Radius active directory linux

Системное администрирование Linux

Настройка Freeradius для работы с Microsoft Active Directory

Иногда для удобства организации доступа к сети, удобно использовать централизованную схему аутентификации на основе протокола Radius. В этой статье мы рассмотрим настройку сервера Freeradius для работы с доменом Active Directory, для организации доступа к сети на основании учетных записей доменных пользователей.

FreeRADIUS — RADIUS сервер с открытым исходным кодом.

Radius — сетевой протокол, предназначенный для обеспечения централизованной аутентификации, авторизации и учёта (Authentication, Authorization, and Accounting, AAA) пользователей, подключающихся к различным сетевым службам. Используется, например, при аутентификации пользователей WiFi, VPN

Настройка сервера Freeradius будем производить на сервере CentOs7, в качестве контроллера домена выступает машина Windows Server 2012R2 с именем test-dc, домен test.un.

Настройка сервера Centos

sudo sed -i «s/SELINUX=enforcing/SELINUX=disabled/» \

Указываем DNS сервер отвечающий за домен

# Generated by NetworkManager search test.un nameserver 172.20.1.78

На файерволе разрешаем порт udp 1812

Устанавливаем необходимые зависимости:

sudo yum install authconfig samba samba-winbind samba-client \

pam_krb5 krb5-workstation net-tools bind-utils samba-winbind-clients

Запускаем интерфейс для настройки источников системной аутентификации

Запускается псевдо-графическая оболочка для настройки

На странице «Конфигурация аутентификации» выбираем «Информация пользователя->Использовать Winbind», «Аутентификация->Использовать Kerberos»

Далее в меню «Настройка Kerberos указываем область и сервер KDC»

«Настройка Winbind» выбираем «Модель защиты»->ads, указываем домен (Netbios имя),контроллер домена, область и оболочку по-умолчанию в зависимости от необходимости

Запускаем демоны и добавляем их в автозагрузку

sudo systemctl enable smb

sudo systemctl enable nmb

Присоединяем сервер к домену

sudo net ads join -U Administrator

Enter Administrator"s password: Using short domain name -- TEST Joined "FREERADIUS" to dns domain "test.un" No DNS domain configured for freeradius. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER

sudo systemctl start winbind

sudo systemctl enable winbind

TEST\administrator TEST\guest TEST\krbtgt

Проверяем аутентификацию ntlm

ntlm_auth —request-nt-key —domain=TEST.UN \

--username=Administrator --password=*

Установка и настройка Freeradius сервера

sudo yum install freeradius freeradius-krb5

Идем в файл /etc/raddb/mods-enabled/ntlm_auth прописываем правильные значения

Правим конфигурацию виртуальных сервров Freeradius

в файл /etc/raddb/users добавляем следующую секцию

DEFAULT Auth-Type = ntlm_auth

Создаем клиента для Freeradius

Запускае Freeradius сервер в режиме Debug

И проверяем аутентификацию на Freeradius сервере с другой машины для которой был создан клиент

radtest radius «пароль» 172.20.1.210 1812 testing123

Sending Access-Request of id 20 to 172.20.1.210 port 1812 User-Name = "radius" User-Password = "******" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 172.20.1.210 port 1812, length=20

Аутентификация прошла удачно.

Если вы хотети ограничить аутентификацию для пользователей на основании принадлежности их к доменной группе, то в файле /etc/raddb/mods-enabled/ntlm_auth в строке с указанием ключей для команды ntlm_auth обавляем следующую конструкцию

--require-membership-of="DOMAIN\GROUP_NAME"

Источник

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]

FreeRADIUS: Active Directory Integration and PEAP-MschapV2 with Dynamic Vlan Assignment

We will setup authentication and authorization for a wireless network that can be used for a large organization, ensuring network users are able to securely authenticate to the network. Here’s what you’ll need:

• A FreeRADIUS Server
• A Domain Controller
• A Wireless Controller
• An Access Point (AP)
• Some Clients with Different Operating System

The clients will be classified depend on device type (Android, iPhone, Windows) and assigned to different vlans after being authenticated. We will use Protected Extensible Authentication Protocol (PEAP) with Mschapv2. My network topology will look like below.

Following table shows the device type and the vlans they will be assigned.

Integrate FreeRADIUS with Active Directory

Mschapv2 is a challenge-response based authentication protocol. Since it does not support sending client credentials in complete clear text, we will not be able to use LDAP database in Active Directory for authentication. There can be a workaround but, we will not cover that scenario in this article. Instead, we will use Active Directory integration which supports Mschapv2 authentication. We will use Samba server ant it’s utilities to join the Active Directory.

Followings steps show Samba installation and the other required tools.

Step-1: A fully qualified domain name (FQDN) must be defined. Open » /etc/hosts » file in your preferred text editor and add localhost IP address, FQDN and hostname respectively as below.

root@freeradius:/home/celal# nano /etc/hosts

My configuration is below.

Step-2: Verify the hostname and FQDN with the commands below.

root@freeradius:/home/celal# hostname freeradius root@freeradius:/home/celal# hostname -f freeradius.mydomain.com

Step-3: Update package information from all the configured sources.

root@freeradius:/home/celal# apt-get update

Step-4: Install the required packages with the command below.

root@freeradius:/home/celal# apt-get install samba winbind libnss-winbind krb5-user

During the installation, the window below will appear. Enter your domain name and click «OK«.

Enter your Domain Controllers FQDN. If you have more than one, then separate them with a space.

Enter the administrative server FQDN and click «OK«.

