windows 2003 AD authentication with freeradius (for 802.1X)




All,
I've been struggling to get AD authentication working the way I want it. I wanted users to automatically log in to the wireless network with their Windows (AD) account without needing to enter their passwords.
I created this procedure with bits and pieces I found on the internet, hints I got on this list and some things I found out myself.
I hope this saves some time for others (as this was a popular question on the list/Google, but I didn't find the complete solution that worked for me). If there are better options than the ones I used, let me know. I changed IP addresses and realm names for privacy reasons, but if there's something not clear anymore, let me know.

1. General config needed for 802.1X
I added the AP in the clients.conf file.
I configured the AP to use WPA2/AES (also had to add WPA/TKIP).
I entered the RADIUS server I used below as RADIUS server (enabled 802.1X on the AP) and used the secret I configured in the clients.conf file.


freeradius+AD windows 2003
Install Samba (packages samba, samba-common and samba-client).

configure /etc/samba/smb.conf:
[root@radsv samba]# cat smb.conf
realm = DIVISION.DOMAIN.NET
workgroup = division.domain.net
security = ADS
encrypt passwords = yes
password server = 192.168.100.3
# idmap uid and idmap gid are aliases for
# winbind uid and winbid gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/sambatest
read >
browsable = yes
writable = yes
guest ok = yes
valid users = @DIVISION.DOMAIN.NET\"Domain Users"
[root@radsv samba]#


configure /etc/krb5.conf
[root@radsv samba]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DIVISION.DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

[realms]
DIVISION.DOMAIN.NET = {
kdc = 192.168.100.3:88
admin_server = 192.168.100.3:749
default_domain = division.domain.net
}

[domain_realm]
.division.domain.net = DIVISION.DOMAIN.NET
division.domain.net = DIVISION.DOMAIN.NET

[kdc]
profile = "">
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@radsv samba]#

configure nsswitch.conf:

Change the following entries in nsswitch.conf:

passwd:files -> passwd:files winbind
group:files -> group:files winbind


Join the RADIUS server to the domain (the account wireless-account needs to be created and should have enough rights in AD):
#net ads join -S 192.168.100.3 -U wireless-account


Configure freeradius:

Add the user to the /etc/raddb/users file (if you use it for 802.1X you probably also want to add VLAN assignment entries):
[root@radsv raddb]# cat users|grep -i user123
user123
[root@radsv raddb]#

Add the realm(s) to the /etc/raddb/proxy.conf file (add all the aliases of your domain here):
realm DIVISION.DOMAIN.NET {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}
realm DIVISION {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

Configure /etc/raddb/radiusd.conf (change/activate the mschap part):
mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_strong = yes
                with_ntdomain_hack = yes
                require_encryption = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
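The realm entries in proxy.conf and the `%{Stripped-User-Name:-%{User-Name:-None}}` expansion in the ntlm_auth line above work together: a realm with `authhost = LOCAL` strips `DOMAIN\` or `@realm` from the User-Name so that only the bare account name reaches winbind, and the `:-` defaults decide what ntlm_auth is given when an attribute is absent. The following Python model is an added example for this page, not code from the post or from FreeRADIUS. It assumes (labelled in the comments) that both the prefix (`ntdomain`, delimiter `\`) and suffix (`@`) realm instances are active in the authorize section and that realm names are matched case-insensitively; the sample user names and hex values are constructed placeholders.

```python
"""Model how the proxy.conf realm entries and the mschap ntlm_auth line
in this post combine for the user names a Windows supplicant sends.

Added example for this page, not code from the post or from FreeRADIUS.
Assumptions: both the prefix ("ntdomain", delimiter "\\") and the suffix
("@") realm instances are active in the authorize section, and realm
names are matched case-insensitively.
"""

# Realms from the post's proxy.conf; authhost LOCAL means "authenticate here".
REALMS = {"DIVISION.DOMAIN.NET": "LOCAL", "DIVISION": "LOCAL"}


def split_realm(user_name, realms=REALMS):
    """Return (stripped_user, realm) for DOMAIN\\user or user@realm.

    A name with no delimiter, or whose realm is not configured, is left
    untouched and gets realm None, i.e. no Stripped-User-Name is set.
    """
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
    elif "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
    else:
        return user_name, None
    for known in realms:
        if known.lower() == realm.lower():   # assumed case-insensitive match
            return user, known
    return user_name, None


def xlat(value, default):
    """%{Attr:-default}: the attribute's value if it exists, else the default."""
    return value if value is not None else default


def ntlm_auth_argv(user_name, challenge=None, nt_response=None):
    """Expand the post's ntlm_auth line into an argv list.

    challenge / nt_response are the hex strings %{mschap:Challenge} and
    %{mschap:NT-Response} would yield; None means the attribute is absent
    (not an MS-CHAP request), so the ":-00" defaults apply.
    """
    stripped, realm = split_realm(user_name)
    # Stripped-User-Name only exists when a configured realm matched.
    stripped = stripped if realm is not None else None
    # %{Stripped-User-Name:-%{User-Name:-None}}
    username = xlat(stripped, xlat(user_name, "None"))
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={username}",
        f"--challenge={xlat(challenge, '00')}",
        f"--nt-response={xlat(nt_response, '00')}",
    ]


if __name__ == "__main__":
    # Constructed sample names; the hex values are placeholders, not MS-CHAP data.
    for name in ("DIVISION\\user123", "user123@division.domain.net",
                 "user123", "OTHER\\bob"):
        print(name, "->", split_realm(name), ntlm_auth_argv(name, "a1b2c3", "d4e5f6"))
```

The unknown-realm case is the one worth checking in a lab: `OTHER\bob` matches no realm, so nothing is stripped and winbind is asked about the full `OTHER\bob` string, which is why every alias of the domain has to be listed in proxy.conf as the post says.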


Configure eap.conf:

Uncomment the TLS keys (for production you should create your own!!).
tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        fragment_size = 1024
                include_length = yes
                }
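Two settings in the excerpts above are the ones a reviewer would flag before this goes to production: the krb5.conf [libdefaults] section restricts Kerberos to single-DES enctypes (des-cbc-crc, des-cbc-md5), and the eap.conf tls block uses the demo certificate, demo CA and demo key password shipped with FreeRADIUS, which the post itself says to replace. The script below is an added example for this page, not code from the post, FreeRADIUS or Samba: it parses the quoted settings (sample texts constructed from the post's values) and shows them beside hardened variants that pass the same checks. The AES enctype names are standard MIT Kerberos names; the certificate file names and passphrase in the hardened variant are placeholders.

```python
"""Flag the weak enctype and EAP-TLS settings quoted in this post, next to
hardened equivalents that pass the same checks.

Added example, not code from the post or from FreeRADIUS/Samba. The sample
texts are constructed from the values quoted in the post; the hardened
variants use placeholder file names and passphrase.
"""
import re

# Single-DES and RC4 Kerberos enctypes, deprecated by RFC 6649 and RFC 8429.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                       "arcfour-hmac", "arcfour-hmac-exp"}

KRB5_FROM_POST = """\
[libdefaults]
default_realm = DIVISION.DOMAIN.NET
default_etypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
"""

KRB5_HARDENED = """\
[libdefaults]
default_realm = DIVISION.DOMAIN.NET
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

TLS_FROM_POST = """\
tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
}
"""

TLS_HARDENED = """\
tls {
    private_key_password = <strong-passphrase-placeholder>
    private_key_file = ${raddbdir}/certs/radius-server.key
    certificate_file = ${raddbdir}/certs/radius-server.crt
    CA_file = ${raddbdir}/certs/corp-ca.pem
}
"""


def parse_kv(text):
    """Return {key: value} for 'key = value' lines; headers and braces are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w-]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_krb5(text):
    """One finding per deprecated enctype listed in any enctype setting."""
    findings = []
    settings = parse_kv(text)
    for key in ("default_etypes", "default_tkt_enctypes",
                "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in settings.get(key, "").split():
            if enctype.lower() in DEPRECATED_ENCTYPES:
                findings.append(f"{key}: {enctype} is deprecated; use AES enctypes")
    return findings


def audit_eap_tls(text):
    """Findings for the demo certificate material and demo key password."""
    findings = []
    settings = parse_kv(text)
    if ("demoCA" in settings.get("CA_file", "")
            or settings.get("certificate_file", "").endswith("cert-srv.pem")):
        findings.append("certificate_file/CA_file: demo certificates shipped with "
                        "FreeRADIUS are in use; issue a server cert from your own CA")
    if settings.get("private_key_password", "") in ("", "whatever"):
        findings.append("private_key_password: demo or empty password")
    return findings


if __name__ == "__main__":
    for label, text, audit in (("krb5 (post)", KRB5_FROM_POST, audit_krb5),
                               ("krb5 (hardened)", KRB5_HARDENED, audit_krb5),
                               ("eap tls (post)", TLS_FROM_POST, audit_eap_tls),
                               ("eap tls (hardened)", TLS_HARDENED, audit_eap_tls)):
        print(label, "->", audit(text) or "no findings")
```

Run against the files on a real server by reading them in place of the constructed strings; a Windows 2003 DC does support RC4 but not AES, so on that platform the practical minimum is to drop the single-DES entries and let the DC negotiate, and to move to AES when the domain functional level allows it.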


Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551


