FreeRADIUS

From Michael's Information Zone
Jump to navigation Jump to search

Purpose

RADIUS server for WPA Enterprise authentication

Install

Amazon Linux 2

[1][2]

  • Set DNS servers to DCs to be used
  • Set Chrony sources to use the DCs, comment out the Amazon pools.
  • Set static IP, add to Windows DNS.
  • Install FreeRadius packages.
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
  • Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.

PAM Auth

  • Uncomment pam module from /etc/raddb/sites-enabled/default
  • Create symlink for pam module
sudo ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
  • Update /etc/raddb/users by adding the default auth type to PAM. It is also common practice to uncomment the disabled group.
DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

NTLM Auth

  • Edit /etc/raddb/mods-config/files/authorize, uncomment DEFAULT Group and comment out the default auth type.
DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

#DEFAULT Auth-Type := ntlm_auth
  • No specific change needed in /etc/raddb/sites-enabled/default
  • Update /etc/raddb/mods-enabled/mschap by commenting out existing ntlm_auth line and add the following.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  • uncomment the following
                ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
                ntlm_auth_username = "username: %{mschap:User-Name}"
                ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

Create a clean smb.conf file and add the following

[global]
workgroup = yourdomain
security = ads
password server = yourdomain.tld
realm = yourdomain.tld

Client Config

  • Add your client, in this case I added a subnet where the access points reside.
client wifi {
        ipaddr = 192.168.1.0/24
        secret = somesecret
        require_message_authenticator = no
        nas_type = other
}
  • Start Winbind
sudo systemctl status winbind.service

sssd

  • I precreated a group called wifiaccess. Members of this account will be allowed to access the wifi.
sudo yum -y install sssd realmd adcli samba-common-tools
sudo realm join -U domain_admin yourdomain.net
sudo realm permit -g wifiaccess