Step-5: After the installation, we need to configure Samba server. Open » /etc/samba/smb.conf » file with your preferred text editor and modify it the way it suits you. Mine is below.

root@freeradius:/home/celal# nano /etc/samba/smb.conf [global] workgroup = MYDOMAIN security = ads winbind use default domain = yes realm = MYDOMAIN.COM password server = mydc1.mydomain.com

Step-6: Although we configured Kerberos in step 4, we need to add more config. Open » /etc/krb5.conf » and modify it as below.

root@freeradius:/home/celal# nano /etc/krb5.conf [libdefaults] default_realm = MYDOMAIN.COM [realms] MYDOMAIN.COM = < kdc = mydc1.mydomain.com kdc = mydc2.mydomain.com admin_server = mydc1.mydomain.com >[domain_realm] .mydomain.com = MYDOMAIN.COM mydomain.com = MYDOMAIN.COM

Step-7: Now that we have installed and configured Samba server and Kerberos authentication, we need to join the Active Directory. Remember that when you join a windows client to an Active Directory, you must have an administrator account. Before joining the Active Directory, you provide your credentials. For Ubuntu, we will use «kinit» tool to obtain and cache Kerberos ticket-granting ticket then join the AD.

root@freeradius:/home/celal# kinit Administrator Password for Administrator@MYDOMAIN.COM:

Following output shows Kerberos obtaining ticket-granting ticket in packet level.

Join the Active Directory with command below.

root@freeradius:/home/celal# net ads -k join

Following figure shows joining the Active Directory in the packet level.

Step-8: Restart the services as below.

root@freeradius:/home/celal# service smbd restart root@freeradius:/home/celal# service nmbd restart root@freeradius:/home/celal# service winbind restart

Step-9: At this point, we have joined the Active Directory and will confirm if New Technology LAN Manager (NTLM) authentication works. FreeRADIUS uses «ntlm_auth» tool to allow external access to Winbind’s NTLM authentication function. Apply the command below to confirm if NTLM authentication works.

root@freeradius:/home/celal# ntlm_auth --request-nt-key --domain=mydomain.com --username=administrator --password=mypassword NT_STATUS_OK: The operation completed successfully. (0x0) root@freeradius:/home/celal#

When the authentication is successful, it returns 0 (zero). Following screenshot shows that the ntlm authentication has made over Remote Procedure Call (RPC), which is a Microsoft proprietary protocol.

Configure FreeRADIUS

I assume that you have already installed FreeRADIUS. If not, please visit here (FreeRADIUS Installing and Configuring (Part 1)).

Step-1: The «default» virtual server contains too much settings. Thus, I will remove it and create my own simple server.

root@freeradius:/home/celal# rm /etc/freeradius/3.0/sites-enabled/default

Step-2: My Aruba testing wireless controller are able to classify a client based on its Operating System. It sends device type in an » Access-Request » packet, using » Aruba-Device-Type » vendor specific attribute. After authenticating the user, I use this attribute to distinguish the clients from each other, then I assign them the vlan accordingly with » post-auth » block. FreeRADIUS comes with many vendor specific dictionaries. They are stored in » /usr/share/freeradius/ » directory. If there is currently no dictionary for your vendor, you can create a new one in the directory. Change the configuration below to suit your needs.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/sites-enabled/my_server server my_server < listen < ipaddr = * port = 1812 type = auth >authorize < preprocess mschap suffix eap files >authenticate < Auth-Type MS-CHAP < mschap >eap > post-auth < if (Aruba-Device-Type == "Android") < update reply < Reply-Message := "you are an Android" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "100" >> if (Aruba-Device-Type == "iPhone") < update reply < Reply-Message := "you are an iPhone" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101" >> if (Aruba-Device-Type == "Win 10") < update reply < Reply-Message := "you are a windows" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "102" >> > >

Step-3: Define a RADIUS client in » /etc/freeradius/3.0/clients.conf » file.

client Wireless_Controller

Step-4: Change «default_eap_type» to «peap«. Some legacy clients may not support TLS version 1.2, so make the changes as you need. I commented out (disabled) some settings, and modified the TLS min and max values. Open «eap» module and follow below.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/mods-available/eap eap < default_eap_type = peap --- --- --- tls-config tls-common < # disable_tlsv1_1 = yes # disable_tlsv1 = yes tls_min_version = "1.0" tls_max_version = "1.2" >>

Step-5: Open «mschap» module and configure it as below. FreeRADIUS will use an external program called «ntlm_auth» to authenticate the users.

nano /etc/freeradius/3.0/mods-available/mschap mschap < use_mppe = yes require_encryption = yes require_strong = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%:-%:-None>> --challenge=%:-00> --nt-response=%:-00>" >

Step-6: Add «freerad» user to «winbindd_priv» group which will be able to reach «winbind» program.

root@freeradius:/home/celal# usermod -a -G winbindd_priv freerad root@freeradius:/home/celal# chown root:winbindd_priv /var/lib/samba/winbindd_privileged/

Testing PEAP-MschapV2 with an Android device

I will connect my Service Set Identifier (SSID) using an Android device. During the authentication, I captured RADIUS packets between the wireless controller and FreeRADIUS. Because of most of packets are encrypted with TLS, I will omit them. Here is below the «Access-Request» packet.

As you see in the screenshot above, the wireless controller sends «Aruba-Device-Type» vendor specific attribute with value of «Android». After authentication, this attribute will be used in the policy to decide to which vlan a user will be assigned. Following shows the last RADIUS packet (Access-Accept).

The FreeRADIUS server insert vlan information (in this case vlan 100), Wi-Fi Protected Access (WPA) encryption and decryption keys into the «Access-Accept» packet. The wireless controller receives the packet and apply the policy accordingly, then it conveys the encryption and decryption keys to the Access Point (AP).

Final thoughts

FreeRADIUS can be integrated into many systems. Active Directory is just one of them. With a simple configuration, you can have a RADIUS integrated into Active Directory.

Didn’t find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Источник