
Index > Help Tutorials > Freeradius on Ubuntu 14.04 LTS with samba4 authentication
This setup will let you set up FreeRADIUS to authenticate against Samba4/Active Directory. This how-to is based on Samba4; I have tested the following:

- radtest authentication
- wireless authentication
- PPTP VPN authentication (not covered)

I don't give any warranty and take no responsibility that it will work for you; it worked for me, so I am sharing it.
Let's start by installing the packages we will need sooner or later.
# The server, its Kerberos/LDAP modules, radtest (freeradius-utils) and winbind,
# which supplies the ntlm_auth helper the mschap module below calls.
# NOTE(review): ntlm_auth needs a working winbindd behind it — on a Samba AD DC
# that comes with the DC; a separate member server would have to be joined to
# the domain first. The page does not say which of the two this host is.
sudo apt-get install freeradius freeradius-common freeradius-krb5 freeradius-ldap freeradius-utils winbind
Now, before we do any damage, let's back up the whole /etc/freeradius directory for later reference/restore.
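# Backup of the stock configuration for reference/restore. -a keeps modes and
# ownership (these files are meant to be readable by the freerad account, not
# world-readable), which a plain -r copy drops.
cp -a /etc/freeradius ~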
We need to edit the following few files. I started with clean files just to keep things simple; of course, you don't have to do that.
For ease, you can simply copy and paste the text for each file into a terminal. The location is embedded, so it will know where to write:
radiusd.conf eap.conf ldap mschap ntlm_auth default inner-tunnel clients.conf

main configuration

Clear existing configuration from /etc/freeradius/radiusd.conf
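# Empty the file, then edit it. The original used "cat null", which only works
# by accident: the redirection truncates the file before cat fails on the
# non-existent input. With && nano is not opened if the truncation failed
# (e.g. when not run as root).
cat /dev/null > /etc/freeradius/radiusd.conf && nano /etc/freeradius/radiusd.conf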
And paste the following, save and exit
# /etc/freeradius/radiusd.conf — main server configuration (2.x-style layout:
# the modules/ directory, eap.conf and sites-enabled/ are pulled in at the end).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon runs as this unprivileged account; the config files (which hold the
# LDAP bind password and the client secrets) need to be readable by it only.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# ipaddr = * binds every interface; port = 0 means the standard ports from
# /etc/services (1812 auth, 1813 acct). Restrict ipaddr if the host has
# interfaces the access points never use.
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        type = acct
        ipaddr = *
        port = 0
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        requests = ${logdir}/auth-%Y%m%d.log
        stripped_names = yes
        auth = yes
        # auth_badpass/auth_goodpass = yes log the submitted password next to the
        # result. Handy while getting this working; switch them off afterwards so
        # radius.log does not become a store of user passwords.
        auth_badpass = yes
        auth_goodpass = yes
        msg_goodpass = "Success"
        msg_badpass = "Access Denied"
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        # One-second delay before each Access-Reject; slows down online guessing.
        reject_delay = 1
        status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

# Loads every file under modules/ (the ldap, mschap and ntlm_auth files written
# below included), then eap.conf.
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

eap configuration

Clear existing configuration from /etc/freeradius/eap.conf
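# Empty the file, then edit it. "cat null" in the original only worked because
# the redirection truncates the file before cat fails on the missing input;
# && keeps nano from opening if the truncation failed.
cat /dev/null > /etc/freeradius/eap.conf && nano /etc/freeradius/eap.conf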
and paste the following in it
 	eap {
		# This file is pasted through nano, not a shell heredoc, so the
		# ${confdir}/${certdir}/${cadir} references stay literal for FreeRADIUS.
		# default_eap_type = peap together with peap.default_eap_type = mschapv2
		# below sends wireless users into the inner-tunnel server with MS-CHAPv2.
		default_eap_type = peap
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = 4096
		md5 {
		}
		leap {
		}
		gtc {
			auth_type = PAP
		}
		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			# "whatever" appears to be the passphrase the certs/bootstrap script
			# (see make_cert_command) uses for its generated test key; if you
			# install your own server.key, set this to that key's passphrase.
			private_key_password = whatever
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = /dev/urandom
			CA_path = ${cadir}
			cipher_list = "DEFAULT"
			make_cert_command = "${certdir}/bootstrap"
			ecdh_curve = "prime256v1"
			cache {
			      enable = no
			      lifetime = 24 # hours
			      max_entries = 255
			}

			verify {
			}
			ocsp {
			      enable = no
			      override_cert_url = yes
			      url = "http://127.0.0.1/ocsp/"
			}
		}

		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		}

		# Both tunnelled methods hand the inner request to the "inner-tunnel"
		# virtual server written in sites-enabled/inner-tunnel below.
		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		}
		mschapv2 {
		}
	}     

ldap configuration

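# Empty the module file, then edit it ("cat null" in the original only worked
# because the redirection truncates the file before cat fails on the missing
# input). && keeps nano from opening if the truncation failed.
cat /dev/null > /etc/freeradius/modules/ldap && nano /etc/freeradius/modules/ldap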
and paste the following, save and exit
ldap {
        server = "dc1.devlab.nt"
        # Bind account for the user lookup and the group check below. The
        # password sits here in cleartext, so keep this file readable only by
        # root and freerad. The same account and password are also used as the
        # test user for radtest and ldapsearch further down; a dedicated service
        # account is preferable for the bind.
        identity = "cn=rkhan,cn=users,dc=devlab,dc=nt"
        password = Test123
        basedn = "cn=users,dc=devlab,dc=nt"
        # Looks the user up by sAMAccountName, using the realm-stripped name when
        # the suffix module produced one.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                # NOTE(review): start_tls = no sends the bind password and every
                # query to dc1.devlab.nt in the clear. Acceptable only while the
                # DC is on this host; otherwise enable start_tls (or use ldaps)
                # and configure the CA.
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # password_attribute = userPassword
        edir_account_policy_check = no
        # Backs the LDAP-Group == "radius" comparison in sites-enabled/default;
        # it relies on control:Ldap-UserDn, which the user lookup above fills in.
        groupmembership_filter = "(member=%{control:Ldap-UserDn})"
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

mschap configuration

paste the following in terminal
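# Writes the mschap module configuration. The heredoc delimiter is quoted so
# bash does not expand anything in the contents (harmless for this file, but
# ${...} references in other raddb files would otherwise be rewritten).
# ntlm_auth: the module hands the MS-CHAP challenge/response to winbind's
# ntlm_auth, which is what lets AD users authenticate without FreeRADIUS ever
# reading a password hash from LDAP. --domain falls back to "devlab" when the
# client sent no NT domain.
cat << 'EOT' > /etc/freeradius/modules/mschap
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-devlab} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        allow_retry = yes
        retry_msg = "Authentication failed, re-enter the username and password to retry"
}
EOT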

ntlm_auth configuration

paste the following in terminal
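# Fix: the program path was /user/bin/ntlm_auth, which does not exist; the
# mschap module above already uses /usr/bin/ntlm_auth. Delimiter quoted so bash
# leaves the contents alone.
# NOTE(review): this exec module puts the cleartext User-Password on
# ntlm_auth's command line, where other local users can see it in "ps" output.
# None of the sites-enabled files below reference "ntlm_auth", so as far as this
# page shows the module is never called — confirm before keeping it.
cat << 'EOT' > /etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=devlab --username=%{mschap:User-Name} --password=%{User-Password}"
}
EOT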

sites-enabled (default)

paste the following in terminal
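# Outer ("default") virtual server: handles radtest's PAP request and the outer
# leg of the wireless EAP exchange. Delimiter quoted so bash does not expand
# anything in the contents; trailing whitespace from the original dropped.
# In authorize, "ldap" has to run before the LDAP-Group comparison: that check
# is backed by the ldap module's groupmembership_filter, which needs the
# control:Ldap-UserDn set by the user lookup. Anyone not in the AD group
# "radius" is rejected before the authenticate section runs.
# NOTE(review): there is no "Auth-Type PAP" block here (inner-tunnel has one),
# so radtest's PAP request presumably ends up in Auth-Type LDAP, i.e. an LDAP
# bind as the user — check with "freeradius -X" if radtest does not succeed.
cat << 'EOT' > /etc/freeradius/sites-enabled/default
authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        ldap
        expiration
        logintime

        if (LDAP-Group == "radius") {
                noop
        }
        else {
                reject
        }
}

authenticate {
        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        ldap
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}
EOT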

sites-enabled (inner-tunnel)

paste the following in terminal
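# "inner-tunnel" is the virtual_server named by the peap and ttls sections of
# eap.conf. The tunnelled MS-CHAPv2 request from PEAP ends in
# "Auth-Type MS-CHAP { mschap }", i.e. in ntlm_auth via the mschap module.
# Delimiter quoted so bash leaves the contents alone.
# NOTE(review): unlike "default", this server has no LDAP-Group check, so the
# group restriction is only applied to the outer request. With PEAP the inner
# identity is the one actually authenticated, so the same "if (LDAP-Group ==
# "radius") ... else reject" belongs in this authorize section after "ldap" —
# verify against a wireless login before relying on the restriction.
cat << 'EOT' > /etc/freeradius/sites-enabled/inner-tunnel
server inner-tunnel {

authorize {
        chap
        mschap
        unix
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        expiration
        logintime
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}

session {
        radutmp
}

post-auth {
        ldap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}

post-proxy {
        eap
}

} # inner-tunnel server block

EOT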

client configuration

paste the following in terminal
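# Clients allowed to talk to this server. The shared secret is what protects
# each Access-Request (it hides User-Password and keys Message-Authenticator),
# so "test" for the access-point network should be replaced with a long random
# string — e.g. the output of "openssl rand -base64 32" — entered identically
# on the access point. "testing123" is the secret radtest is given later, so
# change both together if you alter it. Delimiter quoted so bash leaves the
# contents alone.
cat << 'EOT' > /etc/freeradius/clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}

#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}

#client 192.168.0.0/24 {
#       secret          = testing123-1
#       shortname       = private-network-1
#}
#
client 10.10.10.0/24 {
       secret          = test
       shortname       = WirelessAccessPoint
}
EOT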
Now create the group radius and add the user to it
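# Creates the AD group the LDAP-Group check keys on and adds the test user.
# && means the member is only added if the group was actually created.
# samba-tool places new groups under CN=Users by default, which is where the
# ldap module's basedn points — the ldapsearch at the end confirms that.
samba-tool group add radius && samba-tool group addmembers radius rkhan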
Reboot the machine just to be safe
# Restarting the freeradius and winbind services should be enough to pick up
# the new configuration; the author reboots to be safe.
reboot

radtest testing

# radtest <user> <password> <server>[:port] <nas-port-number> <secret>: sends a
# PAP Access-Request to localhost:1812 using the localhost client's secret from
# clients.conf. Expect Access-Accept for a member of the "radius" group and
# Access-Reject otherwise. The password ends up in the shell history and in
# "ps" output while the command runs.
radtest rkhan Test123 localhost 1812 testing123

LDAP queries

ldapsearch for group
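# Finds the "radius" group under cn=users. -W prompts for the bind password
# instead of taking it from the command line (the original used -w "Test123",
# which leaves the password in the shell history and in "ps" output).
ldapsearch -x -b "cn=users,dc=devlab,dc=nt" -D "cn=rkhan,cn=users,dc=devlab,dc=nt" -h localhost -W "(&(cn=radius))"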
ldapsearch for radius members
 
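# Lists the user objects that are members of CN=radius — the same membership
# the groupmembership_filter in the ldap module evaluates. -W prompts for the
# bind password instead of taking it on the command line (the original used
# -w "Test123", which leaves the password in the shell history and "ps" output).
ldapsearch -x -b "cn=users,dc=devlab,dc=nt" -D "cn=rkhan,cn=users,dc=devlab,dc=nt" -h localhost -W "(&(objectClass=user)(memberOf=CN=radius,CN=users,DC=devlab,DC=nt))"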