How to install and configure FreeRADIUS with Active Directory allow specific group of users to authenticate in Debian 10

serval years ago,I built freeradius server in centos 6 work with active directory. It works perfect with wifi authortication and ikev2 vpn authortication. But recently days, I found a bug that the radius server can not limit user access to a group in AD. So I’m trying to build a new freeradius server in debian 10. After a week work.At last I figure it out.

Install Software and configuration

First thing first, We need install a debian 10 server on your virtualization platform. currently, I installed a debian server on proxmox ve platform.

Basic Information

Name Value
Domain Name TESTING.LOCAL
NTDomain Name TESTING
RADIUS HOSTNAME MYRADIUS
DOMAIN CONTROLLER MYDC02.TESTING.LOCAL
DOMAIN CONTROLLER MYDC03.TESTING.LOCAL
DOMAIN GROUP VPN_GROUP

Change Debian settings

  • Change hostname
hostnamectl set-hostname myradius
  • Sync NTP time with domain controller Install chrony
apt purge ntp
apt install -y  chrony
vi /etc/chrony/chrony.conf
#comment out `pool xxx iburst
server <ip_of_dc01> iburst
server <ip_of_dc02> iburst

restart chrony service and force update times

systemctl restart chrony
chronyc sources

Install samba and winbind and let Debian Host joined domain

  • Install samba,winbind,krb5-user
apt updatee && apt -y dist-ugprade
apt install -y samba winbind krb5-user
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
  • config samba config file
vi /etc/samba/smb.conf

In [global] section, change settings form

[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
  workgroup = WORKGROUP

to

[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of

   workgroup = TESTING
   realm = TESTING.LOCAL
   security = ads
   idmap config * : backend =tdb
   idmap config * : range = 3000-7999
   idmap config testing : backend = rid
   idmap config testing : range = 10000-999999
   winbind use default domain = true
   winbind offline logon = false
  • Modify /etc/nsswitch.conf
 vi /etc/nsswitch.conf

Change settings:

passwd:         files systemd 
group:          files systemd 

to

passwd:         files systemd winbind
group:          files systemd winbind
  • Modify /etc/krb5.conf
[libdefaults]
   default_realm=TESTING.LOCAL
...
[realms]
   TESTING.LOCAL = {
       kdc = MYDC02.TESTING.LOCAL
       kdc = MYDC03.TESTING.LOCAL
       admin_server = TESTING.LOCAL
       default_domain = TESTING.LOCAL
   }
...
[domain_realm]
   .testing.local = TESTING.LOCAL
   testing.local = TESTING.LOCAL
  • Restart OS

    reboot
    
  • Restart samba and winbind service

    systemctl restart smbd winbind
    
  • Join domain

    #net join -U mypoweruser
    net ads join -U Administrator
    
    Enter Administrator's password:
    Using short domain name -- TESTING
    Joined 'SMB' to dns domain ''
    No DNS domain configured for smb. Unable to perform DNS Update.
    DNS update failed: NT_STATUS_INVALID_PARAMETER
    
  • Restart winbind

    systemctl restart winbind
    
  • Testing samba AD authentication:

    • Using winbind:
    systemctl restart winbind
    wbinfo -a <user>%<password>
    

    You will get the following message if everything is correct:

    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    
    • Using ntlm_auth:
    ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>
    

    Then you will got success message:

    NT_STATUS_OK: Success (0x0)
    

Install freeradius

  • Install freeradius

    apt install -y freeradius
    
  • Grant permission for freerad user on winbind’s socket:

    sudo usermod -a -G winbindd_priv freerad
    sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
    
  • Change MACHAP to use ntlm_auth:

    vi /etc/freeradius/3.0/mods-available/ntlm_auth
    

    change

    program = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{mschap:User-Name} --password=%{User-Password}"
    
  • Change module mschap :

    vi /etc/freeradius/3.0/mods-available/mschap
    
    mschap { 
    ...
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    
  • Change eap config.

    vi /etc/freeradius/3.0/mods-available/eap
    

    Change settings of default_eap_type.

    eap {
        default_eap_type = md5
    

    to

    eap {
        default_eap_type = mschapv2
    

    Then restart freeradius service

    systemctl restart freeradius
    
  • Change /etc/freeradius/3.0/sites-enabled/default and /etc/freeradius/3.0/sites-enabled/inner-tunnel

    authenticate {
        ntlm_auth
    
  • Configure RADIUS client

    client 0.0.0.0/0 {
       secret  = myauthpassword
       shortname = "nas access"
    }
    
  • restart service of freeradius

    systemctl restart freeradius
    

    Test FreeRADIUS and MSCHAP:

radtest -t mschap <user> <password> localhost 0 testing123

The results will be like:

Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
       User-Name = "user"
       MS-CHAP-Password = "password"
       NAS-IP-Address = 172.100.99.100
       NAS-Port = 0
       Message-Authenticator = 0x00
       Cleartext-Password = "password"
       MS-CHAP-Challenge = 0x163bc4c900360a08
       MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
       MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
       MS-MPPE-Encryption-Policy = Encryption-Allowed
       MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

Configure freeradius-ldap Auth with AD

To limited to auth a AD group, we need to config freeradius auth with ldap.

  • Install freeradius-ldap
apt install -y freeradius-ldap

Edit config

  • edit /etc/freeradius/3.0/mods-available/ldap
vi /etc/freeradius/3.0/mods-available/ldap
ldap {
     ...
    server = 'dc01.mydomain.local'
    server = 'dc02.mydomain.local'
    port = 389
    identity = 'aduser@mydomain.local'
    password = <mypassword>
    base_dn = 'dc=mydomain,dc=local'
    ... 
}
...
    update {
       control:Password-With-Header    += 'userPassword'
       control:NT-Password     := 'ntPassword'
       reply:Reply-Message     := 'radiusReplyMessage'
       reply:Tunnel-Type       := 'radiusTunnelType'
       reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'
       reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }
...
edir = no
...
}
...
user {
...
    base_dn = "${..base_dn}"
...
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    
...
  • create a link to mode-enable
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
  • edit /etc/freeradius/3.0/sites-available/default
vi /etc/freeradius/3.0/sites-available/default
...
authorize {
...
   ldap
   if ((ok || updated) && User-Password) {
       update {
           control:Auth-Type := ldap
       }
   }
...
authenticate {
...
       Auth-Type LDAP {
               ldap
       }
...
}
...
}
  • Restart freeradius service
systemctl restart freeradius
freeradius -fX

testing ldap auth

radtest <domain_accout> <password> localhost 0 testing123
  • Change /etc/freeradius/3.0/users to allow specific group VPN_GROUP of users to authenticate
vi /etc/freeradius/3.0/users
DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "VPN_GROUP"
...
DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
        Reply-Message = "Your are not permit to access VPN Connectiong"

Install mysql,daloradius to make management freeradius with web access

  • Install mariadb database
apt install -y mariadb-server

Reference

  1. WPA2 Enterprise with FreeRADIUS and AD integration on Ubuntu16.04
  2. 调试freeradius 3.0 与microsoft AD通过LDAP认证的笔记
  3. Configure FreeRADIUS with Active Driectory allow specific group of users to authenticate
  4. Join in Windows Active Directory Domain with Samba Winbind.