Radius and integrated with AD for Wireless AP

Freeradius and integrated with AD, with Wireless (Aruba-controller)

 

 

 

 

Here you go, FreeRADIUS, an open-sourced project that will please you.

Prerequisite

  • Active Directory domain
  • Ubuntu server

Below are the used settings assuming

FreeRADIUS 192.168.1.12
mydomain.com: domain name
mydc.mydomain.com: domain controller
MYNTDOMAIN: nt domain name
Radiussrv : Radius server hostname

           


1. Install samba, winbind, krb5-user:

sudo apt install samba winbind krb5-user

2. Config samba by editing:

a. /etc/samba/smb.conf:

...
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = MYNTDOMAIN

# need to add these
   security = ads
   password server = mydc.mydomain.com
   realm = MYDOMAIN.COM
   winbind use default domain = true
...

b. /etc/krb5.conf:

[libdefaults]
        default_realm = MYDOMAIN.COM

...

[realms]
        MYDOMAIN.COM = {
                kdc = mydc.mydomain.com
                admin_server = mydc.mydomain.com
                default_domain = mydomain.com
        }

 

...

 

[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

...

 

c. /etc/hosts

127.0.0.1 radiussrv.mydomain.com radiussrv localhost


3. Restart samba service:

sudo systemctl restart smbd

4. Join domain (MYNTDOMAIN)

net join -U Administrator

5. Test samba AD authentication:

a. Using winbind:

wbinfo -a <user>%<password>

You will get the following message if everything is correct:

plaintext password authentication succeeded
challenge/response password authentication succeeded

or

b. Using ntlm_auth:

ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=<user> --password=<password>

Success message:

NT_STATUS_OK: Success (0x0)

6. Install freeradius 3.0.X:

sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt update
sudo apt install freeradius freeradius-config easy-rsa

7. Generate and config the server certificates with easy-rsa, remember to enter your server's FQDN as common name when asked:

a. Generate the certs

sudo cp -R /usr/share/easy-rsa /etc/freeradius/certs/
cd /etc/freeradius/certs/easy-rsa

Mkdir keys
source vars
./clean-all
./build-ca
./build-key-server server
sudo cp keys/ca.crt /etc/freeradius/certs/
sudo cp keys/server.* /etc/freeradius/certs/
sudo chown freerad /etc/freeradius/certs/server*
sudo chmod +r /etc/freeradius/certs/server*

b. Config FreeRADIUS to use those new certs:

sudo nano /etc/freeradius/mods-enable/eap
change the below setting
...
        tls-config tls-common {
                private_key_password =
                #private_key_file = ${certdir}/server.pem

                private_key_file = ${certdir}/server.key
...
                #certificate_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.crt
...
                #ca_file = ${cadir}/ca.pem

                ca_file = ${cadir}/ca.crt

...



8. Grant permission for freerad user on winbind's socket:

sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/

9. Tell FreeRADIUS to use ntlm_auth for MSCHAP by editing:

a. /etc/freeradius/modules/ntlm_auth:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"

b. /etc/freeradius/modules/mschap:

mschap {

...

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNTDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

...


c. /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
...
    ntlm_auth
...

d. /etc/freeradius /mods-config/files/authorize

 

DEFAULT     Auth-Type = ntlm_auth


10. Configure RADIUS client, /etc/freeradius/clients.conf. For example:

client 192.168.1.10 {
        secret                = 123456

}

 


11. Re start FreeRADIUS:

sudo systemctl restart freeradius

12. Test FreeRADIUS and MSCHAP:

radtest -t mschap <user> <password> localhost 0 testing123

The results will be like:

Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
        User-Name = "user"
        MS-CHAP-Password = "password"
        NAS-IP-Address = 172.100.99.100
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
        MS-CHAP-Challenge = 0x163bc4c900360a08
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
        MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

 


13. Configure your Aruba Controller as below

 



14. Try to connect to your wifi network using your AD account and enjoy.

Comments

Post a Comment

Popular posts from this blog

How to install XIbo?

Image
How to install Xibo on Windows 10 64 bit What is Xibo? XIbo is open source signage software, Xibo Digital Signage is a low-cost, high performance solution to launch your business, workplace or organisation into the future. Xibo doesn’t just replicate print media, but actively increases engagement allowing you to deliver your message more effectively than ever before What is  Digital signage?  Digital signage is a sub-segment of electronic signage. Digital displays use technologies such as LCD, LED, projection and e-paper to display digital images, video, web pages, weather data, restaurant menus, or text.  Wikipedia How to install Xibo on Windows 10. It is very easy to install the Xibo on windows 10 x64 bit os with docker. Below is the step to install the Xibo. ð   Step 1.   Download the docker for windows 10 x64,  Link to download Docker ð   Step 2. Install the Docker. Double-click  Docker for ...
Read more

How to install - Snipe-IT, Free IT Asset manager software

Image
 Snipe-IT, IT Free Asset manager Software. S nipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories. Pre-requisite 1) Wamp Webserver - Download Link 2)  composer  - Download Link Step 1.  Install Composer 2) Install Wamp  create database snipeit; show databases; Create user snipe_user; grant all on snipeit.* to 'snipe_user' @ 'localhost' identified by 'password123' ; Extract and configure Snipe-IT and run composer https://snipeitapp.com/download Download and exact Snipe-IT to c:\wamp\www\snipe-it. Edit  .env.example See the  Configuration  options for more information on how to configure your Snipe-IT installation. Save your edited  env.example  as  .env Open command prompt then change directory to...
Read more

How Backup configuration Sonicwall Firewall

Image
How to Save a Backup Copy of Your Configuration Preferences (Current Settings) Article Applies To:   SonicWALL Security Appliance Platforms:   Gen6 SM E10000 series : NSA E10800, NSA E10400, NSA E10200, NSA E10100 Gen6 SM 9000 series : NSA 9600, NSA 9400, NSA 9200 Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600 Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240 Gen5 TZ Series: TZ 100, TZ 100W, TZ 200, TZ 200W, TZ 210 and TZ 210W. Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060,PRO 3060, PRO 2040, PRO 1260 Gen4 TZ series: TZ 190, TZ 190 Wireless, TZ 180, TZ 180 Wireless, TZ 170, TZ 170 Wireless, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 Wireless, TZ 150 Wireless (RevB) Firmware versions:  All Gen 6, Gen 5 and Gen 4 firmware versions (SonicOS Standard and Enhanced) Video Tutorial:  Click here  for the video tutorial of this topic Question/Topic: Be...
Read more