How to install and configure FreeRADIUS with Active Directory allow specific group of users to authenticate in Debian 10

serval years ago,I built freeradius server in centos 6 work with active directory. It works perfect with wifi authortication and ikev2 vpn authortication. But recently days, I found a bug that the radius server can not limit user access to a group in AD. So I’m trying to build a new freeradius server in debian 10. After a week work.At last I figure it out.

Install Software and configuration

First thing first, We need install a debian 10 server on your virtualization platform. currently, I installed a debian server on proxmox ve platform.

Basic Information

Name	Value
Domain Name	TESTING.LOCAL
NTDomain Name	TESTING
RADIUS HOSTNAME	MYRADIUS
DOMAIN CONTROLLER	MYDC02.TESTING.LOCAL
DOMAIN CONTROLLER	MYDC03.TESTING.LOCAL
DOMAIN GROUP	VPN_GROUP

Change Debian settings

Change hostname

hostnamectl set-hostname myradius

Sync NTP time with domain controller Install chrony

apt purge ntp
apt install -y  chrony

vi /etc/chrony/chrony.conf
#comment out `pool xxx iburst
server <ip_of_dc01> iburst
server <ip_of_dc02> iburst

restart chrony service and force update times

systemctl restart chrony
chronyc sources

Install samba and winbind and let Debian Host joined domain

Install samba,winbind,krb5-user

apt update && apt -y dist-ugprade
apt install -y samba winbind krb5-user
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

config samba config file

vi /etc/samba/smb.conf

In [global] section, change settings form

[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
  workgroup = WORKGROUP

[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of

   workgroup = TESTING
   realm = TESTING.LOCAL
   security = ads
   idmap config * : backend =tdb
   idmap config * : range = 3000-7999
   idmap config testing : backend = rid
   idmap config testing : range = 10000-999999
   winbind use default domain = true
   winbind offline logon = false

Modify /etc/nsswitch.conf

 vi /etc/nsswitch.conf

Change settings:

passwd:         files systemd 
group:          files systemd

passwd:         files systemd winbind
group:          files systemd winbind

Modify /etc/krb5.conf

[libdefaults]
   default_realm=TESTING.LOCAL
...
[realms]
   TESTING.LOCAL = {
       kdc = MYDC02.TESTING.LOCAL
       kdc = MYDC03.TESTING.LOCAL
       admin_server = TESTING.LOCAL
       default_domain = TESTING.LOCAL
   }
...
[domain_realm]
   .testing.local = TESTING.LOCAL
   testing.local = TESTING.LOCAL

Restart OS
```
reboot
```

Join domain

#net join -U mypoweruser
net ads join -U Administrator

Enter Administrator's password:
Using short domain name -- TESTING
Joined 'SMB' to dns domain ''
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Restart samba and winbind service
```
systemctl restart smbd winbind
```

Testing samba AD authentication:

Using winbind:

systemctl restart winbind
wbinfo -a <user>%<password>

You will get the following message if everything is correct:

plaintext password authentication succeeded
challenge/response password authentication succeeded

Using ntlm_auth:

ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>

Then you will got success message:

NT_STATUS_OK: Success (0x0)

Install freeradius

Install freeradius
```
apt install -y freeradius
```

Grant permission for freerad user on winbind’s socket:

sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/

Change MACHAP to use ntlm_auth:

vi /etc/freeradius/3.0/mods-available/ntlm_auth

change

program = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{mschap:User-Name} --password=%{User-Password}"

#if you want to limted to a specific domain group please modified as this:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME  --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP'  --username=%{mschap:User-Name} --password=%{User-Password}"

Change module mschap :

vi /etc/freeradius/3.0/mods-available/mschap

mschap { 
...
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Change eap config.

vi /etc/freeradius/3.0/mods-available/eap

Change settings of default_eap_type.

eap {
    default_eap_type = md5

eap {
    default_eap_type = mschapv2

Then restart freeradius service

systemctl restart freeradius

Change /etc/freeradius/3.0/sites-enabled/default and /etc/freeradius/3.0/sites-enabled/inner-tunnel
```
authenticate {
    ntlm_auth
```

