Difference between revisions of "FreeRADIUS"

From Michael's Information Zone
Jump to navigation Jump to search
Line 12: Line 12:
 
</pre>
 
</pre>
 
*Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
 
*Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
 +
===PAM Auth===
 
*Uncomment pam module from /etc/raddb/sites-enabled/default
 
*Uncomment pam module from /etc/raddb/sites-enabled/default
 
*Create symlink for pam module
 
*Create symlink for pam module
Line 24: Line 25:
 
DEFAULT Auth-Type := PAM
 
DEFAULT Auth-Type := PAM
 
</pre>
 
</pre>
 +
===NTLM Auth===
 +
 +
===Client Config===
 
*Add your client, in this case I added a subnet where the access points reside.
 
*Add your client, in this case I added a subnet where the access points reside.
 
<pre>
 
<pre>

Revision as of 15:28, 6 July 2021

Purpose

RADIUS server for WPA Enterprise authentication

Install

Amazon Linux 2

[1][2]

  • Set DNS servers to DCs to be used
  • Set Chrony sources to use the DCs, comment out the Amazon pools.
  • Set static IP, add to Windows DNS.
  • Install FreeRadius packages.
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
  • Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.

PAM Auth

  • Uncomment pam module from /etc/raddb/sites-enabled/default
  • Create symlink for pam module
sudo ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
  • Update /etc/raddb/users by adding the default auth type to PAM. It is also common practice to uncomment the disabled group.
DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

NTLM Auth

Client Config

  • Add your client, in this case I added a subnet where the access points reside.
client wifi {
        ipaddr = 192.168.1.0/24
        secret = somesecret
        require_message_authenticator = no
        nas_type = other
}
  • Start Winbind
sudo systemctl status winbind.service

sssd

  • I precreated a group called wifiaccess. Members of this account will be allowed to access the wifi.
sudo yum -y install sssd realmd adcli samba-common-tools
sudo realm join -U domain_admin yourdomain.net
sudo realm permit -g wifiaccess