Difference between revisions of "FreeRADIUS"

From Michael's Information Zone
Jump to navigation Jump to search
 
(4 intermediate revisions by the same user not shown)
Line 9: Line 9:
 
*Install FreeRadius packages.
 
*Install FreeRadius packages.
 
<pre>
 
<pre>
sudo yum -y install freeradius freeradius-utils
+
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
 
</pre>
 
</pre>
 
*Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
 
*Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
 +
===PAM Auth===
 
*Uncomment pam module from /etc/raddb/sites-enabled/default
 
*Uncomment pam module from /etc/raddb/sites-enabled/default
 
*Create symlink for pam module
 
*Create symlink for pam module
Line 24: Line 25:
 
DEFAULT Auth-Type := PAM
 
DEFAULT Auth-Type := PAM
 
</pre>
 
</pre>
 +
===NTLM Auth===
 +
*Edit /etc/raddb/mods-config/files/authorize, uncomment DEFAULT Group and comment out the default auth type.
 +
<pre>
 +
DEFAULT Group == "disabled", Auth-Type := Reject
 +
                Reply-Message = "Your account has been disabled."
 +
 +
#DEFAULT Auth-Type := ntlm_auth
 +
</pre>
 +
*No specific change needed in /etc/raddb/sites-enabled/default
 +
*Update /etc/raddb/mods-enabled/mschap by commenting out existing ntlm_auth line and add the following.
 +
<pre>
 +
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 +
</pre>
 +
*uncomment the following
 +
<pre>
 +
                ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
 +
                ntlm_auth_username = "username: %{mschap:User-Name}"
 +
                ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
 +
</pre>
 +
Create a clean smb.conf file and add the following
 +
<pre>
 +
[global]
 +
workgroup = yourdomain
 +
security = ads
 +
password server = yourdomain.tld
 +
realm = yourdomain.tld
 +
</pre>
 +
 +
===Client Config===
 
*Add your client, in this case I added a subnet where the access points reside.
 
*Add your client, in this case I added a subnet where the access points reside.
 
<pre>
 
<pre>
Line 32: Line 62:
 
         nas_type = other
 
         nas_type = other
 
}
 
}
 +
</pre>
 +
*Start Winbind
 +
<pre>
 +
sudo systemctl enable --now winbind.service
 
</pre>
 
</pre>
 
====sssd====
 
====sssd====
 +
*I precreated a group called wifiaccess. Members of this account will be allowed to access the wifi.
 
<pre>
 
<pre>
 
sudo yum -y install sssd realmd adcli samba-common-tools
 
sudo yum -y install sssd realmd adcli samba-common-tools
sudo realm join -U <domain admin account> yourdomain.net
+
sudo realm join -U domain_admin yourdomain.net
 +
sudo realm permit -g wifiaccess
 
</pre>
 
</pre>

Latest revision as of 15:33, 6 July 2021

Purpose

RADIUS server for WPA Enterprise authentication

Install

Amazon Linux 2

[1][2]

  • Set DNS servers to DCs to be used
  • Set Chrony sources to use the DCs, comment out the Amazon pools.
  • Set static IP, add to Windows DNS.
  • Install FreeRadius packages.
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
  • Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.

PAM Auth

  • Uncomment pam module from /etc/raddb/sites-enabled/default
  • Create symlink for pam module
sudo ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
  • Update /etc/raddb/users by adding the default auth type to PAM. It is also common practice to uncomment the disabled group.
DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

NTLM Auth

  • Edit /etc/raddb/mods-config/files/authorize, uncomment DEFAULT Group and comment out the default auth type.
DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

#DEFAULT Auth-Type := ntlm_auth
  • No specific change needed in /etc/raddb/sites-enabled/default
  • Update /etc/raddb/mods-enabled/mschap by commenting out existing ntlm_auth line and add the following.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  • uncomment the following
                ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
                ntlm_auth_username = "username: %{mschap:User-Name}"
                ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

Create a clean smb.conf file and add the following

[global]
workgroup = yourdomain
security = ads
password server = yourdomain.tld
realm = yourdomain.tld

Client Config

  • Add your client, in this case I added a subnet where the access points reside.
client wifi {
        ipaddr = 192.168.1.0/24
        secret = somesecret
        require_message_authenticator = no
        nas_type = other
}
  • Start Winbind
sudo systemctl enable --now winbind.service

sssd

  • I precreated a group called wifiaccess. Members of this account will be allowed to access the wifi.
sudo yum -y install sssd realmd adcli samba-common-tools
sudo realm join -U domain_admin yourdomain.net
sudo realm permit -g wifiaccess