Freeradius on Ubuntu 14.04 LTS with samba4 authentication
This guide sets up FreeRADIUS to authenticate against Samba4/Active Directory. It is based on Samba4; I have tested the following:
<> radtest authentication
<> wireless authentication
<> pptp vpn authentication (not covered)
I offer no warranty and take no responsibility that it will work for you; it worked for me, so I am sharing it.
Let's start by installing the packages we will need.
# FreeRADIUS core, its LDAP/Kerberos modules and the client tools, plus
# winbind, which provides the ntlm_auth helper the mschap module calls.
sudo apt-get install \
  freeradius \
  freeradius-common \
  freeradius-krb5 \
  freeradius-ldap \
  freeradius-utils \
  winbind
Before we change anything, let's back up the whole /etc/freeradius directory for later reference or restore.
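# -a (archive) keeps ownership and modes, which a plain -r does not, so the
# backup can be restored as-is; -- stops option parsing before the paths.
cp -af -- /etc/freeradius ~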
We need to edit the following files. I started with a clean file just to keep things simple; of course you don't have to do that. For ease you can simply copy and paste the text for each file into the terminal; the location is embedded, so it will know where to write.
radiusd.conf
eap.conf
ldap
mschap
ntlm_auth
default
inner-tunnel
clients.conf
main configuration
Clear existing configuration from /etc/freeradius/radiusd.conf
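# Truncate the file with the shell (the original "cat null" reads a file that
# does not exist) and open it in nano only if the truncation succeeded.
: > /etc/freeradius/radiusd.conf && nano /etc/freeradius/radiusd.conf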
And paste the following, save and exit
# Paths and identity: the daemon runs as the unprivileged freerad user/group,
# reads its config from /etc/freeradius and logs under /var/log/freeradius.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Both listeners bind to every interface (ipaddr = *); port = 0 selects the
# default RADIUS auth/acct ports. Firewall them so that only the clients
# declared in clients.conf can reach the server.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
hostname_lookups = no
# Keep core dumps off: a core of radiusd can contain shared secrets and passwords.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
requests = ${logdir}/auth-%Y%m%d.log
stripped_names = yes
auth = yes
# NOTE(review): auth_badpass/auth_goodpass = yes write the submitted password
# in clear text to radius.log. Useful while debugging this setup; set both to
# "no" (and restrict access to ${logdir}) before real users authenticate.
auth_badpass = yes
auth_goodpass = yes
msg_goodpass = "Success"
msg_badpass = "Access Denied"
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# Delay every Access-Reject by one second to slow down password guessing.
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module definitions come from modules/ (ldap, mschap, ntlm_auth written
# below) plus eap.conf.
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
eap configuration
Clear existing configuration from /etc/freeradius/eap.conf
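# Truncate the file with the shell (the original "cat null" reads a file that
# does not exist) and open it in nano only if the truncation succeeded.
: > /etc/freeradius/eap.conf && nano /etc/freeradius/eap.conf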
and paste the following in it
# EAP module. PEAP is offered by default (default_eap_type); its inner method
# is MSCHAPv2 (see the peap block), which the mschap module and ntlm_auth
# configured below take care of.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# NOTE(review): "whatever" is presumably the password of the test
# certificates generated by the bootstrap script named in make_cert_command.
# Replace server.key/server.pem/ca.pem with a certificate your clients trust
# and change this password to match before real wireless clients use this.
private_key_password = whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
CA_path = ${cadir}
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
ecdh_curve = "prime256v1"
cache {
# TLS session caching is off; it can be enabled later to speed up reconnects.
enable = no
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
# PEAP: the inner MSCHAPv2 exchange is handled by the inner-tunnel virtual
# server written to sites-enabled/inner-tunnel below.
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
ldap configuration
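# Truncate the file with the shell (the original "cat null" reads a file that
# does not exist) and open it in nano only if the truncation succeeded.
: > /etc/freeradius/modules/ldap && nano /etc/freeradius/modules/ldap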
and paste the following, save and exit
# LDAP module pointed at the Samba4 DC. The sites below use it to look the
# user up (authorize) and for the LDAP-Group membership check.
ldap {
server = "dc1.devlab.nt"
# NOTE(review): the bind DN and its password are stored here in clear text.
# Keep this file readable only by root and the freerad group, and prefer a
# dedicated read-only service account over a personal one (rkhan is also the
# account used for the radtest below).
identity = "cn=rkhan,cn=users,dc=devlab,dc=nt"
password = Test123
basedn = "cn=users,dc=devlab,dc=nt"
# AD users are matched on sAMAccountName; Stripped-User-Name (set by the
# suffix module in the sites) is preferred, falling back to User-Name.
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
# NOTE(review): with start_tls = no the bind password and every query cross
# the network unencrypted. Enable it (or use ldaps) once this host trusts the
# DC's certificate.
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
# password_attribute = userPassword
edir_account_policy_check = no
# Backs the LDAP-Group check in sites-enabled/default via AD's "member" attribute.
groupmembership_filter = "(member=%{control:Ldap-UserDn})"
keepalive {
idle = 60
probes = 3
interval = 3
}
}
mschap configuration
paste the following in terminal
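# The quoted delimiter keeps the shell from expanding anything inside the
# pasted configuration (a stray $ or backtick would otherwise be interpreted).
cat <<'EOT' > /etc/freeradius/modules/mschap
mschap {
  use_mppe = yes
  require_encryption = yes
  require_strong = yes
  with_ntdomain_hack = yes
  # Hand the MS-CHAP challenge/response to Samba's winbind through ntlm_auth;
  # the NT domain defaults to "devlab" when the client did not send one.
  # NOTE(review): --request-nt-key presumably needs access to winbind's
  # privileged pipe for the freerad user; check that if ntlm_auth fails
  # with a permission error.
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-devlab} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  allow_retry = yes
  retry_msg = "Authentication failed, re-enter the username and password to retry"
}
EOT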
ntlm_auth configuration
paste the following in terminal
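# Fixes the helper path ("/user/bin" does not exist; the mschap module above
# uses /usr/bin/ntlm_auth) and quotes the delimiter so the shell leaves the
# pasted configuration untouched.
cat <<'EOT' > /etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
  wait = yes
  # The clear-text password is passed to ntlm_auth as an argument, so it is
  # briefly visible in the process list; prefer the mschap path where possible.
  program = "/usr/bin/ntlm_auth --request-nt-key --domain=devlab --username=%{mschap:User-Name} --password=%{User-Password}"
}
EOT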
sites-enabled (default)
paste the following in terminal
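# The quoted delimiter keeps the shell from expanding anything inside the
# pasted configuration (unlang uses %{...}, but a stray $ or backtick would
# otherwise be interpreted).
cat <<'EOT' > /etc/freeradius/sites-enabled/default
authorize {
  preprocess
  auth_log
  chap
  mschap
  suffix
  # When eap returns "ok" the section ends here, so for PEAP/TTLS the ldap
  # lookup and the group gate below are skipped; they apply to non-EAP
  # requests such as radtest.
  eap {
    ok = return
  }
  unix
  ldap
  expiration
  logintime
  # Only members of the AD group "radius" may authenticate.
  if (LDAP-Group == "radius") {
    noop
  }
  else {
    reject
  }
}
authenticate {
  Auth-Type CHAP {
    chap
  }
  Auth-Type MS-CHAP {
    mschap
  }
  unix
  # Bind to the DC as the user (presumably how radtest's PAP request is
  # verified; confirm with debug output).
  Auth-Type LDAP {
    ldap
  }
  eap
}
preacct {
  preprocess
  acct_unique
  suffix
  files
}
accounting {
  detail
  unix
  radutmp
  attr_filter.accounting_response
}
session {
  radutmp
}
post-auth {
  ldap
  exec
  Post-Auth-Type REJECT {
    attr_filter.access_reject
  }
}
pre-proxy {
}
post-proxy {
  eap
}
EOT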
sites-enabled (inner-tunnel)
paste the following in terminal
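# The quoted delimiter keeps the shell from expanding anything inside the
# pasted configuration.
cat <<'EOT' > /etc/freeradius/sites-enabled/inner-tunnel
server inner-tunnel {
  authorize {
    chap
    mschap
    unix
    suffix
    # The inner request is always handled locally, never proxied.
    update control {
      Proxy-To-Realm := LOCAL
    }
    eap {
      ok = return
    }
    ldap
    expiration
    logintime
    # NOTE(review): PEAP/MSCHAPv2 users are authenticated in this server and
    # there is no LDAP-Group check here, while the "radius" group gate in
    # sites-enabled/default is skipped for EAP requests (eap { ok = return }
    # returns before it, as far as I can tell). If wireless users must also
    # be group members, add the same if/else after "ldap" in this section.
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      mschap
    }
    unix
    Auth-Type LDAP {
      ldap
    }
    eap
  }
  session {
    radutmp
  }
  post-auth {
    ldap
    Post-Auth-Type REJECT {
      attr_filter.access_reject
    }
  }
  pre-proxy {
  }
  post-proxy {
    eap
  }
} # inner-tunnel server block
EOT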
client configuration
paste the following in terminal
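# The quoted delimiter keeps the shell from expanding anything inside the
# pasted configuration.
cat <<'EOT' > /etc/freeradius/clients.conf
client localhost {
  ipaddr = 127.0.0.1
  # Shared secret used by the radtest below; the shipped default, acceptable
  # for loopback-only testing.
  secret = testing123
  # NOTE(review): "no" accepts Access-Requests without a Message-Authenticator;
  # set it to "yes" unless a client is known not to send one.
  require_message_authenticator = no
  shortname = localhost
  nastype = other # localhost isn't usually a NAS...
}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
# Every access point in 10.10.10.0/24 shares this secret, and it is all that
# authenticates them to the server: use a long random value (for example from
# "openssl rand -base64 32") instead of "test".
client 10.10.10.0/24 {
  secret = test
  shortname = WirelessAccessPoint
}
EOT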
Now create the group radius and add the user to it (the authorize section of the default site rejects users who are not members of this group).
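# Chain with && so the member is only added if creating the group succeeded.
samba-tool group add radius && samba-tool group addmembers radius rkhan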
Reboot the machine just to be safe
# The author reboots "just to be safe"; restarting the freeradius and winbind
# services should be enough — confirm on your setup.
reboot
Testing with radtest
# radtest <user> <password> <server> <nas-port> <shared-secret>: both the user
# password and the shared secret end up in shell history and in ps output
# while the command runs, so clear the history entry afterwards.
radtest rkhan Test123 localhost 1812 testing123
LDAP queries
ldapsearch for group
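# -W prompts for the bind password instead of passing it with -w, which would
# leave it in shell history and ps output. The filter is the plain equality
# match; the surrounding (&...) was redundant.
ldapsearch -x -b "cn=users,dc=devlab,dc=nt" -D "cn=rkhan,cn=users,dc=devlab,dc=nt" -h localhost -W "(cn=radius)"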
ldapsearch for radius members
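# -W prompts for the bind password instead of passing it with -w, which would
# leave it in shell history and ps output.
ldapsearch -x -b "cn=users,dc=devlab,dc=nt" -D "cn=rkhan,cn=users,dc=devlab,dc=nt" -h localhost -W "(&(objectClass=user)(memberOf=CN=radius,CN=users,DC=devlab,DC=nt))"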