WPA2 Enterprise with FreeRADIUS and AD integration on Ubuntu 16.04
So you don't want to use the RADIUS feature of your MS Windows server? Here you go: FreeRADIUS, an open-source project that will please you.
Assuming:
- 172.100.99.100: FreeRADIUS IP address
- mydomain.com: domain name
- mydc.mydomain.com: domain controller
- MYNTDOMAIN: nt domain name
1. Install samba, winbind, krb5-user:
sudo apt install samba winbind krb5-user
2. Configure samba by editing:
a. /etc/samba/smb.conf:
...
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = MYNTDOMAIN
# need to add these
security = ads
password server = mydc.mydomain.com
realm = MYDOMAIN.COM
winbind use default domain = true
...
b. /etc/krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.COM
...
[realms]
MYDOMAIN.COM = {
kdc = mydc.mydomain.com
admin_server = mydc.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
...
3. Restart samba service:
sudo systemctl restart smbd
4. Join the domain (MYNTDOMAIN):
net join -U Administrator
5. Test samba AD authentication:
a. Using winbind:
wbinfo -a <user>%<password>
You will get the following message if everything is correct:
plaintext password authentication succeeded
challenge/response password authentication succeeded
or
b. Using ntlm_auth:
ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=<user> --password=<password>
Success message:
NT_STATUS_OK: Success (0x0)
6. Install freeradius 3.0.X:
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt update
sudo apt install freeradius freeradius-config easy-rsa
7. Generate and configure the server certificates with easy-rsa; enter your server's FQDN as the common name when asked:
a. Generate the certs
# run these steps as root (sudo -i): /etc/freeradius/certs is root-owned, so the easy-rsa scripts cannot write there as a normal user
sudo cp -R /usr/share/easy-rsa /etc/freeradius/certs/
cd /etc/freeradius/certs/easy-rsa
source vars
./clean-all
./build-ca
./build-key-server server
sudo cp keys/ca.crt /etc/freeradius/certs/
# build-key-server wrote keys/server.crt and keys/server.key, so copy server.*, not radius.*
sudo cp keys/server.* /etc/freeradius/certs/
sudo chown freerad /etc/freeradius/certs/server*
# the private key needs to be readable by the freerad user only, not by every local user
sudo chmod 600 /etc/freeradius/certs/server*
b. Configure FreeRADIUS to use those new certs:
sudo nano /etc/freeradius/mods-enabled/eap
...
tls-config tls-common {
private_key_password =
#private_key_file = ${certdir}/server.pem
private_key_file = ${certdir}/server.key
...
#certificate_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.crt
...
#ca_file = ${cadir}/ca.pem
ca_file = ${cadir}/ca.crt
...
8. Grant permission for freerad user on winbind's socket:
sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
9. Tell FreeRADIUS to use ntlm_auth for MSCHAP by editing:
a. /etc/freeradius/mods-available/ntlm_auth (FreeRADIUS 3 keeps module configs here, not under modules/):
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
b. /etc/freeradius/mods-available/mschap:
mschap {
...
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
...
c. /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel:
authenticate {
...
ntlm_auth
...
10. Configure the RADIUS client (your access point) in /etc/freeradius/clients.conf. The secret below is only a placeholder; use a long random string shared with the AP. For example:
client 172.25.1.10 {
secret = 123456
shortname = "MS A317"
nastype = meraki
}
11. Restart FreeRADIUS:
sudo systemctl restart freeradius
12. Test FreeRADIUS and MSCHAP:
radtest -t mschap <user> <password> localhost 0 testing123
The results will be like:
Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
User-Name = "user"
MS-CHAP-Password = "password"
NAS-IP-Address = 172.100.99.100
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x163bc4c900360a08
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
13. Configure your Access Point (172.25.1.10) to use the FreeRADIUS server at 172.100.99.100:
I leave this part for you because it depends on your AP vendor.
14. Try to connect to your wifi network using your AD account and enjoy.
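A post-install check script, added here as an example (not from the original post or from FreeRADIUS itself): it re-runs the step 5, 8 and 12 checks the way the daemon sees them and classifies the radtest reply, so a failing wifi login can be pinned to winbind permissions, AD credentials, or the RADIUS client/secret. It assumes the names used above (MYNTDOMAIN, the freerad user, /var/lib/samba/winbindd_privileged) and radtest against localhost with the default testing123 secret.

```shell
#!/bin/bash
# Added post-install checks for the setup above (not from the original post).
# Assumes the post's names: NT domain MYNTDOMAIN, daemon user freerad,
# winbind's privileged socket dir, and radtest against localhost/testing123.
NT_DOMAIN="${NT_DOMAIN:-MYNTDOMAIN}"
WB_PRIV_DIR="${WB_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"

# Step 8: freerad must be in group winbindd_priv and the privileged socket
# directory must be group-owned by it; otherwise --request-nt-key works for
# root at the shell but fails inside the daemon. Returns 0, 1 (group), 2 (dir).
check_winbind_access() {
    id -nG freerad 2>/dev/null | tr ' ' '\n' | grep -qx winbindd_priv || return 1
    [ "$(stat -c %G "$WB_PRIV_DIR" 2>/dev/null)" = winbindd_priv ] || return 2
}

# Step 5b, but run as the freerad user, which is what the daemon actually does.
# usage: check_ntlm_auth user password
check_ntlm_auth() {
    sudo -u freerad /usr/bin/ntlm_auth --request-nt-key --domain="$NT_DOMAIN" \
        --username="$1" --password="$2" | grep -q '^NT_STATUS_OK'
}

# Step 12: classify radtest output read from stdin.
# 0 = Access-Accept, 1 = Access-Reject (bad credentials), 2 = no reply
# (server down, wrong shared secret, or client missing from clients.conf).
radtest_result() {
    case "$(cat)" in
        *"Received Access-Accept"*) return 0 ;;
        *"Received Access-Reject"*) return 1 ;;
        *) return 2 ;;
    esac
}

# usage: check_mschap user password [secret]
check_mschap() {
    radtest -t mschap "$1" "$2" localhost 0 "${3:-testing123}" 2>&1 | radtest_result
}

if [ "${1:-}" = "--run" ]; then   # ./radcheck.sh --run <user> <password>
    check_winbind_access; echo "winbind access: rc=$?"
    check_ntlm_auth "$2" "$3" && echo "ntlm_auth: OK" || echo "ntlm_auth: FAILED"
    check_mschap "$2" "$3"; echo "radtest mschap: rc=$?"
fi
```

Run it on the RADIUS host after step 11; a 0/0/0 result means the daemon itself can reach winbind, AD accepts the account, and the MSCHAP path returns Access-Accept.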
Reference:
http://deployingradius.com/documents/configuration/active_directory.html
https://blog.practichem.com/configuring-freeradius-for-wpa2-enterprise-with-active-directory-integration-on-ubuntu-1404/
http://serverfault.com/questions/508723/samba-authentication-of-user-with-wbinfo-a
Update 31 Mar 2017: sometimes I have to restart freeradius to make it work.