Configure RADIUS client

vi /etc/freeradius/3.0/clients.conf

client 0.0.0.0/0 {
   secret  = myauthpassword
   shortname = "nas access"
}

restart service of freeradius
```
systemctl restart freeradius
```
Test FreeRADIUS and MSCHAP:

radtest -t mschap <user> <password> localhost 0 testing123

The results will be like:

Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
       User-Name = "user"
       MS-CHAP-Password = "password"
       NAS-IP-Address = 172.100.99.100
       NAS-Port = 0
       Message-Authenticator = 0x00
       Cleartext-Password = "password"
       MS-CHAP-Challenge = 0x163bc4c900360a08
       MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
       MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
       MS-MPPE-Encryption-Policy = Encryption-Allowed
       MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

Configure freeradius-ldap Auth with AD

To limited to auth a AD group, we need to config freeradius auth with ldap.

Install freeradius-ldap

apt install -y freeradius-ldap

Edit config

edit /etc/freeradius/3.0/mods-available/ldap

vi /etc/freeradius/3.0/mods-available/ldap

ldap {
     ...
    server = 'dc01.mydomain.local'
    server = 'dc02.mydomain.local'
    port = 389
    identity = 'aduser@mydomain.local'
    password = <mypassword>
    base_dn = 'dc=mydomain,dc=local'
    ... 
}
...
    update {
       control:Password-With-Header    += 'userPassword'
       control:NT-Password     := 'ntPassword'
       reply:Reply-Message     := 'radiusReplyMessage'
       reply:Tunnel-Type       := 'radiusTunnelType'
       reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'
       reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }
...
edir = no
...
}
...
user {
...
    base_dn = "${..base_dn}"
...
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    
...

create a link to mode-enable

ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/

edit /etc/freeradius/3.0/sites-available/default

vi /etc/freeradius/3.0/sites-available/default

...
authorize {
...
   ldap
   if ((ok || updated) && User-Password) {
       update {
           control:Auth-Type := ldap
       }
   }
...
authenticate {
...
       Auth-Type LDAP {
               ldap
       }
...
}
...
}

Restart freeradius service

systemctl restart freeradius
freeradius -fX

testing ldap auth

radtest <domain_accout> <password> localhost 0 testing123

Change /etc/freeradius/3.0/users to allow specific group VPN_GROUP of users to authenticate

vi /etc/freeradius/3.0/users

DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "VPN_GROUP"
...
DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
        Reply-Message = "Your are not permit to access VPN Connectiong"

Change MACHAP to use ntlm_auth:

vi /etc/freeradius/3.0/mods-available/ntlm_auth

change

#if you want to limted to a specific domain group please modified as this:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME  --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP'  --username=%{mschap:User-Name} --password=%{User-Password}"

Install mysql,daloradius to make management freeradius with web access

Install mariadb database

apt install -y mariadb-server

Renew certficiation

We purchased godaddy certification, so we will replace ssl certification

backup default eap configure file

cp /etc/freeradius/3.0/mods-enabled/eap /etc/freeradius/3.0/mods-enabled/eap.backup

Place pem file to /etc/freeradius/3.0/certs/mycerts
```
ls -al /etc/freeradius/3.0/certs/mycerts
```

-rw-r–r– 1 root root 1728 Feb 21 11:11 mycerts-ca.pem -rw-r–r– 1 root root 1704 Feb 21 11:09 mycerts.key -rw-r–r– 1 root root 2248 Feb 21 11:13 mycerts.pem

- Convert crt to pem

```bash
openssl x509 -in mycert-ca.crt -out mycert-ca.pem -outform PEM

Modified /etc/freeradius/3.0/mods-enabled/eap file.

  tls-config tls-common {
      #private_key_password = whatever
      private_key_file = /etc/freeradius/3.0/certs/vpn.grapecity.com.cn/mycerts.key

… certificate_file = /etc/freeradius/3.0/certs/vpn.grapecity.com.cn/mycerts.pem … ca-file = /etc/freeradius/3.0/certs/vpn.grapecity.com.cn/mycerts-ca.pem


- Restart freeradius service.

```bash
systemctl restart freeradius

How to Install and Configure Freeradius With Active Directory Allow Allow Specific Group of Users to Authenticate in Debian 10