How to install and configure FreeRADIUS with Active Directory on Debian 10 so that only a specific group of users can authenticate
Several years ago, I built a FreeRADIUS server on CentOS 6 working with Active Directory. It worked perfectly for Wi-Fi authentication and IKEv2 VPN authentication. But recently I found a bug: the RADIUS server could not limit user access to a group in AD. So I tried to build a new FreeRADIUS server on Debian 10. After a week of work, I finally figured it out.
Install Software and configuration
First things first, we need to install a Debian 10 server on your virtualization platform. Currently, I have a Debian server installed on the Proxmox VE platform.
Basic Information
| Name | Value |
|---|---|
Domain Name | TESTING.LOCAL |
NTDomain Name | TESTING |
RADIUS HOSTNAME | MYRADIUS |
DOMAIN CONTROLLER | MYDC02.TESTING.LOCAL |
DOMAIN CONTROLLER | MYDC03.TESTING.LOCAL |
DOMAIN GROUP | VPN_GROUP |
Change Debian settings
- Change the hostname:

```
hostnamectl set-hostname myradius
```

- Sync NTP time with the domain controllers. Install chrony:

```
apt purge ntp
apt install -y chrony
vi /etc/chrony/chrony.conf
```

```
# comment out the `pool xxx iburst` line
server <ip_of_dc01> iburst
server <ip_of_dc02> iburst
```

Restart the chrony service and force a time update:

```
systemctl restart chrony
chronyc sources
```
Install samba and winbind and let Debian Host joined domain
- Install samba, winbind and krb5-user:

```
apt update && apt -y dist-upgrade
apt install -y samba winbind krb5-user
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
```
- Edit the Samba config file:

```
vi /etc/samba/smb.conf
```

In the `[global]` section, change the settings from

```
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
```

to

```
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = TESTING
realm = TESTING.LOCAL
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config testing : backend = rid
idmap config testing : range = 10000-999999
winbind use default domain = true
winbind offline logon = false
```
- Modify `/etc/nsswitch.conf`:

```
vi /etc/nsswitch.conf
```

Change the settings from

```
passwd: files systemd
group: files systemd
```

to

```
passwd: files systemd winbind
group: files systemd winbind
```
- Modify `/etc/krb5.conf`:

```
[libdefaults]
default_realm = TESTING.LOCAL
...
[realms]
TESTING.LOCAL = {
    kdc = MYDC02.TESTING.LOCAL
    kdc = MYDC03.TESTING.LOCAL
    admin_server = TESTING.LOCAL
    default_domain = TESTING.LOCAL
}
...
[domain_realm]
.testing.local = TESTING.LOCAL
testing.local = TESTING.LOCAL
```
- Restart the OS:

```
reboot
```

- Restart the samba and winbind services:

```
systemctl restart smbd winbind
```

- Join the domain:

```
# net join -U mypoweruser
net ads join -U Administrator
```

Output (the join succeeds even though the DNS update fails):

```
Enter Administrator's password:
Using short domain name -- TESTING
Joined 'SMB' to dns domain ''
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
```

- Restart winbind:

```
systemctl restart winbind
```

- Test Samba AD authentication:

- Using winbind:

```
systemctl restart winbind
wbinfo -a <user>%<password>
```

You will get the following message if everything is correct:

```
plaintext password authentication succeeded
challenge/response password authentication succeeded
```

- Using ntlm_auth:

```
ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>
```

Then you will get a success message:

```
NT_STATUS_OK: Success (0x0)
```
Install freeradius
- Install freeradius:

```
apt install -y freeradius
```

- Grant the `freerad` user permission on winbind's privileged socket:

```
sudo usermod -a -G winbindd_priv freerad
sudo chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
```
- Change MS-CHAP to use ntlm_auth:

```
vi /etc/freeradius/3.0/mods-available/ntlm_auth
```

Change the `program` line to:

```
program = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{mschap:User-Name} --password=%{User-Password}"
# if you want to limit authentication to a specific domain group, modify it like this:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP' --username=%{mschap:User-Name} --password=%{User-Password}"
```
- Change the mschap module:

```
vi /etc/freeradius/3.0/mods-available/mschap
```

```
mschap {
    ...
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    ...
}
```
- Change the EAP config:

```
vi /etc/freeradius/3.0/mods-available/eap
```

Change the setting of `default_eap_type` from

```
eap {
    default_eap_type = md5
```

to

```
eap {
    default_eap_type = mschapv2
```

Then restart the freeradius service:

```
systemctl restart freeradius
```
- Change `/etc/freeradius/3.0/sites-enabled/default` and `/etc/freeradius/3.0/sites-enabled/inner-tunnel` so that the `authenticate` section calls `ntlm_auth`:

```
authenticate {
    ...
    ntlm_auth
    ...
}
```
- Configure the RADIUS client (in `/etc/freeradius/3.0/clients.conf`):

```
client 0.0.0.0/0 {
    secret = myauthpassword
    shortname = "nas access"
}
```

Note that `0.0.0.0/0` accepts requests from any source address that knows the shared secret; in production, restrict the client definition to the NAS addresses or subnet instead.

- Restart the freeradius service:

```
systemctl restart freeradius
```
Test FreeRADIUS and MS-CHAP:

```
radtest -t mschap <user> <password> localhost 0 testing123
```

The result will look like:

```
Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
    User-Name = "user"
    MS-CHAP-Password = "password"
    NAS-IP-Address = 172.100.99.100
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "password"
    MS-CHAP-Challenge = 0x163bc4c900360a08
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
    MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
    MS-MPPE-Encryption-Policy = Encryption-Allowed
    MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
```
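As an added example (not part of the original post), the following Python script wraps the two checks used above, `ntlm_auth` and `radtest`, so the whole AD, winbind and FreeRADIUS chain can be re-run after every configuration change. It assumes both tools are on PATH, that the server listens on localhost with the `testing123` secret from the radtest command, and that the success strings look like the output shown above. The sample outputs embedded in it are constructed from those lines; the `NT_STATUS_LOGON_FAILURE` sample is a constructed failure line whose exact message text varies by Samba version. The parsers are pure functions and work offline; only running the script directly invokes the tools.

```python
"""Smoke test for the AD -> winbind -> FreeRADIUS chain (added example)."""
import re
import subprocess
import sys
from typing import Optional

# Sample tool output, constructed from the lines shown in the post, so the
# parsers can be exercised without a domain controller or a RADIUS server.
SAMPLE_NTLM_OK = "NT_STATUS_OK: Success (0x0)\n"
# Constructed failure line; the message text differs between Samba versions.
SAMPLE_NTLM_FAIL = "NT_STATUS_LOGON_FAILURE: The attempted logon is invalid. (0xc000006d)\n"
SAMPLE_RADTEST_ACCEPT = """Sent Access-Request Id 9 from 0.0.0.0:59244 to 127.0.0.1:1812 length 134
\tUser-Name = "user"
\tMS-CHAP-Password = "password"
Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
\tMS-MPPE-Encryption-Policy = Encryption-Allowed
\tMS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
"""
SAMPLE_RADTEST_REJECT = """Sent Access-Request Id 10 from 0.0.0.0:41000 to 127.0.0.1:1812 length 134
\tUser-Name = "user"
Received Access-Reject Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
\tReply-Message = "Your are not permit to access VPN Connectiong"
"""


def parse_ntlm_auth(output: str) -> bool:
    """True only when ntlm_auth reports NT_STATUS_OK, as in the post's success line."""
    return output.strip().startswith("NT_STATUS_OK")


def parse_radtest(output: str) -> dict:
    """Extract the reply code, packet id and reply attributes from radtest output.

    Attributes printed before the 'Received ...' line belong to the request
    (they include the cleartext password) and are deliberately not collected.
    """
    result = {"code": None, "id": None, "attributes": {}}
    in_reply = False
    for line in output.splitlines():
        m = re.match(r"Received (Access-\w+) Id (\d+)", line)
        if m:
            result["code"], result["id"] = m.group(1), int(m.group(2))
            in_reply = True
            continue
        if in_reply:
            m = re.match(r"\s+([\w-]+) = (.*)", line)
            if m:
                result["attributes"][m.group(1)] = m.group(2).strip().strip('"')
    return result


def check_outcome(output: str, expect_accept: bool) -> bool:
    """Compare the reply code with the expected outcome; a missing reply
    (timeout, wrong shared secret) counts as a failure either way."""
    wanted = "Access-Accept" if expect_accept else "Access-Reject"
    return parse_radtest(output)["code"] == wanted


def run_ntlm_auth(domain: str, user: str, password: str,
                  group: Optional[str] = None) -> bool:
    """Run ntlm_auth exactly as the post does; with a group, add the
    --require-membership-of restriction. The password is visible in the
    process list for the duration of the call, as with the manual command."""
    cmd = ["/usr/bin/ntlm_auth", "--request-nt-key", f"--domain={domain}",
           f"--username={user}", f"--password={password}"]
    if group:
        cmd.append(f"--require-membership-of={domain}\\{group}")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_ntlm_auth(proc.stdout)


def run_radtest(user: str, password: str, secret: str = "testing123",
                host: str = "localhost") -> dict:
    """Send an MS-CHAP Access-Request via radtest, as in the post."""
    cmd = ["radtest", "-t", "mschap", user, password, host, "0", secret]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_radtest(proc.stdout)


if __name__ == "__main__":
    # usage: smoke.py DOMAIN USER PASSWORD [GROUP] [accept|reject]
    if len(sys.argv) < 4:
        sys.exit("usage: DOMAIN USER PASSWORD [GROUP] [accept|reject]")
    domain, user, password = sys.argv[1:4]
    group = sys.argv[4] if len(sys.argv) > 4 else None
    expect_accept = (sys.argv[5] if len(sys.argv) > 5 else "accept") == "accept"
    print("ntlm_auth:", "OK" if run_ntlm_auth(domain, user, password, group) else "FAIL")
    reply = run_radtest(user, password)
    print("radtest:", reply["code"], reply["attributes"].get("Reply-Message", ""))
    ok = reply["code"] == ("Access-Accept" if expect_accept else "Access-Reject")
    sys.exit(0 if ok else 1)
```

Once the group restriction from the later sections is in place, run it twice: with a member of the group expecting `accept`, and with a non-member expecting `reject`. A non-member getting Access-Accept is exactly the behaviour this post set out to fix, so the negative case is the one worth keeping in a regular check.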
Configure freeradius-ldap Auth with AD
To limit authentication to an AD group, we need to configure FreeRADIUS to authenticate against LDAP.

- Install freeradius-ldap:

```
apt install -y freeradius-ldap
```
Edit config

- Edit `/etc/freeradius/3.0/mods-available/ldap`:

```
vi /etc/freeradius/3.0/mods-available/ldap
```

```
ldap {
    ...
    server = 'dc01.mydomain.local'
    server = 'dc02.mydomain.local'
    port = 389
    identity = 'aduser@mydomain.local'
    password = <mypassword>
    base_dn = 'dc=mydomain,dc=local'
    ...
}
...
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'ntPassword'
    reply:Reply-Message := 'radiusReplyMessage'
    reply:Tunnel-Type := 'radiusTunnelType'
    reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
    reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
    # Where only a list is specified as the RADIUS attribute,
    # the value of the LDAP attribute is parsed as a valuepair
    # in the same format as the 'valuepair_attribute' (above).
    control: += 'radiusControlAttribute'
    request: += 'radiusRequestAttribute'
    reply: += 'radiusReplyAttribute'
}
...
edir = no
...
}
...
user {
    ...
    base_dn = "${..base_dn}"
    ...
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ...
```

With `port = 389` the bind `identity` and `password` travel to the domain controllers over plain LDAP. FreeRADIUS 3's ldap module can enable `start_tls = yes` in its `tls { }` subsection (or use LDAPS on port 636), which is advisable anywhere outside a lab.
- Create a link in mods-enabled:

```
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
```
- Edit `/etc/freeradius/3.0/sites-available/default`:

```
vi /etc/freeradius/3.0/sites-available/default
```

```
...
authorize {
    ...
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    ...
}
...
authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
    ...
}
...
```
- Restart the freeradius service (or run it in the foreground with debugging to watch the LDAP lookups):

```
systemctl restart freeradius
freeradius -fX
```

Testing LDAP auth:

```
radtest <domain_account> <password> localhost 0 testing123
```
- Change `/etc/freeradius/3.0/users` to allow only users in the group `VPN_GROUP` to authenticate:

```
vi /etc/freeradius/3.0/users
```

```
DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "VPN_GROUP"
...
DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
    Reply-Message = "Your are not permit to access VPN Connectiong"
```
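The two `DEFAULT` entries rely on how the files module walks the users file: check items with `==` and `!=` decide whether an entry matches, `=` sets a control attribute only if it is not already set, `:=` always sets it, and the first matching entry wins unless it says `Fall-Through`. As an added example (not from the post or from FreeRADIUS itself), this Python model parses a constructed copy of the two entries above and shows which one applies for a member and for a non-member of `VPN_GROUP`. It assumes `LDAP-Group` (resolved by the ldap module) and `Group` (resolved by the unix module through winbind) both amount to the user's list of AD group names, and it ignores `Fall-Through` because the post's entries do not use it.

```python
"""Model of how the FreeRADIUS files module applies the two DEFAULT entries
above (added example, not from the post or the FreeRADIUS project)."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    name: str          # user name or DEFAULT
    checks: list       # (attribute, operator, value) from the first line
    replies: list      # (attribute, value) from the indented lines


# Constructed copy of the two entries from the post's users file; the "..."
# between them is omitted and the Reply-Message belongs to the second entry.
USERS_FILE = '''
DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "VPN_GROUP"

DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
    Reply-Message = "Your are not permit to access VPN Connectiong"
'''

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def parse_items(text: str) -> list:
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text: str) -> list:
    """An unindented line starts an entry; indented lines are its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            entries[-1].replies.extend((a, v) for a, _, v in parse_items(line))
        else:
            name, _, rest = line.partition(' ')
            entries.append(Entry(name, parse_items(rest), []))
    return entries


def _holds(request: dict, attr: str, op: str, value: str) -> bool:
    """Comparison items. The constructed request carries LDAP-Group and Group
    as a list of the user's AD group names (assumption, see lead-in)."""
    groups = request.get(attr, [])
    groups = [groups] if isinstance(groups, str) else groups
    return (value in groups) if op == '==' else (value not in groups)


def evaluate(entries: list, request: dict, username: str) -> tuple:
    """First matching entry wins (no Fall-Through in the post's entries).
    ':=' always sets the control attribute; '=' sets it only if unset."""
    control, reply = {}, {}
    for e in entries:
        if e.name not in ('DEFAULT', username):
            continue
        comparisons = [c for c in e.checks if c[1] in ('==', '!=')]
        if not all(_holds(request, a, op, v) for a, op, v in comparisons):
            continue
        for a, op, v in e.checks:
            if op == ':=' or (op == '=' and a not in control):
                control[a] = v
        reply.update(e.replies)
        return control, reply
    return control, reply


ENTRIES = parse_users(USERS_FILE)


def decide(groups: list) -> tuple:
    """Outcome for a constructed user whose resolved AD groups are `groups`:
    returns (Auth-Type, Reply-Message)."""
    control, reply = evaluate(ENTRIES, {"LDAP-Group": groups, "Group": groups}, "alice")
    return control.get("Auth-Type"), reply.get("Reply-Message")


if __name__ == "__main__":
    print("member:    ", decide(["Domain Users", "VPN_GROUP"]))
    print("non-member:", decide(["Domain Users"]))
```

A member of `VPN_GROUP` stops at the first entry with `Auth-Type` set to `ntlm_auth`; everyone else falls through to the second entry, which forces `Auth-Type := Reject` and attaches the `Reply-Message`. Because the first entry does not match non-members, the order of the two entries is what makes the reject unconditional for them.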
- Change MS-CHAP to use ntlm_auth with the group restriction:

```
vi /etc/freeradius/3.0/mods-available/ntlm_auth
```

Change the `program` line as follows:

```
# if you want to limit authentication to a specific domain group, modify it like this:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP' --username=%{mschap:User-Name} --password=%{User-Password}"
```
Install MySQL and daloRADIUS to manage FreeRADIUS through a web interface

- Install the MariaDB database:

```
apt install -y mariadb-server
```