!" localhost:3812 0 3bd45df3-3bd45df3
Sent Access-Request Id 119 from 0.0.0.0:44386 to 127.0.0.1:3812 length 133
User-Name = "teacher"
MS-CHAP-Password = "Anibal2!"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "Anibal2!"
MS-CHAP-Challenge = 0xf296027caa8fc703
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000006af1d7dfdbfeb0ff715aa861952dedde8f7e23afc05698b
Received Access-Accept Id 119 from 127.0.0.1:3812 to 127.0.0.1:44386 length 84
MS-CHAP-MPPE-Keys = 0x00000000000000001f0cff0f254bb5967eacdab6bb59b621
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4