FreeRADIUS
Revised by Michael.mast
Latest revision as of 15:33, 6 July 2021
Purpose
RADIUS server for WPA Enterprise authentication
Install
Amazon Linux 2
- Set DNS servers to DCs to be used
- Set Chrony sources to use the DCs, comment out the Amazon pools.
- Set static IP, add to Windows DNS.
- Install the FreeRADIUS packages.
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
- Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
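As an added example (not part of the wiki page or its author's setup), the script below shows a least-privilege alternative for the case where authentication goes through ntlm_auth: leave user and group in radiusd.conf as radiusd and instead add that account to the group that owns Samba's privileged winbind directory, which is what ntlm_auth --request-nt-key needs to reach. It assumes the RHEL-family default path /var/lib/samba/winbindd_privileged (group-owned by wbpriv on those systems) and a service account named radiusd; neither value appears on the page, so both can be overridden through environment variables.

```shell
# Added example, not from the wiki page: grant radiusd access to winbind's
# privileged pipe instead of running the daemon as root.
#
# Assumptions (not stated on the page):
#   - the privileged winbind socket directory is
#     /var/lib/samba/winbindd_privileged (RHEL-family default, group wbpriv)
#   - the FreeRADIUS service account is "radiusd"
# Requires GNU coreutils (stat -c, id -nG).
set -eu

WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
RADIUS_USER="${RADIUS_USER:-radiusd}"

# Print the group that owns the privileged winbind directory, so the script
# works whether the distribution calls it wbpriv, winbindd_priv, or anything else.
winbind_priv_group() {
    dir="$1"
    [ -d "$dir" ] || return 1
    stat -c %G "$dir"
}

# Return 0 when the user is already a member of the group, 1 otherwise.
user_in_group() {
    user="$1"
    group="$2"
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# Add the service account to the winbind privileged group (idempotent) and
# verify that it can now enter the directory. Run this instead of changing
# user/group in radiusd.conf to root.
grant_winbind_access() {
    group="$(winbind_priv_group "$WINBIND_PRIV_DIR")" || {
        echo "winbind privileged directory not found at $WINBIND_PRIV_DIR" >&2
        return 1
    }
    if user_in_group "$RADIUS_USER" "$group"; then
        echo "$RADIUS_USER is already in $group"
    else
        sudo usermod -a -G "$group" "$RADIUS_USER"
        echo "added $RADIUS_USER to $group; restart radiusd so the new group applies"
    fi
    # The service account must be able to traverse the directory to open the pipe.
    if sudo -u "$RADIUS_USER" test -x "$WINBIND_PRIV_DIR"; then
        echo "ok: $RADIUS_USER can reach $WINBIND_PRIV_DIR"
    else
        echo "warning: $RADIUS_USER still cannot reach $WINBIND_PRIV_DIR" >&2
        return 1
    fi
}

# Only make changes when invoked with --apply; sourcing the file just defines
# the functions.
if [ "${1:-}" = "--apply" ]; then
    grant_winbind_access
fi
```

Run it as "sh grant-winbind.sh --apply" on the RADIUS host after winbind is installed, then restart radiusd; radiusd.conf keeps its radiusd user and group, and only the winbind pipe becomes reachable to it.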
PAM Auth
- Uncomment pam module from /etc/raddb/sites-enabled/default
- Create symlink for pam module
sudo ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
- Update /etc/raddb/users by setting the default auth type to PAM. It is also common practice to uncomment the disabled group entry.
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
NTLM Auth
- Edit /etc/raddb/mods-config/files/authorize: uncomment the DEFAULT Group entry and comment out the default auth type.
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

#DEFAULT Auth-Type := ntlm_auth
- No specific change needed in /etc/raddb/sites-enabled/default
- Update /etc/raddb/mods-enabled/mschap by commenting out the existing ntlm_auth line and adding the following.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
- Uncomment the following lines.
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
Create a clean smb.conf file and add the following:
[global]
        workgroup = yourdomain
        security = ads
        password server = yourdomain.tld
        realm = yourdomain.tld
Client Config
- Add your client, in this case I added a subnet where the access points reside.
client wifi {
        ipaddr = 192.168.1.0/24
        secret = somesecret
        require_message_authenticator = no
        nas_type = other
}
- Start Winbind
sudo systemctl enable --now winbind.service
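The client stanza in this section uses a placeholder secret and turns Message-Authenticator checking off. As an added example, not from the page or its author, the script below writes the same kind of stanza with a randomly generated shared secret and require_message_authenticator = yes; WPA-Enterprise access points always include that attribute with EAP-Message, so enabling the check costs nothing for this use and rejects requests that were trivially forged. It assumes the stanza belongs in /etc/raddb/clients.conf (the page does not name the file) and picks a 32-byte hex-encoded secret as a local choice, not a FreeRADIUS requirement.

```shell
# Added example, not from the wiki page: generate a clients.conf stanza for
# the access-point subnet with a strong secret and Message-Authenticator
# enforcement. Assumed target file: /etc/raddb/clients.conf.
set -eu

# 64 hex characters from the kernel CSPRNG using only coreutils.
gen_radius_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print a clients.conf stanza. Arguments: name, CIDR, secret, [nas_type].
render_radius_client() {
    name="$1"
    cidr="$2"
    secret="$3"
    nas_type="${4:-other}"
    cat <<EOF
client ${name} {
    ipaddr = ${cidr}
    secret = ${secret}
    # Drop Access-Requests without a valid Message-Authenticator. EAP clients
    # (WPA-Enterprise) always send one, so this only blocks spoofed traffic.
    require_message_authenticator = yes
    nas_type = ${nas_type}
}
EOF
}

# Append a stanza with a freshly generated secret to the given file, creating
# the file root-only if it does not exist yet, and print the secret once so it
# can be entered on the access-point side. Arguments: file, name, CIDR.
write_radius_client() {
    file="$1"
    name="$2"
    cidr="$3"
    secret="$(gen_radius_secret)"
    ( umask 077; render_radius_client "$name" "$cidr" "$secret" >> "$file" )
    echo "$secret"
}

# Example invocation (only runs when called with --apply):
#   sh radius-client.sh --apply /etc/raddb/clients.conf wifi 192.168.1.0/24
if [ "${1:-}" = "--apply" ]; then
    write_radius_client "$2" "$3" "$4"
fi
```

After appending the stanza, check the configuration with "radiusd -XC" before restarting the service, and keep clients.conf readable only by root and the radiusd group, since the shared secret is what lets a device talk to the server at all.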
sssd
- I pre-created a group called wifiaccess. Members of this account will be allowed to access the wifi.
sudo yum -y install sssd realmd adcli samba-common-tools
sudo realm join -U domain_admin yourdomain.net
sudo realm permit -g wifiaccess