freeradius with freeipa

FreeRADIUS Server as a frontend to FreeIPA

Install the required FreeRADIUS packages:

    [root@ipa ~]# yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5

All the FreeRADIUS configuration files are in /etc/raddb. Most of the configuration is done by symlinking files from the mods-available directory into the mods-enabled directory and then editing them as needed.

Add the following lines at the beginning of clients.conf:

    client localnet {
            ipaddr = 192.168.1.0/24
            proto = *
            secret = somesecret
            nas_type = other        # localhost isn't usually a NAS...
            limit {
                    max_connections = 16
                    lifetime = 0
                    idle_timeout = 30
            }
    }

In sites-enabled/default and sites-enabled/inner-tunnel replace this line:

    #  The ldap module reads passwords from the LDAP database.
    -ldap

with these lines:

    #  The ldap module reads passwords from the LDAP database.
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }

and uncomment the following lines:

    #       Auth-Type LDAP {
    #               ldap
    #       }

Add LDAP to the enabled mods:

    [root@ipa raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

Edit mods-enabled/ldap and change:

    server = 'ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org'

    ...

    #   base_dn = 'dc=example,dc=org'

to:

    server = 'ipa.foobar.com'

    ...

    base_dn = 'cn=accounts,dc=foobar,dc=com'

Add the required ports to the firewall:

    [root@ipa ~]# firewall-cmd --permanent --add-port=1812/udp --add-port=1813/udp
    [root@ipa ~]# firewall-cmd --reload

Generate /etc/raddb/certs/server.pem:

    cd /etc/raddb/certs
    ./bootstrap

Test the RADIUS server by starting it in debug mode with the following command:

    [root@ipa ~]# radiusd -X
    ...
    Listening on auth address * port 1812 as server default
    Listening on acct address * port 1813 as server default
    Listening on auth address :: port 1812 as server default
    Listening on acct address :: port 1813 as server default
    Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
    Opening new proxy socket 'proxy address * port 0'
    Listening on proxy address * port 36752
    Ready to process requests

Open another shell and test the RADIUS server:

    [root@ipa ~]# radtest test password123456 ipa.foobar.com 1812 somesecret
    Sending Access-Request Id 105 from 0.0.0.0:44729 to 192.168.1.10:1812
        User-Name = 'test'
        User-Password = 'password123456'
        NAS-IP-Address = 192.168.1.10
        NAS-Port = 1812
        Message-Authenticator = 0x00
    Received Access-Accept Id 105 from 192.168.1.10:1812 to 192.168.1.10:44729 length 20

If an Access-Accept response is received, the RADIUS server is working as intended. Stop the debug server with Ctrl-C, then enable the server daemon and start it:

    [root@ipa ~]# systemctl enable --now radiusd
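To show what radtest put on the wire in the exchange above (PAP, protected only by the shared secret from clients.conf), here is an added example that is not part of this page or of FreeRADIUS: it builds the Access-Request by hand, hides the password per RFC 2865, fills in the Message-Authenticator that radtest printed as a zero placeholder, and verifies the Access-Accept against the request authenticator. The user, secret, id and 192.168.1.10 address are taken from the radtest output above; the fixed authenticator used in the test is constructed.

```python
# Hand-built RADIUS Access-Request / Access-Accept (RFC 2865, RFC 2869), PAP as radtest used above.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80

def attr(kind, value):
    """One type-length-value attribute; the length byte covers the two header bytes."""
    return bytes([kind, len(value) + 2]) + value

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_unhide(hidden, secret, authenticator):
    """What the server does; only the shared secret protects the password on the wire."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident, user, password, secret, nas_ip, nas_port, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # must be fresh and unpredictable
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attr(NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack(">I", nas_port))
             + attr(MSG_AUTH, b"\x00" * 16))          # zero placeholder, as radtest printed it
    pkt = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 over the packet with the zeroed placeholder, then fill it in
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def access_accept(ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_ok(resp, request_authenticator, secret):
    """Reject replies that were not produced with the shared secret for this exact request."""
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)
```

A 20-byte Access-Accept, as in the output above, carries no attributes at all; its authenticity rests entirely on the Response Authenticator and therefore on the secret.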

Getting LDAP groups to work with FreeRADIUS

Add this line at the bottom of the /etc/raddb/users file:

    DEFAULT LDAP-Group == 'cn=radius,cn=groups,cn=accounts,dc=foobar,dc=com'

In the /etc/raddb/sites-enabled/default file, at the bottom of the post-auth block add:

    if (LDAP-Group == 'radius') {
        noop
    }
    elsif (LDAP-Group == 'cn=radius,cn=groups,cn=accounts,dc=foobar,dc=com') {
        noop
    }
    else {
        reject
    }

In the /etc/raddb/mods-enabled/ldap file, set these lines within the user and group blocks:

    ldap {
        server = 'dc1.foobar.com'

        base_dn = 'cn=accounts,dc=foobar,dc=com'
        user {
            base_dn = 'cn=users,${..base_dn}'
            filter = '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
            scope = 'sub'
            ...
        }
        group {
            base_dn = 'cn=groups,${..base_dn}'
            filter = '(objectClass=posixGroup)'
            membership_attribute = 'memberOf'
            scope = 'sub'
            name_attribute = cn
            ...
        }
    }

Include the following at the top of the ldap block of /etc/raddb/mods-enabled/ldap (the bind identity FreeRADIUS uses for its LDAP lookups):

    identity = 'uid=test,cn=users,cn=accounts,dc=foobar,dc=com'
    password = 'password123456'

Get FreeRADIUS to Read the NTLM Hash from FreeIPA (For MSCHAP, CHAP, PAP, etc.)

To get devices that use MSCHAP(v2), CHAP, and PAP to work with FreeIPA's LDAP, first change default_eap_type in mods-available/eap to:

    default_eap_type = mschapv2

In mods-enabled/ldap, change the following lines in the update block so that NT-Password is taken from ipaNTHash:

    update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password             := 'ipaNTHash'
        ...
    }

Create a role, privilege, and permission in FreeIPA to read the ipaNTHash:

    [root@ipa ~]# ipa role-add "RADIUS auth"
    [root@ipa ~]# ipa privilege-add "NTLM Password Hash Access"
    [root@ipa ~]# ipa permission-add "Read NTLM Password Hash Attribute" \
    --attrs=ipaNTHash --type=user --right=read --right=compare
    [root@ipa ~]# ipa privilege-add-permission "NTLM Password Hash Access" \
    --permissions="Read NTLM Password Hash Attribute"

Add the read-only LDAP bind user (the identity set in mods-enabled/ldap) to the "RADIUS auth" role so that it can read ipaNTHash.