Jisc Regional Support Centre for [email protected]
FreeRADIUS 3.0.3 on Ubuntu 14.04 LTS
with Active Directory for eduroam
(document is in progress...!)
FreeRADIUS on Ubuntu 14.04 LTS with AD for eduroam

The following notes are based on installing FreeRADIUS on Ubuntu Server 14.04 (Trusty) with Active Directory support for a deployment of eduroam. In this instance we use a pre-compiled FreeRADIUS package from a Personal Package Archive (PPA). This documentation should also work with Ubuntu 12.04 Precise and 10.04 Lucid. No prebuilt packages are available for non-LTS Ubuntu releases.
Hardware Requirements
Physical

Generally any hardware that you are comfortable using and managing on an ongoing basis for this service, as you can see from the basic VM requirements below.

VM (absolute minimum; you may need to scale up as usage increases)

1 x vCPU
512MB RAM
8GB Storage

Networking and Remote access

Ensure that the server has a static IP address.
Ensure that you have remote access to the server via SSH.
Update/Upgrade
Samba and Authentication with Active Directory
sudo aptitude install snmp samba krb5-user winbind
Configure Kerberos and Samba

In this example:

RSC-WALES.LOCAL (or rsc-wales.local) = the FQDN of our AD domain
RSC-WALES = the NetBIOS name of our AD domain
dc0.rsc-wales.local = one of our Domain Controllers

/etc/krb5.conf

[libdefaults]
# Kerberos realm names are case-sensitive and an AD realm is normally the upper-cased
# DNS domain (RSC-WALES.LOCAL); make sure default_realm and the key used in [realms] agree.
default_realm = rsc-wales.local
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
RSC-WALES = {
    kdc = dc0.rsc-wales.local
    admin_server = dc0.rsc-wales.local
    default_domain = dc0.rsc-wales.local
}
/etc/samba/smb.conf

# Global parameters
[global]
workgroup = rsc-wales
#winbind use default domain = no
realm = rsc-wales.local
preferred master = no
local master = no
domain master = no
server string = rsc-wales freeradius
security = ADS
encrypt passwords = yes
winbind separator = +
# 'idmap uid' / 'idmap gid' are deprecated in Samba 4 (Ubuntu 14.04 ships 4.1);
# the current equivalent is "idmap config * : range = 1000-60000".
idmap uid = 1000-60000
idmap gid = 1000-60000
password server = *

Check that the services are started:

sudo service winbind restart
sudo service smbd restart
sudo service nmbd restart
http://wiki.samba.org/index.php/Join_a_domain_as_a_DC
Adding the server to the domain

sudo net ads join -U administrator

Using short domain name -- RSC-WALES
Joined 'RADIUS1' to realm 'rsc-wales.local'

If the above fails, try adding -S dc0.rsc-wales.local to the command:

sudo net ads join -U administrator -S dc0.rsc-wales.local
Confirming authentication requests using ntlm_auth

ntlm_auth --request-nt-key --domain=rsc-wales.local --username=Administrator

NT_STATUS_OK: Success (0x0)

If you get the following output:

could not obtain winbind separator!
Reading winbind reply failed! (0x01): (0x0)

then check that the winbind service is running:

ps -A | grep winbind

2952 ?        00:00:00 winbindd
2953 ?        00:00:00 winbindd

If required, start the winbind service:

sudo service winbind start

winbind start/running, process 2954
FreeRADIUS install
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install freeradius

The FreeRADIUS configuration files need some changes, as FreeRADIUS currently won't start or allow the additional packages to be installed.

/etc/freeradius/radiusd.conf

# FreeRADIUS 3 refuses to start when linked against an OpenSSL it considers vulnerable to
# Heartbleed (CVE-2014-0160). Ubuntu's 1.0.1f carries the backported fix but keeps the
# 1.0.1f version number, so this tells radiusd to accept it. Confirm that the installed
# libssl is actually patched before setting this.
allow_vulnerable_openssl = CVE-2014-0160
# Debian/Ubuntu install the daemon and configuration directory as "freeradius" rather
# than "radiusd", so ${name} must match for the default paths to resolve.
name = freeradius

Install the following packages: two are FreeRADIUS plugins, the third is used to build the SSL certificate authority.

sudo aptitude install freeradius-ldap freeradius-krb5 make
sudo chown -R :adm /etc/freeradius/ /var/log/freeradius/

cd /etc/freeradius/certs
sudo rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
sudo make ca.pem
sudo make server.pem
FreeRADIUS will create a certificate authority and server certificate on first installation. You can re-configure this as described below to your own requirements or utilise your own CA. If you introduce a secondary FreeRADIUS server, then you shouldn't create a new CA, but should get a certificate signed by the CA on the primary FreeRADIUS server.
Changes to the OpenSSL config files

All the information below could be made visible to users, either by clients connecting or by you providing the public CA certificate to them.

/etc/freeradius/certs/ca.cnf
/etc/freeradius/certs/server.cnf

days = 3650
default_days = 3650
For ca.cnf only, in [ca_default] and [v3_ca]:

crlDistributionPoints   URI:http://eduroam.rsc-wales.ac.uk/ca.crl   (yours: URI:http://yourdomain/ca.crl)

For ca.cnf in [certificate_authority], and for server.cnf in [server]:

Field                   Our value                            Your value
countryName             GB                                   GB
stateOrProvinceName     Wales                                County (or nation if you're Welsh!)
localityName            Swansea                              Town/City
organizationalUnitName  Jisc Regional Support Centre Wales   Organisation name
emailAddress            [email protected]                    IT service helpdesk?
commonName              Jisc RSC Wales - eduroam             This should be a sensible name as it will display to users, e.g. "College XX - eduroam"

Note: update input_password and output_password, and make a note of the value as you will also need to configure it in eap.conf later.

Now regenerate the certificates that the Ubuntu package created at install time:

sudo make ca.pem
sudo make server.pem
Config with eduroam(UK)
Copy the config from the UK eduroam Support site into clients.conf and proxy.conf. In clients.conf, replace nastype with nas_type.

For proxy.conf, in /etc/freeradius/proxy.conf replace

realm LOCAL

with

realm ~.*

In order to enable sufficient logging to comply with the eduroam specification, uncomment the following lines in the virtual servers /etc/freeradius/sites-available/default and /etc/freeradius/sites-available/inner-tunnel:

auth_log
reply_log
attr_filter.pre-proxy
pre_proxy_log
post_proxy_log
attr_filter.post-proxy
Create an eduroam virtual router
To create an eduroam virtual router, simply copy the default router and modify it:

sudo cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/eduroam

sites-available contains all the virtual routers; sites-enabled is simply symbolic links to the files in sites-available, therefore we need to create a link using the command ln:

sudo ln -s /etc/freeradius/sites-available/eduroam /etc/freeradius/sites-enabled/eduroam
Make the following change to /etc/freeradius/sites-enabled/eduroam, starting at the top of the file (the comments are omitted here; with the comments this is approximately 160 lines).

sites-available/eduroam

As copied from default, the file begins:

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }

Rename the server so that the first line reads:

server eduroam {

Note: two virtual servers cannot both bind to *:1812 and *:1813. If the eduroam copy keeps the listen sections shown above, radiusd fails to start with "Address already in use"; remove them from this file. Requests reach a virtual server that has no listen section when a client definition names it with virtual_server = eduroam.
Add the following to the authorize section of sites-available/default, after suffix (approximately line 300). It sends all requests that aren't for your realms to the NRPS.

sites-available/default

# Anything whose realm is not one of ours (or a sub-realm of ours) is proxied to the
# 'eduroam' realm defined in proxy.conf. Regex matches in unlang are unanchored unless the
# pattern starts with '^', so as written a realm that merely ends in rsc-wales.ac.uk
# (e.g. xrsc-wales.ac.uk) is also treated as local; prefix the pattern with ^ for an exact match.
if ("%{Realm}" !~ /(.*\.)?(rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk)$/) {
    update control {
        Proxy-To-Realm := 'eduroam'
    }
}
In the pre-proxy section of sites-available/default, uncomment operator-name:

sites-available/default

#operator-name

becomes

operator-name
But we don't want to send certain invalid realms on, so modify policy.d/filter.

/etc/freeradius/policy.d/filter

Add the two checks below to the existing filter_username policy:

filter_username {
    # ... existing checks ...

    # Reject usernames that are not entirely lower-case
    if (User-Name != "%{tolower:%{User-Name}}") {
        reject
    }

    # Reject usernames that carry no realm
    if (User-Name !~ /@/) {
        update reply {
            Reply-Message += "Rejected: Username has no realm"
        }
        reject
    }
}
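To see how the filter_username checks and the Proxy-To-Realm condition above fit together, here is the same decision logic modelled in Python. This is an added illustration, not FreeRADIUS code or anything from the original document; the usernames are constructed, and the two regexes are the page's pattern as written and an anchored variant, so that the difference unanchored matching makes can be observed directly.

```python
import re

# Model of the realm-routing decisions on this page (filter_username plus the
# Proxy-To-Realm condition). Illustrative Python, not FreeRADIUS code.

# The page's regex, transcribed. FreeRADIUS regex conditions are unanchored unless
# the pattern starts with '^', so re.search() reproduces the original behaviour.
PAGE_LOCAL_REALM_RE = re.compile(r"(.*\.)?(rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk)$")

# Anchored variant: only the two home realms and their sub-realms match.
ANCHORED_LOCAL_REALM_RE = re.compile(r"^(.*\.)?(rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk)$")


def is_local_realm(realm, pattern=ANCHORED_LOCAL_REALM_RE):
    """True if the realm is one we authenticate against our own AD."""
    return pattern.search(realm) is not None


def route_request(user_name, pattern=ANCHORED_LOCAL_REALM_RE):
    """Decide what the 'default' virtual server does with an Access-Request.

    Returns a (decision, detail) tuple:
      ("reject", reason)    filter_username rejected the User-Name
      ("local", realm)      realm is ours: authenticate via inner-tunnel / LDAP / ntlm_auth
      ("proxy", "eduroam")  anything else gets Proxy-To-Realm := 'eduroam' (the NRPS)
    """
    # filter_username, first added check: the name must already be lower-case.
    if user_name != user_name.lower():
        return ("reject", "username is not lower-case")
    # filter_username, second added check: there must be a realm.
    if "@" not in user_name:
        return ("reject", "Username has no realm")
    # The suffix realm module splits on the last '@'.
    stripped_user_name, realm = user_name.rsplit("@", 1)
    if is_local_realm(realm, pattern):
        return ("local", realm)
    return ("proxy", "eduroam")


if __name__ == "__main__":
    # Constructed sample usernames, not captured from a live server.
    for name in ("fred@rsc-wales.ac.uk", "fred@staff.rsc-cymru.ac.uk",
                 "fred@example.edu", "Fred@rsc-wales.ac.uk", "fred",
                 "fred@evilrsc-wales.ac.uk"):
        print("%-28s page regex: %-32s anchored: %s" % (
            name, route_request(name, PAGE_LOCAL_REALM_RE), route_request(name)))
```

Running it shows that with the page's pattern a realm such as evilrsc-wales.ac.uk is classed as local and never reaches the NRPS, whereas the anchored pattern proxies it; the two home realms and their sub-realms are handled identically by both.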
mods-enabled/eap

Ensure that the password matches the input_password / output_password in certs/ca.cnf and certs/server.cnf.

Change all instances of copy_request_to_tunnel = no to copy_request_to_tunnel = yes.

Change default_eap_type = md5 to default_eap_type = peap.

The following is a sample eap.conf file with all comments removed:

/etc/freeradius/mods-enabled/eap

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # must match input_password / output_password in certs/ca.cnf and certs/server.cnf
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            max_entries = 255
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
The following is a sample modules/mschap file with all comments removed:

/etc/freeradius/mods-enabled/mschap

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-rsc-wales.local} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
LDAP details

Update modules/ldap with your LDAP details. The following table lists the key details.

sudo ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled

/etc/freeradius/mods-enabled/ldap

server = dc0.rsc-wales.local
    This refers to one domain controller; within most AD environments there will be a number of DCs. Consider using domaindnszones.rsc-wales.local, or read the following article on FreeRADIUS and multiple LDAP servers: http://www.novell.com/support/kb/doc.php?id=3807164

identity = cn=ldap,cn=Users,dc=rsc-wales,dc=local
    This will be an account that you have created within your AD environment. It may be shared with other systems, but it shouldn't be an account used by users. You should ensure that it doesn't become disabled or removed: set Password Never Expires and User Cannot Change Password.

password
    This will be your password for the identity above.

basedn = cn=Users,dc=rsc-wales,dc=local
    You will need to search an ou (Organisational Unit) or cn (Container) within AD. You cannot search from the dc (domain) level. If you require multiple bases then this is similar to multiple servers; see http://www.novell.com/support/kb/doc.php?id=3807164

filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    This is an important bit that you will need to test for your environment. The example given should largely work in most AD environments, but you may not want to use sAMAccountName and may prefer to use mail or userPrincipalName. For the inner-tunnel authentication based on mschap, you will need to map to sAMAccountName.
Attribute files

When working with attribute filter files (attr_filter), remember to add a comma to the current last entry when appending more to the file. The comma is used as a separator and therefore isn't needed after the last entry.

Change the DEFAULT sections of the following two attr_filter files to the lists below; the other attributes in the stock DEFAULT section are not required by the eduroam specification, so we drop them all and allow only the ones that should be there.

/etc/freeradius/mods-config/attr_filter/pre-proxy

DEFAULT
	User-Name =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Proxy-State =* ANY,
	Operator-Name =* ANY,
	Class =* ANY,
	Calling-Station-Id =* ANY,
	Chargeable-User-Identity =* ANY

/etc/freeradius/mods-config/attr_filter/post-proxy

DEFAULT
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	MS-MPPE-Send-Key =* ANY,
	State =* ANY,
	Calling-Station-Id =* ANY,
	Operator-Name =* ANY,
	User-Name =* ANY,
	Class =* ANY,
	Chargeable-User-Identity =* ANY
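The effect of the pre-proxy DEFAULT list is easiest to see on a concrete request. The following added Python example (not part of the original document, and not the attr_filter module itself) parses an attr_filter entry in the file syntax shown above and applies it to a constructed Access-Request, so you can check which attributes would leave your server on the way to the NRPS. It models only the =* operator used on this page plus == and !*; the real module supports more.

```python
import re

# Constructed copy of the page's pre-proxy DEFAULT entry, in attr_filter file syntax
# (one un-indented key, then one "Attribute op value" rule per indented line, comma-separated).
PRE_PROXY_FILTER = """
DEFAULT
\tUser-Name =* ANY,
\tEAP-Message =* ANY,
\tMessage-Authenticator =* ANY,
\tState =* ANY,
\tProxy-State =* ANY,
\tOperator-Name =* ANY,
\tClass =* ANY,
\tCalling-Station-Id =* ANY,
\tChargeable-User-Identity =* ANY
"""

# Attribute name, operator, value. Only the operator used on this page (=*) plus the two
# most common extras (== and !*) are modelled; the real module knows more.
RULE_RE = re.compile(r"^\s*([\w-]+)\s*(=\*|!\*|==)\s*(\S+?),?\s*$")


def parse_attr_filter(text):
    """Parse attr_filter file text into {key: [(attribute, op, value), ...]}."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # un-indented line starts a new entry
            key = line.strip()
            entries[key] = []
            continue
        m = RULE_RE.match(line)
        if key is None or m is None:
            raise ValueError("bad attr_filter line: %r" % raw)
        entries[key].append((m.group(1), m.group(2), m.group(3)))
    return entries


def apply_filter(rules, attrs):
    """Return the (attribute, value) pairs that survive the filter.

    Semantics modelled: an attribute with no rule is dropped; '=* ANY' passes any value;
    '== v' passes only that value; '!*' always drops the attribute.
    """
    by_attr = {}
    for name, op, value in rules:
        by_attr.setdefault(name, []).append((op, value))
    kept = []
    for name, value in attrs:
        for op, wanted in by_attr.get(name, []):
            if op == "=*" or (op == "==" and value == wanted):
                kept.append((name, value))
                break
    return kept


# Constructed Access-Request as it might look before pre-proxy filtering.
SAMPLE_REQUEST = [
    ("User-Name", "fred@rsc-wales.ac.uk"),
    ("NAS-IP-Address", "192.168.1.1"),
    ("Framed-IP-Address", "192.168.1.23"),
    ("Calling-Station-Id", "00-11-22-33-44-55"),
    ("Called-Station-Id", "aa-bb-cc-dd-ee-ff:eduroam"),
    ("Operator-Name", "1rsc-wales.ac.uk"),
    ("EAP-Message", "0x02..."),
    ("Message-Authenticator", "0x00"),
]


def filtered_sample():
    """Apply the page's pre-proxy DEFAULT entry to the constructed request."""
    rules = parse_attr_filter(PRE_PROXY_FILTER)["DEFAULT"]
    return apply_filter(rules, SAMPLE_REQUEST)


if __name__ == "__main__":
    for name, value in filtered_sample():
        print("%-25s %s" % (name, value))
```

The internal NAS-IP-Address, Framed-IP-Address and Called-Station-Id values are dropped before the request leaves for the NRPS, while the attributes eduroam needs (User-Name, Operator-Name, Calling-Station-Id and the EAP payload) pass through.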
FreeRADIUS Virtual Servers (sites-enabled)

eduroam
    Provides the virtual router for all external authentication requests, i.e. your users when roaming elsewhere.
    Mostly default configuration.

default
    Provides a virtual router for all authentication at your site. This provides the default EAP (outer tunnel) as used by College clients locally and users that are roaming locally.
    Mostly default configuration with changes to allow LDAP. Sets the proxy to eduroam for all realms that are not local (the non-ystrad-mynach realms).

inner-tunnel
    Provides the MS-CHAP authentication for our local users, and redirects visited users to the eduroam virtual router.
    The majority of the configuration work has been in this file. Redirects to eduroam for non-ystrad-mynach realms.

Other FreeRADIUS configuration files

eap.conf
    Provides the default EAP configuration, defining the inner tunnels to use and the SSL certificate information.
    Minor changes to enable EAP, and for the certificate password.

certs/ca.cnf, certs/server.cnf
    Provide the configuration used by FreeRADIUS (and its certs/bootstrap script) to create a certificate and certificate authority when first running RADIUS.
    These are customised to each organisation to provide sensible information for users in the certificate and certificate authority. Under no circumstances should a production server be put on-line with these files left in their default state.

clients.conf
    Provides the IP address and shared secret for clients, including other RADIUS servers.
    We configure all clients here; this includes any full Wireless APs or, where using thin Wireless APs, just the controller. In addition, we also configure the JANET RADIUS servers; the configuration items for these are provided on the JRS support site.

modules/mschap
    MS-CHAP configuration. Changes to the ntlm_auth command only.

modules/ldap
    LDAP configuration. Significant configuration in this file with the usual LDAP details: username, password, base DN, server name and attribute.
Clients

You will need to add clients for all Wireless Access-Points, Wireless Access-Point Controllers, Network Switches or other RADIUS servers that need to communicate with this RADIUS server. In addition the JANET NRPS (National RADIUS Proxy Servers) will need to be configured here; the eduroam(UK) support page provides the relevant configuration snippet.

You may wish to define these as IP subnets if you have the majority of your APs in a single IP subnet. Be careful about using broader subnets, which may contain client machines or servers.

The following is an example entry for clients.conf. This defines a client for all hosts in 192.168.1.0/24 (or 192.168.1.*):

clients.conf

client 192.168.1.0/24 {
    secret = mysecret
}
Testing
If you would like to test on the command line, then use the following instructions to build rad_eap_test and eapol_test programs.
https://docs.google.com/a/jiscadvance.ac.uk/document/d/1NfB8JbUs-EhlHX-wLIsquoc7E8l4-FAqFyXOwvKGbE8/edit#heading=h.b5fil0xvkowd
Enable login with userPrincipalName and/or sAMAccountName

In mods-enabled/ldap, in the user section, change filter to:

filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(userPrincipalName=%{User-Name}))"

(This means that you can log in as either sAMAccountName@realm or userPrincipalName.)

Alternatively, set this to:

filter = "(userPrincipalName=%{User-Name})"

if you don't want to allow login as sAMAccountName, i.e. only allow userPrincipalName.

In the update section add:

request:Stripped-User-Name := 'sAMAccountName'

(We need to use the sAMAccountName for the inner tunnel, where you use the mschap module and the ntlm_auth command.)
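The two filter strings above interpolate the user-supplied name into an LDAP search filter. FreeRADIUS's ldap module escapes the %{...} expansions it substitutes into filter, so the configuration is safe as written; the following added Python example (not part of the original document) shows what the expanded filter actually looks like for both variants, including the RFC 4515 escaping, which is also what you need if you reproduce the lookup by hand with ldapsearch while debugging. The sample names are constructed, and split_suffix is a model of the suffix realm module.

```python
# Expansion and escaping of the two LDAP filters on this page, as illustrative Python.

LDAP_FILTER_SPECIALS = {0x00, 0x28, 0x29, 0x2a, 0x5c}   # NUL ( ) * \


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: specials (and non-ASCII bytes) become \\XX."""
    out = []
    for b in value.encode("utf-8"):
        if b in LDAP_FILTER_SPECIALS or b > 0x7f:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def split_suffix(user_name):
    """Model of the 'suffix' realm module: returns (Stripped-User-Name, Realm),
    both None when the name carries no '@'."""
    if "@" not in user_name:
        return None, None
    stripped, realm = user_name.rsplit("@", 1)
    return stripped, realm


def build_filter(user_name, stripped_user_name, allow_sam_account_name=True):
    """Expand the page's two filter strings.

    %{%{Stripped-User-Name}:-%{User-Name}} means: use Stripped-User-Name if it is set,
    otherwise fall back to the full User-Name.
    """
    sam = stripped_user_name if stripped_user_name else user_name
    upn_clause = "(userPrincipalName=%s)" % ldap_escape(user_name)
    if not allow_sam_account_name:
        # filter = "(userPrincipalName=%{User-Name})"
        return upn_clause
    # filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(userPrincipalName=%{User-Name}))"
    return "(|(sAMAccountName=%s)%s)" % (ldap_escape(sam), upn_clause)


def filter_for(user_name, allow_sam_account_name=True):
    """Run the suffix split and build the filter, as the module chain on the page would."""
    stripped, _realm = split_suffix(user_name)
    return build_filter(user_name, stripped, allow_sam_account_name)


if __name__ == "__main__":
    # Constructed sample names, including one containing LDAP filter metacharacters.
    for name in ("fred@rsc-wales.ac.uk", "fred.bloggs@rsc-wales.ac.uk", "*)(objectClass=*"):
        print(filter_for(name))
        print(filter_for(name, allow_sam_account_name=False))
```

The last sample shows why the escaping matters: without it the parentheses and asterisk would change the structure of the search filter rather than being compared as part of the account name.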