Configure a WPA2 Enterprise with FreeRADIUS and AD integration on Ubuntu16.04 + Daloradius

Assuming:
172.100.99.100: FreeRADIUS IP address
mydomain.com: domain name
mydc.mydomain.com: domain controller
MYNTDOMAIN: ntdomainname

1. Install samba, winbind, krb5-user:

sudo apt install samba winbind krb5-user

2. Config samba by editing:

sudo nano /etc/samba/smb.conf:

...
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = MYNTDOMAIN

# need to add these
security = ads
password server = mydc.mydomain.com
realm = MYDOMAIN.COM
winbind use default domain = true
...

sudo nano /etc/krb5.conf:

[libdefaults]
default_realm = MYDOMAIN.COM
...
[realms]
MYDOMAIN.COM = {
kdc = mydc.mydomain.com
admin_server = mydc.mydomain.com
default_domain = mydomain.com
}
...
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
...

3. Restart samba service:

sudo systemctl restart smbd

4. Join domain (MYNTDOMAIN)

net join -U Administrator

5. Test samba AD authentication:

a. Using winbind:

wbinfo -a user%password

You will get the following message if everything is correct:

plaintext password authentication succeeded
challenge/response password authentication succeeded

b. Using ntlm_auth:

ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=user --password=password

Success message:

NT_STATUS_OK: Success (0x0)

6. Install freeradius 3.0.X:

sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt update
sudo apt install freeradius freeradius-config easy-rsa

7. Generate and config the server certificates with easy-rsa, remember to enter your server’s FQDN as common name when asked:

a. Generate the certs

sudo cp -R /usr/share/easy-rsa /etc/freeradius/certs/
cd /etc/freeradius/certs/easy-rsa
source vars
./clean-all
./build-ca
./build-key-server server
sudo cp keys/ca.crt /etc/freeradius/certs/
sudo cp keys/radius.* /etc/freeradius/certs/
sudo chown freerad /etc/freeradius/certs/server*
sudo chmod +r /etc/freeradius/certs/server*

b. Config FreeRADIUS to use those new certs:

sudo nano /etc/freeradius/mods-enable/eap

...
tls-config tls-common {
private_key_password =
#private_key_file = ${certdir}/server.pem

private_key_file = ${certdir}/server.key
...
#certificate_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.crt
...
#ca_file = ${cadir}/ca.pem

ca_file = ${cadir}/ca.crt
...

8. Grant permission for freerad user on winbind’s socket:

sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/

9. Tell FreeRADIUS to use ntlm_auth for MSCHAP by editing:

a.

sudo nano /etc/freeradius/modules/ntlm_auth:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"

b.

sudo nano /etc/freeradius/modules/mschap:

mschap {

...

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

…

c.

sudo nano /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
...
ntlm_auth
...

10. Configure RADIUS client, /etc/freeradius/clients.conf. For example:

client 172.25.1.10 {
secret = 123456
shortname = "MS A317"
nastype = meraki
}

11. Restart FreeRADIUS:

sudo systemctl restart freeradius

12. Test FreeRADIUS and MSCHAP:

radtest -t mschap user password localhost 0 testing123

The results will be like:

Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
User-Name = "user"
MS-CHAP-Password = "password"
NAS-IP-Address = 172.100.99.100
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x163bc4c900360a08
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

13. Configure your Access Point (172.25.1.10) to use the FreeRADIUS server at 172.100.99.100 or any other IPs your network/s use.

EXTRA DALORADIUS

Start by updating your system packages to the latest version:

sudo apt-get update
sudo apt-get upgrade

Reboot system after doing an upgrade

sudo reboot

Once the system is up, begin the installation FreeRADIUS and Daloradius on your Ubuntu 18.04 / Ubuntu 16.04 system.

Step 1: Install Apache Web Server and PHP

Daloradius will require php and Apache web server to be installed on the host system.

Install Apache web server by running:

sudo apt-get install apache2

For installation of PHP on Ubuntu 18.04 and Ubuntu 16.04, run:

sudo apt-get install php libapache2-mod-php php-gd php-common php-mail \
php-mail-mime php-mysql php-pear php-db php-mbstring php-xml php-curl

Check the version of php installed:

$ php -v
PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul 4 2018 16:55:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies

Step 2: Install MariaDB and Create a database

Next is to install the MariaDB server and create a database for daloRADIUS. We have a comprehensive guide for installing MariaDB 10.x on Ubuntu

Install MariaDB 10.x on Ubuntu 18.04 and CentOS 7

Once installed and running, create a database for FreeRADIUS, this will be used at a later stage.

database name: radius
database user: radius
database user password: radiuspassword

If you have a dedicated database server, replace localhost with the IP of source FreeRadius Server.

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2180
Server version: 10.3.8-MariaDB-1:10.3.8+maria~bionic-log mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE radius;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> quit
Bye

Step 3: Configure FreeRADIUS

As of this writing, the default version of FreeRADIUS installed on Ubuntu 18.04 is v3.0. Install if from official Ubuntu apt repository using:

sudo apt-get install freeradius freeradius-mysql freeradius-utils

Among the packages installed are mysql module and utils package.

For Ubuntu 16.04 system, version 2.x is the package available from the official repository. To install version 3.0, add the Personal Package Archive (PPA) for the version 3 of FreeRADIUS.

sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt-get update

Install the following FreeRADIUS packages.

sudo apt-get install freeradius freeradius-mysql freeradius-utils

Import the freeradius MySQL database scheme:

mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Check tables created:

$ mysql -u root -p -e "use radius;show tables;"
Enter password: 
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+

Create a soft link for sql module under /etc/freeradius/3.0/mods-enabled/

ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Configure SQL module and change the database connection parameters to suit your environment.

sudo vim /etc/freeradius/3.0/mods-enabled/sql

Your sql section should look similar to below.

sql {
driver = "rlm_sql_mysql"
dialect = "mysql"

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "radiuspassword"

# Database table configuration for everything except Oracle
radius_db = "radius"
}

# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = "nas"

Then change group right of /etc/freeradius/3.0/mods-enabled/sql

sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

Restart freeradius service:

sudo systemctl restart freeradius.service

Installing and Configuring Daloradius on Ubuntu 18.04 / Ubuntu 16.04

We need to install Daloradius to get FreeRADIUS web administration interface.

wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master/ daloradius

Change directory for configuration

cd daloradius

Configuring daloradius

Now import Daloradius mysql tables

mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details:

cd ..
sudo mv daloradius /var/www/html/

Then change permissions for http folder and set the right permissions for the daloradius configuration file.

sudo chown -R www-data:www-data /var/www/html/daloradius/
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify the filedaloradius.conf.php to adjust the MySQL database information. Open the daloradius.conf.php and add the database username, password and db name.

sudo vim /var/www/html/daloradius/library/daloradius.conf.php

Especially relevant variables to configure are:

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart freeradius and apache2

sudo systemctl restart freeradius.service apache2

Open Admin link using your system IP address or domain name:

http://ip-address/daloradius/login.php