Freeradius Active Directory Integration
This document explains how to use Freeradius 2 with Microsoft Active Directory as an authentication server.
At the time of writing this document, the software used was:
- Microsoft Windows Server 2003 R2 SP2
- Alpine 2.0.2
- freeradius-2.1.10-r7
- freeradius-postgresql-2.1.10-r7
Join the domain
Install Samba, winbind and Kerberos:
# apk add samba winbind heimdal
Edit /etc/samba/smb.conf. Replace tags "<...>" with appropriate values for your environment:
[global]
    workgroup = <MYWORKGROUP>
    # change the netbios name as desired
    netbios name = RADIUS
    realm = <MYREALM>
    server string =
    security = ads
    encrypt passwords = yes
    password server = <DCNAME>.<MYDOMAIN>
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = False
    local master = No
    domain master = False
    dns proxy = No
    # use uids from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use gids from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    # If you don't use SMB signing
    # change the following setting to "no"
    client use spnego = yes
Edit /etc/krb5.conf. Replace tags "<...>" with values appropriate to your environment. Make sure you retain upper/lower case when replacing tags (the realm is upper case, the DNS domain lower case). Note that realm names in [domain_realm] carry no leading dot:
[libdefaults]
    default_realm = <MYREALM>

[realms]
    <MYREALM> = {
        kdc = <DCNAME>.<MYDOMAIN>
        default_domain = <MYDOMAIN>
    }

[domain_realm]
    .<mydomain> = <MYREALM>
    <mydomain> = <MYREALM>
In /etc/conf.d/samba, set:
daemon_list="winbindd"
Set autostart:
# rc-update add samba default
Join the domain:
# net ads join -S <DCNAME>.<MYDOMAIN> -U Administrator
You should get a message that you have joined the domain.
Start winbind:
# rc-service samba start
Check that AD integration works:
# wbinfo -u
You should get the list of all your domain users.
Configure Freeradius
Install freeradius-postgres:
# apk add freeradius-postgres
Edit /etc/raddb/sql.conf to match the settings of your PostgreSQL server:
server = "<fqdn>"
login = "<username>"
password = "<password>"
PostgreSQL can be configured using the scripts found in /etc/raddb/sql/postgres/*.sql.
In addition to the scripts above, you should run the following statements against the radius database (replace "<user>" with the PostgreSQL user FreeRADIUS connects to the radius database as); without them the inserts into radpostauth and radacct fail because the user cannot draw values from the sequences:
GRANT USAGE ON SEQUENCE radpostauth_id_seq TO <user>;
GRANT USAGE ON SEQUENCE radacct_radacctid_seq TO <user>;
Create/Edit /etc/raddb/modules/ntlm_auth. Replace "MYDOMAIN" with your domain name:
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
You have to list ntlm_auth in the authenticate section of both /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel:
authenticate {
    ...
    ntlm_auth
    ...
}
Add the following line to the top of /etc/raddb/users, so that requests without another matching Auth-Type go to ntlm_auth:
DEFAULT Auth-Type = ntlm_auth
Open the mschap module configuration in /etc/raddb/modules/mschap and look for the line starting with ntlm_auth =. It is commented out by default. Uncomment it and edit it as follows (replace "MYDOMAIN" with your domain name):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Configure your clients by editing /etc/raddb/clients.conf.
Start radius in debug mode in order to check that everything works:
# radiusd -X
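While radiusd -X is running, the quickest check of the ntlm_auth path is a PAP Access-Request from a host listed in clients.conf. The following minimal RADIUS client is an added example, not code from the page or from FreeRADIUS; it assumes the server on 127.0.0.1:1812, a client secret of testing123 and a domain user jdoe (all constructed values). It also verifies the Response Authenticator, so a reply forged without the shared secret is not counted as success.

```python
# Minimal RADIUS PAP test client (RFC 2865); added example, server/secret/user are constructed.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request carrying User-Name and the obfuscated User-Password."""
    user_b = user.encode()
    attrs = struct.pack("BB", USER_NAME, 2 + len(user_b)) + user_b
    enc = encrypt_password(password.encode(), secret, authenticator)
    attrs += struct.pack("BB", USER_PASSWORD, 2 + len(enc)) + enc
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def response_authenticator(header, authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + authenticator + attrs + secret).digest()

def response_is_accept(resp, authenticator, secret, ident):
    """Accept only if code, identifier and the Response Authenticator all check out."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(resp[:4], authenticator, resp[20:length], secret)
    return code == ACCESS_ACCEPT and rid == ident and resp[4:20] == expected

def check_auth(server, secret, user, password, timeout=3.0):
    """Send one Access-Request; True only on a verified Access-Accept."""
    authenticator = os.urandom(16)  # Request Authenticator must be unpredictable
    req = build_access_request(1, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        resp, _ = s.recvfrom(4096)
    return response_is_accept(resp, authenticator, secret, 1)

if __name__ == "__main__":
    print(check_auth("127.0.0.1", b"testing123", "jdoe", "Passw0rd"))
```

Because this is PAP, the user's password crosses the wire protected only by the MD5-based obfuscation keyed on the shared secret, which is why the secret must be strong and the RADIUS traffic kept off untrusted networks.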
If everything is OK, press Ctrl+C to stop the debug instance, then enable the service at boot and start it:
# rc-update add freeradius default
# rc-service freeradius start
Accounting into SQL is not enabled by default. In /etc/raddb/sites-enabled/default, uncomment "sql" in the accounting section:
accounting {
    ...
    sql
    ...
}