Configure a WPA2 Enterprise with FreeRADIUS and AD integration on Ubuntu 16.04 + Daloradius
Assuming:
172.100.99.100: FreeRADIUS IP address
mydomain.com: domain name
mydc.mydomain.com: domain controller
MYNTDOMAIN: NT domain name
1. Install samba, winbind, krb5-user:
sudo apt install samba winbind krb5-user
2. Configure Samba by editing:
sudo nano /etc/samba/smb.conf:
...
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
   workgroup = MYNTDOMAIN

# need to add these
   security = ads
   password server = mydc.mydomain.com
   realm = MYDOMAIN.COM
   winbind use default domain = true
...
sudo nano /etc/krb5.conf:
[libdefaults]
    default_realm = MYDOMAIN.COM
...
[realms]
    MYDOMAIN.COM = {
        kdc = mydc.mydomain.com
        admin_server = mydc.mydomain.com
        default_domain = mydomain.com
    }
...
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
...
3. Restart samba service:
sudo systemctl restart smbd
4. Join the domain (MYNTDOMAIN):
net join -U Administrator
5. Test samba AD authentication:
a. Using winbind:
wbinfo -a user%password
You will get the following message if everything is correct:
plaintext password authentication succeeded
challenge/response password authentication succeeded
or
b. Using ntlm_auth:
ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=user --password=password
Success message:
NT_STATUS_OK: Success (0x0)
6. Install freeradius 3.0.X:
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt update
sudo apt install freeradius freeradius-config easy-rsa
7. Generate and configure the server certificates with easy-rsa; remember to enter your server's FQDN as the common name when asked:
a. Generate the certs
sudo cp -R /usr/share/easy-rsa /etc/freeradius/certs/
cd /etc/freeradius/certs/easy-rsa
source vars
./clean-all
./build-ca
./build-key-server server
sudo cp keys/ca.crt /etc/freeradius/certs/
sudo cp keys/server.* /etc/freeradius/certs/
sudo chown freerad /etc/freeradius/certs/server*
sudo chmod +r /etc/freeradius/certs/server*
b. Configure FreeRADIUS to use those new certs:
sudo nano /etc/freeradius/mods-enabled/eap
...
tls-config tls-common {
    private_key_password =
    #private_key_file = ${certdir}/server.pem
    private_key_file = ${certdir}/server.key
    ...
    #certificate_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.crt
    ...
    #ca_file = ${cadir}/ca.pem
    ca_file = ${cadir}/ca.crt
    ...
8. Grant the freerad user permission on winbind's privileged socket:
sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
9. Tell FreeRADIUS to use ntlm_auth for MSCHAP by editing:
a. sudo nano /etc/freeradius/mods-available/ntlm_auth:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
b. sudo nano /etc/freeradius/mods-available/mschap:
mschap {
...
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
…
c. sudo nano /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel:
authenticate {
    ...
    ntlm_auth
    ...
10. Configure RADIUS client, /etc/freeradius/clients.conf. For example:
client 172.25.1.10 {
secret = 123456
shortname = "MS A317"
nastype = meraki
}
11. Restart FreeRADIUS:
sudo systemctl restart freeradius
12. Test FreeRADIUS and MSCHAP:
radtest -t mschap user password localhost 0 testing123
The output will look like this:
Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
User-Name = "user"
MS-CHAP-Password = "password"
NAS-IP-Address = 172.100.99.100
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x163bc4c900360a08
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
13. Configure your Access Point (172.25.1.10) to use the FreeRADIUS server at 172.100.99.100 or any other IPs your network/s use.
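A small post-install check for steps 8 and 12, added here as an example (not part of the original guide): it parses radtest output, confirms that MS-MPPE attributes came back with the Access-Accept (the access point derives the WPA2 session key from them), and checks that freerad is a member of winbindd_priv with access to /var/lib/samba/winbindd_privileged. The function names and the two sample transcripts are my own; the transcripts are constructed to mirror the step 12 session.

```python
"""Checks for step 8 (freerad's access to winbind) and step 12 (radtest with MS-CHAP)."""
import grp
import os
import re
import shutil
import subprocess

WINBIND_PRIV_DIR = "/var/lib/samba/winbindd_privileged"  # path from step 8

# Constructed transcripts modelled on the step 12 output, not real captures.
SAMPLE_ACCEPT = """Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
\tUser-Name = "user"
\tMS-CHAP-Password = "password"
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
\tMS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
\tMS-MPPE-Encryption-Policy = Encryption-Allowed
"""
SAMPLE_REJECT = """Sent Access-Request Id 10 from 0.0.0.0:59245 to 127.0.0.1:1812 length 134
\tUser-Name = "user"
Received Access-Reject Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
"""

def parse_radtest(output):
    """Verdict plus the reply attributes only. An access point derives the WPA2 session
    key from the MS-MPPE attributes, so an Accept without them still fails on wireless."""
    _, _, reply = output.partition("Received ")          # drop the request half
    m = re.match(r"(Access-\w+) Id \d+", reply)
    attrs = dict(re.findall(r"^[ \t]*([\w-]+) = (.+)$", reply, re.M))
    has_mppe = any(k.startswith("MS-MPPE") or k == "MS-CHAP-MPPE-Keys" for k in attrs)
    return {"verdict": m.group(1) if m else "No reply", "mppe_keys": has_mppe, "reply_attrs": attrs}

def freerad_can_use_winbind(user="freerad", group="winbindd_priv", path=WINBIND_PRIV_DIR):
    """Step 8: user in the group, socket dir owned by that group and group-traversable (x bit)."""
    try:
        g = grp.getgrnam(group)
        st = os.stat(path)
    except (KeyError, OSError):                          # unknown group or missing dir
        return False
    return user in g.gr_mem and st.st_gid == g.gr_gid and bool(st.st_mode & 0o010)

def run_radtest(user, password, secret="testing123", host="localhost"):
    """Run the step 12 command against the local server; None if radtest is not installed."""
    if shutil.which("radtest") is None:
        return None
    cmd = ["radtest", "-t", "mschap", user, password, host, "0", secret]
    return parse_radtest(subprocess.run(cmd, capture_output=True, text=True).stdout)

if __name__ == "__main__":
    print("freerad can reach winbind:", freerad_can_use_winbind())
    print("radtest:", run_radtest("user", "password"))
```

Run it on the FreeRADIUS host after step 12; a verdict of Access-Accept with mppe_keys False points at the mschap module rather than at the AD credentials.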
EXTRA DALORADIUS
Start by updating your system packages to the latest version:
sudo apt-get update
sudo apt-get upgrade
Reboot the system after the upgrade:
sudo reboot
Once the system is up, begin installing FreeRADIUS and daloRADIUS on your Ubuntu 18.04 / Ubuntu 16.04 system.
Step 1: Install Apache Web Server and PHP
Daloradius will require php and Apache web server to be installed on the host system.
Install Apache web server by running:
sudo apt-get install apache2
For installation of PHP on Ubuntu 18.04 and Ubuntu 16.04, run:
sudo apt-get install php libapache2-mod-php php-gd php-common php-mail \
    php-mail-mime php-mysql php-pear php-db php-mbstring php-xml php-curl
Check the version of php installed:
$ php -v
PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul  4 2018 16:55:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
Step 2: Install MariaDB and Create a database
Next, install the MariaDB server and create a database for daloRADIUS. We have a comprehensive guide for installing MariaDB 10.x on Ubuntu: Install MariaDB 10.x on Ubuntu 18.04 and CentOS 7.
Once MariaDB is installed and running, create a database for FreeRADIUS; it will be used at a later stage.
database name: radius
database user: radius
database user password: radiuspassword
If you have a dedicated database server, replace localhost in the GRANT statement with the IP address of the FreeRADIUS server that will connect to it.
$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2180
Server version: 10.3.8-MariaDB-1:10.3.8+maria~bionic-log mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE radius;
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> quit
Bye
Step 3: Configure FreeRADIUS
As of this writing, the default version of FreeRADIUS installed on Ubuntu 18.04 is v3.0. Install it from the official Ubuntu apt repository using:
sudo apt-get install freeradius freeradius-mysql freeradius-utils
Among the packages installed are the MySQL module and the utils package.
For Ubuntu 16.04 system, version 2.x is the package available from the official repository. To install version 3.0, add the Personal Package Archive (PPA) for the version 3 of FreeRADIUS.
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt-get update
Install the following FreeRADIUS packages.
sudo apt-get install freeradius freeradius-mysql freeradius-utils
Import the FreeRADIUS MySQL database schema:
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
Check the tables that were created:
mysql -u root -p -e "SHOW TABLES;" radius
Create a soft link for sql module under /etc/freeradius/3.0/mods-enabled/
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
Configure SQL module and change the database connection parameters to suit your environment.
sudo vim /etc/freeradius/3.0/mods-enabled/sql
Your sql section should look similar to below.
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"
}
Then change the group ownership of the sql module files:
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
Restart freeradius service:
sudo systemctl restart freeradius.service
Installing and Configuring Daloradius on Ubuntu 18.04 / Ubuntu 16.04
We need to install Daloradius to get FreeRADIUS web administration interface.
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master/ daloradius
Change into the directory for configuration:
cd daloradius
Configuring daloradius
- Now import the daloRADIUS MySQL tables:
mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql
- Move daloRADIUS into the web root and configure its database connection details:
cd ..
sudo mv daloradius /var/www/html/
Then change permissions for http folder and set the right permissions for the daloradius configuration file.
sudo chown -R www-data:www-data /var/www/html/daloradius/
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
You should now modify the file daloradius.conf.php to adjust the MySQL database information. Open daloradius.conf.php and set the database username, password and database name.
sudo vim /var/www/html/daloradius/library/daloradius.conf.php
The variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
To be sure everything works, restart freeradius and apache2:
sudo systemctl restart freeradius.service apache2
Open the admin page using your system IP address or domain name:
http://ip-address/daloradius/login.php
The daloRADIUS login page will appear.
Default login details are:
Username: administrator
Password: radius