FreeRADIUS
Contents
Purpose
RADIUS server for WPA Enterprise authentication
Install
Amazon Linux 2
- Set DNS servers to DCs to be used
- Set Chrony sources to use the DCs, comment out the Amazon pools.
- Set static IP, add to Windows DNS.
- Install FreeRadius packages.
sudo yum -y install freeradius freeradius-utils samba-winbind-clients
- Update /etc/raddb/radiusd.conf user and group from radiusd to root. Though I have done this with another radius server running google auth, I think there should be a better option. More research should be done.
PAM Auth
- Uncomment pam module from /etc/raddb/sites-enabled/default
- Create symlink for pam module
sudo ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
- Update /etc/raddb/users by adding the default auth type to PAM. It is also common practice to uncomment the disabled group.
DEFAULT Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAM
NTLM Auth
- Edit /etc/raddb/mods-config/files/authorize, uncomment DEFAULT Group and comment out the default auth type.
DEFAULT Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." #DEFAULT Auth-Type := ntlm_auth
- No specific change needed in /etc/raddb/sites-enabled/default
- Update /etc/raddb/mods-enabled/mschap by commenting out existing ntlm_auth line and add the following.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
- uncomment the following
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" ntlm_auth_username = "username: %{mschap:User-Name}" ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
Create a clean smb.conf file and add the following
[global] workgroup = yourdomain security = ads password server = yourdomain.tld realm = yourdomain.tld
Client Config
- Add your client, in this case I added a subnet where the access points reside.
client wifi { ipaddr = 192.168.1.0/24 secret = somesecret require_message_authenticator = no nas_type = other }
- Start Winbind
sudo systemctl status winbind.service
sssd
- I precreated a group called wifiaccess. Members of this account will be allowed to access the wifi.
sudo yum -y install sssd realmd adcli samba-common-tools sudo realm join -U domain_admin yourdomain.net sudo realm permit -g wifiaccess